How to Supercharge Your Nmap Scans

For many security professionals, running Nmap scans against critical systems is an everyday occurrence. Unfortunately, waiting for these scans to finally complete is also part of normal life.

It’s possible to get some of that time back. Some simple built-in Nmap command-line options can significantly decrease the time it takes to scan remote devices, even if you’re scanning just one system. With these optimization techniques, I’ve been able to increase some of my Nmap scans so they complete hours faster than the default settings!

The Basics of Nmap Supercharging
Nmap is an incredibly smart program, and it’s designed to adjust and react to almost any network environment. If Nmap finds itself scanning a slow network link, it will slow down to match the network speed. If the target device is on a locally attached 10 gigabit network, then Nmap will run at lightning fast speeds.

The speed of the network between the Nmap host and the remote target is just one of the metrics that Nmap considers during a scan. The total time spent in an Nmap scan is also dependent on these variables:

  • Retransmissions – Most modern networks employ some type of filtering for enhanced security. If a port filtered to a remote device, the filter will simply drop the port probe instead of sending back a negative response. In these situations, Nmap will attempt to contact the target device again to ensure that the packet didn’t disappear through network errors or congestion. Each of these retransmissions takes time, and an extensive number of retransmissions can cause significant scanning delays.
  • Host delays – Some target devices employ throttling techniques that identify port scans and react by intentionally delaying the responses. A single device could hold up the entire Nmap scanning process for all of the other target devices.
  • Simultaneous host scans – Are you still scanning one device at a time? Nmap can scan multiple devices simultaneously, and one simple command allows you to set the wheels in motion.
  • Parallel port scanning – A default host scan often involves scanning thousands of different ports, and the number of simultaneous port scans can contribute heavily to the total scan time.
  • Delays between port probes – Nmap’s advanced scanning engine is designed to put the right amount of delay between each port probe. These delays are customizable, and a slight “overclocking” of the scanning rate can often tweak the total scan time to be a bit faster.

You’ve got complete control over the Nmap scan, including the number of simultaneous device scans, number of simultaneous port probes, and the delays between each of these probes.