How to Supercharge Your Nmap Scans

Other Important Supercharging Techniques
Configuring the maximum number of retries isn’t the only option that Nmap provides. Nmap has configuration options for almost every step of the scan.

“Giving up” on a Host
Nmap’s –host-timeout option can get your scan rolling again when it comes across a slow computer because of protocol throttling, extensive filtering, or slow network connectivity. Using an option of –host-timeout 5m will tell Nmap to scan the device for five minutes and then continue with the rest of the scan – even if the scan of that host hasn’t yet completed.

Scanning Multiple Hosts Simultaneously
By default, Nmap will scan groups of hosts simultaneously. If system and network resources allow, this number can be increased to a larger maximum with the –max-hostgroup option. If the Nmap scan is configured to only scan a limited number of ports, this option can get through a much larger set of hosts in a shorter amount of time. The minimum number of hosts can be configured through the –min-hostgroup option.

Scanning Multiple Ports Simultaneously
When a single host is scanned, Nmap will scan ports on the device in parallel to maximize the time spent waiting for a reply. If system and network resources will allow additional simultaneous port scanning, the –max-parallelism and –min-parallelism options allow Nmap to set the bar a bit higher. This option has the potential for overwhelming older IP stacks, so it should be used with care.

Waiting on an answer
By default, Nmap does an excellent job at waiting on replies from port probes. To decrease this delay even further, the –max-scan-delay and –scan-delay options can be used to move the scan along even faster. This particular Nmap option has a delicate touch; setting the time too low will cause Nmap to miss important responses from the target device.

Removing the Need for Options – Nmap’s Master Speed Controls
As you can tell, Nmap includes extensive settings and options for controlling the conversation to the target device. Fortunately, many of these settings and options can be controlled with a single command line option.

Nmap’s master speed controls consist of six built-in timing policies named -T0 through -T5. Each timing policy includes a number of presets, and some of these are shown in this chart:

Notice that Nmap also assigns names to the timing policies. The slowest policy, -T0, is also named “paranoid.” The fastest timing policy, -T5, is appropriately named “insane.” Where the default options are listed, Nmap will adjust its internal timing policy to match the current scanning environment. At the “aggressive” or “insane” levels, Nmap has very little room to make adjustments. If you’re unsure of the networking environment between Nmap and the target device, a good suggestion is to keep the timing policy at the “normal” level and slower.

Giving Nmap the Checkered Flag
You’ve now got everything you need to tweak those Nmap engines. With just a few timing and retransmission changes, you may find that your Nmap scans are running much faster!

Did this article help your Nmap scans run faster? Leave a comment below and let us know what you did!