[Lesson 13] Network Vulnerability and Scanning: Nmap’s Timing in Theory

Photo by petradr on Unsplash

⏰ Correct timing in Nmap is important for the accuracy and effectiveness of the scan. In the case of outside scan, it is usually preferable to use slow scans to avoid devices such as IPS/IDS. Whereas the scanning of internal network, fast scan options will be preferred.

The fine grained timing controls are powerful and effective. Fortunately, Nmap offers a simple approach with six timing templates. You can specify them with “-T” option associated with the number(0–5)/names.

📛 The template names:

  • paranoid (0) 👉 for IDS evasion.
  • sneaky (1) 👉 for IDS evasion.
  • polite (2) 👉 Polite mode slow down the scan to use less bandwidth and target machine resources.
  • normal (3) 👉 Normal mode is the default so “-T3” actually does nothing.
  • aggressive (4) 👉 Aggressive mode speed up the scans by making the assumption that you are on a reasonably fast and reliable network.
  • insane (5) 👉 Insane mode assumes that you’re on an extraordinarily fast network or you are willing to sacrifice accuracy for speed.

💥 The --max-retries option is specify the maximum number of port scan probe re-transmissions.

💥 When Nmap receives no response from a port scan probe, this could mean that the port is filtered or maybe the probe/response is simply lost on the network.

💥 It is also possible that the target host is rate limiting which enable the temporarily block of response. Thus, Nmap tries again by re-transmitting the initial probe.

💥 If Nmap detects poor network reliability, it may try many more times before providing the report about the scan.

💥While this benefits the accuracy of the scan, it also lengthens the scanning periods. Thus, when the performance is critical, then the scans maybe speed up by limiting the number of re-transmissions allowed.

💥 You may also specify --max-retries 0 to prevent any re-transmissions. This is only recommended for situations such as informal surveys where occasional missed ports and hosts are acceptable.

💥 The default (without --T template) template is allowed to perform ten transmissions

🍀 --host-timeout is used to give up on slow target. Some hosts just simply require a long period of time to scan. This maybe due to poorly performing or unreliable networking hardware or software, packet rate limiting or restricted firewall.

🍀The few percentage of the slow scanned host can consume the majority of the scan time. Sometimes, it is best to cut your losses and skip those hosts initially.

🍀 Specify the --host-timeout with a maximum amount of time you are willing to wait. For instance, 30 minutes is specified to ensure that Nmap doesn’t waste more than half an hour on a single host.

🍀 Note that Nmap maybe scanning other hosts at the same time during half an hour so it’s not a complete loss.

🎇 Nmap utilizes the parallelism and many advanced algorithms to accelerate the scans. Especially in the case of external scans, it maybe necessary to close parallel scan.

🎇That is to send a single packet to a server at the same time. Nmap utilizes different options for this purpose.

🎇As we mentioned before in this lesson, you can manage the timing with the -T option. If you use the templates like paranoid(0), sneaky(1) or polite(2) and then the parallelism is closed.

🎇That mean these templates will serializes the scan. Thus, only one port will be scanned at a time.

🎇--scan-delay option cause the Nmap to wait at least the time provided in between each probe is sends to a given host. This is particular useful in the case of rate limiting.

🎇Solaris machines(one of many others) that will usually respond to UDP scan probe packets with only one ICMP message per second. Any more that that sent by Nmap will be wasteful.

🎇 --scan-delay of 1 second will keep Nmap at slow rate. Nmap tries to detect the rate limiting and adjust scan delay accordingly. However, it doesn’t hurt to specify it explicitly when you already know what rate works the best.

🎇By default, Nmap calculates an ever-changing ideal parallelism based on network performance. The --max-parallelism option is sometimes set to 1 to prevent Nmap from sending more than one probe at a time to hosts.

🎇Nmap has the ability to perform port scan or version scan on multiple hosts in parallel. Nmap does this by dividing the target IP space into groups and then scan one group at a time.

🎇When a maximum group size is specified with --max-hostgroup, Nmap will never exceed that size during the scan.

🎇If you specify maximum number of hosts in a group as 1 using --max-hostgroup option, there will be only 1 host in the group and only 1 host will be scanned at a time.

Photo by Kelly Sikkema on Unsplash

❓What the key difference between --max-parallelism and --max-hostgroup?

💭When you set the --max-parallelism to 1, Nmap sends only 1 packet to a host at a time.

💭When you set --max-hostgroup to 1, Nmap scans only one host at a time.

A Bachelor CS student with major in Network Security (UniSZa). Every stories I shared is based on my personal opinion. Thanks you. Having my Internship now.