Understanding NMAP timing options is essential in planning a proper scanning strategy for ethical hacking and penetration testing purposes – especially when the time window for performing a scan is limited or when you are looking to evade intrusion detection mechanisms in a network.
In this NMAP tutorial, we will take a closer look at NMAP timing options [flags], when and how to use them.
Before we start, I strongly recommend you not to pick up random targets on the Internet to practice this guide. Instead, take one hour to set up your own virtual hacking lab with Kali Linux with VirtualBox on your own computer for free, and stay on the safe side until you become an expert.
Alternatively, you can install NMAP on your own operating system by following the NMAP installation guide for Windows, macOS, Linux, and UNIX. You can choose to practice this tutorial by scanning the ports on your own computer – you may need to find your IP address first.
And with that out of the way, let’s get started.
What Are NMAP Timing Options?
The scan output accuracy is directly influenced by NMAP timing options set for a specific scan. For instance, when scanning a large number of targets on a fast network such as a Local Area Network [LAN], we can increase the number of parallel operations performed by NMAP to get faster results.
On the other hand, when scanning targets across the Internet, it is advisable to slow down a scan to avoid triggering various intrusion detection mechanisms and get more accurate scan results.
Table 1.1 below shows a summary of all NMAP timing options we are going to cover in this tutorial.
|Timing Option||Flag|
|Set the Packet Time To Live [TTL]||--ttl|
|Minimum # of Parallel Operations||--min-parallelism|
|Maximum # of Parallel Operations||--max-parallelism|
|Minimum Host Group Size||--min-hostgroup|
|Maximum Host Group Size||--max-hostgroup|
|Maximum RTT Timeout||--max-rtt-timeout|
|Initial RTT Timeout||--initial-rtt-timeout|
|Minimum Scan Delay||--scan-delay|
|Maximum Scan Delay||--max-scan-delay|
|Minimum Packet Rate||--min-rate|
|Maximum Packet Rate||--max-rate|
|Defeat Reset Rate Limits||--defeat-rst-ratelimit|
NMAP Timing Unit Flags
By default, NMAP executes time units in seconds. However, by applying a qualifier to the timing flag, we can instruct NMAP to accept timing units in milliseconds, minutes, or hours – as seen in Table 1.2 below.
|(none)||Milliseconds (1/1000 of a second)||60000 milliseconds||60000ms|
For example, we can instruct NMAP to scan a target for 1 minute before aborting using the --host-timeout option as shown below:
nmap --host-timeout 60000ms 192.168.130.132
The above command can also be executed as:
nmap --host-timeout 60s 192.168.130.132
nmap --host-timeout 1m 192.168.130.132
All the above commands will produce the same output as 60000ms = 60s = 1m.
To understand the importance of setting up a proper time unit when running NMAP, let’s run the above command on a target in a fast network such as LAN [Figure 1.1].
The NMAP scan for the target in Figure 1.1 was completed in 4.67 seconds, well below the 60-second timeout we set.
Let’s run the same command on a target located on the Internet [Figure 1.2].
As seen in Figure 1.2, the NMAP host timeout of 60 seconds was not sufficient to complete the scan for scanme.nmap.org. Let’s set the timeout to 10 minutes [10m] and check the results [Figure 1.3].
But we don’t have to guess the correct timing unit. NMAP comes with ready-made timing templates to suit any scanning scenario.
NMAP Timing Templates
Syntax: nmap -T[Template No.] [Target]
Description: Specify an NMAP timing template for a scan.
Think of NMAP timing templates as shortcuts for different timing options.
NMAP provides six templates [0 to 5] we can use to slow down scanning [evade firewalls] or speed up [get faster results] – depending on the scanning scenario, as seen in Table 1.3 below.
|NMAP Timing Template||Name||Description|
|-T0||Paranoid scan||A very slow scan|
|-T1||Sneaky scan||Excellent for avoiding firewalls|
|-T2||Polite scan||Unlikely to interfere with the target system|
|-T3||Normal scan||The default NMAP timing template|
|-T4||Aggressive scan||Provides faster results on LANs|
|-T5||Insane scan||A fast aggressive scan|
Figure 1.3 shows an example of aggressive scan [T4] on a target located in a local network.
Minimum Parallel Operations In NMAP
Syntax: nmap --min-parallelism [Number] [Target]
Description: Specify the minimum number of parallel port scans NMAP should perform during a scan.
The number of parallel operations is set automatically by NMAP during a scan, based on the target’s network conditions. However, in some rare cases we can instruct NMAP to perform a specific minimum number of parallel operations [Figure 1.4].
In Figure 1.3 we instructed NMAP to perform 8 parallel operations for a target and the scan was completed in 5.18 seconds. Let’s instruct NMAP to perform 100 parallel operations for the same target and see the results [Figure 1.4].
In Figure 1.4 we instructed NMAP to perform a scan using 100 parallel operations. The target was scanned in 3.29 seconds – less time than the scan on Figure 1.3 of the same target.
As we see, the number of NMAP parallel operations can impact the performance of a scan. However, setting the --min-parallelism value too high may produce inaccurate scanning results.
Maximum Parallel Operations In NMAP
Syntax: nmap --max-parallelism [Number] [Target]
Description: Specify the maximum number of parallel port scans NMAP can perform during a scan.
This option will limit NMAP to a maximum number of parallel operations during a scan. One reason to use this option is to avoid NMAP flooding a target with packets by performing a slower scan [Figure 1.5].
In Figure 1.5 we instructed NMAP to allow a maximum of 1 parallel operation and the scan completed in 202.1 seconds – considerably slower than previous scans on the same target.
Minimum Host Group Size In NMAP
Syntax: nmap --min-hostgroup [Number] [Targets]
Description: Perform parallel scans on multiple targets to save time.
When performing a scan for a range of targets or the entire subnet, we can instruct NMAP to scan multiple targets at once to save time.
By default, NMAP will automatically adjust the size of the group scanned based on the network conditions and type of scan performed.
The --min-hostgroup option will instruct NMAP to keep the group size scanned above a specific number [Figure 1.6].
Maximum Host Group Size In NMAP
Syntax: nmap --max-hostgroup [Number] [Targets]
Description: Perform parallel scans on multiple targets to save time.
The maximum host group size option instructs NMAP to control the number of hosts in a group under a specified number. This scanning option is useful when looking to avoid detection when scanning secured networks with firewalls [Figure 1.7].
Initial RTT Timeout In NMAP
Syntax: nmap --initial-rtt-timeout [Time] [Target]
Description: Controls the initial Round-Trip Time [RTT] timeout value NMAP uses when waiting for a probe response.
The --initial-rtt-timeout for a normal NMAP scan [-T3] has a default timing value of 1 second.
We can increase the NMAP initial RTT timeout value to avoid timeouts due to packet retransmission. In contrast, we can decrease the RTT timeout value to improve the scanning time.
NOTE: keep in mind that setting an RTT value too low can produce inaccurate scanning results.
Maximum RTT Timeout In NMAP
Syntax: nmap --max-rtt-timeout [Time] [Target]
Description: Controls the maximum Round-Trip Time [RTT] timeout value NMAP uses when waiting for a probe response during a scan.
The maximum RTT timeout is another timing parameter that NMAP automatically adjusts during a scan. However, in some situations, such as NMAP giving up a scan due to slow connection, we can adjust the maximum RTT timeout parameter to fit our scanning scenario [Figure 1.8].
NOTE: The default maximum RTT timeout in NMAP is 10 seconds. The usual values used for maximum RTT timeout are between 1 second [1s] to 100 seconds [100s].
Maximum Retries In NMAP
Syntax: nmap --max-retries [Number] [Target]
Description: Controls the maximum number of probe retransmissions performed by NMAP during a scan.
The maximum retries number is a parameter adjusted automatically by NMAP during a scan. As in the previous examples, we can instruct NMAP to use a value more suitable to our scenario [Figure 1.9].
For instance, we can use the --max-retries option when we are troubleshooting a network connectivity issue.
A higher maximum retries value will produce more accurate results but will take longer for the scan to complete. Lowering the maximum retries value will speed up a scan but may cause NMAP to give up too soon, thereby affecting the scan output.
Set Packet Time To Live In NMAP
Syntax: nmap --ttl [Time] [Target]
Description: Specifies the Time To Live parameter in the packet header for an NMAP scan.
In the IP context, the Time To Live [TTL] is an 8-bit field in the IP header that indicates how many hops a packet can pass through in a network before being dropped.
In a slow network, the packets sent to a destination may time-out before receiving a response from the target machine.
NMAP allows us to adjust the TTL parameter to avoid time-outs when scanning targets in a slow network [Figure 1.10].
Host Timeout In NMAP
Syntax: nmap --host-timeout [Time] [Targets]
Description: Instruct NMAP to stop scanning a host(s) after a given time.
In some scanning scenarios, it may be useful to abort a target if the response has many time-outs due to slow or unreliable network conditions or rate-limiting firewalls.
The host timeout option instructs NMAP to stop scanning a target if the scan is not completed in a given time for that specific target.
For instance, in Figure 1.11, we performed a scan on a target located on the Internet, and we instructed NMAP to stop the scanning process if not completed in 2 minutes [2m].
In Figure 1.12 we instruct NMAP to scan a given IP range and allow 30 seconds [30s] per host scanned before it stops the process.
When scanning multiple targets, NMAP will perform parallel scanning even if a target requires a longer time to respond.
NOTE: When using the --host-timeout option, no results will be displayed by NMAP if a target exceeds the timeout value.
Minimum Scan Delay In NMAP
Syntax: nmap --scan-delay [Time] [Target]
Description: Instructs NMAP to pause a specified time between probes when scanning a target.
The minimum scan delay parameter instructs NMAP to take a break between probes for a specified time interval to evade rate limiting configurations on some target systems.
By default, NMAP is equipped to detect rate limiting on targets and automatically adjust the scan delay parameter.
However, in some situations – when we know a network uses Intrusion Detection Systems [IDS] or rate limiting configurations, we can specify this parameter manually. Take note that even a low minimum scan delay can dramatically slow down the scanning process [Figure 1.13].
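Seen from the monitoring side, a scan delay spreads probes out in time but does not reduce the number of distinct ports a single source touches. The following added example (not from the original tutorial) runs a sliding-window count over constructed firewall log lines; the log format, source addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def sample_log():
    """Constructed log lines: 10.0.0.7 probes a new port every 15 seconds
    (as with --scan-delay 15s); 10.0.0.9 is an ordinary HTTPS client."""
    start = datetime(2024, 1, 1, 12, 0, 0)
    lines = [f"{(start + timedelta(seconds=15 * i)).isoformat()} "
             f"SRC=10.0.0.7 DST=192.168.130.132 DPT={20 + i}" for i in range(40)]
    lines += [f"{(start + timedelta(seconds=20 * i)).isoformat()} "
              f"SRC=10.0.0.9 DST=192.168.130.132 DPT=443" for i in range(30)]
    return sorted(lines)


def parse(line):
    """Split one log line into (timestamp, source IP, destination port)."""
    stamp, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.fromisoformat(stamp), kv["SRC"], int(kv["DPT"])


def scanners(lines, window, min_ports):
    """Sources that hit >= min_ports distinct ports inside any sliding window."""
    events = defaultdict(list)  # src -> [(time, port), ...]
    for line in lines:
        when, src, port = parse(line)
        events[src].append((when, port))
    flagged = set()
    for src, hits in events.items():
        hits.sort()
        left = 0
        for right, (when, _) in enumerate(hits):
            while when - hits[left][0] > window:
                left += 1  # drop events that fell out of the window
            if len({port for _, port in hits[left:right + 1]}) >= min_ports:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    log = sample_log()
    print("10 s window :", scanners(log, timedelta(seconds=10), 10))
    print("5 min window:", scanners(log, timedelta(minutes=5), 10))
```

The 10-second window never sees more than one probe from the delayed scanner, while the 5-minute window sees 21 distinct ports from it and none of the repeated port-443 traffic.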
Maximum Scan Delay In NMAP
Syntax: nmap --max-scan-delay [Time] [Target]
Description: Instructs NMAP to wait a specified maximum amount of time between probes when scanning a target.
The maximum scan delay option instructs NMAP to use an upper time limit between probes to speed up a scan [Figure 1.14].
As in previous examples, setting an inadequate --max-scan-delay value can affect the accuracy of the scan output.
Minimum Packet Rate In NMAP
Syntax: nmap --min-rate [Number] [Target]
Description: Instructs NMAP to scan a target by sending a specified number of packets per second.
The minimum packet rate is automatically adjusted by NMAP when the --min-rate timing option is not specified.
For instance, we can instruct NMAP to send a minimum of 20 packets per second. However, if the network conditions are favorable, NMAP may perform the scan faster and use the specified minimum packet rate value as a low threshold [Figure 1.14].
NOTE: Setting the minimum packet rate too high may affect the accuracy of the scan output results.
Maximum Packet Rate
Syntax: nmap --max-rate [Number] [Target]
Description: Instructs NMAP to scan a target by sending a specified maximum number of packets per second.
The maximum packet rate can be used to instruct NMAP to evade networks equipped with Intrusion Detection Systems [IDS] or systems configured with rate limiting solutions. However, this will dramatically slow down the scan [Figure 1.15].
TIP: to perform a sneaky scan, use a --max-rate 0.1 [send a packet every 10 seconds]
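The unit qualifiers, --host-timeout, --scan-delay and --max-rate interact: a throttled scan that cannot finish inside the host timeout returns no results for that host. The added example below (not part of the original tutorial) converts Nmap time values and computes a lower bound on per-host scan time; the function names and the 1000-port probe count are assumptions for illustration, and a bare number is treated as seconds.

```python
import re

# Unit suffixes accepted on Nmap time values, expressed in milliseconds.
# Assumption stated in the lead-in: a value without a suffix means seconds.
_MS_PER_UNIT = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000}
_SPEC = re.compile(r"^(\d+(?:\.\d+)?)(ms|s|m|h)?$")


def parse_time(spec):
    """Convert a time value such as '60000ms', '60s' or '1m' to seconds."""
    match = _SPEC.match(spec.strip().lower())
    if not match:
        raise ValueError(f"not a valid time value: {spec!r}")
    number, unit = match.groups()
    return float(number) * _MS_PER_UNIT[unit or "s"] / 1000


def min_scan_seconds(probes, max_rate=None, scan_delay=None):
    """Lower bound on per-host scan time for a given number of probes.

    max_rate   -- value given to --max-rate (packets per second)
    scan_delay -- value given to --scan-delay (time value string)
    Retransmissions and RTT waits only add to this figure.
    """
    bound = 0.0
    if max_rate is not None:
        if max_rate <= 0:
            raise ValueError("max_rate must be positive")
        bound = max(bound, probes / max_rate)
    if scan_delay is not None:
        # One pause between each pair of consecutive probes.
        bound = max(bound, (probes - 1) * parse_time(scan_delay))
    return bound


def fits_host_timeout(probes, host_timeout, **throttle):
    """True if the throttled scan can finish before --host-timeout expires."""
    return min_scan_seconds(probes, **throttle) <= parse_time(host_timeout)


if __name__ == "__main__":
    # Constructed planning cases for a 1000-port scan of one host.
    cases = [("10m", {"max_rate": 0.1}), ("10m", {"scan_delay": "500ms"}),
             ("3h", {"max_rate": 0.1})]
    for timeout, throttle in cases:
        need = min_scan_seconds(1000, **throttle)
        verdict = "fits" if fits_host_timeout(1000, timeout, **throttle) else "host dropped"
        print(f"{throttle}: >= {need:.0f}s, --host-timeout {timeout}: {verdict}")
```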
Defeat Reset Rate Limits
Flag: --defeat-rst-ratelimit
Syntax: nmap --defeat-rst-ratelimit [Target]
Description: Instructs NMAP to apply rate limiting to reset [RST] packets.
By default, NMAP can detect RST packet limiting targets and automatically adjust its parameters to avoid detection.
Setting up a value for the defeat reset rate limits in NMAP can speed up the scanning process but it may affect the scan output accuracy – one of the reasons why this method is rarely used.
Before You Go
This was quite a lengthy tutorial and I am happy you managed to reach this point. Understanding the NMAP timing options is important for finding the right speed and adapting your scan to evade detection.
NMAP can be the ace in the sleeve for anyone willing to pursue a career in ethical hacking or cyber security. Here are a few articles to help you master NMAP:
- 5 Must Know NMAP Flags For OS/Service Detection
- NMAP Discovery Flags And How To Use Them
- 11 Most Used NMAP Commands And How To Use Them
But most importantly, stay safe!