Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon

To Optimize Scans

Save for later
  • 20 min read
  • 23 Jun 2017

article-image

In this article by Paulino Calderon Pale author of the book Nmap Network Exploration and Security Auditing Cookbook, Second Edition, we will explore the following topics:

  • Skipping phases to speed up scans
  • Selecting the correct timing template
  • Adjusting timing parameters
  • Adjusting performance parameters

(For more resources related to this topic, see here.)

One of my favorite things about Nmap is how customizable it is. If configured properly, Nmap can be used to scan from single targets to millions of IP addresses in a single run. However, we need to be careful and need to understand the configuration options and scanning phases that can affect performance, but most importantly, really think about our scan objective beforehand. Do we need the information from the reverse DNS lookup? Do we know all targets are online? Is the network congested? Do targets respond fast enough? These and many more aspects can really add up to your scanning time.

Therefore, optimizing scans is important and can save us hours if we are working with many targets. This article starts by introducing the different scanning phases, timing, and performance options. Unless we have a solid understanding of what goes on behind the curtains during a scan, we won't be able to completely optimize our scans. Timing templates are designed to work in common scenarios, but we want to go further and shave off those extra seconds per host during our scans. Remember that this can also not only improve performance but accuracy as well. Maybe those targets marked as offline were only too slow to respond to the probes sent after all.

Skipping phases to speed up scans

Nmap scans can be broken in phases. When we are working with many hosts, we can save up time by skipping tests or phases that return information we don't need or that we already have. By carefully selecting our scan flags, we can significantly improve the performance of our scans.

This explains the process that takes place behind the curtains when scanning, and how to skip certain phases to speed up scans.

How to do it...

To perform a full port scan with the timing template set to aggressive, and without the reverse DNS resolution (-n) or ping (-Pn), use the following command:

# nmap -T4 -n -Pn -p- 74.207.244.221

Note the scanning time at the end of the report:

Nmap scan report for 74.207.244.221
Host is up (0.11s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open ssh
80/tcp   open http
9929/tcp open nping-echo
Nmap done: 1 IP address (1 host up) scanned in 60.84 seconds

Now, compare the running time that we get if we don't skip any tests:


# nmap -p- scanme.nmap.org
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.11s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open ssh
80/tcp   open http
9929/tcp open nping-echo
Nmap done: 1 IP address (1 host up) scanned in 77.45 seconds

Although the time difference isn't very drastic, it really adds up when you work with many hosts. I recommend that you think about your objectives and the information you need, to consider the possibility of skipping some of the scanning phases that we will describe next.

How it works...

Nmap scans are divided in several phases. Some of them require some arguments to be set to run, but others, such as the reverse DNS resolution, are executed by default. Let's review the phases that can be skipped and their corresponding Nmap flag:

  • Target enumeration: In this phase, Nmap parses the target list. This phase can't exactly be skipped, but you can save DNS forward lookups using only the IP addresses as targets.
  • Host discovery: This is the phase where Nmap establishes if the targets are online and in the network. By default, Nmap sends an ICMP echo request and some additional probes, but it supports several host discovery techniques that can even be combined. To skip the host discovery phase (no ping), use the flag -Pn. And we can easily see what probes we skipped by comparing the packet trace of the two scans:
    
    $ nmap -Pn -p80 -n --packet-trace scanme.nmap.org
    SENT (0.0864s) TCP 106.187.53.215:62670 > 74.207.244.221:80 S ttl=46 id=4184 iplen=44 seq=3846739633 win=1024 <mss 1460>
    RCVD (0.1957s) TCP 74.207.244.221:80 > 106.187.53.215:62670 SA ttl=56 id=0 iplen=44 seq=2588014713 win=14600 <mss 1460>
    Nmap scan report for scanme.nmap.org (74.207.244.221)
    Host is up (0.11s latency).
    PORT   STATE SERVICE
    80/tcp open http
    Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
    

    For scanning without skipping host discovery, we use the command:

    
    $ nmap -p80 -n --packet-trace scanme.nmap.org
    SENT (0.1099s) ICMP 106.187.53.215 > 74.207.244.221 Echo request (type=8/code=0) ttl=59 id=12270 iplen=28 SENT (0.1101s) TCP 106.187.53.215:43199 > 74.207.244.221:443 S ttl=59 id=38710 iplen=44 seq=1913383349 win=1024 <mss 1460> SENT (0.1101s) TCP 106.187.53.215:43199 > 74.207.244.221:80 A ttl=44 id=10665 iplen=40 seq=0 win=1024 SENT (0.1102s) ICMP 106.187.53.215 > 74.207.244.221 Timestamp request (type=13/code=0) ttl=51 id=42939 iplen=40 RCVD (0.2120s) ICMP 74.207.244.221 > 106.187.53.215 Echo reply (type=0/code=0) ttl=56 id=2147 iplen=28 SENT (0.2731s) TCP 106.187.53.215:43199 > 74.207.244.221:80 S ttl=51 id=34952 iplen=44 seq=2609466214 win=1024 <mss 1460> RCVD (0.3822s) TCP 74.207.244.221:80 > 106.187.53.215:43199 SA ttl=56 id=0 iplen=44 seq=4191686720 win=14600 <mss 1460> Nmap scan report for scanme.nmap.org (74.207.244.221) Host is up (0.10s latency). PORT   STATE SERVICE 80/tcp open http Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds
  • Reverse DNS resolution: Host names often reveal by themselves additional information and Nmap uses reverse DNS lookups to obtain them. This step can be skipped by adding the argument -n to your scan arguments. Let's see the traffic generated by the two scans with and without reverse DNS resolution. First, let's skip reverse DNS resolution by adding -n to your command:
    
    $ nmap -n -Pn -p80 --packet-trace scanme.nmap.org
    SENT (0.1832s) TCP 106.187.53.215:45748 > 74.207.244.221:80 S ttl=37 id=33309 iplen=44 seq=2623325197 win=1024 <mss 1460> RCVD (0.2877s) TCP 74.207.244.221:80 > 106.187.53.215:45748 SA ttl=56 id=0 iplen=44 seq=3220507551 win=14600 <mss 1460> Nmap scan report for scanme.nmap.org (74.207.244.221) Host is up (0.10s latency). PORT   STATE SERVICE 80/tcp open http   Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds

    And if we try the same command but not' skipping reverse DNS resolution, as follows:

    
    $ nmap -Pn -p80 --packet-trace scanme.nmap.org
    NSOCK (0.0600s) UDP connection requested to 106.187.36.20:53 (IOD #1) EID 8
    NSOCK (0.0600s) Read request from IOD #1 [106.187.36.20:53] (timeout: -1ms) EID                                                 18
    NSOCK (0.0600s) UDP connection requested to 106.187.35.20:53 (IOD #2) EID 24
    NSOCK (0.0600s) Read request from IOD #2 [106.187.35.20:53] (timeout: -1ms) EID                                                 34
    NSOCK (0.0600s) UDP connection requested to 106.187.34.20:53 (IOD #3) EID 40
    NSOCK (0.0600s) Read request from IOD #3 [106.187.34.20:53] (timeout: -1ms) EID                                                 50
    NSOCK (0.0600s) Write request for 45 bytes to IOD #1 EID 59 [106.187.36.20:53]:                                                 =............221.244.207.74.in-addr.arpa.....
    NSOCK (0.0600s) Callback: CONNECT SUCCESS for EID 8 [106.187.36.20:53]
    NSOCK (0.0600s) Callback: WRITE SUCCESS for EID 59 [106.187.36.20:53]
    NSOCK (0.0600s) Callback: CONNECT SUCCESS for EID 24 [106.187.35.20:53]
    NSOCK (0.0600s) Callback: CONNECT SUCCESS for EID 40 [106.187.34.20:53]
    NSOCK (0.0620s) Callback: READ SUCCESS for EID 18 [106.187.36.20:53] (174 bytes)
    NSOCK (0.0620s) Read request from IOD #1 [106.187.36.20:53] (timeout: -1ms) EID                                                 66
    NSOCK (0.0620s) nsi_delete() (IOD #1)
    NSOCK (0.0620s) msevent_cancel() on event #66 (type READ)
    NSOCK (0.0620s) nsi_delete() (IOD #2)
    NSOCK (0.0620s) msevent_cancel() on event #34 (type READ)
    NSOCK (0.0620s) nsi_delete() (IOD #3)
    NSOCK (0.0620s) msevent_cancel() on event #50 (type READ)
    SENT (0.0910s) TCP 106.187.53.215:46089 > 74.207.244.221:80 S ttl=42 id=23960 ip                                                 len=44 seq=1992555555 win=1024 <mss 1460>
    RCVD (0.1932s) TCP 74.207.244.221:80 > 106.187.53.215:46089 SA ttl=56 id=0 iplen                                                =44 seq=4229796359 win=14600 <mss 1460>
    Nmap scan report for scanme.nmap.org (74.207.244.221)
    Host is up (0.10s latency).
    PORT   STATE SERVICE
    80/tcp open http
    Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
    
  • Port scanning: In this phase, Nmap determines the state of the ports. By default, it uses SYN/TCP Connect scanning depending on the user privileges, but several other port scanning techniques are supported. Although this may not be so obvious, Nmap can do a few different things with targets without port scanning them like resolving their DNS names or checking whether they are online. For this reason, this phase can be skipped with the argument -sn:
    
    $ nmap -sn -R --packet-trace 74.207.244.221
    SENT (0.0363s) ICMP 106.187.53.215 > 74.207.244.221 Echo request (type=8/code=0) ttl=56 id=36390 iplen=28
    SENT (0.0364s) TCP 106.187.53.215:53376 > 74.207.244.221:443 S ttl=39 id=22228 iplen=44 seq=155734416 win=1024 <mss 1460>
    SENT (0.0365s) TCP 106.187.53.215:53376 > 74.207.244.221:80 A ttl=46 id=36835 iplen=40 seq=0 win=1024
    SENT (0.0366s) ICMP 106.187.53.215 > 74.207.244.221 Timestamp request (type=13/code=0) ttl=50 id=2630 iplen=40
    RCVD (0.1377s) TCP 74.207.244.221:443 > 106.187.53.215:53376 RA ttl=56 id=0 iplen=40 seq=0 win=0
    NSOCK (0.1660s) UDP connection requested to 106.187.36.20:53 (IOD #1) EID 8
    NSOCK (0.1660s) Read request from IOD #1 [106.187.36.20:53] (timeout: -1ms) EID 18
    NSOCK (0.1660s) UDP connection requested to 106.187.35.20:53 (IOD #2) EID 24
    NSOCK (0.1660s) Read request from IOD #2 [106.187.35.20:53] (timeout: -1ms) EID 34
    NSOCK (0.1660s) UDP connection requested to 106.187.34.20:53 (IOD #3) EID 40
    NSOCK (0.1660s) Read request from IOD #3 [106.187.34.20:53] (timeout: -1ms) EID 50
    NSOCK (0.1660s) Write request for 45 bytes to IOD #1 EID 59 [106.187.36.20:53]: [............221.244.207.74.in-addr.arpa.....
    NSOCK (0.1660s) Callback: CONNECT SUCCESS for EID 8 [106.187.36.20:53]
    NSOCK (0.1660s) Callback: WRITE SUCCESS for EID 59 [106.187.36.20:53]
    NSOCK (0.1660s) Callback: CONNECT SUCCESS for EID 24 [106.187.35.20:53]
    NSOCK (0.1660s) Callback: CONNECT SUCCESS for EID 40 [106.187.34.20:53]
    NSOCK (0.1660s) Callback: READ SUCCESS for EID 18 [106.187.36.20:53] (174 bytes)
    NSOCK (0.1660s) Read request from IOD #1 [106.187.36.20:53] (timeout: -1ms) EID 66
    NSOCK (0.1660s) nsi_delete() (IOD #1)
    NSOCK (0.1660s) msevent_cancel() on event #66 (type READ)
    NSOCK (0.1660s) nsi_delete() (IOD #2)
    NSOCK (0.1660s) msevent_cancel() on event #34 (type READ)
    NSOCK (0.1660s) nsi_delete() (IOD #3)
    NSOCK (0.1660s) msevent_cancel() on event #50 (type READ)
    Nmap scan report for scanme.nmap.org (74.207.244.221)
    Host is up (0.10s latency).
    Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
    

In the previous example, we can see that an ICMP echo request and a reverse DNS lookup were performed (We forced DNS lookups with the option -R), but no port scanning was done.

There's more...

I recommend that you also run a couple of test scans to measure the speeds of the different DNS servers. I've found that ISPs tend to have the slowest DNS servers, but you can make Nmap use different DNS servers by specifying the argument --dns-servers. For example, to use Google's DNS servers, use the following command:

# nmap -R --dns-servers 8.8.8.8,8.8.4.4 -O scanme.nmap.org

You can test your DNS server speed by comparing the scan times. The following command tells Nmap not to ping or scan the port and only perform a reverse DNS lookup:

$ nmap -R -Pn -sn 74.207.244.221
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up.
Nmap done: 1 IP address (1 host up) scanned in 1.01 seconds

To further customize your scans, it is important that you understand the scan phases of Nmap. See Appendix-Scanning Phases for more information.

Selecting the correct timing template

Nmap includes six templates that set different timing and performance arguments to optimize your scans based on network condition. Even though Nmap automatically adjusts some of these values, it is recommended that you set the correct timing template to hint Nmap about the speed of your network connection and the target's response time.

The following will teach you about Nmap's timing templates and how to choose the more appropriate one.

How to do it...

Open your terminal and type the following command to use the aggressive timing template (-T4). Let's also use debugging (-d) to see what Nmap option -T4 sets:


# nmap -T4 -d 192.168.4.20
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 500, min 100, max 1250
max-scan-delay: TCP 10, UDP 1000, SCTP 10
parallelism: min 0, max 0
max-retries: 6, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
<Scan output removed for clarity>

You may use the integers between 0 and 5, for example,-T[0-5].

How it works...

The option -T is used to set the timing template in Nmap. Nmap provides six timing templates to help users tune the timing and performance arguments. The available timing templates and their initial configuration values are as follows:

  • Paranoid(-0)—This template is useful to avoid detection systems, but it is painfully slow because only one port is scanned at a time, and the timeout between probes is 5 minutes:
    --------------- Timing report ---------------
    hostgroups: min 1, max 100000
    rtt-timeouts: init 300000, min 100, max 300000
    max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
    parallelism: min 0, max 1
    max-retries: 10, host-timeout: 0
    min-rate: 0, max-rate: 0
    ---------------------------------------------
    
  • Sneaky (-1)—This template is useful for avoiding detection systems but is still very slow:
    --------------- Timing report ---------------
    hostgroups: min 1, max 100000
    rtt-timeouts: init 15000, min 100, max 15000
    max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
    parallelism: min 0, max 1
    max-retries: 10, host-timeout: 0
    min-rate: 0, max-rate: 0
    ---------------------------------------------
    
  • Polite (-2)—This template is used when scanning is not supposed to interfere with the target system, very conservative and safe setting:
    --------------- Timing report ---------------
    hostgroups: min 1, max 100000
    rtt-timeouts: init 1000, min 100, max 10000
    max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
    parallelism: min 0, max 1
    max-retries: 10, host-timeout: 0
    min-rate: 0, max-rate: 0
    ---------------------------------------------
    
  • Normal (-3)—This is Nmap's default timing template, which is used when the argument -T is not set:
    --------------- Timing report ---------------
    hostgroups: min 1, max 100000
    rtt-timeouts: init 1000, min 100, max 10000
    max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
    parallelism: min 0, max 0
    max-retries: 10, host-timeout: 0
    min-rate: 0, max-rate: 0
    ---------------------------------------------
    
  • Aggressive (-4)—This is the recommended timing template for broadband and Ethernet connections:
    --------------- Timing report ---------------
    hostgroups: min 1, max 100000
    rtt-timeouts: init 500, min 100, max 1250
    max-scan-delay: TCP 10, UDP 1000, SCTP 10
    parallelism: min 0, max 0
    max-retries: 6, host-timeout: 0
    min-rate: 0, max-rate: 0
    
  • ---------------------------------------------
    Insane (-5)—This timing template sacrifices accuracy for speed:
    --------------- Timing report ---------------
    hostgroups: min 1, max 100000
    rtt-timeouts: init 250, min 50, max 300
    max-scan-delay: TCP 5, UDP 1000, SCTP 5
    parallelism: min 0, max 0
    max-retries: 2, host-timeout: 900000
    min-rate: 0, max-rate: 0
    ---------------------------------------------
    

There's more...

An interactive mode in Nmap allows users to press keys to dynamically change the runtime variables, such as verbose, debugging, and packet tracing. Although the discussion of including timing and performance options in the interactive mode has come up a few times in the development mailing list; so far, this hasn't been implemented yet. However, there is an unofficial patch submitted in June 2012 that allows you to change the minimum and maximum packet rate values(--max-rateand --min-rate) dynamically. If you would like to try it out, it's located at http://seclists.org/nmap-dev/2012/q2/883.

Adjusting timing parameters

Nmap not only adjusts itself to different network and target conditions while scanning, but it can be fine-tuned using timing options to improve performance. Nmap automatically calculates packet round trip, timeout, and delay values, but these values can also be set manually through specific settings.

The following describes the timing parameters supported by Nmap.

How to do it...

Enter the following command to adjust the initial round trip timeout, the delay between probes and a time out for each scanned host:

Unlock access to the largest independent learning library in Tech for FREE!
Get unlimited access to 7500+ expert-authored eBooks and video courses covering every tech area you can think of.
Renews at $19.99/month. Cancel anytime
# nmap -T4 --scan-delay 1s --initial-rtt-timeout 150ms --host-timeout 15m -d scanme.nmap.org
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 150, min 100, max 1250
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 6, host-timeout: 900000
min-rate: 0, max-rate: 0
---------------------------------------------

How it works...

Nmap supports different timing arguments that can be customized. However, setting these values incorrectly will most likely hurt performance rather than improve it. Let's examine closer each timing parameter and learn its Nmap option parameter name.

The Round Trip Time (RTT) value is used by Nmap to know when to give up or retransmit a probe response. Nmap estimates this value by analyzing previous responses, but you can set the initial RTT timeout with the argument --initial-rtt-timeout, as shown in the following command:

# nmap -A -p- --initial-rtt-timeout 150ms <target>

In addition, you can set the minimum and maximum RTT timeout values with--min-rtt-timeout and --max-rtt-timeout, respectively, as shown in the following command:

# nmap -A -p- --min-rtt-timeout 200ms --max-rtt-timeout 600ms <target>

Another very important setting we can control in Nmap is the waiting time between probes. Use the arguments --scan-delay and --max-scan-delay to set the waiting time and maximum amount of time allowed to wait between probes, respectively, as shown in the following commands:

# nmap -A --max-scan-delay 10s scanme.nmap.org

# nmap -A --scan-delay 1s scanme.nmap.org

Note that the arguments previously shown are very useful when avoiding detection mechanisms. Be careful not to set --max-scan-delay too low because it will most likely miss the ports that are open.

There's more...

If you would like Nmap to give up on a host after a certain amount of time, you can set the argument --host-timeout:

# nmap -sV -A -p- --host-timeout 5m <target>

Estimating round trip times with Nping

To use Nping to estimate the round trip time taken between the target and you, the following command can be used:

# nping -c30 <target>

This will make Nping send 30 ICMP echo request packets, and after it finishes, it will show the average, minimum, and maximum RTT values obtained:

# nping -c30 scanme.nmap.org

...

SENT (29.3569s) ICMP 50.116.1.121 > 74.207.244.221 Echo request (type=8/code=0) ttl=64 id=27550 iplen=28

RCVD (29.3576s) ICMP 74.207.244.221 > 50.116.1.121 Echo reply (type=0/code=0) ttl=63 id=7572 iplen=28

 

Max rtt: 10.170ms | Min rtt: 0.316ms | Avg rtt: 0.851ms

Raw packets sent: 30 (840B) | Rcvd: 30 (840B) | Lost: 0 (0.00%)

Tx time: 29.09096s | Tx bytes/s: 28.87 | Tx pkts/s: 1.03

Rx time: 30.09258s | Rx bytes/s: 27.91 | Rx pkts/s: 1.00

Nping done: 1 IP address pinged in 30.47 seconds

Examine the round trip times and use the maximum to set the correct --initial-rtt-timeout and --max-rtt-timeout values. The official documentation recommends using double the maximum RTT value for the --initial-rtt-timeout, and as high as four times the maximum round time value for the –max-rtt-timeout.

Displaying the timing settings

Enable debugging to make Nmap inform you about the timing settings before scanning:

$ nmap -d<target>

--------------- Timing report ---------------

hostgroups: min 1, max 100000

rtt-timeouts: init 1000, min 100, max 10000

max-scan-delay: TCP 1000, UDP 1000, SCTP 1000

parallelism: min 0, max 0

max-retries: 10, host-timeout: 0

min-rate: 0, max-rate: 0

---------------------------------------------

To further customize your scans, it is important that you understand the scan phases of Nmap. See Appendix-Scanning Phases for more information.

Adjusting performance parameters

Nmap not only adjusts itself to different network and target conditions while scanning, but it also supports several parameters that affect the behavior of Nmap, such as the number of hosts scanned concurrently, number of retries, and number of allowed probes. Learning how to adjust these parameters properly can reduce a lot of your scanning time.

The following explains the Nmap parameters that can be adjusted to improve performance.

How to do it...

Enter the following command, adjusting the values for your target condition:

$ nmap --min-hostgroup 100 --max-hostgroup 500 --max-retries 2 <target>

How it works...

The command shown previously tells Nmap to scan and report by grouping no less than 100 (--min-hostgroup 100) and no more than 500 hosts (--max-hostgroup 500). It also tells Nmap to retry only twice before giving up on any port (--max-retries 2):

# nmap --min-hostgroup 100 --max-hostgroup 500 --max-retries 2 <target>

It is important to note that setting these values incorrectly will most likely hurt the performance or accuracy rather than improve it. Nmap sends many probes during its port scanning phase due to the ambiguity of what a lack of responsemeans; either the packet got lost, the service is filtered, or the service is not open. By default, Nmap adjusts the number of retries based on the network conditions, but you can set this value with the argument --max-retries. By increasing the number of retries, we can improve Nmap's accuracy, but keep in mind this sacrifices speed:

$ nmap --max-retries 10<target>

The arguments --min-hostgroup and --max-hostgroup control the number of hosts that we probe concurrently. Keep in mind that reports are also generated based on this value, so adjust it depending on how often would you like to see the scan results. Larger groups are optimalto improve performance, but you may prefer smaller host groups on slow networks:

# nmap -A -p- --min-hostgroup 100 --max-hostgroup 500 <target>

There is also a very important argument that can be used to limit the number of packets sent per second by Nmap. The arguments --min-rate and --max-rate need to be used carefully to avoid undesirable effects. These rates are set automatically by Nmap if the arguments are not present:

# nmap -A -p- --min-rate 50 --max-rate 100 <target>

Finally, the arguments --min-parallelism and --max-parallelism can be used to control the number of probes for a host group. By setting these arguments, Nmap will no longer adjust the values dynamically:

# nmap -A --max-parallelism 1 <target>

# nmap -A --min-parallelism 10 --max-parallelism 250 <target>

There's more...

If you would like Nmap to give up on a host after a certain amount of time, you can set the argument --host-timeout, as shown in the following command:

# nmap -sV -A -p- --host-timeout 5m <target>

Interactive mode in Nmap allows users to press keys to dynamically change the runtime variables, such as verbose, debugging, and packet tracing. Although the discussion of including timing and performance options in the interactive mode has come up a few times in the development mailing list, so far this hasn't been implemented yet. However, there is an unofficial patch submitted in June 2012 that allows you to change the minimum and maximum packet rate values (--max-rate and --min-rate) dynamically. If you would like to try it out, it's located at http://seclists.org/nmap-dev/2012/q2/883.

To further customize your scans, it is important that you understand the scan phases of Nmap. See Appendix-Scanning Phases for more information.

Summary

In this article, we are finally able to learn how to implement and optimize scans. Nmap scans among several clients, allowing us to save time and take advantage of extra bandwidth and CPU resources. This article is short but full of tips for optimizing your scans. Prepare to dig deep into Nmap's internals and the timing and performance parameters!

Resources for Article:


Further resources on this subject: