#readwise
# Network Enumeration with Nmap - Performance

## Metadata
- Author: [[Hack The Box]]
- Full Title: Network Enumeration with Nmap - Performance
- URL: https://academy.hackthebox.com/module/19/section/105
## Summary
Nmap is a tool used for network scanning, and adjusting its settings can improve scanning speed. By modifying timeouts and retry rates, users can speed up scans but may miss some hosts. Different timing templates allow users to set the scan's aggressiveness, impacting results and network traffic. Finding the right balance is key to effective and efficient scanning.
## Highlights
Scanning performance plays a significant role when we need to scan an extensive network or are dealing with low network bandwidth. We can use various options to tell `Nmap` how fast to scan (`-T <0-5>`), with which frequency (`--min-parallelism <number>`), which timeouts the test packets should have (`--max-rtt-timeout <time>`), how many packets should be sent simultaneously (`--min-rate <number>`), and how many retries (`--max-retries <number>`) should be made for the scanned ports. ([View Highlight](https://read.readwise.io/read/01jp4w33x0r4gra6p01vc7hf38)) ^9yk5q1
---
`Nmap` starts with a high timeout (`--min-rtt-timeout`) of 100ms. ([View Highlight](https://read.readwise.io/read/01jp4w3tb9yd4d91y57nstw15x)) ^fecs78
---
```sh
sudo nmap 10.129.2.0/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms
```
> `<SNIP>`
> `Nmap done: 256 IP addresses (8 hosts up) scanned in 12.29 seconds`

| Scanning Options | Description |
| ---------------------------- | ----------------------------------------------------- |
| `10.129.2.0/24` | Scans the specified target network. |
| `-F` | Scans top 100 ports. |
| `--initial-rtt-timeout 50ms` | Sets the specified time value as initial RTT timeout. |
| `--max-rtt-timeout 100ms` | Sets the specified time value as maximum RTT timeout. |
([View Highlight](https://read.readwise.io/read/01jp4w4rprnejwved8edyahv3g))
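
Tighter RTT timeouts trade coverage for speed, so a tuned run is worth checking against a default run over the same range. The script below is an added example, not from the Hack The Box page: it parses the `Nmap done:` summary lines and reports hosts missed and seconds saved. The baseline line is a constructed sample, and `parse_summary` and `compare_runs` are hypothetical helper names.

```sh
#!/bin/sh
# Added example: compare the "Nmap done:" summary of a tuned scan with a baseline.

# Constructed sample: summary of a default-timing run over the same /24.
BASELINE='Nmap done: 256 IP addresses (10 hosts up) scanned in 40.00 seconds'
# Summary line shown on the page for the run with reduced RTT timeouts.
TUNED='Nmap done: 256 IP addresses (8 hosts up) scanned in 12.29 seconds'

# parse_summary LINE -> prints "<addresses> <hosts_up> <seconds>", or nothing
# if LINE is not an Nmap summary line (hypothetical helper name).
parse_summary() {
    printf '%s\n' "$1" | sed -n \
        's/^Nmap done: \([0-9][0-9]*\) IP address[es]* (\([0-9][0-9]*\) hosts* up) scanned in \([0-9.][0-9.]*\) seconds$/\1 \2 \3/p'
}

# compare_runs BASELINE_LINE TUNED_LINE (hypothetical helper name)
# Prints hosts missed and seconds saved. Returns 0 if the tuned run found at
# least as many hosts, 1 if it missed some, 2 if the lines cannot be compared.
compare_runs() {
    base=$(parse_summary "$1")
    tuned=$(parse_summary "$2")
    if [ -z "$base" ] || [ -z "$tuned" ]; then
        echo "unparseable summary line" >&2
        return 2
    fi
    # Intentional word splitting: $1-$3 = baseline fields, $4-$6 = tuned fields.
    set -- $base $tuned
    if [ "$1" != "$4" ]; then
        echo "runs cover a different number of addresses" >&2
        return 2
    fi
    missed=$(( $2 - $5 ))
    saved=$(awk -v a="$3" -v b="$6" 'BEGIN { printf "%.2f", a - b }')
    echo "missed_hosts=$missed seconds_saved=$saved"
    [ "$missed" -le 0 ]
}

if ! compare_runs "$BASELINE" "$TUNED"; then
    echo "do not rely on the tuned run alone: rescan with default timeouts"
fi
```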
---
Another way to increase scan speed is by specifying the retry rate of sent packets (`--max-retries`). The default value is `10`, but we can reduce it to `0`. This means if Nmap does not receive a response for a port, it won't send any more packets to that port and will skip it. ([View Highlight](https://read.readwise.io/read/01jp4wskhasbwjxqmr96nnm1nt)) ^whl1py
---
During a white-box penetration test, we may get whitelisted on the security systems so that we can check the systems in the network for vulnerabilities and not only test the protection measures. If we know the network bandwidth, we can work with the rate of packets sent, which significantly speeds up our scans with `Nmap`. When setting the minimum rate (`--min-rate <number>`) for sending packets, we tell `Nmap` to simultaneously send the specified number of packets. It will attempt to maintain the rate accordingly. ([View Highlight](https://read.readwise.io/read/01jp4x4ygdnx9jagwabq26823n)) ^f52t3v
---
`--min-rate 300` Sets the minimum number of packets to be sent per second. ([View Highlight](https://read.readwise.io/read/01jp4x5awng31y3s4mhmh7njc1)) ^dodli6
---
Because such settings cannot always be optimized manually, as in a black-box penetration test, `Nmap` offers six different timing templates (`-T <0-5>`) for us to use. These values (`0-5`) determine the aggressiveness of our scans. This can also have negative effects if the scan is too aggressive, and security systems may block us due to the produced network traffic. The default timing template used when we have defined nothing else is the normal (`-T 3`). ^6ot7jv
- Timing templates ^bqkwtx
    - `-T 0` / `-T paranoid`
    - `-T 1` / `-T sneaky`
    - `-T 2` / `-T polite`
    - `-T 3` / `-T normal`
    - `-T 4` / `-T aggressive`
    - `-T 5` / `-T insane`

These templates contain options that we can also set manually, some of which we have already seen. The developers determined the values set for these templates according to their best results, making it easier for us to adapt our scans to the corresponding network environment. The exact options used and their values can be found here: [https://nmap.org/book/performance-timing-templates.html](https://nmap.org/book/performance-timing-templates.html) ([View Highlight](https://read.readwise.io/read/01jp4x81mxazhy5ypd3yc6ppsn)) ^kd0f8a
---