Timing options

You might have noticed that port scanning is probably the most time-consuming part of an Nmap scan. Luckily, Nmap offers a set of timing templates to optimize your scans. They are selected with the -T flag and are numbered from 0 (slowest) to 5 (fastest). The default scanning speed is 3.

Here is an example. We will use the -T2 flag, which is a rather slow option that is not supposed to interfere with the target system:

root@kali:~# nmap -T2 192.168.5.102
Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-05 18:18 CET
Nmap scan report for 192.168.5.102
Host is up (0.99s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
514/tcp filtered shell
593/tcp open http-rpc-epmap
636/tcp open ldapssl
2049/tcp open nfs
3260/tcp open iscsi
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 705.65 seconds

Notice that the scan took 705 seconds.

Now, we will run the same scan, but with the fastest flag -T5:

root@kali:~# nmap -T5 192.168.5.102
Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-05 18:32 CET
Warning: 192.168.5.102 giving up on port because retransmission cap hit (2).
Nmap scan report for 192.168.5.102
Host is up (1.0s latency).
Not shown: 951 closed ports, 27 filtered ports
PORT STATE SERVICE
21/tcp open ftp
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
2049/tcp open nfs
3260/tcp open iscsi
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 14.35 seconds

Now the scan is much faster (only 14 seconds).

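The slower scan options are useful for avoiding detection systems, but they are really slow. The faster scan options (greater than 3) trade accuracy for speed: the -T5 run above hit its retransmission cap and reported 951 closed and 27 filtered ports, where the -T2 run reported 977 closed ports.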
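
To see what a faster template cost in accuracy, the two reports can be compared mechanically. The following Python script is an added example, not part of the original tutorial: it parses Nmap's normal output and reports ports whose state changed, shifts in the "Not shown" counts, and whether the retransmission cap was hit. The embedded samples are abridged copies of the two outputs above, and the function names `parse` and `compare` are illustrative.

```python
import re

# Abridged copies of the two scan outputs shown above (most open ports omitted).
T2_OUT = """Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
514/tcp filtered shell
593/tcp open http-rpc-epmap
Nmap done: 1 IP address (1 host up) scanned in 705.65 seconds"""
T5_OUT = """Warning: 192.168.5.102 giving up on port because retransmission cap hit (2).
Not shown: 951 closed ports, 27 filtered ports
PORT STATE SERVICE
21/tcp open ftp
593/tcp open http-rpc-epmap
Nmap done: 1 IP address (1 host up) scanned in 14.35 seconds"""

def parse(text):
    """Parse Nmap normal output into listed ports, hidden-state counts, warnings, runtime."""
    run = {"ports": {}, "hidden": {}, "warnings": [], "seconds": None}
    for line in text.splitlines():
        if m := re.match(r"(\d+/(?:tcp|udp))\s+(\S+)", line):
            run["ports"][m.group(1)] = m.group(2)          # e.g. "514/tcp" -> "filtered"
        elif line.startswith("Not shown:"):
            for n, state in re.findall(r"(\d+) (\S+) ports?", line):
                run["hidden"][state] = int(n)              # states Nmap collapsed into a count
        elif line.startswith("Warning:"):
            run["warnings"].append(line)
        elif m := re.search(r"scanned in ([\d.]+) seconds", line):
            run["seconds"] = float(m.group(1))
    return run

def compare(slow, fast):
    """Report what the faster run lost or reclassified relative to the slower one."""
    changed = {p: (s, fast["ports"].get(p, "not listed"))
               for p, s in slow["ports"].items() if fast["ports"].get(p) != s}
    states = set(slow["hidden"]) | set(fast["hidden"])
    hidden_delta = {s: fast["hidden"].get(s, 0) - slow["hidden"].get(s, 0) for s in states}
    return {"changed": changed, "hidden_delta": hidden_delta,
            "retransmit_cap_hit": any("retransmission cap" in w for w in fast["warnings"]),
            "speedup": round(slow["seconds"] / fast["seconds"], 1)}

if __name__ == "__main__":
    print(compare(parse(T2_OUT), parse(T5_OUT)))
```

A drop in the closed count matched by a rise in the filtered count, together with the retransmission cap warning, suggests that probes were abandoned before a reply arrived rather than that a firewall dropped them, so those ports are worth rescanning at a slower template.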

Geek University 2022