1
00:00:00,270 --> 00:00:07,050
Correct timing in Nmap scans is important for the accuracy and effectiveness of the scan. In the

2
00:00:07,050 --> 00:00:14,490
case of outside scans, it is usually preferable to use slow scans to avoid devices such as IPS / IDS,

3
00:00:15,000 --> 00:00:21,440
whereas in a scan from an internal network, quick scan options will be preferred. While fine-grained

4
00:00:21,440 --> 00:00:24,300
timing controls are powerful and effective,

5
00:00:24,310 --> 00:00:28,750
fortunately Nmap offers a simple approach with six timing templates.

6
00:00:30,100 --> 00:00:37,510
You can specify them with the "-T" option and their number (0–5) or their name. The template

7
00:00:37,510 --> 00:00:39,330
names are paranoid (0),

8
00:00:39,340 --> 00:00:47,520
sneaky (1), polite (2), normal (3), aggressive (4) and insane (5).

9
00:00:47,650 --> 00:00:52,520
The first two are for IDS evasion. Polite mode

10
00:00:52,540 --> 00:00:59,300
slows down the scan to use less bandwidth and target machine resources. Normal mode is the default,

11
00:00:59,300 --> 00:01:02,240
and so -T3 does nothing.

12
00:01:02,240 --> 00:01:08,150
Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable

13
00:01:08,150 --> 00:01:09,040
network.

14
00:01:09,140 --> 00:01:15,290
Finally, insane mode assumes that you're on an extraordinarily fast network or you're willing to sacrifice

15
00:01:15,410 --> 00:01:16,660
accuracy for speed.

16
00:01:17,920 --> 00:01:24,440
The --max-retries option specifies the maximum number of port scan probe retransmissions.

17
00:01:25,350 --> 00:01:32,430
When Nmap receives no response to a port scan probe, it could mean that the port is filtered, or maybe

18
00:01:32,430 --> 00:01:36,540
the probe or response was simply lost on the network.

19
00:01:36,550 --> 00:01:42,300
It's also possible that the target host has rate limiting enabled that temporarily blocks the response.

20
00:01:42,590 --> 00:01:49,210
So Nmap tries again by retransmitting the initial probe. If Nmap detects poor network reliability,

21
00:01:49,690 --> 00:01:53,730
it may try many more times before giving up on a port.

22
00:01:53,770 --> 00:02:00,040
Now, while this benefits accuracy, it also lengthens scan times. So, when performance is critical,

23
00:02:00,040 --> 00:02:04,370
scans may be sped up by limiting the number of retransmissions allowed.

24
00:02:04,540 --> 00:02:11,650
You can even specify --max-retries 0 to prevent any retransmissions, though that's only recommended for

25
00:02:11,650 --> 00:02:19,480
situations such as informal surveys where occasional missed ports and hosts are acceptable.

26
00:02:19,580 --> 00:02:29,060
The default (with no -T template) is to allow ten retransmissions. --host-timeout is used to give

27
00:02:29,060 --> 00:02:30,360
up on slow targets.

28
00:02:30,830 --> 00:02:34,760
Some hosts simply take a long time to scan.

29
00:02:34,760 --> 00:02:40,070
This may be due to poorly performing or unreliable networking hardware or software,

30
00:02:40,340 --> 00:02:47,450
packet rate limiting or a restrictive firewall. The slowest few percent of the scanned hosts can eat up

31
00:02:47,450 --> 00:02:49,760
a majority of the scan time.

32
00:02:49,820 --> 00:02:53,230
Sometimes it's best to cut your losses and skip those hosts initially.

33
00:02:53,240 --> 00:03:00,650
Specify --host-timeout with the maximum amount of time you are willing to wait.

34
00:03:00,650 --> 00:03:06,420
For example, specify 30 minutes to ensure that Nmap doesn't waste more than half an hour on a single host.

35
00:03:07,360 --> 00:03:12,310
Note that Nmap may be scanning other hosts at the same time during that half an hour, so it's not a complete

36
00:03:12,310 --> 00:03:12,970
loss.

37
00:03:13,920 --> 00:03:20,730
Nmap utilizes parallelism and many advanced algorithms to accelerate the scans. Especially in the

38
00:03:20,730 --> 00:03:22,160
case of external scans,

39
00:03:22,170 --> 00:03:29,580
it may be necessary to turn off parallel scanning, that is, to send a single packet to a server at a time.

40
00:03:29,580 --> 00:03:33,430
Nmap utilizes different options for this purpose:

41
00:03:33,480 --> 00:03:39,060
As we saw just a few minutes ago, you can manage the timing using the -T option.

42
00:03:39,060 --> 00:03:47,250
If you use the templates (0) paranoid, (1) sneaky or (2) polite, parallelisation is turned off. That means these

43
00:03:47,250 --> 00:03:54,930
templates serialise the scan, so only one port is scanned at a time. The --scan-delay option causes Nmap

44
00:03:54,930 --> 00:04:01,440
to wait at least the given amount of time between each probe it sends to a given host.

45
00:04:01,450 --> 00:04:09,710
This is particularly useful in the case of rate limiting. Solaris machines (among many others) will usually

46
00:04:09,710 --> 00:04:15,520
respond to UDP scan probe packets with only one ICMP message per second.

47
00:04:15,770 --> 00:04:18,740
Any more than that sent by Nmap will be wasteful.

48
00:04:18,740 --> 00:04:26,920
A --scan-delay of 1 second will keep Nmap at that slow rate. Nmap tries to detect rate limiting and

49
00:04:26,920 --> 00:04:28,360
adjust the scan delay accordingly.

50
00:04:28,480 --> 00:04:33,490
But it doesn't hurt to specify it explicitly if you already know what rate works best.

51
00:04:33,490 --> 00:04:40,660
OK, so by default Nmap calculates an ever-changing ideal parallelism based on network performance.

52
00:04:41,320 --> 00:04:48,400
The --max-parallelism option is sometimes set to 1 to prevent Nmap from sending more than one probe

53
00:04:48,400 --> 00:04:56,860
at a time to hosts. Nmap has the ability to port scan or version scan multiple hosts in parallel.

54
00:04:56,860 --> 00:05:02,610
Nmap does this by dividing the target IP space into groups and then scanning one group at a time.

55
00:05:03,460 --> 00:05:11,430
When a maximum group size is specified with --max-hostgroup, Nmap will never exceed that size.

56
00:05:11,480 --> 00:05:18,700
So if you specify the maximum number of hosts in a group as 1 using the --max-hostgroup option, there will be

57
00:05:18,700 --> 00:05:23,250
only 1 host in the group and only 1 host will be scanned at a time.

58
00:05:23,500 --> 00:05:28,660
So what do you reckon the difference is between --max-parallelism and --max-hostgroup?

59
00:05:28,690 --> 00:05:37,820
Do you see it? When you set --max-parallelism to 1, Nmap sends only 1 packet to a host at a time. When

60
00:05:37,820 --> 00:05:43,880
you set --max-hostgroup to 1, Nmap scans only one host at a time.
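The closing question of the lecture (how --max-parallelism 1 differs from --max-hostgroup 1, and how --scan-delay interacts with both) is easier to see with a small scheduler model. The following is an added illustration written for this transcript; it is not Nmap's own code and does not reproduce Nmap's real congestion control. It assumes a fixed round-trip time for every probe, identical hosts, and leaves retransmissions (--max-retries) and --host-timeout out of the model. The function names `simulate` and `_host_schedule` and the `ScanEstimate` record are inventions of this example.

```python
"""Toy scheduler model of Nmap's --max-hostgroup, --max-parallelism and
--scan-delay options.  Added illustration, not Nmap's actual algorithm:
every probe is answered after a fixed RTT, hosts in a group are identical,
and --max-retries / --host-timeout are not modelled."""
from dataclasses import dataclass
from math import ceil
from typing import Optional


@dataclass
class ScanEstimate:
    total_time: float          # simulated seconds for the whole target list
    hosts_in_flight: int       # hosts probed concurrently (bounded by --max-hostgroup)
    peak_probes_per_host: int  # outstanding probes to one host (bounded by --max-parallelism)


def _host_schedule(num_ports: int, rtt: float,
                   max_parallelism: Optional[int], scan_delay: float):
    """Send num_ports probes to a single host as early as the limits allow.
    Returns (time the last reply arrives, peak number of outstanding probes)."""
    sends = []
    peak = 0
    for i in range(num_ports):
        # --scan-delay: at least scan_delay seconds between consecutive probes to this host
        t = 0.0 if not sends else sends[-1] + scan_delay
        # --max-parallelism N: probe i may only go out once probe i-N has been answered
        if max_parallelism is not None and i >= max_parallelism:
            t = max(t, sends[i - max_parallelism] + rtt)
        outstanding = sum(1 for s in sends if s + rtt > t) + 1
        peak = max(peak, outstanding)
        sends.append(t)
    return sends[-1] + rtt, peak


def simulate(num_hosts: int, num_ports: int, rtt: float = 0.1,
             max_hostgroup: Optional[int] = None,
             max_parallelism: Optional[int] = None,
             scan_delay: float = 0.0) -> ScanEstimate:
    """Split the hosts into groups of at most max_hostgroup (default: one group
    holding every host).  Groups run one after another; hosts inside a group
    are probed concurrently, each following _host_schedule."""
    group = num_hosts if max_hostgroup is None else min(max_hostgroup, num_hosts)
    groups = ceil(num_hosts / group)
    finish, peak = _host_schedule(num_ports, rtt, max_parallelism, scan_delay)
    return ScanEstimate(total_time=round(groups * finish, 6),
                        hosts_in_flight=group,
                        peak_probes_per_host=peak)


if __name__ == "__main__":
    # Constructed scenario: 4 hosts, 3 ports each, 100 ms RTT.
    scenarios = {
        "defaults": {},
        "--max-parallelism 1": {"max_parallelism": 1},
        "--max-hostgroup 1": {"max_hostgroup": 1},
        "--max-hostgroup 1 --max-parallelism 1 --scan-delay 1s":
            {"max_hostgroup": 1, "max_parallelism": 1, "scan_delay": 1.0},
    }
    for name, opts in scenarios.items():
        print(f"{name:55} {simulate(4, 3, **opts)}")
```

Running it shows the distinction the lecturer is after: with `max_parallelism=1` all four hosts are still in flight at once but each sees at most one outstanding probe, whereas with `max_hostgroup=1` only one host is touched at a time yet it may receive all three probes together. Combining both with a one-second scan delay gives the fully serialised, one-packet-per-second pattern described for rate-limited targets; the Nmap reference guide documents the paranoid, sneaky and polite templates as this same serialised mode with scan delays of 5 minutes, 15 seconds and 400 ms respectively.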