A review of Nmap scan options and timing templates

RELATED CONTENT Tech tips Code complexity analysis: How to keep it simple How to use Windows XP Mode in Windows 7 Understand role-based access control in Microsoft Exchange 2010 Avoid common Web application firewall configuration errors SQL injection detection tools and prevention strategies Cross-site scripting explained: How to prevent attacks How to automate and apply Microsoft Windows 7 AppLocker rules How to use Microsoft Windows 7 AppLocker for whitelisting applications Should you disable IE ESC, or manage it in Windows servers? Scanning with N-Stalker offers basic Web application security assessment Endpoint and NAC Protection Considering two-factor authentication? Do cost, risk analysis Look into SIEM services to cut costs, comply with PCI DSS, HIPAA Voice data security risks on the rise, say experts The value of booting from a VHD in Windows 7 Thin-client technologies surge thanks to easier security, says Deloitte A closer look at Internet Explorer 8 security features USB drive security best practices and processes First step in forensics: Create a bootable Windows environment CD Protecting enterprise networks from new mobile application downloads Four things to remember about server virtualization security concerns Threat and Vulnerability Management Considering two-factor authentication? Do cost, risk analysis Clientless SSL VPN vulnerability and Web browser protection Microsoft's Charney details new botnet protection, IdM technology at RSA Look into SIEM services to cut costs, comply with PCI DSS, HIPAA Cloud security issues, targeted attacks to be hot-button topics at RSA Zeus Trojan continues reign infecting 74,000 PCs in global botnet How to use Google Webmaster tools to help protect your site New Community Security Policy aims to reduce computer misuse The value of booting from a VHD in Windows 7 What to do with network penetration test results

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Centre for the Protection of National Infrastructure  (SearchSecurityUK.com) Computer Misuse Act 1990  (SearchSecurityUK.com) Regulation of Investigatory Powers Act  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Optimizing the timing parameters your scan uses can reduce scan times dramatically. But scanning isn't necessarily always about speed. For example, the Maximum Delay Between Probes option, --max_scan_delay, sets an upper limit for the time Nmap will delay between each request. This option can significantly slow the total scan time, but can be useful on slow or congested WAN connections. On the other hand, the Minimum Delay Between Probes option, --scan_delay, lets you set the delay between each probe frame to speed up or slow down a scan as required, allowing you to scan over a slow link or test an intrusion prevention device, for example.

These and other low-level Nmap scan options can be particularly useful when analyzing networks where routers and firewalls are filtering the traffic to a point where Nmap can't determine its own timing estimates. You can read the Nmap Timing and Performance Reference Guide for a detailed explanation of the many timing options and how best to use them.

Collecting only the information you need is another way of improving scan performance. For example, if you need to scan UDP ports, you shouldn't combine the test with a TCP scan as the timing requirements will be different. UDP scans tend to take a lot longer to complete. One way to speed up any type of scan is to use the Parallel Host and Parallel Port scanning options to set the minimum, or maximum, number of hosts or ports that are scanned simultaneously. These options can be used to improve the efficiency of an unattended batch scan, or to allow Nmap to display results more quickly by reducing the number of simultaneous hosts being scanned.

If you don't want to configure all these options separately, you can use Nmap's predefined timing templates, with names like paranoid (T0) and insane (T5), instead. These range from the slow, quiet and accurate to the fast, loud and not so accurate. If you are auditing a remote office over a slow link, for example, you can add a lower-numbered timing template, such as –T2, to slow down the scan and use less bandwidth and resources on the target machines. Conversely, you can use more aggressive speeds, like –T4 and -T5 on more reliable networks. These timing templates are also great for testing security devices, such as intrusion detection and intrusion prevention systems. By running each timing template, you can refine your network monitoring thresholds based on the conditions that triggered particular alarm or packet filtering events to occur.

Unlike other Nmap commands, the location of a timing option on the command line is important because the last option takes priority. This means you can put a timing template at the beginning of the command line and specify other individual timing options afterwards to create a customized combination of timings without having to specify every possible timing option on the command line. For example:

nmap –T0 –-scan_delay 180000 scanreport.txt www.yourorg.com

The above command sets the scan delay to three minutes instead of the paranoid setting (T0) of five minutes, while leaving its other template settings unchanged. If it still appears to be taking longer than expected, even after your careful construction of a scan command, you can change certain options or request status messages while you're running a scan without having to abort and restart it. For example, typing V will increase the detail of the output while most keys will give you a status update showing hosts completed and estimated time remaining.

How to use the Zenmap GUI
As you can see, to get the most out of Nmap, you need to spend time exploring its many different options and how they affect your scan results. At first this can seem rather daunting, particularly if, like me, you don't like working from a command prompt. Thankfully, Nmap has for sometime had a very good GUI, which makes learning how to use Nmap a lot easier. The interface also has several advanced features for the more experienced user. One small gripe is that the Help button isn't context-sensitive; it just takes you to the online pages at http://nmap.org/zenmap/. These, however, do cover everything you need to know about using Zenmap.

As a beginner, I would recommend using the Command Constructor Wizard as this groups related options together, letting you see the Nmap command build up as you select an option. Not only is this good practice, but you get to appreciate the hundreds of different options available. Once you have built a scan using Zenmap that you want to reuse, it's easy to save it as a profile. You can then rerun the exact same scan, and Zenmap will graphically show any differences between the two scans. It can also compare scans against different hosts, which is great for checking if a new server has been set up in the same way as an existing one. It can also compare different scans against the same host, testing responses from security devices, for example.

This ability to compare scans and present scan results in different formats makes Zenmap a great add-on even for experienced users. The ease with which an individual host detected in a scan can be scanned in more detail and have their results added to the original scan is also impressive -- it's something you can't do from a scan started from the command line. Features like this make auditing, monitoring and presenting information about a network much easier.

At the start of this series of articles I said you should consider open source security tools if they're the most effective solution for a particular task. Hopefully, I've managed to show you how useful and easy Nmap is to use and that it is an obvious choice for network administrators tasked with keeping track of what's running on their network and who's connecting to it.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.

Rate this Tip To rate tips, you must be a member of SearchSecurity.co.UK. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.