Breaking Down Nmap – Part 3

Welcome to the third & final installation of the series Breaking Down Nmap. In this post, we’re going to talk about basics of Timing & Performance as well as Firewall / IDS Evasion.

Note: Some of the options are going to be left unexplained, take this opportunity to experiment with it 😀
–data, –data-string, –data-length, –proxies, –ip-options, –badsum to name a few.

Timing & Performance Basics

–max-retries <numtries> (Limit port scan probe retransmissions)
By default when Nmap receives no response to a scan probe, it re-transmits the initial probe, it may also make more attempts than required against a slow host or under poor network conditions; this behavior considerably increases scan duration. Specifying –max-retries 0 prevents re-transmission of the probes, thereby reducing the scan time.
The default re-transmission count is 10 (when none of the -T options are used).

–host-timeout <time> (Give up on slow hosts)
This is option is invoked so that nmap can skip a slow / unresponsive host this can help in cutting down the scan time.

–script-timeout <time>
This option sets a limit on the script’s execution time. Any script that exceeds the specified time will terminate and provide no output.
Pairing this with the debugging option (-d), nmap will report on each timeout.

–scan-delay<time>; –max-scan-delay<time> (alter delay between probes)
This option allows you to control the amount of time nmap waits between each probe. This is particularly useful when you already know what rate works best.
By default, nmap tries to detect rate limiting and adjusts the scan accordingly.
Additionally, –scan-delay may also be used to evade threshold based intrusion detection & prevention systems(IDS/IPS).

–min-rate <num>; –max-rate <num> (Directly control the scan rate)
These option allow a user to control the scanning rate, by keeping it between a minimum and maximum range. It is important to note that, these two options are a global setting and affect the entire scan. Also, they only affect port & discovery scans whereas OS fingerprinting has its own time implementation.

Firewall / IDS Evasion Basics

-f (fragment packets); –mtu (using a specified mtu)
This option causes the scan to use fragmented IP packets (also affects ping scans!), the idea is to split the TCP header over several packets; making it difficult for packet filters, IDS/IPS and other monitoring solutions to detect the scan.
For instance, if you use it once (-f), the packet fragments are of 8-bytes each, if you use it twice (-ff or -f -f), the packet fragments are of 16-bytes each and so on (in multiples of 8). or you can use –mtu to specify your own offset, however it is to be noted that this too works with multiples of 8.
Pro tip: Use wireshark to ensure that packets are fragmented as intended (Use –send-eth to bypass the IP layer and send raw Ethernet frames).

–source-port <number>; -g <number> (spoofing scan source port)
This is option allows you to send your outgoing scans over a specific port. However, while this works with raw socket scans like TCP SYN and UDP scans, it may not work as intended for version detection, script scans, OS detection.


This brings us to the end of the series. I hope it has helped you grasp a little more about nmap and experiment further with this powerful tool.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s