In this lab, the goal is to optimize scan timing and performance in Nmap. You will learn various techniques to enhance Nmap scans, including using the fast template with -T4 for a quick network scan, increasing parallelism, setting delays, tracking progress, testing stealth, and comparing timing in the Xfce terminal. These steps will help you understand how to balance speed and accuracy in Nmap scans.
In this step, we will use the fast template option with Nmap to perform a quick scan of a network. The -T4 option is used to specify a timing template that balances speed and accuracy. It's faster than the default template but may be less accurate in some cases.
Before we begin, let's understand what a timing template is. Nmap uses timing templates to control how aggressively it scans a target. These templates affect parameters like the delay between probes, the number of retries, and the timeout values. The -T option allows you to choose a predefined template, ranging from -T0 (paranoid) to -T5 (insane). Higher numbers indicate more aggressive scanning.
The -T4 template is a good compromise for most networks. It's faster than the default template (-T3) but still avoids being overly aggressive, which could lead to dropped packets or trigger intrusion detection systems.
Now, let's perform the scan. We'll use the nmap -T4 192.168.1.0/24 command to scan the 192.168.1.0/24 network.
Open your terminal in the LabEx VM. Make sure you are in the ~/project directory.
Execute the following command:
sudo nmap -T4 192.168.1.0/24This command tells Nmap to scan all IP addresses in the 192.168.1.0/24 range using the -T4 timing template. The /24 specifies a subnet mask of 255.255.255.0, meaning Nmap will scan 256 IP addresses (192.168.1.0 through 192.168.1.255).
The output will show the results of the scan, including the open ports and services running on each host. Since the 192.168.1.0/24 network is likely your local network, the results will vary depending on the devices connected to it.
Example output (will vary based on your network):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00028s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 192.168.1.100
Host is up (0.00031s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 256 IP addresses (2 hosts up) scanned in 5.23 secondsThis output shows that Nmap scanned 256 IP addresses and found two hosts up: 192.168.1.1 and 192.168.1.100. Host 192.168.1.1 has port 80 (http) open, and host 192.168.1.100 has port 22 (ssh) open. The scan took approximately 5.23 seconds.
In this step, we will increase the parallelism of Nmap scans using the --min-parallelism option. This option allows you to specify the minimum number of probes Nmap sends in parallel. Increasing parallelism can significantly speed up scans, especially on networks with many hosts or ports.
By default, Nmap dynamically adjusts the level of parallelism based on network conditions. However, you can use --min-parallelism to ensure that Nmap always sends at least a certain number of probes concurrently.
Let's understand what parallelism means in the context of Nmap. When Nmap scans a target, it sends out probes to different ports or hosts. With parallelism, Nmap can send multiple probes simultaneously instead of waiting for a response from each probe before sending the next one. This can greatly reduce the overall scan time.
Now, let's perform a scan with increased parallelism. We'll use the nmap --min-parallelism 20 127.0.0.1 command to scan the localhost (127.0.0.1) with a minimum parallelism of 20.
Open your terminal in the LabEx VM. Make sure you are in the ~/project directory.
Execute the following command:
sudo nmap --min-parallelism 20 127.0.0.1This command tells Nmap to scan 127.0.0.1 and attempt to maintain at least 20 probes in parallel. Note that Nmap may still adjust the parallelism dynamically based on network conditions, but it will try to stay above the specified minimum.
The output will show the results of the scan, including the open ports and services running on localhost.
Example output (will vary based on your system):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000027s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
631/tcp open ipp
9000/tcp open cslistener
Nmap done: 1 IP address (1 host up) scanned in 0.15 secondsThis output shows that Nmap scanned localhost (127.0.0.1) and found three ports open: 22 (ssh), 631 (ipp), and 9000 (cslistener). The scan completed relatively quickly due to the increased parallelism. The actual time saved will depend on the network conditions and the target being scanned.
In this step, we will set a delay between probes using the --scan-delay option in Nmap. This option allows you to specify the amount of time Nmap should wait between sending each probe. Increasing the scan delay can be useful for avoiding detection by intrusion detection systems (IDS) or for scanning hosts that are sensitive to network traffic.
By default, Nmap automatically adjusts the scan delay based on network conditions. However, you can use --scan-delay to manually set a specific delay. The delay is specified in milliseconds (ms) or seconds (s).
Let's understand why you might want to use a scan delay. A very fast scan can overwhelm a target host or trigger security alerts. Adding a delay makes the scan less aggressive and less likely to be noticed. This is especially important when scanning production systems or networks where you want to minimize the impact of the scan.
Now, let's perform a scan with a specified delay. We'll use the nmap --scan-delay 500ms 192.168.1.1 command to scan the host 192.168.1.1 with a delay of 500 milliseconds between each probe.
Open your terminal in the LabEx VM. Make sure you are in the ~/project directory.
Execute the following command:
sudo nmap --scan-delay 500ms 192.168.1.1This command tells Nmap to scan 192.168.1.1 and wait 500 milliseconds between sending each probe. This will significantly slow down the scan compared to a scan without a delay.
The output will show the results of the scan, including the open ports and services running on 192.168.1.1.
Example output (will vary based on your network):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00031s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 5.50 secondsThis output shows that Nmap scanned 192.168.1.1 and found port 80 (http) open. Notice that the scan took longer (5.50 seconds) than it might have without the --scan-delay option. The exact time will vary depending on the target and network conditions.
In this step, we will learn how to track the progress of an Nmap scan using the -v (verbose) and --stats-every options. These options provide real-time feedback on the scan's progress, which is especially useful for long-running scans.
The -v option increases the verbosity level of Nmap's output. With -v, Nmap will display more information about the scan, including the probes being sent, the responses received, and the status of each host. You can use -vv for even more verbose output.
The --stats-every option allows you to specify how often Nmap should print statistics about the scan's progress. The value is specified in seconds (s), minutes (m), or hours (h). For example, --stats-every 5s will print statistics every 5 seconds.
Let's understand why tracking progress is important. When scanning large networks, Nmap scans can take a significant amount of time. Without progress information, it can be difficult to know how far along the scan is and whether it's making progress. The -v and --stats-every options provide valuable insights into the scan's status.
Now, let's perform a scan with progress tracking. We'll use the nmap -v --stats-every 5s 192.168.1.0/24 command to scan the 192.168.1.0/24 network and print statistics every 5 seconds.
Open your terminal in the LabEx VM. Make sure you are in the ~/project directory.
Execute the following command:
sudo nmap -v --stats-every 5s 192.168.1.0/24This command tells Nmap to scan all IP addresses in the 192.168.1.0/24 range, display verbose output, and print statistics every 5 seconds.
The output will show the progress of the scan, including the number of hosts scanned, the number of hosts up, and the estimated time remaining.
Example output (will vary based on your network):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:20 UTC
Initiating Ping Scan at 10:20
Scanning 256 hosts [2 ports/host]
Completed Ping Scan at 10:20, 0.23s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 256 hosts. at 10:20
Completed Parallel DNS resolution of 256 hosts. at 10:20, 1.42s elapsed
Initiating SYN Stealth Scan at 10:20
Scanning 256 hosts [1000 ports/host]
5s elapsed; 0 hosts completed (0.00/s). 0 hosts up.
10s elapsed; 0 hosts completed (0.00/s). 0 hosts up.
15s elapsed; 0 hosts completed (0.00/s). 0 hosts up.
20s elapsed; 1 hosts completed (0.04/s). 1 hosts up.
Nmap scan report for 192.168.1.1
Host is up (0.00029s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
25s elapsed; 1 hosts completed (0.04/s). 1 hosts up.
Nmap scan report for 192.168.1.100
Host is up (0.00032s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
30s elapsed; 2 hosts completed (0.07/s). 2 hosts up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 32.50 secondsThis output shows the progress of the scan every 5 seconds. You can see the number of hosts completed, the scan rate (hosts/s), and the number of hosts that are up. The scan also reports open ports as they are discovered.
In this step, we will explore how to perform a stealth scan using Nmap with the -T1 timing template. Stealth scanning aims to minimize the chances of being detected by intrusion detection systems (IDS) or firewalls.
The -T1 option is known as the "sneaky" timing template. It's slower than the default template and is designed to be less noticeable. It achieves this by increasing the delay between probes, which reduces the load on the target system and makes the scan less likely to be flagged as malicious.
It's important to understand that no scan is truly invisible. Even with stealth techniques, there's always a risk of detection. However, using the -T1 option can significantly reduce that risk.
Now, let's perform a stealth scan of the localhost (127.0.0.1) using the -T1 timing template.
Open your terminal in the LabEx VM. Make sure you are in the ~/project directory.
Execute the following command:
sudo nmap -T1 127.0.0.1This command tells Nmap to scan the localhost (127.0.0.1) using the -T1 timing template. Because we are scanning localhost, the scan should complete relatively quickly, even with the slower timing template.
The output will show the results of the scan, including the open ports and services running on the localhost.
Example output (may vary based on your system configuration):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:40 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000007s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
631/tcp open ipp
9000/tcp open cslistener
Nmap done: 1 IP address (1 host up) scanned in 10.50 secondsThis output shows that Nmap scanned the localhost and found three ports open: 22 (ssh), 631 (ipp), and 9000 (cslistener). The scan took approximately 10.50 seconds. Note that the scan time might be longer compared to using a faster timing template like -T4.
In this step, we will compare the execution time of Nmap scans using different timing templates. We'll use the Xfce terminal to run the scans and observe the time it takes for each scan to complete. This will help you understand the impact of timing templates on scan speed.
We will compare the -T1 (sneaky) and -T4 (fast) timing templates. We'll scan the localhost (127.0.0.1) for this comparison.
Open your terminal in the LabEx VM. Make sure you are in the ~/project directory.
First, let's run a scan using the -T1 timing template. We'll use the time command to measure the execution time.
Execute the following command:
time sudo nmap -T1 127.0.0.1The time command will execute the Nmap scan and then display the time it took to complete. Pay attention to the "real" time reported by the time command. This represents the total elapsed time.
Example output (the time will vary):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 11:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000007s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
631/tcp open ipp
9000/tcp open cslistener
Nmap done: 1 IP address (1 host up) scanned in 10.50 seconds
real 0m10.552s
user 0m0.103s
sys 0m0.032sIn this example, the "real" time is 0 minutes and 10.552 seconds.
Now, let's run the same scan using the -T4 timing template.
Execute the following command:
time sudo nmap -T4 127.0.0.1Again, pay attention to the "real" time reported by the time command.
Example output (the time will vary):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 11:01 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000007s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
631/tcp open ipp
9000/tcp open cslistener
Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds
real 0m1.285s
user 0m0.098s
sys 0m0.029sIn this example, the "real" time is 0 minutes and 1.285 seconds.
Compare the "real" times from the two scans. You should observe that the scan using the -T4 timing template completes significantly faster than the scan using the -T1 timing template. This demonstrates the trade-off between speed and stealth. -T1 is slower but more stealthy, while -T4 is faster but potentially more noticeable.
In this lab, participants learned to optimize Nmap scan timing and performance. They used the -T4 option for a fast yet balanced scan of the 192.168.1.0/24 network, understanding that higher -T values mean more aggressive scanning. They also increased parallelism with --min-parallelism 20, set a scan delay with --scan-delay 500ms, tracked progress with -v --stats-every 5s, tested stealth scanning with -T1, and compared timings in the Xfce terminal.
