Methodology Checklist
- Standard fast scan: nmap -T4 --min-rate 5000 [TARGET]
- Max parallelism: nmap --min-parallelism 100 [TARGET]
- Adjust host timeout for slow targets: --host-timeout 30s
- Use timing template T4 for internal, T2 for IDS-sensitive engagements
- Limit retries on unresponsive ports: --max-retries 1
- Check scan rate impact on target stability during testing
Operational Context
Think Dumber First:
--min-rate 5000 with -T4 is the sweet spot for HTB VPN connections. If you're seeing inconsistent results or missing ports, drop to --min-rate 2000. Never use -T5 (insane) in practice; it drops packets faster than the network can deliver them. --max-rtt-timeout 200ms is more reliable than timing templates for tuning.
When you land here: Scan is too slow or producing unreliable results. Tune based on symptoms: missing ports = slow down or increase retries; timeout = increase RTT timeout; VPN instability = reduce rate and increase retries.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| sudo nmap [TARGET_IP] -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms | Aggressive RTT limits for fast networks |
| sudo nmap [TARGET_IP] -F --max-retries 0 | Zero retries - fastest but misses packets |
| sudo nmap [TARGET_IP] -F --min-rate 300 | Force minimum 300 packets/second |
| sudo nmap [TARGET_IP] -T 4 | Aggressive timing template (standard for CTFs) |
| sudo nmap [TARGET_IP] -T 5 | Insane timing - maximum speed, high miss risk |
| sudo nmap [TARGET_IP] -T 0 | Paranoid - IDS evasion, extremely slow |
Deep Dive & Workflow
Golden Rule: Speed comes at the cost of accuracy. Tuning too aggressively leads to missed hosts and open ports.
Timing Templates (-T)
| Template | Name | Use Case |
|---|---|---|
| -T 0 | Paranoid | IDS evasion, extremely slow |
| -T 1 | Sneaky | IDS evasion, very slow |
| -T 2 | Polite | Low bandwidth / shared networks |
| -T 3 | Normal | Default - good balance |
| -T 4 | Aggressive | Standard for CTFs - fast, reliable |
| -T 5 | Insane | Very fast - high risk of missed ports |
RTT Timeouts
Controls how long Nmap waits for a response.
- Default starts at 100ms.
- Setting too low causes Nmap to miss slower hosts.
- --initial-rtt-timeout: Starting wait time
- --max-rtt-timeout: Hard limit
Retries
Default is 10 (--max-retries). Reducing it speeds up scans but risks missing ports on lossy networks.
Packet Rate
--min-rate [N] forces Nmap to send at least N packets/second. Best for white-box testing or CTFs where network load is known.
Decision Checklist
- Network stable? → Reduce --max-retries
- Bandwidth high? → Increase --min-rate
- Want easy speed? → Use -T 4
- Missing hosts? → Timeouts too aggressive → slow down
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Scan completes instantly but misses known-open ports | --min-rate too high causing packet loss on VPN | Reduce rate: --min-rate 2000 --max-retries 3; confirm with targeted rescan of specific ports |
| Scan hangs mid-progress and freezes | VPN dropped mid-scan | Check VPN connection; re-run with port range after last known good port using -p [LAST_PORT]-65535 |
| -T5 scan results inconsistent | Insane timing drops packets faster than VPN can handle | Use -T4 with explicit --min-rate instead; -T5 is effectively unusable over VPN |
| Scan takes >30 minutes on single host | Combining -p- with -sV -sC slowing full-port sweep | Separate passes: nmap -p- --min-rate 5000 first, then nmap -p [OPEN_PORTS] -sV -sC |
| Performance flags have no effect | Kernel-level rate limiting on scan host | Run ulimit -n 65535 before nmap; check sysctl net.core.rmem_max and increase if needed |
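The first row of the table above (a fast sweep that misses known-open ports, confirmed by a targeted rescan) is easy to check mechanically. The following Python script is an added example, not part of the original cheat sheet: it parses nmap's grepable output (-oG) for a fast sweep and for a slower validation rescan, reports which open ports the fast sweep missed, builds the -p list for a targeted rescan, and applies the page's rule that missing ports mean slowing down and adding retries. The two scan outputs are constructed samples, and the numeric adjustment policy (halve the rate, add two retries) is an illustrative assumption, not an nmap rule.

```python
from typing import Dict, Set, Tuple

# Constructed sample -oG output for one host: a fast full-port sweep and a
# slower validation rescan of a smaller range. Both are made up for this example.
FAST_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample: -p- --min-rate 5000 --max-retries 1)
Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (65533)
# Nmap done (constructed sample)
"""

VALIDATION_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample: -p 1-4000 --min-rate 2000 --max-retries 3)
Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (3996)
# Nmap done (constructed sample)
"""

Port = Tuple[int, str]  # (port number, protocol)


def parse_gnmap(text: str) -> Dict[str, Set[Port]]:
    """Return {host: {(port, proto), ...}} for ports reported as 'open' in -oG output.

    Grepable lines are tab-separated fields; the Ports field holds comma-separated
    entries of the form port/state/proto/owner/service/rpc/version/.
    """
    result: Dict[str, Set[Port]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = [f.strip() for f in line.split("\t")]
        host = fields[0].split()[1]
        ports = result.setdefault(host, set())
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                # Only count a definite 'open'; 'open|filtered' is not confirmed.
                if len(parts) >= 3 and parts[1] == "open":
                    ports.add((int(parts[0]), parts[2]))
    return result


def missed_ports(fast: Dict[str, Set[Port]],
                 validation: Dict[str, Set[Port]]) -> Dict[str, Set[Port]]:
    """Ports open in the validation scan that the fast sweep did not report."""
    missed = {}
    for host, open_ports in validation.items():
        delta = open_ports - fast.get(host, set())
        if delta:
            missed[host] = delta
    return missed


def rescan_port_spec(ports: Set[Port]) -> str:
    """Build the -p argument for a targeted rescan of the ports the sweep missed."""
    return ",".join(str(p) for p, _ in sorted(ports))


def next_parameters(missed: Dict[str, Set[Port]], min_rate: int, max_retries: int) -> dict:
    """Apply the page's rule: missing ports = slow down or increase retries.

    Assumption (illustrative policy, not an nmap rule): halve the rate and add two retries.
    """
    if not missed:
        return {"status": "consistent", "min_rate": min_rate, "max_retries": max_retries}
    return {"status": "missed_ports", "min_rate": min_rate // 2, "max_retries": max_retries + 2}


if __name__ == "__main__":
    fast = parse_gnmap(FAST_SCAN)
    validation = parse_gnmap(VALIDATION_SCAN)
    missed = missed_ports(fast, validation)
    for host, ports in missed.items():
        print(f"{host}: fast sweep missed {rescan_port_spec(ports)}")
    print(next_parameters(missed, min_rate=5000, max_retries=1))
```

In practice the two inputs come from `nmap ... -oG fast.gnmap` and `nmap ... -oG validation.gnmap`; read the files and pass their contents to parse_gnmap. A non-empty missed set is the signal from the troubleshooting table, and the port spec it produces feeds the targeted rescan before results go into the report's scan-coverage section.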
Reporting Trigger
Finding Title: (Performance tuning is operational methodology, not a vulnerability. Document scan coverage and timing parameters used in the engagement methodology section for report completeness.)