Nmap’s timing templates are a deceptive shortcut; most users think they’re just about speed, but what they actually set is how long Nmap waits for each reply, how many times it retransmits an unanswered probe, and how many probes it keeps in flight. Those are accuracy decisions, and the speed of the scan falls out of them.
Let’s watch Nmap actually do its thing with a timing template. Imagine we’ve got a small, isolated network segment with a single host at 192.168.1.100. We want to see what ports are open.
First, the default:
nmap 192.168.1.100
This is -T3 (Normal), the default, and it is the baseline to compare against. Nmap starts by allowing a probe one second to be answered, adjusts that wait as it measures real round-trip times, and retransmits an unanswered probe up to ten times before giving up on it. It’s trying to be accurate without annoying the network or the target.
Now, let’s crank it up with -T4 (Aggressive):
nmap -T4 192.168.1.100
Notice how much faster that was? -T4 shortens the initial wait to 500 ms, caps it at 1.25 s however slow the replies are, allows six retransmissions instead of ten, and limits the delay Nmap will insert between probes to 10 ms. It’s willing to make more "noise" and assumes the network can handle it.
And for the truly impatient (and potentially disruptive), -T5 (Insane):
nmap -T5 192.168.1.100
This one is a blur. -T5 cuts the waits again (250 ms initially, never more than 300 ms), retransmits at most twice, and abandons any host that has taken more than 15 minutes, discarding whatever it learned about it. Nmap’s own documentation says this mode trades accuracy for speed: a probe whose reply is slower than 300 ms gets retransmitted, and once the two retries are spent the port is reported as filtered. It’s essentially saying, "I’m going to blast this and hope for the best."
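The walk-through above compares templates by eye. As an added example (not code from the original article or from the Nmap project), the script below drives the real nmap binary through subprocess for each template, parses the XML report that `-oX -` writes to stdout, and diffs the per-port results against the -T3 baseline, so you see not only that -T4 or -T5 was faster but whether it lost or misclassified any port. It assumes nmap is on PATH, that a SYN scan has the privileges it needs, and that you are permitted to scan the target; the two XML fragments embedded in it are constructed samples so the parsing and diff logic can be exercised offline.

```python
"""Run the same scan under several timing templates and diff the results.

Added example for this article, not part of the original page or of Nmap.
It drives the real nmap binary (-oX - puts the XML report on stdout) and
parses that XML, so you can see whether a faster template lost or
misclassified any port. Assumes nmap is on PATH, that -sS has the
privileges it needs, and that you may scan the target. The two XML
fragments below are constructed samples so the parsing runs offline.
"""
import subprocess
import xml.etree.ElementTree as ET

# Constructed -oX output for a -T3 run: three open ports, the rest closed.
SAMPLE_T3_XML = """<nmaprun scanner="nmap" args="nmap -T3 -sS -p 1-1024 -oX - 192.168.1.100">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.100" addrtype="ipv4"/>
<ports><extraports state="closed" count="1021"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/></port>
</ports></host>
<runstats><finished elapsed="5.21"/></runstats>
</nmaprun>"""

# Constructed -oX output for a -T5 run of the same host: the SYN/ACK from
# port 80 was not seen within the short retry budget, so it came back filtered.
SAMPLE_T5_XML = SAMPLE_T3_XML.replace("-T3", "-T5").replace("5.21", "1.02").replace(
    '<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>',
    '<port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/>')


def parse_nmap_xml(xml_text):
    """Return (elapsed_seconds, {'port/proto': state}, (extraports_state, count))."""
    root = ET.fromstring(xml_text)
    states = {}
    for port in root.iter("port"):
        states[f"{port.get('portid')}/{port.get('protocol')}"] = port.find("state").get("state")
    extra = root.find(".//extraports")
    extra = (extra.get("state"), int(extra.get("count"))) if extra is not None else None
    finished = root.find("runstats/finished")
    elapsed = float(finished.get("elapsed")) if finished is not None else float("nan")
    return elapsed, states, extra


def diff_port_states(baseline, candidate):
    """Ports whose state differs: {'port/proto': (baseline_state, candidate_state)}.

    A port listed in one run but folded into <extraports> in the other shows as 'absent'.
    """
    keys = set(baseline) | set(candidate)
    return {k: (baseline.get(k, "absent"), candidate.get(k, "absent"))
            for k in sorted(keys, key=lambda s: int(s.split("/")[0]))
            if baseline.get(k) != candidate.get(k)}


def scan(target, level, extra_args=("-sS", "-p", "1-1024")):
    """Run one nmap scan at timing level `level` and parse its XML report."""
    cmd = ["nmap", f"-T{level}", *extra_args, "-oX", "-", target]
    result = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return parse_nmap_xml(result.stdout)


if __name__ == "__main__":
    target = "192.168.1.100"   # the host from the article; change to your own lab target
    base_elapsed, base_states, base_extra = scan(target, 3)
    print(f"-T3: {base_elapsed:.1f}s, {base_states}, extraports={base_extra}")
    for level in (4, 5):
        elapsed, states, extra = scan(target, level)
        changed = diff_port_states(base_states, states)
        print(f"-T{level}: {elapsed:.1f}s, speedup x{base_elapsed / elapsed:.1f}, "
              f"{len(changed)} port(s) differ from -T3: {changed}")
```

Run it three or four times: a port that flips between open and filtered only under -T5 is the retry budget running out, not a change on the target, and that is the signal to stay at -T4 (or raise --max-retries) on that network.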
The core problem Nmap timing templates solve is the trade-off between scan speed and accuracy in the face of network latency, packet loss, and IDS/IPS systems. Too slow, and scans take forever, especially on large networks. Too fast, and you risk:
- False negatives: a probe or its reply is dropped, the shortened retry budget runs out before a retransmission gets through, and an open port is never reported.
- Wrong port states: in a SYN scan an unanswered probe is reported as filtered, so with too few retries, or a timeout shorter than the link’s round-trip time, closed and open ports alike come back as filtered and the host looks firewalled when it is not. (Middleboxes that answer on the target’s behalf, such as a firewall or load balancer that completes the handshake itself, give wrong results at any speed; timing does not fix those.)
- Rate limiting and detection: aggressive scans are far more likely to trip an intrusion detection system, and targets that rate-limit their replies (common for the ICMP port-unreachable messages a UDP scan depends on) force Nmap to slow down regardless of the template.
Nmap’s timing templates (-T0 through -T5) are pre-defined settings for several parameters you could also set individually:
- Parallelism: how many probes Nmap keeps outstanding at once. -T0, -T1 and -T2 serialize the scan to one probe at a time; -T3 and above let Nmap’s congestion control decide, within --min-parallelism and --max-parallelism.
- Scan delay: the minimum gap between probes to a host (5 minutes for -T0, 15 seconds for -T1, 0.4 seconds for -T2, none by default from -T3 up), and the ceiling Nmap may raise that gap to when it detects rate limiting (--max-scan-delay: 1 second by default, 10 ms for -T4, 5 ms for -T5 on TCP).
- RTT timeouts: how long to wait for a reply before retransmitting. Nmap starts at --initial-rtt-timeout, then tracks the round-trip times it measures, never going below --min-rtt-timeout or above --max-rtt-timeout.
- Retries: how many times an unanswered probe is retransmitted before Nmap gives up on it (--max-retries).
- Host timeout: how long Nmap will spend on one host before abandoning it and discarding everything it learned about it (--host-timeout). Only -T5 sets one (15 minutes); this is not the wait before a host is declared down, which is governed by the host-discovery probes and the RTT timeouts above.
Let’s look at the underlying mechanics of -T4 (Aggressive). It is equivalent to --initial-rtt-timeout 500ms --min-rtt-timeout 100ms --max-rtt-timeout 1250ms --max-retries 6, with the maximum TCP scan delay set to 10 ms, and it sets no host timeout. The default (-T3) waits 1 second initially, allows the timeout to grow to 10 seconds, retransmits up to 10 times and lets the scan delay grow to 1 second. The key is where a scan spends its wall clock: on probes that will never be answered. -T4 gives up on each of those roughly four times sooner and retries them fewer times, which is why it feels so much faster on a filtered host and makes almost no difference on a host that answers everything promptly.
Conversely, -T0 (Paranoid) is incredibly slow. It keeps a single probe in flight and waits 5 minutes between probes, so the 1,000 ports of a default scan take 5,000 minutes, about three and a half days, for one host. -T1 (Sneaky) does the same with a 15-second gap, and -T2 (Polite) with a 0.4-second gap. These are designed to stay under IDS thresholds and keep the load on the target negligible, but they are impractical for anything beyond a handful of ports.
The most common and often best-performing template is -T4, which is what the Nmap documentation recommends for reasonably modern and reliable networks. It offers a significant speedup over the default (-T3) without being overly aggressive: its 1.25-second ceiling on the timeout still accommodates most WAN links, whereas -T5’s 300 ms ceiling is below the round-trip time of a satellite or badly congested link, so -T5 retransmits every probe there and reports many ports as filtered. -T5 is rarely recommended for general use; it’s for situations where you know the network is extremely fast and reliable, and you’re willing to accept the risks.
What most people don’t realize is that Nmap dynamically adjusts its timing based on observed network performance even within a template. It keeps a smoothed estimate of the measured round-trip time and derives the per-probe timeout from it, clamped between the template’s minimum and maximum RTT timeouts; it runs TCP-style congestion control on the number of outstanding probes, growing it while replies keep arriving and cutting it back on drops; and if it detects that the target is rate-limiting replies, it inserts a scan delay, up to the template’s --max-scan-delay. So the template sets the bounds and the measured network decides where within them Nmap operates. That is why -T4 is safe on most networks: its floor and ceiling are loose enough that the adaptive logic can still track reality, while -T5’s are tight enough that on a slow link there is nothing left to adapt.
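To make the bounds-versus-adaptation point concrete, here is an added example (it is not Nmap’s code and not from the original article) that models the part of Nmap’s timing that the template constrains: a smoothed RTT estimate turned into a probe timeout, clamped to the template’s --min-rtt-timeout and --max-rtt-timeout, plus the retransmission schedule that --max-retries allows. The per-template numbers are the ones the Nmap reference guide lists; the smoothing constants are the classic TCP estimator that Nmap’s timing code is modelled on, the initial variance of half the first sample is the example’s own choice, and holding the timeout fixed across one probe’s retransmissions is a simplification made here for clarity. The RTT scenarios at the bottom are constructed, not measured.

```python
"""How a timing template bounds Nmap's adaptive timeout and retry budget.

Added example for this article; it is not Nmap's code. The per-template
values are those the Nmap reference guide lists for --initial-rtt-timeout,
--min-rtt-timeout, --max-rtt-timeout and --max-retries (-T3 is the default).
RTT smoothing is the classic TCP estimator (srtt += delta/8,
rttvar += (|delta| - rttvar)/4, timeout = srtt + 4*rttvar), which Nmap's
timing code is modelled on; the initial rttvar of half the first sample and
the fixed timeout during one probe's retransmissions are this example's
simplifications.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Template:
    name: str
    initial_rtt_ms: float
    min_rtt_ms: float
    max_rtt_ms: float
    max_retries: int


TEMPLATES = {
    3: Template("normal", 1000, 100, 10000, 10),
    4: Template("aggressive", 500, 100, 1250, 6),
    5: Template("insane", 250, 50, 300, 2),
}


class RttEstimator:
    """Smoothed RTT -> probe timeout, clamped to the template's bounds."""

    def __init__(self, tpl):
        self.tpl = tpl
        self.srtt = None
        self.rttvar = None
        self.timeout = float(tpl.initial_rtt_ms)

    def observe(self, rtt_ms):
        """Fold one measured RTT into the estimate; return the new timeout."""
        if self.srtt is None:
            self.srtt, self.rttvar = float(rtt_ms), rtt_ms / 2.0
        else:
            delta = rtt_ms - self.srtt
            self.srtt += delta / 8.0
            self.rttvar += (abs(delta) - self.rttvar) / 4.0
        raw = self.srtt + 4.0 * self.rttvar
        self.timeout = min(max(raw, self.tpl.min_rtt_ms), self.tpl.max_rtt_ms)
        return self.timeout


def settle_timeout(level, rtt_samples):
    """Feed measured RTTs to a fresh estimator; return the timeout it settles on."""
    est = RttEstimator(TEMPLATES[level])
    for rtt in rtt_samples:
        est.observe(rtt)
    return est.timeout


def probe_outcome(tpl, timeout_ms, true_rtt_ms, lost_replies=()):
    """One port probe under a fixed timeout.

    The probe goes out at t=0 and is retransmitted every timeout_ms until
    max_retries are used; Nmap gives up one timeout after the last send.
    lost_replies holds the attempt indices (0 = original) whose reply the
    network drops. Returns (state, retransmissions_before_answer, elapsed_ms);
    'no-response' is what a SYN scan reports as 'filtered'.
    """
    sends = [i * timeout_ms for i in range(tpl.max_retries + 1)]
    give_up = sends[-1] + timeout_ms
    arrivals = [s + true_rtt_ms for i, s in enumerate(sends) if i not in lost_replies]
    answered = [a for a in arrivals if a < give_up]
    if not answered:
        return "no-response", tpl.max_retries, give_up
    first = answered[0]
    wasted = sum(1 for s in sends[1:] if s < first)  # retransmits fired before the reply landed
    return "answered", wasted, first


if __name__ == "__main__":
    lan = [20] * 10    # constructed: quiet LAN, 20 ms RTT
    wan = [800] * 10   # constructed: satellite or congested link, 800 ms RTT
    for level in (3, 4, 5):
        tpl = TEMPLATES[level]
        print(f"-T{level} ({tpl.name}): timeout settles at {settle_timeout(level, lan):.0f} ms on the LAN, "
              f"{settle_timeout(level, wan):.0f} ms on the 800 ms link")
        print("   800 ms link, first reply lost ->",
              probe_outcome(tpl, settle_timeout(level, wan), 800, lost_replies={0}))
```

On the LAN every template floors at its minimum (100 ms for -T3 and -T4, 50 ms for -T5), which is the template keeping Nmap from trusting a single lucky fast reply. On the 800 ms link -T3 and -T4 settle above the real RTT and recover a lost reply with one retransmission, while -T5 is pinned at its 300 ms ceiling: every probe is retransmitted twice before the first reply can even arrive, and if that reply is lost the port is reported filtered.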
The next hurdle you’ll face is understanding how Nmap’s SYN scan (-sS) interacts with firewall rules, and which of Nmap’s firewall evasion techniques actually help when they get in the way.