Exploring Nmap's Default Scan

February 15, 2018

Most of the information I’ve found while researching Nmap has been of the “what” variety, rather than the “how” or the “why”, so I figured I’d spend some time learning a thing or two about what Nmap does, how it does it, and why.

In reading a book, a reference guide, and a few forum threads on the topic, I feel like I’ve achieved a basic understanding of Nmap’s design philosophy. Highly configurable, many options, and conservative defaults. You can change almost anything about Nmap’s behaviour to suit your needs.

But what actually happens when you run the simplest of scans, nmap <target>?

The Default Scan

Nmap’s defaults have been set based on extensive research by its author. So what’s going on under the hood?

If we were to build this on our own, it would look like this:

nmap -PA 80 -PE -PP -PR -PS 443 -sS -T3 --top-ports 1000 <target>

Let’s break down the settings:

Timing Templates

The -T* settings (0-5) are timing templates that tell Nmap how aggressive to be with its scans. -T4 is recommended for most networks.

Nmap will adjust its scan speed based on network performance so the effects of most of the performance and timing settings are to set upper and lower limits for some of these delays. Where documentation wasn’t available, I worked backwards from descriptions and what resources I could find to suss out the settings.

T0

--scan-delay 5m --max-parallelism 1

T1

--scan-delay 15s --max-parallelism 1

T2

--scan-delay 0.4s --max-parallelism 1

T3

Nmap’s default. Will increase speed as the network proves itself.

T4

Nmap’s recommended setting for most fast networks.

--max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6 --max-scan-delay 10ms

T5

--max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m --script-timeout 10m --max-scan-delay 5ms

Resources