Exploring Nmap's Default Scan

Most of the information I've found while researching Nmap has been of the "what" variety, rather than the "how" or the "why", so I figured I'd spend some time learning a thing or two about what Nmap does, how it does it, and why.

In reading a book, a reference guide, and a few forum threads on the topic, I feel like I've achieved a basic understanding of Nmap's design philosophy. Highly configurable, many options, and conservative defaults. You can change almost anything about Nmap's behaviour to suit your needs.

But what actually happens when you run the simplest of scans, nmap <target>?

The Default Scan

Nmap's defaults have been set based on extensive research by its author. So what's going on under the hood?

If we were to build this on our own, it would look like this:

nmap -PA 80 -PE -PP -PR -PS 443 -sS -T3 --top-ports 1000 <target>

Let's break down the settings:

• -PA 80 - TCP ACK ping to port 80
• -PE - ICMP echo request
• -PP - ICMP timestamp request
• -PR - ARP ping if the target is on the same subnet
• -PS 443 - TCP SYN ping to port 443
• -sS - Use TCP SYN scan to find open ports
• -T3 - Use normal timing template
• --top-ports 1000 - Scan the top 1000 ports as determined by Fyodor's research

Timing Templates

The -T* settings (0-5) are timing templates that tell Nmap how aggressive to be with its scans. -T4 is recommended for most networks.

Nmap will adjust its scan speed based on network performance so the effects of most of the performance and timing settings are to set upper and lower limits for some of these delays. Where documentation wasn't available, I worked backwards from descriptions and what resources I could find to suss out the settings.

T0

1

--scan-delay 5m --max-parallelism 1

• --scan-delay 5m - Wait 5 minutes between probes
• --max-parallelism 1 - Only send one probe at a time

T1

1

--scan-delay 15s --max-parallelism 1

• --scan-delay 15s - Wait 15 seconds between probes
• --max-parallelism 1 - Only send one probe at a time

T2

1

--scan-delay 0.4s --max-parallelism 1

• --scan-delay 0.4s - Wait 0.4 seconds between probes
• --max-parallelism 1 - Only send one probe at a time

T3

Nmap's default. Will increase speed as the network proves itself.

T4

Nmap's recommended setting for most fast networks.

1

--max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6 --max-scan-delay 10ms

T5

1

--max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m --script-timeout 10m --max-scan-delay 5ms

Resources

• An Nmap Primer
• Host Discovery
• Port Scanning Techniques
• Timing and Performance