What are Nmap Timing Templates?

Network Mapper (Nmap) is a popular open-source network scanning and inspection tool. It is designed to find hosts and services on a computer network in order to build a map of that network. Nmap offers a variety of scanning techniques, including TCP, UDP, SYN, ACK, and ICMP scans.

Nmap timing templates

A timing template is a set of parameters in Nmap that affect the speed and aggressiveness of a scan. Nmap has several predefined timing templates.

The timing template allows us to customize the scan to our needs, whether to swiftly obtain information on a target or conduct a more comprehensive and extensive scan.

Note: Choosing a different timing template in Nmap does not change the scan results much. The only difference is the time it takes to conduct the scan.

Syntax

The -T flag sets the timing template for the scan. With no scan-type option given, Nmap performs its default SYN scan (stealth scan) on the target.

nmap -T<Number> <Server name/IP address of a server>
  • We can either add the server's name or the server's IP address.

  • The parameter <Number> selects the timing template; the templates are discussed next. We should replace <Number> with a number ranging from 0 to 5.

Types of Nmap timing templates

There are a total of six built-in timing templates in Nmap. We will now discuss each of them in detail.

Paranoid scan (T0)

This is the slowest and most conservative template. It transmits probes one by one, with an extensive delay between them. This template is incredibly effective for avoiding detection; however, the scan may take a long time.

The following is the syntax to run a paranoid scan.

nmap -T0 <Server name/IP address of a server>

Sneaky scan (T1)

This template is slightly faster than a paranoid scan but still relatively slow. It transmits probes one at a time, each with a shorter delay. This template proves valuable when aiming to remain undetected while accomplishing a scan within a reasonable timeframe.

The following is the syntax to run a sneaky scan.

nmap -T1 <Server name/IP address of a server>

Polite scan (T2)

The polite scan is faster than the sneaky scan but still relatively stealthy. It delivers probes in smaller groups, each with a delay between them. This template is also effective for avoiding detection while still finishing the scan in an acceptable amount of time.

The following is the syntax to run a polite scan.

nmap -T2 <Server name/IP address of a server>

Normal scan (T3)

This timing template is the default one, and it provides an excellent balance between speed and stealth. It delivers probes in bigger groupings, each with a delay between them. This template is appropriate for the majority of scanning situations.

The following is the syntax to run a normal scan.

nmap -T3 <Server name/IP address of a server>

Aggressive scan (T4)

This aggressive scan mode is used to scan more quickly. It transmits probes in bigger groupings, each with a shorter latency. This template is handy for scanning a large number of hosts or ports fast, but it is more likely to create false results or be discovered by the target host.

The following is the syntax to run an aggressive scan.

nmap -T4 <Server name/IP address of a server>

Insane scan (T5)

The insane scan is the fastest timing template. It delivers probes as rapidly as feasible, with no inter-probe latency, which makes it handy for scanning many hosts or ports fast. However, using this template is strongly discouraged since it is extremely likely to cause major problems for the target host. It is also possible that the target's firewall will blacklist your IP address. Furthermore, this scan will almost certainly generate many alerts on the target.

The following is the syntax to run an insane scan.

nmap -T5 <Server name/IP address of a server>
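
How the timing templates above interact with threshold-based scan detection, as an added example that is not part of the original page: a sliding-window detector run over constructed events. The T0 to T2 inter-probe delays follow the Nmap manual; the T3 to T5 gaps, the source address, the 15-port threshold and all function names are assumptions made for illustration.

```python
from collections import deque

# Inter-probe delay in seconds. T0-T2 values are from the Nmap manual
# (5 min, 15 s, 0.4 s). T3-T5 gaps are constructed stand-ins for
# "parallel probes, very short delay", NOT Nmap's real adaptive timing.
PROBE_GAP = {"T0": 300.0, "T1": 15.0, "T2": 0.4,
             "T3": 0.05, "T4": 0.01, "T5": 0.005}

def synth_events(template, ports=100, src="198.51.100.7"):
    """Constructed firewall-style events: (timestamp, src_ip, dst_port)."""
    gap = PROBE_GAP[template]
    return [(i * gap, src, 1 + i) for i in range(ports)]

def detect_scan(events, window_s, min_ports):
    """True if any source touches >= min_ports distinct ports
    inside a sliding window of window_s seconds."""
    recent = {}  # src -> deque of (timestamp, port) still inside the window
    for ts, src, port in sorted(events):
        q = recent.setdefault(src, deque())
        q.append((ts, port))
        while q and ts - q[0][0] > window_s:
            q.popleft()  # drop probes that aged out of the window
        if len({p for _, p in q}) >= min_ports:
            return True
    return False

def coverage(window_s, min_ports=15):
    """Templates that a detector with this correlation window would flag."""
    return [t for t in PROBE_GAP
            if detect_scan(synth_events(t), window_s, min_ports)]

if __name__ == "__main__":
    for label, window in (("1 min", 60), ("1 hour", 3600), ("24 hours", 86400)):
        print(f"{label:>8} window flags: {coverage(window)}")
```

A detector that only correlates over one minute misses the T0 and T1 pacing entirely, so per-source distinct-port counts need to be kept over hours or a full day to cover the slow templates.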

Coding example

Let's investigate the Nmap official testing server (i.e., scanme.nmap.org) using Nmap's timing templates in a terminal.


Copyright ©2025 Educative, Inc. All rights reserved