Network mapper (Nmap) is a popular open-source network scanning and inspection tool. It is intended to find hosts and services on a computer network to create a network map. Nmap has a variety of scanning techniques, including TCP, UDP, SYN, ACK, and ICMP scans.
A timing template is a set of parameters in Nmap that affect how quickly and aggressiveness of a scan. Nmap has several predefined timing templates.
The timing template allows us to customize the scan to our needs, whether to swiftly obtain information on a target or conduct a more comprehensive and extensive scan.
Note: When implementing timing templates in Nmap, the scan results will not alter much. The only difference will be the time it takes to conduct a scan.
The -T flag is used to perform the default SYN scan or stealth scan on the target.
nmap -T<Number> <Server name/IP address of a server>
We can either add the server's name or the server's IP address.
The parameter <Number> defines the type of timing templates which we will discuss next. We should replace the parameter <Number> with a number ranging from 0 to 5.
There are a total six built-in timing templates in Nmap. Now we will discuss each of them in detail
This is the slowest and most conservative template. It transmits probes one by one, with an extensive delay between them. This template is incredibly effective for avoiding detection, however the scan may take a long time.
The following is the syntax to run a paranoid scan.
nmap -T0 <Server name/IP address of a server>
This template is slightly faster than a paranoid scan but still relatively slow. It transmits probes one at a time, each with a shorter delay. This template proves valuable when aiming to remain undetected while accomplishing a scan within a reasonable timeframe.
The following is the syntax to run a sneaky scan.
nmap -T1 <Server name/IP address of a server>
The polite scan is relatively faster than the sneaky scan but still relatively stealthy. It delivers probes in smaller groups, each with a delay between them. This template is also effective for avoiding detection while still finishing the scan in an acceptable amount of time.
The following is the syntax to run a polite scan.
nmap -T2 <Server name/IP address of a server>
This timing template is the default one, and it provides an excellent balance between speed and stealth. It delivers probes in bigger groupings, each with a delay between them. This template is appropriate for the majority of scanning situations.
The following is the syntax to run a normal scan.
nmap -T3 <Server name/IP address of a server>
This aggressive scan mode is used to scan more quickly. It transmits probes in bigger groupings, each with a shorter latency. This template is handy for scanning a large number of hosts or ports fast, but it is more likely to create false results or be discovered by the target host.
The following is the syntax to run an aggressive scan.
nmap -T4 <Server name/IP address of a server>
The insane scan is the fastest timing template. Using this template is strongly discouraged since it is extremely likely to cause major problems for the target host. It is also possible that the target's firewall will blacklist your IP address. Furthermore, this scan will almost certainly generate many alerts on the target. However, it delivers probes as rapidly as feasible, with no inter-probe latency. This template is handy for scanning many hosts or ports fast.
The following is the syntax to run an aggressive scan.
nmap -T5 <Server name/IP address of a server>
Let's investigate the Nmap official testing server (i.e., scanme.nmap.org) using Nmap's timing templates in the following terminal.
Free Resources