Introduction
In this lab, you will learn how to adjust packet rates in Nmap to control the speed of your scans. This involves using the --min-rate and --max-rate options to specify the minimum and maximum number of packets Nmap should send per second.
The lab guides you through setting minimum and maximum rates individually, combining them in a single scan, adding verbosity for detailed output, and saving the results to a file. You'll use commands like nmap --min-rate 100 192.168.1.1, nmap --max-rate 50 127.0.0.1, and nmap -sS --min-rate 80 --max-rate 120 192.168.1.1 to experiment with different rate configurations and observe their impact in the Xfce terminal.
Set minimum rate with nmap --min-rate 100 192.168.1.1
In this step, we will explore how to control the scanning rate of Nmap using the --min-rate option. This option allows you to specify the minimum number of packets Nmap should send per second. This is useful when you want to ensure that your scan completes within a reasonable timeframe, especially when scanning networks with high latency or rate limiting.
Understanding --min-rate
The --min-rate option takes a numerical value as an argument, representing the desired minimum number of packets per second. Nmap will attempt to send at least this many packets per second. However, it's important to note that Nmap might not always be able to achieve the specified rate due to network conditions or other factors.
Practical Example
Let's use --min-rate to set a minimum sending rate of 100 packets per second when scanning the target IP address 192.168.1.1.
Open your Xfce terminal.
Execute the following command:
sudo nmap --min-rate 100 192.168.1.1
Explanation:
- sudo: This command requires sudo because Nmap often needs elevated privileges to perform certain types of scans, such as SYN scans.
- nmap: This is the command-line tool for network exploration and security auditing.
- --min-rate 100: This option tells Nmap to attempt to send at least 100 packets per second.
- 192.168.1.1: This is the target IP address you want to scan. Note: Replace this with a valid IP address on your network for testing purposes. Scanning networks without permission is illegal. You can use your gateway IP address or a test machine on your local network.
Expected Output:
The output will vary depending on the target and the scan type Nmap performs by default. However, you should see Nmap running and displaying information about the scan progress. The key is that Nmap will attempt to send at least 100 packets per second. You won't see explicit confirmation of the rate in the output, but you can infer it based on the scan duration and the number of ports scanned.
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 EDT
Nmap scan report for 192.168.1.1
Host is up (0.00032s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds
Important Considerations:
- Network Conditions: The actual sending rate might be lower than the specified --min-rate if the network is congested or the target is slow to respond.
- Target Limitations: The target host might have rate limiting in place, which could prevent Nmap from sending packets at the desired rate.
- Scan Type: The type of scan you perform can also affect the sending rate. Some scan types require more packets than others.
By using the --min-rate option, you can influence the speed of your Nmap scans and ensure they complete within a reasonable timeframe. Remember to adjust the rate based on your network conditions and the target's capabilities.
Set maximum rate with nmap --max-rate 50 127.0.0.1
In this step, we will learn how to limit the scanning rate of Nmap using the --max-rate option. This option allows you to specify the maximum number of packets Nmap should send per second. This is particularly useful when you want to avoid overwhelming the target system or network, which could trigger intrusion detection systems (IDS) or cause denial-of-service (DoS)-like conditions.
Understanding --max-rate
The --max-rate option takes a numerical value as an argument, representing the desired maximum number of packets per second. Nmap will attempt to send no more than this many packets per second. This helps to ensure that your scan is less intrusive and less likely to be detected.
Practical Example
Let's use --max-rate to set a maximum sending rate of 50 packets per second when scanning the target IP address 127.0.0.1 (localhost).
Open your Xfce terminal.
Execute the following command:
sudo nmap --max-rate 50 127.0.0.1
Explanation:
- sudo: This command requires sudo because Nmap often needs elevated privileges to perform certain types of scans. While scanning localhost might not strictly require it, it's good practice to include it for consistency.
- nmap: This is the command-line tool for network exploration and security auditing.
- --max-rate 50: This option tells Nmap to limit its sending rate to a maximum of 50 packets per second.
- 127.0.0.1: This is the target IP address, which is the loopback address (localhost). This is a safe target for testing.
Expected Output:
The output will vary depending on the scan type Nmap performs by default. However, you should see Nmap running and displaying information about the scan progress. The key is that Nmap will attempt to send no more than 50 packets per second. You won't see explicit confirmation of the rate in the output, but the scan will likely take longer than if no rate limit was set.
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
631/tcp open ipp
902/tcp open iss-realsecure
Nmap done: 1 IP address (1 host up) scanned in 2.51 seconds
Important Considerations:
- Network Conditions: Even with --max-rate, network congestion can still affect the actual sending rate.
- Target Responsiveness: If the target is slow to respond, Nmap might send packets at a lower rate than the specified maximum.
- Balancing Speed and Stealth: --max-rate helps to make your scans less intrusive, but it also increases the scan duration. You need to find a balance between speed and stealth that is appropriate for your situation.
By using the --max-rate option, you can control the aggressiveness of your Nmap scans and minimize the risk of disrupting the target system or network.
Combine rates with nmap -sS --min-rate 80 --max-rate 120 192.168.1.1
In this step, we will combine the --min-rate and --max-rate options to define a range for the scanning rate. This allows Nmap to dynamically adjust the sending rate based on network conditions and target responsiveness, staying within the specified boundaries.
Understanding Combined Rate Control
By using both --min-rate and --max-rate, you provide Nmap with more flexibility in managing the scan speed. Nmap will attempt to send packets at a rate between the minimum and maximum values. This can be useful for optimizing scan performance while still avoiding overwhelming the target.
Practical Example
Let's use --min-rate and --max-rate together with a SYN scan (-sS) to scan the target IP address 192.168.1.1. We'll set the minimum rate to 80 packets per second and the maximum rate to 120 packets per second.
Open your Xfce terminal.
Execute the following command:
sudo nmap -sS --min-rate 80 --max-rate 120 192.168.1.1
Explanation:
- sudo: This command requires sudo because SYN scans (-sS) require elevated privileges.
- nmap: This is the command-line tool for network exploration and security auditing.
- -sS: This option specifies a SYN scan, which is a stealthy and efficient scan type.
- --min-rate 80: This option tells Nmap to attempt to send at least 80 packets per second.
- --max-rate 120: This option tells Nmap to limit its sending rate to a maximum of 120 packets per second.
- 192.168.1.1: This is the target IP address you want to scan. Note: Replace this with a valid IP address on your network for testing purposes. Scanning networks without permission is illegal. You can use your gateway IP address or a test machine on your local network.
Expected Output:
The output will vary depending on the target and the scan results. However, you should see Nmap running a SYN scan and displaying information about the scan progress. Nmap will attempt to maintain a sending rate between 80 and 120 packets per second.
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 EDT
Nmap scan report for 192.168.1.1
Host is up (0.00029s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.87 seconds
Important Considerations:
- Network Conditions: The actual sending rate will fluctuate between the specified minimum and maximum values based on network congestion and target responsiveness.
- Scan Type: The choice of scan type (-sS in this case) can influence the effectiveness of rate limiting.
- Balancing Speed and Stealth: Combining --min-rate and --max-rate allows for a more nuanced approach to balancing scan speed and stealth.
By using both --min-rate and --max-rate, you can fine-tune the scanning rate of Nmap to optimize performance and minimize the risk of detection.
Add verbosity with nmap -v --min-rate 100 127.0.0.1
In this step, we will add verbosity to the Nmap scan using the -v option. Verbosity increases the amount of information Nmap displays during the scan, providing more details about the process and results. This is helpful for understanding what Nmap is doing and troubleshooting any issues.
Understanding Verbosity Levels
The -v option increases the verbosity level. You can use it multiple times (e.g., -vv or -vvv) to further increase the verbosity. Each level provides more detailed information.
Practical Example
Let's combine verbosity with the --min-rate option to scan the target IP address 127.0.0.1 (localhost). We'll set the minimum rate to 100 packets per second and enable verbosity.
Open your Xfce terminal.
Execute the following command:
sudo nmap -v --min-rate 100 127.0.0.1
Explanation:
- sudo: This command requires sudo because Nmap often needs elevated privileges to perform certain types of scans.
- nmap: This is the command-line tool for network exploration and security auditing.
- -v: This option enables verbosity, providing more detailed output.
- --min-rate 100: This option tells Nmap to attempt to send at least 100 packets per second.
- 127.0.0.1: This is the target IP address, which is the loopback address (localhost). This is a safe target for testing.
Expected Output:
The output will be more detailed than previous scans. You'll see information about the scan phases, the probes being sent, and the reasons for port states.
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:15 EDT
NSE: Loaded 0 scripts for scanning.
Initiating Ping Scan at 10:15
Scanning localhost (127.0.0.1) [4 ports]
Completed Ping Scan at 10:15, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:15
Completed Parallel DNS resolution of 1 host. at 10:15, 0.00s elapsed
Initiating SYN Stealth Scan at 10:15
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 631/tcp on 127.0.0.1
Discovered open port 902/tcp on 127.0.0.1
Completed SYN Stealth Scan at 10:15, 0.65s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
631/tcp open ipp
902/tcp open iss-realsecure
Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds
Benefits of Verbosity:
- Troubleshooting: Verbosity helps identify issues during the scan, such as dropped packets or firewall interference.
- Understanding Nmap's Behavior: It provides insights into how Nmap works and the decisions it makes during the scan.
- Detailed Results: You can get more information about the target system and its services.
By using the -v option, you can enhance your Nmap scans with more detailed information, making it easier to understand and troubleshoot the results.
Save results with nmap --max-rate 60 -oN rate.txt 192.168.1.1
In this step, we will learn how to save Nmap scan results to a file using the -oN option. This allows you to analyze the results later, share them with others, or use them for reporting purposes.
Understanding Nmap Output Options
Nmap provides several options for saving scan results in different formats. The -oN option saves the results in a "normal" human-readable format. Other options include -oX for XML format, -oS for script kiddie format, and -oG for Grepable format.
Practical Example
Let's save the results of an Nmap scan to a file named rate.txt in the ~/project directory. We'll also set the maximum rate to 60 packets per second and scan the target IP address 192.168.1.1.
Open your Xfce terminal.
Execute the following command:
sudo nmap --max-rate 60 -oN rate.txt 192.168.1.1
Explanation:
- sudo: This command requires sudo because Nmap often needs elevated privileges to perform certain types of scans.
- nmap: This is the command-line tool for network exploration and security auditing.
- --max-rate 60: This option limits the sending rate to a maximum of 60 packets per second.
- -oN rate.txt: This option tells Nmap to save the results in normal format to a file named rate.txt. The file will be created in your current directory, which is ~/project.
- 192.168.1.1: This is the target IP address you want to scan. Note: Replace this with a valid IP address on your network for testing purposes. Scanning networks without permission is illegal. You can use your gateway IP address or a test machine on your local network.
Verifying the Output File
After the scan completes, you can verify that the results have been saved to the rate.txt file.
- Use the ls command to check if the file exists in your ~/project directory:
ls ~/project/rate.txt
If the file exists, you will see its name in the output.
- Use the cat command to view the contents of the rate.txt file:
cat ~/project/rate.txt
You should see the Nmap scan results in a human-readable format.
Example Output of cat ~/project/rate.txt:
## Nmap 7.80 scan initiated Fri Oct 27 10:20:00 2023
Nmap scan report for 192.168.1.1
Host is up (0.00032s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
## Nmap done at Fri Oct 27 10:20:01 2023 -- 1 IP address (1 host up) scanned in 0.91 seconds
Benefits of Saving Results:
- Analysis: You can analyze the scan results in detail at your own pace.
- Reporting: You can include the results in reports or documentation.
- Sharing: You can easily share the results with colleagues or clients.
- Historical Data: You can keep a record of past scans for comparison and tracking changes over time.
By using the -oN option (or other output options), you can effectively save and manage your Nmap scan results for various purposes.
Review rate impact in Xfce terminal
In this step, we will review the impact of different rate settings on Nmap scan times. By comparing the scan times with and without rate limiting, you can understand how these settings affect the speed and thoroughness of your scans.
Understanding Rate Limiting
Nmap's rate limiting options, such as --min-rate and --max-rate, control the number of packets sent per second. Setting these options can be useful for avoiding network congestion, evading intrusion detection systems (IDS), or ensuring a more reliable scan on unstable networks. However, they can also increase the overall scan time.
Practical Example
We will perform two Nmap scans, one with rate limiting and one without, and then compare the scan times.
Scan without rate limiting:
Open your Xfce terminal and execute the following command to scan 127.0.0.1 without any rate limits:
sudo nmap 127.0.0.1
Note the time it takes for the scan to complete. The output will display the start and end times, as well as the total scan time.
Example Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:25 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
631/tcp open ipp
902/tcp open iss-realsecure
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
In this example, the scan took 0.15 seconds.
Scan with rate limiting:
Now, execute the following command to scan 127.0.0.1 with a maximum rate of 50 packets per second:
sudo nmap --max-rate 50 127.0.0.1
Again, note the time it takes for the scan to complete.
Example Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:26 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
631/tcp open ipp
902/tcp open iss-realsecure
Nmap done: 1 IP address (1 host up) scanned in 0.75 seconds
In this example, the scan took 0.75 seconds.
Compare the scan times:
Compare the scan times from the two scans. You should observe that the scan with rate limiting took longer than the scan without rate limiting. This is because Nmap was forced to send packets at a slower rate, increasing the overall scan time.
Analyzing the Impact
The difference in scan times demonstrates the impact of rate limiting. While rate limiting can be beneficial in certain situations, it's important to be aware of the trade-off between speed and other factors like network stability or stealth.
Considerations:
- Network Conditions: On a congested network, rate limiting might actually improve scan reliability by preventing packet loss.
- Target System: Some target systems may be more sensitive to high scan rates and could become unstable or unresponsive.
- IDS/IPS: Rate limiting can help evade detection by intrusion detection and prevention systems.
By understanding the impact of rate limiting, you can make informed decisions about when and how to use these options in your Nmap scans.
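Since Nmap does not print the rate it achieved, the comparison above can be made from saved -oN files by reading the elapsed time and the port count. The script below is an added example, not part of the original lab; the function names and both sample files are constructed, and the capped scan's time is set to what a 50 packets-per-second cap implies for 1000 ports.

```shell
#!/bin/sh
# Added example: estimate the effective rate from Nmap normal (-oN) output.

# Elapsed seconds from the final "scanned in N seconds" line.
scan_seconds() {
    sed -n 's/.*scanned in \([0-9.]*\) seconds.*/\1/p' "$1" | tail -n 1
}

# Ports covered: counts on the "Not shown:" line plus each listed port row.
ports_scanned() {
    awk '/^Not shown:/ { for (i = 3; i <= NF; i++) if ($i ~ /^[0-9]+$/) n += $i }
         /^[0-9]+\/(tcp|udp) / { n++ }
         END { print n + 0 }' "$1"
}

# Average ports probed per second. This is a floor on the packet rate:
# host discovery probes and retransmissions are not counted.
avg_rate() {
    awk -v p="$(ports_scanned "$1")" -v s="$(scan_seconds "$1")" \
        'BEGIN { if (s > 0) printf "%.1f\n", p / s; else print "n/a" }'
}

# How many times longer the second scan took than the first.
slowdown() {
    awk -v a="$(scan_seconds "$1")" -v b="$(scan_seconds "$2")" \
        'BEGIN { if (a > 0) printf "%.1f\n", b / a; else print "n/a" }'
}

# Constructed sample files (not captured from a real scan).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/unlimited.txt" <<'EOF'
# Nmap 7.80 scan initiated Fri Oct 27 10:25:00 2023 as: nmap -oN unlimited.txt 127.0.0.1
Nmap scan report for localhost (127.0.0.1)
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
631/tcp open  ipp
902/tcp open  iss-realsecure
# Nmap done at Fri Oct 27 10:25:00 2023 -- 1 IP address (1 host up) scanned in 0.15 seconds
EOF
# Same report with a --max-rate 50 command line and a constructed 20.34 s runtime.
sed -e 's/-oN unlimited.txt/--max-rate 50 -oN limited.txt/' \
    -e 's/scanned in 0.15 seconds/scanned in 20.34 seconds/' \
    "$tmp/unlimited.txt" > "$tmp/limited.txt"

for f in unlimited limited; do
    echo "$f: $(ports_scanned "$tmp/$f.txt") ports in $(scan_seconds "$tmp/$f.txt")s," \
         "about $(avg_rate "$tmp/$f.txt") ports/s"
done
echo "slowdown: $(slowdown "$tmp/unlimited.txt" "$tmp/limited.txt")x"
```

An average well above the --max-rate value you set, or well below your --min-rate, is a sign that the option was not applied to the scan that produced the file.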
Summary
In this lab, we explored how to adjust packet rates in Nmap using the --min-rate and --max-rate options. We learned to set a minimum packet sending rate with --min-rate, ensuring Nmap attempts to send at least a specified number of packets per second, and a maximum rate with --max-rate.
We also practiced combining these options with other Nmap flags like -sS for SYN scans and -v for increased verbosity. Finally, we learned how to save the scan results to a file using the -oN option for later review and analysis of the rate impact.



