Analyze Scan Statistics in Nmap

Introduction

In this lab, you will learn how to analyze scan statistics in Nmap. The lab covers using the --stats-every option to display scan statistics at regular intervals, adding verbosity with the -v option, and saving the statistics output to a file. You will also review timing statistics, compare statistics with different timing templates, and analyze scan duration.

The lab starts with running a scan with statistics enabled, then adds verbosity to the output. Next, you'll learn how to save the statistics to a file for later analysis. Finally, you will explore different timing templates and analyze the scan duration to understand how they affect the scan process.


Run scan with stats with nmap --stats-every 5s 192.168.1.0/24

In this step, you will learn how to use the --stats-every option with Nmap to display scan statistics at regular intervals. This is useful for monitoring the progress of a scan, especially when scanning large networks.

First, let's understand the basic syntax:

nmap --stats-every <time> <target>
  • --stats-every <time>: Specifies how often Nmap should print a status line. The value is a time with a unit suffix such as 5s or 1m (a bare number is treated as seconds).
  • <target>: The target IP address or network you want to scan.

For this step, you will scan the 192.168.1.0/24 network and display statistics every 5 seconds.

Execute the following command in your terminal:

sudo nmap --stats-every 5s 192.168.1.0/24

You will see Nmap start scanning the network and print statistics every 5 seconds. The statistics include information such as the number of hosts scanned, the number of hosts up, and the estimated time remaining.

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00020s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Stats: 0:00:05 elapsed; 0 hosts completed (0 up), 256 hosts total
Stats: 0:00:10 elapsed; 0 hosts completed (0 up), 256 hosts total
Stats: 0:00:15 elapsed; 0 hosts completed (0 up), 256 hosts total
...

Note: The output will vary depending on your network configuration. The scan will likely take some time to complete. You can stop the scan at any time by pressing Ctrl+C. Since this is a demonstration, you don't need to wait for the scan to finish.

Add verbosity with nmap -v --stats-every 5s 127.0.0.1

In this step, you will learn how to increase the verbosity of Nmap output using the -v option, while also displaying scan statistics at regular intervals using --stats-every. Verbosity provides more detailed information about the scan process, which can be helpful for troubleshooting or understanding Nmap's behavior.

The -v option increases the verbosity level. You can use it multiple times (e.g., -vv) for even more detailed output.

Execute the following command in your terminal to scan the localhost (127.0.0.1) with verbosity and display statistics every 5 seconds:

sudo nmap -v --stats-every 5s 127.0.0.1

You will see Nmap start scanning and print more detailed information about each step of the scan, along with the statistics every 5 seconds.

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Initiating Ping Scan at 10:05
Scanning 127.0.0.1 [4 ports]
Completed Ping Scan at 10:05, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:05
Completed Parallel DNS resolution of 1 host. at 10:05, 0.00s elapsed
Initiating Connect Scan at 10:05
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 22/tcp on 127.0.0.1
Completed Connect Scan at 10:05, 0.00s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000083s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Stats: 0:00:05 elapsed; 1 hosts completed (1 up), 1 hosts total
Stats: 0:00:10 elapsed; 1 hosts completed (1 up), 1 hosts total
Stats: 0:00:15 elapsed; 1 hosts completed (1 up), 1 hosts total
...

Notice the additional information provided by the -v option, such as the initiation and completion of different scan phases. This can be very useful for understanding what Nmap is doing and for diagnosing any issues.

You can stop the scan at any time by pressing Ctrl+C. Since this is a demonstration, you don't need to wait for the scan to finish.

Save stats output with nmap --stats-every 5s -oN stats.txt 192.168.1.1

In this step, you will learn how to save the output of an Nmap scan, including the statistics displayed by --stats-every, to a file using the -oN option. This allows you to analyze the scan results and statistics later.

The -oN option specifies that the output should be saved in "normal" format to the specified file.

Execute the following command in your terminal to scan the host 192.168.1.1, display statistics every 5 seconds, and save the output to a file named stats.txt in your ~/project directory:

sudo nmap --stats-every 5s -oN stats.txt 192.168.1.1

Nmap will start scanning and display statistics on the terminal, but it will also save the complete scan output to the stats.txt file.

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00020s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Stats: 0:00:05 elapsed; 0 hosts completed (0 up), 1 hosts total
Stats: 0:00:10 elapsed; 0 hosts completed (0 up), 1 hosts total
Stats: 0:00:15 elapsed; 0 hosts completed (0 up), 1 hosts total
...

After the scan (or after you interrupt it with Ctrl+C), you can view the contents of the stats.txt file using the cat command:

cat ~/project/stats.txt

This will display the saved scan output: the scan report, plus the "scan initiated" and "Nmap done" lines that Nmap writes to the file as comments.

# Nmap 7.80 scan initiated Fri Oct 27 10:10:00 2023 as: nmap --stats-every 5s -oN stats.txt 192.168.1.1
Nmap scan report for 192.168.1.1
Host is up (0.00020s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

# Nmap done at Fri Oct 27 10:10:15 2023 -- 1 IP address (1 host up) scanned in 15.00 seconds

Note: The output in stats.txt will be the final scan report, not the periodic statistics updates. The statistics are only displayed on the terminal when using --stats-every.

Review timing stats in Xfce terminal

In this step, you will learn how to observe and interpret the timing statistics displayed by Nmap during a scan. We'll use the --stats-every option to display these statistics periodically in the Xfce terminal.

To review timing stats, execute the following command in your terminal:

sudo nmap --stats-every 2s 192.168.1.1

This command will scan the host 192.168.1.1 and display the scan statistics every 2 seconds.

You will see output similar to the following in your Xfce terminal:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:15 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00020s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Stats: 0:00:02 elapsed; 0 hosts completed (0 up), 1 hosts total
Stats: 0:00:04 elapsed; 0 hosts completed (0 up), 1 hosts total
Stats: 0:00:06 elapsed; 0 hosts completed (0 up), 1 hosts total
Stats: 0:00:08 elapsed; 0 hosts completed (0 up), 1 hosts total
Nmap done at Fri Oct 27 10:15:10 2023 -- 1 IP address (1 host up) scanned in 10.00 seconds

Let's break down what these statistics mean:

  • Starting Nmap ...: This line shows the Nmap version and the time the scan started.
  • Nmap scan report for ...: This is the standard Nmap scan report, showing the open ports and other information about the target host.
  • Host is up ...: Indicates that the target host is reachable.
  • Not shown: 999 closed ports: By default, Nmap doesn't show closed ports to reduce output.
  • Stats: 0:00:02 elapsed; 0 hosts completed (0 up), 1 hosts total: This is the key part for this step.
    • elapsed: This shows the elapsed time since the scan started (in hours:minutes:seconds format).
    • hosts completed: This shows how many hosts have been fully scanned.
    • (0 up): This indicates how many of the completed hosts are up.
    • hosts total: This shows the total number of hosts being scanned.
  • Nmap done at ...: This line shows the time the scan finished and the total time it took.

By observing these statistics, you can get a sense of how long the scan is taking and how quickly it is progressing. This can be useful for estimating the time required for larger scans and for troubleshooting any performance issues.

You can interrupt the scan at any time by pressing Ctrl+C.

Compare stats with different timing templates in Xfce terminal

In this step, you will explore how Nmap's timing templates affect scan speed and accuracy. Nmap provides several timing templates that control the aggressiveness of the scan. These templates are specified using the -T option, followed by a number from 0 to 5.

Here's a brief overview of the timing templates:

  • -T0 (paranoid): The slowest template, used for avoiding detection.
  • -T1 (sneaky): Similar to paranoid, but slightly faster.
  • -T2 (polite): Slows down the scan to conserve bandwidth and resources.
  • -T3 (normal): The default template, offering a balance between speed and accuracy.
  • -T4 (aggressive): Speeds up the scan by making it more aggressive.
  • -T5 (insane): The fastest template, but also the most likely to be detected and cause network issues.

To compare the effects of different timing templates, we'll run two scans against 127.0.0.1 (localhost), one with -T2 (polite) and another with -T4 (aggressive), and observe the statistics.

First, run the scan with the polite template:

sudo nmap -T2 --stats-every 5s 127.0.0.1

Observe the output in the Xfce terminal. Note the elapsed time and the rate at which ports are being scanned. You should see that the scan progresses relatively slowly.

Next, run the scan with the aggressive template:

sudo nmap -T4 --stats-every 5s 127.0.0.1

Again, observe the output in the Xfce terminal. Compare the elapsed time and the scanning rate with the previous scan. You should notice that the scan progresses much faster with the aggressive template.

By comparing the statistics from these two scans, you can see how the timing templates affect the speed and aggressiveness of Nmap scans. Keep in mind that using more aggressive templates can increase the risk of detection and may cause issues on the target network. Choose the appropriate template based on your specific needs and the environment you are scanning.

You can interrupt the scan at any time by pressing Ctrl+C.

Analyze scan duration in Xfce terminal

In this step, you will learn how to analyze the scan duration of Nmap scans. Understanding how long a scan takes is crucial for planning and optimizing your network assessments. Nmap provides detailed statistics during and after a scan, including the start time, end time, and total elapsed time.

To analyze scan duration, we'll perform a scan and then examine the output for the relevant timing information.

First, run a scan against 127.0.0.1 (localhost) with the --stats-every option to display statistics periodically:

sudo nmap --stats-every 5s 127.0.0.1

As the scan runs, observe the statistics being printed to the Xfce terminal every 5 seconds. These statistics include information about the scan's progress, the number of ports scanned, and the estimated time remaining.

Once the scan is complete, Nmap will print a summary of the results, including the total elapsed time. Look for the line that starts with "Nmap done". This line will tell you how long the scan took to complete.

For example:

Nmap done: 1 IP address (1 host up) scanned in 2.54 seconds

In this example, the scan took 2.54 seconds to complete.

You can also analyze the scan duration by saving the output to a file using the -oN option, as demonstrated in a previous step. After the scan is complete, you can open the file and look for the "Nmap done" line to find the elapsed time.

By analyzing the scan duration, you can gain insights into the performance of your Nmap scans and identify potential bottlenecks. This information can be used to optimize your scan settings and improve the efficiency of your network assessments.
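As an added example (not part of the lab or of Nmap itself), the following Python parser turns the two lines examined in this step and the "Review timing stats" step, the periodic Stats: line and the final "Nmap done" line, into numbers you can compare across runs: hosts completed per second, an extrapolated remaining time, and the total duration. The sample capture is constructed for the example, and the parser also accepts the "# Nmap done at ..." footer form that -oN writes to a file.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample of a --stats-every terminal capture plus the final
# "Nmap done" footer; not real output from the lab environment.
SAMPLE_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:15 UTC
Stats: 0:00:05 elapsed; 0 hosts completed (0 up), 256 hosts total
Stats: 0:00:10 elapsed; 64 hosts completed (3 up), 256 hosts total
Stats: 0:00:20 elapsed; 192 hosts completed (7 up), 256 hosts total
Nmap done: 256 IP addresses (9 hosts up) scanned in 26.80 seconds
"""

STATS_RE = re.compile(r"^Stats: (\d+):(\d{2}):(\d{2}) elapsed; (\d+) hosts "
                      r"completed \((\d+) up\), (\d+) hosts total")
# Matches both the terminal footer ("Nmap done: ...") and the -oN file
# footer ("# Nmap done at <date> -- ..."); only the duration is captured.
DONE_RE = re.compile(r"Nmap done.*scanned in ([\d.]+) seconds")

class StatsLine(NamedTuple):
    elapsed_s: int   # h:mm:ss converted to seconds
    completed: int   # hosts fully scanned so far
    up: int          # of those, how many responded
    total: int       # hosts in the target set

    def rate(self) -> Optional[float]:
        """Hosts completed per second; None until the first host finishes."""
        if self.completed == 0 or self.elapsed_s == 0:
            return None
        return self.completed / self.elapsed_s

    def eta_s(self) -> Optional[float]:
        """Remaining time extrapolated from the current completion rate."""
        r = self.rate()
        return None if r is None else (self.total - self.completed) / r

def parse_stats(text: str) -> List[StatsLine]:
    lines = []
    for line in text.splitlines():
        m = STATS_RE.match(line)
        if m:
            h, mi, s, done, up, total = (int(g) for g in m.groups())
            lines.append(StatsLine(h * 3600 + mi * 60 + s, done, up, total))
    return lines

def scan_duration(text: str) -> Optional[float]:
    """Total seconds reported on the 'Nmap done' line, or None if absent."""
    m = DONE_RE.search(text)
    return float(m.group(1)) if m else None
```

Feed it a terminal capture (script or tee) of a -T2 run and a -T4 run and the rate and duration figures give you a direct comparison of the timing templates.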

Summary

In this lab, you learned how to use the --stats-every option in Nmap to display scan statistics at regular intervals, allowing you to monitor the progress of a scan, especially when scanning large networks. The lab demonstrated how to execute a scan with statistics displayed every 5 seconds, showing information like hosts scanned, hosts up, and estimated time remaining.

Furthermore, the lab introduced the -v option to increase verbosity, providing more detailed information about the scan process alongside the regular statistics updates.