Speeding Up NMAP UDP Scans

…when you learn something new - share it. that everyone may benefit from your growth.

discovered this fun fact when i asked the internet for help in getting my nmap UDP scans to run faster.

Vanilla nmap UDP scan:
sudo nmap -sU target-ip

-sU: UDP scan

Fast:
sudo nmap -sU -T4 target-ip
or
sudo nmap -sU -T5 target-ip

-T: adjust timing, 0=slowest, 5=fastest (default=3). faster can miss ports

Faster:
sudo nmap -sU -T5 --max-retries max-tries target-ip

–max-retries max-tries: limits probe re-transmissions to max-tries

(not actually) Fasterer:
sudo nmap -Pn -sU -T5 --max-retries max-tries target-ip

-Pn: skip host discovery. I did not think I needed it, I was on the same network. Why would I bother checking to see if the host is up?

WRONG

bonsaiviking is an nmap dev and said:
“Remove -Pn. Seriously, it slows you way down because Nmap uses the host discovery phase to calibrate scan speeds. If it finds a good TCP probe that gets a response, it will use that to monitor network speed and responsiveness. Otherwise it has to use rate-limited ICMP responses.”
***https://twitter.com/escollapse/status/1244995094807265283

based on your nmap version, you can also (per bonsaiviking):
“If you’re willing to give up some accuracy and miss some open ports, you can use --defeat-icmp-ratelimit to really speed up UDP scans.”

o_O meow I see

fun reads:
https://www.stationx.net/nmap-cheat-sheet/
https://linux.die.net/man/1/nmap

1 Like