Evading Detection with Slow Scans Using Nmap
Network reconnaissance is one of the fundamental phases of any penetration test or cyber attack. Among the tools commonly used for scanning and enumeration, Nmap (Network Mapper) stands out for its versatility, power, and popularity in both offensive and defensive security circles. However, running a fast or aggressive scan with Nmap can quickly trigger alarms on modern Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS), or get flagged by firewall logs.
To stay under the radar, attackers and penetration testers alike often resort to slow scanning techniques. These tactics aim to avoid detection by mimicking legitimate traffic or staying below the thresholds that would trigger security alerts. In this post, we’ll explore how to evade detection using slow scans with Nmap, the principles behind such evasion, practical command-line examples, and considerations for ethical use.
Why Slow Scanning?
Security systems often rely on anomalous traffic behavior to detect reconnaissance activities. A sudden spike in port scans, many connection attempts from a single IP address, or unusual traffic timing patterns can be clear indicators of scanning activity.
Slow scanning addresses these issues by:
- Reducing the rate of connection attempts to avoid tripping detection thresholds.
- Spreading scans over a longer period to blend into background noise.
- Mimicking human behavior rather than automated tools.
- Avoiding aggressive flags that could reveal intentions.
This method is particularly useful in environments with:
- IDS/IPS like Snort, Suricata, or Zeek.
- Web Application Firewalls (WAFs).
- SIEM (Security Information and Event Management) solutions.
Key Nmap Flags for Slow Scanning
To perform slow scans, Nmap offers a variety of timing and stealth-related flags. Here are some of the most relevant:
1. --scan-delay and --max-scan-delay
These options introduce a delay between probes.
- --scan-delay <time> sets a fixed delay between each probe (e.g., --scan-delay 5s).
- --max-scan-delay <time> caps how far Nmap is allowed to raise the delay on its own when it backs off from rate limiting; each timing template sets its own default for this cap.
This slows down the scan, helping it fly under the radar.
2. -T Timing Templates
Nmap provides predefined timing templates ranging from 0 (paranoid) to 5 (insane).
- -T0 or -T1 are useful for stealth scans, as they space out probes significantly.
- -T3 is the default and may still trigger alerts in sensitive environments.
- Use -T1 for very slow scans to avoid detection.
3. -Pn (No Ping)
- Skips host discovery. This is useful because ICMP ping (used for host detection) is often blocked or monitored.
- Scanning without ping makes the scan slower but stealthier.
4. --top-ports or -p
Scanning all 65,535 ports increases the chances of detection. Instead:
- Use --top-ports 100 or -p 22,80,443 to target only relevant ports.
- This minimizes traffic and detection risk.
5. -sS (TCP SYN Scan)
- The TCP SYN scan is often called a “half-open” scan.
- It doesn’t complete the TCP handshake, so the probe never reaches the target application and stays out of application-level logs.
- More stealthy than -sT (TCP connect), but a packet-level IDS or an advanced firewall may still log it.
Example: A Basic Slow Scan Command
Here’s a simple Nmap command for a slow and stealthy scan:
nmap -sS -T1 --scan-delay 5s -Pn -p 22,80,443 192.168.1.10
What this does:
- -sS: TCP SYN scan (stealthier than a full connect).
- -T1: Very slow timing template.
- --scan-delay 5s: Adds 5 seconds between probe attempts.
- -Pn: Disables host discovery.
- -p 22,80,443: Scans only a few common ports.
- 192.168.1.10: Target IP.
Understanding IDS/IPS Detection Thresholds
Security devices are configured to detect scanning patterns using:
- Connection rate: Number of connection attempts in a given timeframe.
- Port range: Large port ranges often signal a scan.
- Connection type: TCP SYN, NULL, or FIN scans may be flagged.
- Payloads: Aggressive scans that send extra data or malformed packets.
By reducing the connection rate, using minimal port ranges, and sticking to standard behavior, you reduce the likelihood of triggering these systems.
Practical Use Cases
Penetration Testing in Real-World Environments
When working under a Rules of Engagement (RoE) agreement, a penetration tester may be required to avoid tripping alerts or disrupting services. In such cases, slow scanning becomes a key tactic for low-noise reconnaissance.
- Helps discover open ports over a weekend or overnight.
- Can identify services without causing downtime or panic.
Red Team Exercises
In Red Team operations, detection avoidance is critical. Teams will use slow scans as part of multi-phase campaigns that mimic advanced persistent threats (APTs).
- Slow scanning over weeks makes detection extremely difficult.
- Works well when combined with proxy chains, VPNs, or hop points.
Advanced Tactics for Stealth
Fragmented Packets (-f)
Nmap can fragment packets, making them harder for detection systems to reassemble:
nmap -sS -f -Pn -T1 target.com
However, some firewalls and IDS are aware of this trick.
Decoy Scans (-D)
To hide the source of the scan, Nmap can send probes from decoy IPs:
nmap -sS -D 192.168.1.2,192.168.1.3,ME -Pn target.com
This makes it appear as though multiple sources are scanning.
Spoofing MAC Address (--spoof-mac)
Nmap can spoof MAC addresses to impersonate other devices:
nmap -sS --spoof-mac 00:11:22:33:44:55 target.com
This is useful on internal networks with MAC-based filtering or monitoring.
Trade-offs and Limitations
Slow scanning is stealthy, but it has some downsides:
1. Time-Consuming
A full port scan with --scan-delay 10s on 1000 ports could take nearly 3 hours per host. Multiply that by 100 hosts and you’re looking at weeks.
2. Incomplete Results
Slow scans often skip aggressive detection techniques like OS fingerprinting (-O) or service versioning (-sV), which might alert defenses.
3. Limited Against Anomaly-Based IDS
Advanced IDS/IPS solutions using machine learning or behavioral analysis may detect even slow scans based on subtle patterns.
Defensive Countermeasures
It’s essential to understand that attackers may use these tactics, and defenders must adapt:
- Log correlation: Look for long-term patterns of activity from the same IP.
- Threshold tuning: Lower thresholds for alerts over longer timeframes.
- Time-based heuristics: Analyze port scans spread across hours or days.
- Honeypots: Place decoy services to detect slow scans targeting fake ports.
Tools like Zeek, Suricata, and ELK Stack (Elasticsearch, Logstash, Kibana) can help correlate and analyze logs effectively.
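The detection thresholds listed earlier (connection rate, port range, connection type) and the log-correlation, threshold-tuning and time-based heuristics in the list above can be turned into a concrete check. The Python below is an added example written for this post; it is not code from the original page, from Nmap or from Zeek. It parses constructed rows laid out like a Zeek conn.log (timestamp, originator, responder, port, conn_state) and compares a short-window rate rule, which a -T1 scan with a multi-second delay slips under, with a long-window distinct-port rule that still catches it. The hosts 10.0.0.5, 10.0.0.9 and 10.0.0.20, the timestamps and the states are all constructed; the rule names and thresholds are this example's own choices.

```python
"""Detecting slow port scans in conn-log style records.

Added example for this post (not code from the original page, Nmap or Zeek).
Rows mimic the column order of a Zeek conn.log but are constructed here.
conn_state follows Zeek semantics: SF = completed connection,
S0 = SYN seen but no reply, REJ = SYN rejected (RST from the responder).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    ts: float    # epoch seconds
    src: str     # id.orig_h
    dst: str     # id.resp_h
    dport: int   # id.resp_p
    state: str   # conn_state


def parse_conn_log(text):
    """Parse tab-separated rows: ts, orig_h, orig_p, resp_h, resp_p, proto, conn_state."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, _proto, state = line.split("\t")
        conns.append(Conn(float(ts), src, dst, int(dport), state))
    return conns


def max_distinct_targets(conns, window_s):
    """Per source: the most distinct (host, port) pairs hit inside any
    sliding window of window_s seconds (two-pointer sweep over sorted rows)."""
    by_src = defaultdict(list)
    for c in conns:
        by_src[c.src].append(c)
    result = {}
    for src, rows in by_src.items():
        rows.sort(key=lambda c: c.ts)
        in_window = defaultdict(int)   # (dst, dport) -> rows currently in window
        left, best = 0, 0
        for c in rows:
            in_window[(c.dst, c.dport)] += 1
            while c.ts - rows[left].ts > window_s:   # drop rows that fell out
                key = (rows[left].dst, rows[left].dport)
                in_window[key] -= 1
                if in_window[key] == 0:
                    del in_window[key]
                left += 1
            best = max(best, len(in_window))
        result[src] = best
    return result


def rate_rule(conns, window_s=60, threshold=20):
    """Classic IDS-style rule: many distinct targets within a short window."""
    return sorted(src for src, n in max_distinct_targets(conns, window_s).items()
                  if n >= threshold)


def long_window_rule(conns, window_s=24 * 3600, threshold=10, max_sf_ratio=0.2):
    """Slow-scan rule: a lower target threshold over a much longer window, plus a
    check that the source rarely completes a handshake (SF). That separates
    half-open SYN probing (S0/REJ only) from a client using two services all day."""
    states = defaultdict(list)
    for c in conns:
        states[c.src].append(c.state)
    flagged = []
    for src, n in max_distinct_targets(conns, window_s).items():
        sf_ratio = states[src].count("SF") / len(states[src])
        if n >= threshold and sf_ratio <= max_sf_ratio:
            flagged.append(src)
    return sorted(flagged)


def constructed_sample():
    """Constructed log: one fast scanner, one slow scanner, one normal client."""
    base = 1_700_000_000
    rows = []
    # Fast scanner 10.0.0.5: 30 ports in under 10 seconds, every probe rejected.
    for i in range(30):
        rows.append((base + i * 0.3, "10.0.0.5", 40000 + i, "192.168.1.10", 1 + i, "REJ"))
    # Slow scanner 10.0.0.9: 20 ports, one probe per hour, no handshake ever completes.
    slow_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
                  443, 445, 993, 995, 1433, 3306, 3389, 5900, 8080, 8443]
    for i, port in enumerate(slow_ports):
        rows.append((base + i * 3600, "10.0.0.9", 50000 + i, "192.168.1.10", port,
                     "S0" if i % 2 else "REJ"))
    # Normal client 10.0.0.20: 48 completed sessions to 80/443 spread over a day.
    for i in range(48):
        rows.append((base + i * 1800, "10.0.0.20", 60000 + i, "192.168.1.10",
                     443 if i % 2 else 80, "SF"))
    return "\n".join(f"{ts:.6f}\t{src}\t{sp}\t{dst}\t{dp}\ttcp\t{st}"
                     for ts, src, sp, dst, dp, st in rows)


SAMPLE_LOG = constructed_sample()

if __name__ == "__main__":
    conns = parse_conn_log(SAMPLE_LOG)
    print("rate rule (60 s window):", rate_rule(conns))
    print("long-window rule (24 h):", long_window_rule(conns))
```

On the constructed log the 60-second rate rule reports only 10.0.0.5, while the 24-hour rule also reports 10.0.0.9, which never exceeds one probe per minute. The max_sf_ratio check is what keeps the rule usable: 10.0.0.20 touches two ports all day but completes every handshake, so it is not flagged, whereas a SYN scan leaves only S0 and REJ states behind.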
Ethical Considerations
While Nmap is a powerful tool, using it to evade detection without authorization is illegal and unethical. Always ensure:
- You have explicit permission to scan the network.
- Scanning complies with local laws and organizational policies.
- You document and justify slow scanning in a penetration testing report.
Conclusion
Evading detection with slow scans using Nmap is a critical technique in the arsenal of any penetration tester or Red Team professional. By carefully tuning scan parameters like timing, delay, and probe types, it’s possible to blend into the background noise of network traffic and bypass basic detection systems.
However, this comes at the cost of time and complexity. As defensive technologies become more advanced, even these stealth techniques may be detected by sophisticated monitoring systems. Whether you’re testing a client’s network security or studying how attackers operate, understanding the nuances of slow Nmap scanning is essential.
Always remember: the goal is not just to be stealthy, but to be ethical, purposeful, and responsible in every reconnaissance action you take.
If you found this post helpful, consider exploring related articles on stealth scanning techniques, IDS/IPS evasion, and network traffic analysis using Zeek to deepen your understanding of both offensive and defensive cybersecurity strategies.