Understanding Timing Templates (`-T0` to `-T5`) with Nmap
Introduction
Nmap (Network Mapper) is one of the most powerful open-source tools for network scanning, penetration testing, and security auditing. A crucial aspect of using Nmap effectively is understanding its timing templates, which control the speed and aggressiveness of scans. The `-T` flag in Nmap allows users to specify timing templates ranging from `-T0` (slowest) to `-T5` (fastest), which help balance scan accuracy, stealth, and speed.
This article will provide an in-depth look at Nmap’s timing templates, their impact on scans, and when to use each template for optimal results.
What are Nmap Timing Templates?
Timing templates in Nmap are pre-configured settings that adjust various scan parameters, such as timeout durations, parallel scanning, and packet sending rates. These templates enable users to fine-tune their scans depending on network conditions, target response rates, and the desired level of stealth.
The Six Timing Templates (`-T0` to `-T5`)
Nmap provides six timing templates:
- `-T0` (Paranoid)
- `-T1` (Sneaky)
- `-T2` (Polite)
- `-T3` (Normal - Default)
- `-T4` (Aggressive)
- `-T5` (Insane)
Each of these templates modifies several internal timing values, including `host-timeout`, `max-retries`, and `min/max parallelism`, which influence how quickly and aggressively the scan is conducted.
Breakdown of Each Timing Template
`-T0` (Paranoid Mode)
Use Case: Maximum stealth, avoiding Intrusion Detection Systems (IDS).
- Sends packets at very long intervals (multiple seconds between probes).
- Uses serialized (one at a time) scans with no parallelism.
- Ideal for highly sensitive networks where detection must be minimized.
- Extremely slow and can take hours or even days to complete a scan.
Example Usage:
nmap -T0 -sS target.com
This runs a stealthy SYN scan with `-T0`, which minimizes the chances of detection but takes significantly longer.
`-T1` (Sneaky Mode)
Use Case: Avoiding detection while scanning slightly faster than `-T0`.
- Slightly increases packet sending speed compared to `-T0`.
- Still uses serialized scanning with very minimal parallelism.
- Works well against IDS systems configured to detect frequent scan attempts.
- Useful when scanning enterprise networks with strict monitoring policies.
Example Usage:
nmap -T1 -A target.com
This enables aggressive scanning (`-A` includes OS detection, version detection, and script scanning) but with a slow, IDS-evading approach.
`-T2` (Polite Mode)
Use Case: Reducing network load while scanning at a reasonable speed.
- Sends packets at a slower rate to prevent overwhelming the target.
- Increases timeouts for responses, allowing more accurate results on slower networks.
- Suitable for scanning production environments without impacting performance.
Example Usage:
nmap -T2 -sV target.com
This performs a version scan (`-sV`) while being polite to the network.
`-T3` (Normal Mode)
Use Case: Default scanning behavior; a balance between speed and accuracy.
- Uses a moderate parallelism level.
- Works well in most standard scanning scenarios.
- Reliable and suitable for general reconnaissance.
Example Usage:
nmap -T3 -p 1-65535 target.com
This scans all 65,535 ports with a normal timing template, ensuring balanced performance and accuracy.
`-T4` (Aggressive Mode)
Use Case: Speeding up scans in stable and responsive networks.
- Uses higher parallelism and sends packets at a much faster rate.
- Reduces retransmission delays, assuming a low-latency network.
- More likely to be detected by IDS/IPS systems due to increased traffic.
- Best suited for scanning local networks or high-speed internet connections.
Example Usage:
nmap -T4 -F target.com
This performs a fast scan (`-F` scans only common ports) while being aggressive in timing.
`-T5` (Insane Mode)
Use Case: Maximum speed with little concern for accuracy or stealth.
- Uses extremely aggressive settings, assuming low-latency conditions.
- Sends packets as quickly as possible with minimal retries.
- Can overwhelm networks and lead to inaccurate results due to dropped packets.
- Best used in controlled environments where speed is prioritized over stealth.
Example Usage:
nmap -T5 -p- target.com
This performs a full port scan (`-p-`) on all ports with maximum speed, risking false negatives if packets are dropped.
Choosing the Right Timing Template
When deciding which `-T` option to use, consider the following factors:
Timing Template | Speed | Stealth | Recommended For |
---|---|---|---|
-T0 (Paranoid) | Very Slow | High Stealth | IDS Evasion, Highly Monitored Networks |
-T1 (Sneaky) | Slow | High Stealth | Enterprise Networks, Avoiding Detection |
-T2 (Polite) | Moderate | Medium | Production Networks, Minimal Impact Scans |
-T3 (Normal) | Balanced | Moderate | General Scanning, Reconnaissance |
-T4 (Aggressive) | Fast | Low Stealth | Fast, Reliable Networks, Pentesting |
-T5 (Insane) | Very Fast | No Stealth | Internal Networks, Speed-Critical Scans |
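The stealth column is mostly a matter of probe spacing: per the Nmap documentation, `-T0` waits 5 minutes between probes and `-T1` waits 15 seconds, so a detector that counts probes in a short window never sees them. The Python sketch below is an added example, not part of the original article; the event tuples, the addresses and the function names `sample_events` and `scan_sources` are constructed for illustration. It counts distinct destination ports per source over a sliding window and shows how the window length decides which templates are caught.

```python
from collections import Counter, defaultdict

def sample_events():
    """Constructed (epoch_seconds, src_ip, dst_port) records of inbound SYNs to one host."""
    ev = [(i * 300.0, "192.0.2.3", 1000 + i) for i in range(20)]        # -T0-like: 5 min apart
    ev += [(i * 15.0, "192.0.2.5", 2000 + i) for i in range(20)]        # -T1-like: 15 s apart
    ev += [(600 + i * 0.1, "192.0.2.9", 3000 + i) for i in range(20)]   # fast burst
    ev += [(i * 30.0, "192.0.2.7", 443) for i in range(20)]             # ordinary client, one port
    return ev

def scan_sources(events, window, min_ports):
    """Return sources that touched >= min_ports distinct ports within any `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, port in sorted(events):
        by_src[src].append((ts, port))
    flagged = set()
    for src, hits in by_src.items():
        in_window, left = Counter(), 0
        for ts, port in hits:
            in_window[port] += 1
            # Slide the left edge forward, dropping probes older than the window.
            while hits[left][0] < ts - window:
                old = hits[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_ports:
                flagged.add(src)
                break
    return flagged

if __name__ == "__main__":
    ev = sample_events()
    # Same threshold, three window lengths: only the longest sees the 5-minute spacing.
    for label, window in (("5 s", 5), ("1 h", 3600), ("24 h", 86400)):
        print(label, sorted(scan_sources(ev, window, min_ports=15)))
```

The single-port client is never flagged because the detector keys on distinct ports rather than packet count, which is what lets the long window stay usable on busy hosts.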
Additional Timing Considerations
Beyond the `-T` templates, Nmap provides additional options to fine-tune scan timing:
- `--min-parallelism` and `--max-parallelism`: Control how many probes are sent simultaneously.
- `--scan-delay <time>`: Introduces delays between probes.
- `--host-timeout <time>`: Specifies a timeout for scanning hosts that do not respond.
- `--max-retries <number>`: Limits the number of retries for unreachable hosts.
Conclusion
Understanding Nmap’s timing templates is crucial for optimizing scans based on different scenarios. Whether prioritizing stealth (`-T0`, `-T1`), balancing accuracy and speed (`-T2`, `-T3`), or maximizing efficiency (`-T4`, `-T5`), choosing the right template can significantly impact scan success.
By experimenting with these templates in different environments, you can improve your proficiency with Nmap and enhance your network reconnaissance capabilities.