Adjusting the aggressiveness and number of packets sent during a scan is important to evade detection. Let’s look at Nmap’s timing templates to learn how to perform stealthier scans.

What are Nmap timing templates?

In Nmap, a timing template refers to the set of options that control the speed and aggressiveness of a scan. Nmap provides several predefined timing templates that we can use to adjust the timing of the scan to suit our needs.

The timing template determines how long Nmap should wait for a response to a packet it sends and how many packets to send in a certain period of time. This allows us to adjust the scan per our requirements, whether we’re looking to quickly gather information about a target or perform a more thorough and detailed scan.

To specify a timing template in Nmap, we can use the -T option followed by a letter representing the desired template. For example, to use the sneaky timing template, we can use the -T1 option. There are six timing templates in total. Let’s look at each one of them.

Six timing templates

T0 (paranoid scan)

This template is the slowest and most conservative. It sends probes one at a time, with a long delay between each probe. This template is extremely useful for avoiding detection, but it might take a long time to complete the scan.

This is also the type of scan attackers perform when attacking a large organization or state entity. This helps them avoid detection. However, the scans can take weeks or even months to complete for an entire network of computers.

Here’s how we run a paranoid scan:

Get hands-on with 1200+ tech skills courses.