Performance Tuning, Evasion Techniques, and Counter-Detection
Timing Templates and Granular Control
Nmap's -T templates trade speed against stealth and network load. The useful range runs from -T0 (paranoid, one packet every five minutes) through -T5 (insane, maximum throughput with potential accuracy loss). For most authorized assessments, -T3 (normal) is the default, -T4 is the aggressive lab standard, and -T5 risks duplicate reports from dropped probes.
The templates configure a matrix of internal timers. When you need surgical control, override them individually:
nmap -sS -p- --min-parallelism 50 --max-retries 2 --host-timeout 10m 192.0.2.0/24
What it does: SYN-scans all 65,535 TCP ports with at least 50 probes in flight, retransmitting each probe at most 2 times and abandoning a host after 10 minutes. When to use it: Scanning a stable lab network where you need completion certainty against firewalled hosts that silently drop packets. Risks: High parallelism can overwhelm state tables on low-end gear or trigger rate-limiting. Expected output: Standard Nmap port table with `open`, `closed`, `filtered`, or `unfiltered` states per host; hosts hitting `--host-timeout` report as SKIPPED.
| Template | Behavior | Typical Use Case |
|---|---|---|
| `-T0` / `-T1` | Serial, 5 min / 15 sec between probes | IDS evasion, extremely sensitive targets |
| `-T2` | Polite, 0.4 sec between probes | Light load on shared infrastructure |
| `-T3` | Default dynamic timing | General-purpose scanning |
| `-T4` | Aggressive, 10 ms between groups, variable parallelism | Lab environments, time-boxed assessments |
| `-T5` | Insane, 5 ms timeout assumptions | Local gigabit segments only; expect false negatives |
A common mistake: assuming -T5 finds more. It often finds less, because Nmap's timing estimators assume network conditions that congested or filtered paths violate. A port marked filtered at -T5 may reveal itself as open at -T3 with --max-retries 3.
Lab variant (full rate):
nmap -sS -T4 -p- --min-rate 1000 --max-rtt-timeout 500ms 10.0.0.0/24
Production variant (constrained):
nmap -sS -T2 -p 22,80,443,8080-8090 --max-rate 100 --max-retries 3 10.0.0.0/24
Fragmentation, MTU Manipulation, and Decoy Scanning
Nmap supports IP fragmentation with -f (splitting the transport header into 8-byte fragments after the IP header) and --mtu for custom fragment sizes. The goal is to split header information across fragments, forcing reassembly before inspection. This targets older or poorly configured IDS/IPS sensors that lack full reassembly engines.
nmap -sS -f --send-eth -p 22,80,443 192.0.2.100
What it does: Fragments SYN probes into 8-byte payloads, bypassing some simple pattern matchers; `--send-eth` forces raw Ethernet frames so that Nmap, not the OS IP stack, controls fragmentation. When to use it: Validating whether a target's edge sensor reassembles before alerting. Risks: Modern sensors reassemble fragments; this often fails against Suricata with `reassemble_fragments: yes` or Palo Alto devices. Expected output: Identical port states to the non-fragmented scan if reassembly occurs; discrepancies reveal sensor gaps.
Decoy scanning (-D) obscures the true source by interleaving spoofed probes from fake or real hosts:
nmap -sS -D 198.51.100.1,ME,198.51.100.2 -p 80,443 192.0.2.100
What it does: Sends scans from three apparent sources; `ME` positions your real IP among the decoys. The target logs all three; only the true source receives replies. When to use it: Testing whether log analysts correlate alerts or simply count sources. Risks: Spoofed decoys to live hosts generate backscatter and RST storms; using real but unauthorized third-party IPs is abusive. Expected output: Your console shows responses; target logs show multiple sources.
⚠️ Authorized, defensive use only. Use these techniques only in lab environments or in explicitly authorized detection-validation exercises.
| Mistake | Why it bites you |
|---|---|
| `-f` without `--send-eth` or `--send-ip` | OS stack often reassembles before transmission, nullifying fragmentation |
| Decoys that are live, responsive hosts | Their RST responses to unsolicited SYNs create noise that helps analysts isolate the true scanner |
| `--mtu` values not multiples of 8 | Nmap rejects or misfragments; check with `nmap --mtu 16` vs. `nmap --mtu 17` |
Source Port Spoofing, MAC Spoofing, and Proxy Chains
Some firewall rules trust traffic from specific source ports (legacy DNS: 53, FTP data: 20). Nmap's --source-port exploits this:
nmap -sS --source-port 53 -p 22,80 192.0.2.100
What it does: Originates SYN probes from source port 53, potentially matching `any port 53` firewall rules. When to use it: Auditing rule sets that conflate port number with service trust. Risks: Return traffic to port 53 may conflict with local DNS processes or fail to reach your socket without `SO_REUSEADDR` manipulation. Expected output: Ports that show `open` with the spoof but `filtered` without it confirm weak rule logic.
MAC address spoofing (--spoof-mac) operates only on local Ethernet segments and requires root:
nmap -sS --spoof-mac 00:11:22:33:44:55 -e eth0 192.0.2.100
proxychains integration routes Nmap through SOCKS4/5 or HTTP proxies, adding latency but obscuring origin. Configure /etc/proxychains.conf, then:
proxychains nmap -sT -Pn -n --max-retries 1 198.51.100.0/24
What it does: Forces TCP connect scans (`-sT`) through the proxy chain; `-Pn` skips host discovery (ICMP won't traverse the proxy); `-n` disables DNS resolution. When to use it: External perspective testing through a pivot or commercial scanning service. Risks: proxychains wraps sockets via LD_PRELOAD, which Nmap's raw scans bypass; only `-sT` reliably works. Expected output: Slower completion with proxy latency injected; identical state semantics.
Idle/Zombie Scan Mechanics
The idle scan (-sI) is Nmap's most source-anonymous technique. It exploits predictable IPID sequences on a "zombie" host to infer port states without sending packets from your IP to the target.
Mechanism: (1) Query the zombie's IPID; (2) Forge a SYN to the target with the zombie's source address; (3) If the port is open, the target replies SYN/ACK to the zombie, which answers the unexpected SYN/ACK with a RST and thereby increments its IPID by 1; if the port is closed, the target sends a RST that the zombie ignores (IPID unchanged); if filtered, nothing reaches the zombie (IPID unchanged); (4) Re-query the zombie's IPID, which consumes one more increment. A delta of 2 means the port is open; a delta of 1 means closed or filtered.
Finding suitable zombies requires hosts with incremental IPID allocation and low traffic:
nmap -sI 192.0.2.50:80 -p 22,80,443 198.51.100.25
What it does: Uses `192.0.2.50` as the zombie, with port 80 as the zombie probe port (must be open for IPID sampling). When to use it: Extreme anonymity requirements in authorized red-team exercises. Risks: Zombies with randomized or zero IPID (modern Linux, Windows post-Vista) break the technique; high-traffic zombies yield ambiguous deltas. Expected output: Port states inferred via IPID changes; no packets from your IP to the target except the initial zombie probes.
Zombie suitability test:
nmap -sS -O -v --script ipidseq 192.0.2.50
Lab (aggressive zombie discovery):
nmap -n -Pn -sS -p 80 --script ipidseq --script-args probeport=80 192.0.2.0/24 | grep -i "incremental"
Production (single verified zombie, slow rate):
nmap -sI 192.0.2.50 -p 22,80,443 -T2 --max-retries 2 198.51.100.25
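The IPID arithmetic behind the mechanism and the zombie-suitability test above, as an added worked example (this is not Nmap's code and not the ipidseq script itself): it classifies a sampled IPID sequence into allocation classes modelled on what ipidseq reports, and reads a before/after delta as a port state. The class names, the byte-swap check and the `busy_threshold` cut-off are simplifications I chose for illustration, not Nmap's exact algorithm. The same classifier is what a defender runs against their own hosts to find counters that are globally incremental and therefore usable by a third party.

```python
"""Added example (not Nmap's code): classify a host's IP ID allocation in the
style of the ipidseq NSE script, and interpret idle-scan IPID deltas.
Classes and thresholds are a simplified model, not Nmap's exact algorithm."""


def ipid_deltas(ipids):
    """Differences between consecutive IPIDs, modulo the 16-bit field."""
    return [(b - a) & 0xFFFF for a, b in zip(ipids, ipids[1:])]


def _swap16(value):
    """Byte-swap a 16-bit value (hosts with a 'broken little-endian' counter)."""
    return ((value & 0xFF) << 8) | ((value >> 8) & 0xFF)


def classify_ipid_sequence(ipids, busy_threshold=1000):
    """Return a label for the allocation pattern of sampled IPIDs.

    busy_threshold is an assumed cut-off: small positive deltas are read as a
    shared counter that other traffic is also advancing."""
    if len(ipids) < 2:
        raise ValueError("need at least two IPID samples")
    if all(v == 0 for v in ipids):
        return "all-zeros"
    deltas = ipid_deltas(ipids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(d == 1 for d in deltas):
        return "incremental"
    if all(d == 1 for d in ipid_deltas([_swap16(v) for v in ipids])):
        return "broken-little-endian-incremental"
    if all(0 < d < busy_threshold for d in deltas):
        return "random-positive-increments"
    return "randomized"


def usable_zombie(ipids):
    """An idle-scan zombie needs a globally incremental, quiet counter."""
    return classify_ipid_sequence(ipids) == "incremental"


def idle_scan_port_state(ipid_before, ipid_after):
    """Step (4) of the mechanism: read the zombie's IPID delta as a port state."""
    delta = (ipid_after - ipid_before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "ambiguous"  # the zombie talked to someone else in between; resample


if __name__ == "__main__":
    # Constructed samples, not measurements from real hosts
    samples = {
        "quiet-legacy-host": [30001, 30002, 30003, 30004, 30005],
        "byte-swapped-counter": [0x0100, 0x0200, 0x0300, 0x0400],
        "busy-legacy-host": [100, 150, 300, 310, 905],
        "modern-randomized": [12034, 61002, 3, 44100, 9127],
        "zero-ipid-host": [0, 0, 0, 0],
    }
    for name, seq in samples.items():
        print(f"{name:22s} {classify_ipid_sequence(seq):35s} zombie={usable_zombie(seq)}")
    print(idle_scan_port_state(30001, 30003))  # open
```

Only the "incremental" class is usable; a busy host with positive but irregular deltas produces the ambiguous samples the text warns about, and a randomized or zero counter yields nothing at all.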
Adapting to IDS/IPS and Firewall Logging
Evasion is an arms race, not a solution. Modern sensors detect scans by volume, pattern, or behavioral anomaly—not just packet contents. Effective authorized testing mimics legitimate traffic patterns rather than chasing perfect invisibility.
Signature avoidance strategies:
| Technique | Limitation | Detection Counter |
|---|---|---|
| Packet throttling (`-T0`, `--max-rate`) | Completes slowly; patient attackers still win | Time-windowed correlation across probes |
| Protocol mismatch (`-sN`, `-sF`, `-sX`) | Null/FIN/Xmas scans fail against stateful filters and log as anomalies anyway | Track rare flag combinations |
| Randomized target order (`--randomize-hosts`) | Breaks sequential logs but not behavioral models | Cluster analysis by timing and probe distribution |
| Decoys (`-D`) | Multiple sources increase analyst workload | TTL analysis, TCP timestamp correlation, payload entropy matching |
The honest truth: a determined, resourced defender with full packet capture wins against a single scanner. Evasion buys time against lazy analysts or undersized sensors. Plan for detection and have your authorization documentation ready.
Defensive Perspective: Recognizing Nmap in Logs
Blue-team value comes from understanding scanner fingerprints. Nmap's default SYN scan exhibits predictable patterns that tcpdump reveals:
sudo tcpdump -i eth0 -nn 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0' -c 20
Realistic output sample:
14:32:10.123456 IP 203.0.113.50.54321 > 192.0.2.100.80: Flags [S], seq 1234567890, win 1024, length 0
14:32:10.123512 IP 203.0.113.50.54322 > 192.0.2.100.443: Flags [S], seq 1234567900, win 1024, length 0
14:32:10.123578 IP 203.0.113.50.54323 > 192.0.2.100.22: Flags [S], seq 1234567910, win 1024, length 0
Fingerprintable elements: source ports increment sequentially (54321, 54322, 54323), TCP window size is fixed at 1024 (Nmap default for some probe types), initial sequence numbers advance predictably, and probes arrive in tight temporal clusters.
Suricata/Snort rule for SYN stealth detection:
alert tcp any any -> any any (
msg:"NMAP TCP SYN Stealth Scan";
flags:S;
ack:0;
threshold:type both, track by_src, count 20, seconds 60;
reference:url,https://nmap.org/book/synscan.html;
classtype:attempted-recon;
sid:1000001;
rev:1;
)
This fires on 20 SYN-without-ACK packets from a single source in 60 seconds. Tune count and seconds to your baseline—legitimate applications can trigger at aggressive thresholds.
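The rule's threshold logic and the fingerprint elements listed above, applied to tcpdump text output as an added example (my code, not from the page or any IDS vendor): it parses `-nn` lines, counts bare SYNs per source over a 60-second sliding window, and reports sequential source ports, a fixed window of 1024 and destination-port spread for each alert. The sample capture is constructed inline; `q.clear()` after an alert is my approximation of `threshold:type both`, which alerts once per interval rather than on every packet.

```python
"""Added example (not from the page or any vendor): apply the Snort rule's logic
(bare SYN, track by source, 20 in 60 s) to tcpdump text output and report the
fingerprint elements described above. Sample traffic is constructed."""
import re
from collections import defaultdict, deque

# tcpdump -nn line: time, src.port > dst.port, flags, optional seq/ack, window
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\], "
    r"(?:seq \d+(?::\d+)?, )?(?:ack \d+, )?win (?P<win>\d+)"
)


def parse_line(line):
    """Return a packet dict for a tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hh, mm, ss = m["ts"].split(":")
    return {
        "ts": int(hh) * 3600 + int(mm) * 60 + float(ss),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "flags": m["flags"], "win": int(m["win"]),
    }


def fingerprint(pkts):
    """Heuristics from the text: sequential source ports, fixed win 1024, port spread."""
    sports = [p["sport"] for p in pkts]
    seq_pairs = sum(1 for a, b in zip(sports, sports[1:]) if b - a == 1)
    return {
        "sequential_sport_ratio": seq_pairs / max(len(sports) - 1, 1),
        "fixed_win_1024": {p["win"] for p in pkts} == {1024},
        "distinct_dports": len({p["dport"] for p in pkts}),
    }


def syn_scan_alerts(lines, count=20, seconds=60):
    """Sliding-window equivalent of 'flags:S; ack:0; threshold:type both, track by_src'."""
    windows = defaultdict(deque)
    alerts = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["flags"] != "S":   # "[S]" only: SYN set, ACK clear
            continue
        q = windows[pkt["src"]]
        q.append(pkt)
        while q and pkt["ts"] - q[0]["ts"] > seconds:
            q.popleft()
        if len(q) >= count:
            alerts.append({"src": pkt["src"], "n": len(q),
                           "first": q[0]["ts"], "last": pkt["ts"],
                           "fingerprint": fingerprint(list(q))})
            q.clear()   # 'type both': one alert per window, then start over
    return alerts


def constructed_capture():
    """Constructed sample lines (not a real capture): one benign handshake plus a
    burst of 25 bare SYNs from one source showing the pattern the text describes."""
    lines = [
        "14:32:09.900001 IP 198.51.100.7.40001 > 192.0.2.100.443: Flags [S], seq 1, win 64240, length 0",
        "14:32:09.900420 IP 192.0.2.100.443 > 198.51.100.7.40001: Flags [S.], seq 2, ack 2, win 65160, length 0",
        "14:32:09.900800 IP 198.51.100.7.40001 > 192.0.2.100.443: Flags [.], ack 3, win 502, length 0",
    ]
    ports = [80, 443, 22, 25, 3389, 8080, 445, 139, 21, 23,
             110, 143, 993, 995, 53, 135, 1433, 3306, 5900, 8443]
    for i in range(25):
        lines.append(
            f"14:32:10.{123456 + 66 * i:06d} IP 203.0.113.50.{54321 + i} > "
            f"192.0.2.100.{ports[i % len(ports)]}: Flags [S], seq {1234567890 + 10 * i}, "
            f"win 1024, length 0"
        )
    return lines


if __name__ == "__main__":
    for alert in syn_scan_alerts(constructed_capture()):
        print(alert)
```

The benign client sends a single SYN and never reaches the threshold, while the scanning source trips it on its 20th probe with a sequential-port ratio of 1.0 and a constant window; lowering `count` or raising `seconds` shows how quickly busy legitimate clients start to match, which is the baseline tuning the text calls for.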
For zombie scan detection, monitor for IPID anomalies: a single host showing IPID increments of exactly 2 with interleaved external connections suggests forged-source probing. Log IPID sequences where feasible.
Responsible Disclosure: Notify or Withhold?
Discovering evasion-capable gaps in defensive infrastructure creates an uncomfortable choice. The professional standard: notify the infrastructure owner before demonstrating impact, unless you are the owner or hold explicit authorization to validate without pre-briefing. Withholding techniques from a report to "stay useful for next engagement" is a career-limiting move that erodes trust. Document what you found, how you found it, and what a less constrained adversary could achieve. The value of a red team is measured by what defenses improve, not by what tricks remain secret.