How do I configure the scan profile to speed up the scan?

There are a couple of different settings you can change to speed up your scans. This article covers how to configure them.

You will find information about setting up your scan profile in this article: https://support.holmsecurity.com/hc/en-us/articles/212841809

Host Discovery

To speed up the host discovery phase, try removing the "ICMP" ping, as most servers block it. If ICMP does not detect anything, the scanning engine falls back to the TCP SYN method, but that still costs time, especially for big IP address ranges.

Difference between "TCP SYN" and "TCP SYN and ACK"

There is no difference in speed; the difference is in the methods used to discover live hosts. The "SYN and ACK" method maximizes the chances of bypassing firewalls, because new connections from outside the network are often blocked, so SYN packets are simply ignored, whereas ACK packets (which imply an already established connection) can pass those firewall rules.
There is no winner between the two: in different scenarios they can show different results, so the best approach is to switch to the other if one fails or gives inaccurate results.

Port discovery

For TCP scans, the "TCP SYN scan" method is used by default. It is the most popular scan option because it can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy, since it never completes TCP connections. It is also useful when checking both TCP and UDP ports, because with this method TCP and UDP ports are checked at the same time, which saves a lot of time.

Of course, discovering UDP ports takes more time because of how the protocol works, so to speed up the port discovery phase, try choosing UDP "Port coverage: Light scan". This covers only a few, but the most popular, UDP ports (~30 UDP ports including DNS, SNMP, and DHCP: registered ports 53, 161/162, and 67/68).

How to optimize scanning time by ignoring RST rate limits is explained here: https://support.holmsecurity.com/hc/en-us/articles/212841809

Tips to increase the speed:

  1. Be aware that the 3-way handshake is considered an old method that takes much more time to explore ports compared to the SYN scan (which is used by default). There are some edge cases where the 3-way handshake performs faster, so if a scan takes unusually long, try using it instead of TCP SYN.
  2. You can lower the "Port coverage" to "Light scan", but be aware that it will only check ports from the predefined list, which can be found here: https://support.holmsecurity.com/hc/en-us/articles/212609249

Note: After port discovery is completed, the scanner only works with the ports that were found open during this phase, so the platform is already optimized in that respect.

Moving on to the next part, "Performance", in your scan profile:

Here you set the scan intensity. The options can be compared with the "Timing Policy" options available in nmap:

LOW - nmap "Polite"
NORMAL - nmap "Normal"
HIGH - nmap "Aggressive"

LOW mode slows down the scan to use less bandwidth and target machine resources. NORMAL mode is the default and so -T3 does nothing. HIGH mode speeds scans up by making the assumption that you are on a reasonably fast and reliable network.

Try selecting the "High" option; this speeds up the port discovery phase. The downside is that some ports may be missed or incorrectly classified.
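
The settings discussed in this article, expressed as their closest nmap equivalents together with the speed trade-offs described above. This is an added example, not Holm Security's code or the platform's implementation: the profile keys, the TCP port range and the two sample profiles are constructed, and the flag mapping is an approximation based on the article's comparison with nmap.

```python
# Added example: maps the scan-profile choices from this article to nmap flags.
# Profile keys and values are hypothetical names, not the platform's API.
TIMING = {"LOW": "-T2", "NORMAL": "-T3", "HIGH": "-T4"}  # Polite/Normal/Aggressive
DISCOVERY = {"SYN": ["-PS"], "SYN_ACK": ["-PS", "-PA"]}
TCP_METHOD = {"SYN": "-sS", "CONNECT": "-sT"}  # CONNECT = full 3-way handshake
UDP_PORTS = {"OFF": None, "LIGHT": "U:53,67,68,161,162",  # ports the article names
             "FULL": "U:1-65535"}

def review_profile(profile, targets):
    """Return (nmap argv, speed notes) for one scan-profile dict."""
    for key, table in (("intensity", TIMING), ("discovery", DISCOVERY),
                       ("tcp_method", TCP_METHOD), ("udp", UDP_PORTS)):
        if profile[key] not in table:
            raise ValueError(f"unknown {key}: {profile[key]!r}")
    argv, notes = ["nmap"], []
    if profile["icmp"]:
        argv.append("-PE")
        notes.append("ICMP ping is often blocked; drop it for large ranges")
    argv += DISCOVERY[profile["discovery"]]
    argv.append(TCP_METHOD[profile["tcp_method"]])
    if profile["tcp_method"] == "CONNECT":
        notes.append("3-way handshake is usually slower than TCP SYN")
    ports = "T:" + profile["tcp_ports"]
    if profile["udp"] != "OFF":
        argv.append("-sU")
        ports += "," + UDP_PORTS[profile["udp"]]
    if profile["udp"] == "FULL":
        notes.append("full UDP coverage is slow; consider Light scan")
    argv += ["-p", ports]
    if profile.get("ignore_rst_ratelimit"):
        argv.append("--defeat-rst-ratelimit")
    argv.append(TIMING[profile["intensity"]])
    if profile["intensity"] == "HIGH":
        notes.append("HIGH may miss or misclassify ports")
    elif profile["intensity"] == "LOW":
        notes.append("LOW trades speed for less bandwidth and target load")
    return argv + list(targets), notes

# Constructed sample profiles; 192.0.2.0/24 is a documentation-only range.
SLOW = {"icmp": True, "discovery": "SYN", "tcp_method": "CONNECT",
        "tcp_ports": "1-1024", "udp": "FULL", "intensity": "LOW"}
FAST = {"icmp": False, "discovery": "SYN_ACK", "tcp_method": "SYN",
        "tcp_ports": "1-1024", "udp": "LIGHT", "intensity": "HIGH",
        "ignore_rst_ratelimit": True}

if __name__ == "__main__":
    for name, prof in (("slow", SLOW), ("fast", FAST)):
        argv, notes = review_profile(prof, ["192.0.2.0/24"])
        print(name, " ".join(argv), notes, sep="\n  ")
```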
