Performance Optimization
Optimizing the performance of scanning and enumeration tools is crucial to efficiently conduct security assessments. Proper optimization reduces scan time, minimizes network impact, and can help evade detection. This guide focuses on best practices for performance optimization across common security tools.
Scan Performance Considerations
When planning and executing scans, consider these key factors:
Production Impact: High-intensity scans can negatively affect production systems
Network Load: Excessive packets may congest network infrastructure
Detection Risk: Aggressive scanning increases the chance of triggering security controls
Time Constraints: Assessment windows may be limited and require efficiency
Target Resilience: Some targets may be unable to handle aggressive scanning
Nmap Performance Optimization
Nmap offers several parameters to control scan speed and resource usage:
RTT Timeouts
Round-Trip Time (RTT) affects how long Nmap waits for responses:
# Default scan
sudo nmap 10.129.2.0/24 -F
# Optimized RTT
sudo nmap 10.129.2.0/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms
The optimized scan can be significantly faster (as seen in the example below), but may miss some hosts:
Default: 256 IP addresses (10 hosts up) scanned in 39.44 seconds
Optimized: 256 IP addresses (8 hosts up) scanned in 12.29 seconds
Retry Rates
Controlling packet retries can dramatically speed up scans:
# Default retry behavior
sudo nmap 10.129.2.0/24 -F
# No retries
sudo nmap 10.129.2.0/24 -F --max-retries 0
Reducing retries sacrifices reliability for speed:
Default: 23 open ports found
No retries: 21 open ports found
Packet Rates
Setting packet transmission rates is extremely effective for increasing scan speed:
# Default scan
sudo nmap 10.129.2.0/24 -F -oN tnet.default
# Rate-optimized scan
sudo nmap 10.129.2.0/24 -F -oN tnet.minrate300 --min-rate 300
Impact on performance:
Default: 256 IP addresses scanned in 29.83 seconds
Optimized: 256 IP addresses scanned in 8.67 seconds
In this case, both scans found the same number of open ports (23), making this an effective optimization.
Timing Templates
Nmap provides six timing templates to simplify scan optimization:
-T 0 / -T paranoid: Extremely slow, used for IDS evasion
-T 1 / -T sneaky: Slow, also for IDS evasion
-T 2 / -T polite: Slows down to consume less bandwidth
-T 3 / -T normal: Default timing
-T 4 / -T aggressive: Faster scan assuming reliable network
-T 5 / -T insane: Extremely fast scan assuming very high bandwidth
Example usage:
sudo nmap 10.129.2.0/24 -F -oN tnet.T5 -T 5
Results:
Default: 256 IP addresses scanned in 32.44 seconds
T5: 256 IP addresses scanned in 18.07 seconds
Optimizing Web Application Scanning Tools
Gobuster Performance
# Increase threads (default: 10)
gobuster dir -u http://target.com -w wordlist.txt -t 50
# Filter out common response lengths to reduce false positives
gobuster dir -u http://target.com -w wordlist.txt --exclude-length 400-600
FFUF Performance
# Increase threads (default: 40)
ffuf -w wordlist.txt -u https://target.com/FUZZ -t 100
# Add delay between requests to avoid overloading the server
ffuf -w wordlist.txt -u https://target.com/FUZZ -p 0.1
# Use multiple wordlists efficiently
ffuf -w domains.txt:DOMAIN -w paths.txt:PATH -u https://DOMAIN/PATH
Resource Management for Multi-Tool Scanning
When running multiple tools simultaneously:
CPU allocation: Use nice to set process priorities
nice -n 19 nmap -sV 10.129.2.0/24 &
Memory management: Monitor with htop and adjust tool parameters accordingly
Process scheduling: Use at or cron to schedule scans during off-peak hours
echo "nmap -sV 10.129.2.0/24 -oN scan.txt" | at 2am
Distributed scanning: Split large scans across multiple machines
# Machine 1
nmap -sV 10.129.2.1-50
# Machine 2
nmap -sV 10.129.2.51-100
Network Considerations
Bandwidth Management
# Use trickle to limit bandwidth
trickle -d 100 -u 100 nmap -sV 10.129.2.0/24
Connection Management
# Limit open connections with ulimit
ulimit -n 1024
Target-Specific Optimizations
Adapting to Target Response Times
For targets with slow response times:
# Increase timeout for slow targets
nmap --max-rtt-timeout 500ms 10.129.2.100
For highly responsive targets:
# Decrease timeout for fast targets
nmap --max-rtt-timeout 100ms --min-rate 300 10.129.2.100
Scan Phasing
Break scans into phases for better performance:
Discovery phase: Quick scan to find live hosts
nmap -sn 10.129.2.0/24 --max-retries 1
Service phase: Targeted scan on discovered hosts
nmap -sV -F 10.129.2.1,5,10
Deep inspection phase: Focused scans on specific services
nmap -p 80 --script http-enum 10.129.2.1
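The three phases above only pay off when each phase feeds the next automatically, so the service phase scans exactly the hosts discovery found and the deep phase targets only the hosts that actually expose the service. The script below is an added example, not part of the original guide: it parses a discovery run saved in Nmap's grepable format (-oG) and a service run saved in normal format (-oN) and builds the next phase's command line. Both outputs are constructed samples embedded in the script (no Nmap is invoked), and the function names (live_hosts, target_list, hosts_with_open_port, service_phase_cmd, deep_phase_cmd) are this example's own.

```shell
#!/bin/sh
# Added example: chain discovery -> service -> deep-inspection phases by
# deriving each target list from the previous phase's saved output.
# Runs offline: the inputs are constructed samples, and the commands for the
# next phase are printed, not executed.

# Constructed sample of "nmap -sn 10.129.2.0/24 --max-retries 1 -oG -"
DISCOVERY='# Nmap 7.94 scan initiated as: nmap -sn --max-retries 1 -oG - 10.129.2.0/24
Host: 10.129.2.1 ()   Status: Up
Host: 10.129.2.3 ()   Status: Down
Host: 10.129.2.5 ()   Status: Up
Host: 10.129.2.10 ()  Status: Up
# Nmap done -- 256 IP addresses (3 hosts up) scanned in 3.12 seconds'

# Constructed sample of "nmap -sV -F <hosts> -oN -" for the hosts found above
SERVICES='Nmap scan report for 10.129.2.1
Host is up (0.0011s latency).
PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH 8.9
80/tcp  open  http         nginx 1.18.0
Nmap scan report for 10.129.2.5
Host is up (0.0014s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds
Nmap scan report for 10.129.2.10
Host is up (0.0013s latency).
PORT    STATE SERVICE      VERSION
80/tcp  open  http         Apache httpd 2.4.52
Nmap done: 3 IP addresses (3 hosts up) scanned in 14.20 seconds'

# Phase 1 -> 2: hosts reported "Status: Up" in grepable output, one per line.
live_hosts() {
    printf '%s\n' "$1" | awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Join newline-separated hosts into Nmap's comma-separated target syntax.
target_list() {
    printf '%s\n' "$1" | awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'
}

# Phase 2 -> 3: hosts whose normal-output report shows <port>/tcp open.
# Remembers the host from each "Nmap scan report for" line; a host name in
# parentheses, if present, is stripped so only the address is kept.
hosts_with_open_port() {
    printf '%s\n' "$2" | awk -v port="$1" '
        /^Nmap scan report for/ { host = $NF; gsub(/[()]/, "", host) }
        $1 == port "/tcp" && $2 == "open" { print host }'
}

# Service phase command: only the live hosts from discovery.
service_phase_cmd() {
    echo "nmap -sV -F $(target_list "$(live_hosts "$1")")"
}

# Deep inspection command: only hosts exposing the given port.
deep_phase_cmd() {
    echo "nmap -p $1 --script http-enum $(target_list "$(hosts_with_open_port "$1" "$2")")"
}

service_phase_cmd "$DISCOVERY"   # nmap -sV -F 10.129.2.1,10.129.2.5,10.129.2.10
deep_phase_cmd 80 "$SERVICES"    # nmap -p 80 --script http-enum 10.129.2.1,10.129.2.10
```

In practice you would write each phase to a file (-oG for discovery, -oN for the service scan) and pass the file contents to these functions; the point is that the deep phase never touches 10.129.2.5, which showed no web service, so scan time and target load stay proportional to what was actually found.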
Balancing Stealth and Speed
Different scenarios require different performance profiles:
Fast Enumeration (Internal Testing)
# Maximum performance
nmap -T5 --min-rate 1000 -F 10.129.2.0/24
Stealth Enumeration (External Testing)
# Low and slow approach
nmap -T1 --max-retries 1 --randomize-hosts 10.129.2.0/24
Balanced Approach
# Good balance of speed and stealth
nmap -T3 --min-rate 100 --max-retries 2 10.129.2.0/24
Performance Testing Methodology
To find the optimal settings for a given environment:
Start with conservative settings
Run a baseline scan and record time and results
Gradually increase performance parameters
Compare results between runs
Find the point where increased performance doesn't cause missing results
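Steps 2 through 5 come down to one question per run: did the faster settings lose hosts or open ports compared with the baseline? The RTT, retry and packet-rate sections above answer it by reading the "Nmap done:" summary line and counting open ports by hand. The script below, an added example that is not part of the original guide, automates that comparison for two runs saved with -oN. The two outputs are constructed samples embedded in the script (their numbers mirror the RTT example above), and the function names (hosts_up, scan_seconds, open_ports, compare_scans, speedup) are this example's own.

```shell
#!/bin/sh
# Added example: compare a baseline Nmap run with a faster run and report
# whether the speed-up cost any coverage. Inputs are normal-output (-oN)
# text; the samples below are constructed and contain only the lines the
# parsers need (per-port result lines and the "Nmap done:" summary).

# Constructed sample: baseline run, e.g. "nmap 10.129.2.0/24 -F -oN tnet.default"
BASELINE='Nmap scan report for 10.129.2.4
Host is up (0.0012s latency).
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
Nmap scan report for 10.129.2.10
Host is up (0.0015s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Nmap done: 256 IP addresses (10 hosts up) scanned in 39.44 seconds'

# Constructed sample: same scan with --initial-rtt-timeout 50ms
# --max-rtt-timeout 100ms; two hosts and two open ports were missed.
OPTIMIZED='Nmap scan report for 10.129.2.4
Host is up (0.0012s latency).
PORT    STATE SERVICE
22/tcp  open  ssh
Nmap done: 256 IP addresses (8 hosts up) scanned in 12.29 seconds'

# Hosts Nmap reported up, taken from the "Nmap done:" summary line.
hosts_up() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9][0-9]*\) hosts* up).*/\1/p'
}

# Wall-clock duration in seconds, from the same summary line.
scan_seconds() {
    printf '%s\n' "$1" | sed -n 's/.*scanned in \([0-9.]*\) seconds.*/\1/p'
}

# Number of "<port>/<proto>  open  ..." result lines across all hosts.
open_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\// && $2 == "open"' | wc -l | tr -d ' '
}

# Verdict for step 5: "ok" when the faster run kept every host and every open
# port the baseline found, otherwise "coverage-loss" (stop increasing speed).
compare_scans() {
    base_hosts=$(hosts_up "$1");  opt_hosts=$(hosts_up "$2")
    base_ports=$(open_ports "$1"); opt_ports=$(open_ports "$2")
    if [ "$opt_hosts" -lt "$base_hosts" ] || [ "$opt_ports" -lt "$base_ports" ]; then
        echo "coverage-loss"
    else
        echo "ok"
    fi
}

# Speed-up factor (baseline seconds / faster seconds), one decimal place.
speedup() {
    awk -v b="$(scan_seconds "$1")" -v o="$(scan_seconds "$2")" 'BEGIN { printf "%.1f\n", b / o }'
}

# Stand-alone report for the two constructed runs.
printf 'hosts up:   %s -> %s\n' "$(hosts_up "$BASELINE")" "$(hosts_up "$OPTIMIZED")"
printf 'open ports: %s -> %s\n' "$(open_ports "$BASELINE")" "$(open_ports "$OPTIMIZED")"
printf 'speed-up:   %sx, verdict: %s\n' "$(speedup "$BASELINE" "$OPTIMIZED")" "$(compare_scans "$BASELINE" "$OPTIMIZED")"
```

Run it once per parameter step (RTT timeouts, then --max-retries, then --min-rate) against the same baseline file; the first step that prints "coverage-loss" marks the setting to back off from, and the printed speed-up tells you what the previous, still-complete setting gained. The packet-rate example above is the case where the verdict stays "ok" at a 3x speed-up, which is why the guide calls it the most effective of the three.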
Best Practices Summary
Test your settings: Ensure optimizations don't compromise necessary data
Start conservatively: Begin with lower speeds and increase gradually
Know your target: Adapt settings to the specific environment
Monitor impact: Watch for signs of network or target system stress
Document approach: Record successful optimization parameters for future use
Layer your scans: Start broad and light, then focus on areas of interest
By carefully managing scan performance, you can achieve the optimal balance between speed, comprehensive results, and minimal impact on target systems.