MENU

Fast Scan of Large Networks with Nmap

When performing security assessments or network reconnaissance, scanning large subnets (e.g., /16 or larger) efficiently is crucial. Using default Nmap settings can result in slow, time-consuming scans. This guide provides optimized Nmap commands to perform fast and effective scans across large networks by tuning timing, parallelism, and port selection.

Optimized Nmap Command for Speed

The following command is designed for rapid scanning of large networks by focusing on common critical ports and aggressively optimizing performance settings: 

nmap -sT -p 21,22,80,443,3306,3389,8000,8080 -T5 \
--min-hostgroup 250 --min-parallelism 40 --max-parallelism 250 \
--max-rtt-timeout 600ms --max-scan-delay 2s --min-rate 10000 \
--max-retries 2 --host-timeout 3m -Pn 10.38.0.0/16

Explanation of Key Parameters:

  • -sT: TCP connect scan (does not require root privileges).
  • -p [ports]: Scan only the most commonly exploited or relevant ports.
  • -T5: Insane timing template (fastest, but may be noisy).
  • --min-hostgroup 250: Scans hosts in batches of at least 250 to improve efficiency.
  • --min-parallelism 40: Sends at least 40 probes in parallel.
  • --max-parallelism 250: Limits parallel probes to avoid overwhelming the system.
  • --max-rtt-timeout 600ms: Reduces wait time for response.
  • --max-scan-delay 2s: Limits delay between probes.
  • --min-rate 10000: Sends at least 10,000 packets per second.
  • --max-retries 2: Limits retransmissions to speed up timeouts.
  • --host-timeout 3m: Aborts scanning a host after 3 minutes.
  • -Pn: Skips host discovery (treats all IPs as online).

Extended Version with More Popular Ports

For a more comprehensive scan, include additional commonly used ports: 

nmap -sT -p 7,20,21,22,23,25,53,80,443,587,593,902,989,1194,2484,3306,3389,5000,5432,5672,8000,8080,9200,9300,12345,11211 -T5 \
--min-hostgroup 250 --min-parallelism 40 --max-parallelism 250 \
--max-rtt-timeout 600ms --max-scan-delay 2s --min-rate 10000 \
--max-retries 2 --host-timeout 3m -Pn 10.38.0.0/16

This version includes ports used by services such as DNS (53), SMTP (25, 587), PostgreSQL (5432), Redis (6379), Elasticsearch (9200), and more.

Quick Host Discovery via ICMP Ping Sweep (Windows)

Before running a full Nmap scan, identify active hosts using a fast ICMP ping sweep on Windows: 

FOR /L %i IN (1,1,254) DO @ping -n 1 -w 300 192.168.0.%i | FIND /i "TTL" >> ips.txt

This script pings all IPs from 192.168.0.1 to 192.168.0.254, with a 300ms timeout. Only responses containing "TTL" (indicating a live host) are saved to ips.txt.

Published on Aug 21, 2025