Running Nmap on a schedule

What is the best way to run Nmap on a schedule in Windows?

We want to be able to run Nmap scans on a daily basis that are run on a schedule.
2 Solutions
John Hurst, Business Consultant (Owner), commented:
Here is a summary of nmap commands:


Work out the commands you want, and then you can also output to a file using a command: nmap -oG test.txt

Once you have worked this out, you can make a scheduled task with Task Scheduler.
btan, Exec Consultant, commented:
By default there isn't an Nmap scheduled scan, but a script combined with other tools can work off something similar. The example, though, is for non-Windows systems: e.g. using Nmap, Ndiff, cron, and a shell script, it's possible to scan a network daily and get email reports of the state of the network and changes since the previous scan.
But I am thinking of Zenmap for Windows, tapping on the Windows scheduler for the scheduling approach, and having ndiff compare the different XML results from the scans. But it is not readily automated. There is a Scandiff tool based on PowerShell that does this.
Scandiff is a PowerShell script to automate host discovery and scanning with nmap. This script was written to perform nmap host discovery and port scanning from a remote network and send the results to a recipient through email. After discovering and scanning hosts, scandiff performs an nmap ndiff on the output against previous results, 7zips all generated output, and optionally emails all output to a specified email address.
Using scandiff:
 .\scandiff-0.9.ps1 -frequency [daily|weekly] -basename foo -outdir X:\path\to\output\directory -targets (nmap-style target specification or path to file containing targets) -email [0|1] -discover [0|1]

 ./scandiff.ps1 -frequency daily -basename nmap-output -targets,scanme.nmap.org
 ./scandiff.ps1 -frequency daily -basename nmap-output -targets c:\targets.txt

Scandiff takes a number of arguments. The usage of each argument is described below:

PARAMETER frequency
 Frequency is either daily or weekly.

Daily performs discovery using a limited set of ports and performs an nmap scan using the default nmap TCP port list.

Weekly performs a discovery using a limited set of ports and performs an nmap scan using the full TCP port range and a limited set of UDP ports defined in the script.

But primarily, you should consider your target topology and aggressiveness when scheduling an Nmap scan, as they affect the accuracy of the findings and the resources required for a timely picture of your system. For example, you will not want too big a window between scans, nor such a short window that the scans run almost back to back; these do not give timely or significant results, respectively. You can check out the considerations for scan times (below), which state that techniques for improving scan times include omitting non-critical tests and upgrading to the latest version of Nmap (performance enhancements are made frequently). For example, optimizing timing parameters can also make a substantial difference. Those options are listed below.

--min-hostgroup <numhosts>; --max-hostgroup <numhosts> (Adjust parallel scan group sizes)
--min-parallelism <numprobes>; --max-parallelism <numprobes> (Adjust probe parallelization)
--min-rtt-timeout <time>, --max-rtt-timeout <time>, --initial-rtt-timeout <time> (Adjust probe timeouts)
--max-retries <numtries> (Specify the maximum number of port scan probe retransmissions)
--host-timeout <time> (Give up on slow target hosts)
--scan-delay <time>; --max-scan-delay <time> (Adjust delay between probes)
--min-rate <number>; --max-rate <number> (Directly control the scanning rate)

Furthermore, as you may already know, you can specify the timing templates with the -T option and their number (0–5) or their name.

-T paranoid|sneaky|polite|normal|aggressive|insane (Set a timing template)  

The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5) as below:

T0 - The main effects of T0 are serializing the scan so only one port is scanned at a time, and waiting five minutes between sending each probe.
T1 and T2 are similar but they only wait 15 seconds and 0.4 seconds, respectively, between probes.
T3 is Nmap's default behavior, which includes parallelization.
T4 does the equivalent of --max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6 and sets the maximum TCP scan delay to 10 milliseconds.
T5 does the equivalent of --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m as well as setting the maximum TCP scan delay to 5 ms.
btan, Exec Consultant, commented:
Scheduled means to run and leverage on scripts shared
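
The two answers combined (Task Scheduler plus an ndiff comparison of XML output), as an added example that is not part of the original thread and is not scandiff's code. It assumes nmap and ndiff are on PATH, and the paths C:\Scans\targets.txt and C:\Scans\out and the task name are hypothetical.

```powershell
# Added example: daily Nmap scan with an ndiff comparison against the previous run.
# Assumptions (not from the thread): nmap and ndiff on PATH; paths and task name below.
param(
    [string]$Targets = 'C:\Scans\targets.txt',  # hypothetical: one in-scope target per line
    [string]$OutDir  = 'C:\Scans\out',          # hypothetical output directory
    [switch]$Install                            # register the daily task instead of scanning
)

if ($Install) {
    # Task Scheduler entry that re-runs this script every day at 02:00.
    # The machine's execution policy must allow this script to run.
    $taskArgs = "-NoProfile -File `"$PSCommandPath`" -Targets `"$Targets`" -OutDir `"$OutDir`""
    $action   = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $taskArgs
    $trigger  = New-ScheduledTaskTrigger -Daily -At '02:00'
    Register-ScheduledTask -TaskName 'Daily Nmap Scan' -Action $action -Trigger $trigger -ErrorAction Stop | Out-Null
    return
}

New-Item -ItemType Directory -Force -Path $OutDir -ErrorAction Stop | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'   # sortable, so name order equals time order
$current = Join-Path $OutDir "scan-$stamp.xml"

# Newest earlier result, looked up before this run's file exists.
$previous = Get-ChildItem -Path $OutDir -Filter 'scan-*.xml' |
    Sort-Object Name | Select-Object -Last 1

# -oX writes the XML that ndiff compares; -T4 and --host-timeout are the
# timing controls listed in the answer above; -iL reads targets from a file.
& nmap -T4 --host-timeout 15m -iL $Targets -oX $current
if ($LASTEXITCODE -ne 0) { throw "nmap exited with code $LASTEXITCODE" }

if ($previous) {
    $diff = Join-Path $OutDir "diff-$stamp.txt"
    & ndiff $previous.FullName $current | Set-Content -Path $diff
    # ndiff exit codes: 0 = scans identical, 1 = scans differ, 2 or higher = error.
    switch ($LASTEXITCODE) {
        0       { Write-Output 'No changes since the previous scan.' }
        1       { Write-Output "Changes detected, see $diff" }
        default { throw "ndiff failed with exit code $LASTEXITCODE" }
    }
} else {
    Write-Output "First run: baseline saved to $current"
}
```

Run the script once with -Install from an elevated prompt to create the task; the first scheduled run only records a baseline, and each later run writes a diff file.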
