Running Nmap on a schedule

Posted on 2016-08-17
Last Modified: 2016-09-05
What is the best way to run Nmap on a schedule in windows.

We want to be able to run Nmap scans on a daily basis that are run on a schedule.
Question by:VH
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 95

Assisted Solution

by:John Hurst
John Hurst earned 100 total points (awarded by participants)
ID: 41759161
Here is a summary of nmap commands:

Work out the commands you want and then, you can also output to a file using a command: nmap -oG test.txt

Once you have worked out this, you can make a scheduled task with Task Scheduler.
LVL 63

Accepted Solution

btan earned 400 total points (awarded by participants)
ID: 41759187
By default there isn't a NMAP scheduled scan. But there can be a script with other tools to work off something similar. But the example is for non-windows for e.g. Using Nmap, Ndiff, cron, and a shell script, it's possible to scan a network daily and get email reports of the state of the network and changes since the previous scan
But I am thinking ZenMap for Windows and tap on windows scheduler for the schedule approach as well as have ndiff to compare btw differen XML result from the scan. But it is not readily automated. There is a Scandiff tools that is based on Powershell that does this
Scandiff is a PowerShell script to automate host discovery and scanning with nmap. This script was written to perform nmap host discovery and port scanning from a remote network and send the results to a recipient through email. After discovering and scanning hosts, scandiff performs an nmap ndiff on the output against previous results, 7zips all generated output, and optionally emails all output to a specified email address.
Using scandiff:
 .\scandiff-0.9.ps1 -frequency [daily|weekly] -basename foo -outdir X:\path\to\output\directory -targets (nmap-style target specification or path to file containing targets) -email [0|1] -discover [0|1]

 ./scandiff.ps1 -frequency daily -basename nmap-output -targets,
 ./scandiff.ps1 -frequency daily -basename nmap-output -targets c:\targets.txt

Scandiff takes a number of arguments. The usage of each argument is described below:

PARAMETER frequency
 Frequency is either daily or weekly.

Daily performs discovery using a limited set of ports and performs an nmap scan using the default nmap TCP port list.

Weekly performs a discovery using a limited set of ports and performs an nmap scan using the full TCP port range and a limited set of UDP ports defined in the script.

But primarily, you should consider your target topology and aggressiveness when in scheduling of NMAP scan as it affect the finding accuracy and resource required for a timely picture update of your system. For example, you will not want to have too big of a window span in between scans nor have a very short window span such that the scan is almost back to back that these scanning does not give any timely or significant results respectively. You can check out consideration for the scan times (below) and it stated techniques for improving scan times include omitting non-critical tests, and upgrading to the latest version of Nmap (performance enhancements are made frequently). For e.g. Optimizing timing parameters can also make a substantial difference. Those options are listed below.

--min-hostgroup <numhosts>; --max-hostgroup <numhosts> (Adjust parallel scan group sizes)
--min-parallelism <numprobes>; --max-parallelism <numprobes> (Adjust probe parallelization)
--min-rtt-timeout <time>, --max-rtt-timeout <time>, --initial-rtt-timeout <time> (Adjust probe timeouts)
--max-retries <numtries> (Specify the maximum number of port scan probe retransmissions)
--host-timeout <time> (Give up on slow target hosts)
--scan-delay <time>; --max-scan-delay <time> (Adjust delay between probes)
--min-rate <number>; --max-rate <number> (Directly control the scanning rate)

Furthermore, you (which you may already know) can specify them with the -T option and their number (0–5) or their name.  

-T paranoid|sneaky|polite|normal|aggressive|insane (Set a timing template)  

The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5) as below:

T0 - The main effects of T0 are serializing the scan so only one port is scanned at a time, and waiting five minutes between sending each probe.
T1 and T2 are similar but they only wait 15 seconds and 0.4 seconds, respectively, between probes.
T3 is Nmap's default behavior, which includes parallelization.
T4 does the equivalent of --max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6 and sets the maximum TCP scan delay to 10 milliseconds.
T5 does the equivalent of --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m as well as setting the maximum TCP scan delay to 5 ms.
LVL 63

Expert Comment

ID: 41784462
Scheduled means to run and leverage on scripts shared

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Sending a Secure fax is easy with eFax Corporate ( First, just open a new email message. In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question