VM Kali Linux - nmap why is so slow?

Possibilities:

  1. You are using a VM with a virtual NAT (Network Address Translation) network adapter. I have experienced profound slowdown under VirtualBox, for instance, when using NAT instead of a bridged network adapter.
  2. You are scanning something that isn't there. The -Pn option means "don't bother trying to find out if anything is listening at this address, just start port scanning it." If the target is not actually there, you'll waste a lot of time sending packets into nowhere.
  3. Your network (or your connection to the target) is slow. What is the latency to the target as measured by nmap -sn or ping? How far away is the target? What kind of network speed do you have? Any of these can impact total scan times.
  4. You are performing a lot of work. The -p- option means to scan 65535 TCP ports. Depending on network conditions and host behavior, this can be a significant amount of traffic.

bonsaiviking's answer is valid, but here are a few more points:

  1. -sT scan realise a full TCP handshake, it takes significantly longer than a -sS (SYN Stealth Scan): Basically,
    • You send a Syn, Receive a
    • Syn/Ack(Opened) or a RST packet(Closed) or nothing(filtered)
    • If you get a Syn/Ack, you complete the connection with Ack: the connection is established.

With a Syn Stealth Scan, You do not establish a full connection, therefore do not have to complete it with an Ack packet and this is much faster.

  1. You perform DNS resolution, if you scan multiple IPs or CIDR segment this would take long. you can skip this with -n

  2. You do not use Timing Optimization: Refer to https://nmap.org/book/man-performance.html ; Slow scans are annoying but reliable, fast scan can be noisy and unreliable: Nmap doesn't have time to check properly a port so gives up :(

  3. You can check why the scan is taking forever by analyzing the process in debug or verbose mode: When verbose mode doesn't provide sufficient data for you, debugging is available to flood you with much more! As with the verbosity option (-v), debugging is enabled with a command-line flag (-d) and the debug level can be increased by specifying it multiple times. Alternatively, you can set a debug level by giving an argument to -d. For example, -d9 sets level nine. That is the highest effective level and will produce thousands of lines unless you run a very simple scan with very few ports and targets.

This is what I would suggest:

sudo nmap --min-hostgroup 100 -F -sS -n -T4 <Target_IP>