How to use the command 'rustscan' (with examples)
RustScan is a powerful and fast port scanner tool that utilizes the speed of Rust alongside the comprehensive scanning ability of nmap. Designed to operate faster than traditional tools, RustScan offers quick detection of open ports, applicable for various network diagnostic and security tasks. Its efficiency and versatility make it a preferred choice among security analysts and network administrators for vulnerability assessments and network mapping.
Scan all ports of one or more comma-delimited [a]ddresses using the default values:
Code:
rustscan --addresses ip_or_hostname
Motivation:
When you need to perform a thorough scan of all possible ports on a given address or amongst several addresses, this command is ideal. It allows for a comprehensive security assessment by checking every possible port for potential vulnerabilities, not leaving anything unchecked.
Explanation:
rustscan: This is the command invoking RustScan.
--addresses: This flag tells RustScan which addresses you want to scan.
ip_or_hostname: Replace this with the specific IP address or hostname you wish to scan.
Example Output:
[~] The following open ports were discovered:
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
This output gives a concise list of open ports and associated services.
Scan the [t]op 1000 ports with service and version detection:
Code:
rustscan --top --addresses address_or_addresses
Motivation:
For time-efficient scans where the goal is to check the most common or susceptible ports, this option filters out and checks only the top 1000 ports. It is useful for quick assessments or when dealing with numerous addresses.
Explanation:
rustscan: The command name for initiating a scan.
--top: This flag instructs RustScan to target the top 1000 known ports.
--addresses: Specifies the addresses to scan.
address_or_addresses: The target IP address or hostname(s).
Example Output:
[~] Top 1000 ports scanning:
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.29
3306/tcp open mysql MySQL 5.7.30
The result includes port numbers, their status, services, and software versions.
Scan a specific list of [p]orts:
Code:
rustscan --ports 22,80,443 --addresses address_or_addresses
Motivation:
When looking to inspect specific ports of interest, such as those generally used for web services, this targeted scanning approach allows you to focus resources and attention on pertinent ports for quick troubleshooting or security evaluations.
Explanation:
rustscan: Command to initiate RustScan.
--ports: Indicates user-defined ports for scanning.
22,80,443: Example list of ports; these are commonly associated with SSH, HTTP, and HTTPS respectively.
--addresses: Address flag for specifying targets.
address_or_addresses: Target address selection.
Example Output:
[~] Scanning specific ports:
22/tcp open ssh
80/tcp open http
443/tcp open https
This output reflects the status of the specified ports.
Scan a specific range of ports:
Code:
rustscan --range 1000-2000 --addresses address_or_addresses
Motivation:
If you are investigating a specific range of ports, perhaps due to suspected activity or customized service hosting, utilizing this command benefits specific security or performance assessments across those ports.
Explanation:
rustscan: Initiates RustScan.
--range: Signals the examination of a specific port range.
1000-2000: The defined range of ports to scan.
--addresses: Designates the target addresses.
address_or_addresses: The input target(s) for scanning.
Example Output:
[~] Ports in the range 1000-2000:
1433/tcp open ms-sql-s
1521/tcp open oracle
1723/tcp open pptp
Here, the scanner reports open ports within the specified range.
Add script arguments to nmap:
Code:
rustscan --addresses address_or_addresses -- -A -sC
Motivation:
Appending nmap scripts through RustScan allows for enhanced information retrieval about a target, blending RustScan’s speed with nmap’s comprehensive scripting library for deeper network insights – ideal for advanced diagnostics or penetration testing.
Explanation:
rustscan: The initiating command for RustScan operations.
--addresses: Indicates the address input for scanning.
address_or_addresses: Target addresses for the scan.
--: This separator passes everything after it directly to nmap.
-A -sC: nmap flags for aggressive scanning (OS, version detection, etc.) and using default scripts.
Example Output:
Host up: 0.0030s latency.
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 8f:c4:7d:7e:d8:00:98:92 (RSA)
80/tcp open http Apache httpd 2.4.29
This output contains deeper details like service versions and SSH host keys.
Scan with custom [b]atch size (default: 4500) and [t]imeout (default: 1500ms):
Code:
rustscan --batch-size 5000 --timeout 2000 --addresses address_or_addresses
Motivation:
Tuning batch sizes and timeouts is essential when network reliability and speed vary. Adjustments lead to improved scan performance, accommodating network conditions or specific scanning requirements by avoiding timeouts and ensuring all packets are handled properly.
Explanation:
rustscan: Initiates the RustScan tool.
--batch-size: Specifies the number of packets per batch. Here, it is increased from the default 4500 to 5000 for larger data processing.
--timeout: The maximum wait time for a response, increased here to 2000 milliseconds for reliability in slower environments.
--addresses: Designates the target for scanning.
address_or_addresses: Input address(es).
Example Output:
Custom batch-size and timeout configuration:
Port Status
22/tcp open
80/tcp open
443/tcp open
This output reflects the success of the scan while accounting for user-configured operational parameters.
Scan with specific port order:
Code:
rustscan --scan-order random --addresses address_or_addresses
Motivation:
Executing scans in a randomized port order can be an effective method to evade detection by port monitoring security systems, adding a layer of stealth during penetration testing exercises.
Explanation:
rustscan: Utilizes RustScan.
--scan-order: Dictates the sequence in which ports are scanned, with options like serial or random.
random: Selecting random here ensures the scanning sequence is nondeterministic.
--addresses: Indicates target address or addresses.
address_or_addresses: Specifies the host(s) to scan.
Example Output:
Randomized scanning order:
443/tcp open https
22/tcp open ssh
80/tcp open http
Ports are scanned and reported in a non-sequential manner for stealth.
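Probe order does not change how many distinct ports a source touches, so a monitoring rule can count that instead of looking for sequences. The sketch below is an added example, not part of the original page or of RustScan; the record format `epoch src dst dport`, the threshold and all addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: order-independent scan detection over connection records.
# Record format "epoch src dst dport" and all addresses are constructed.

# flag_scanners MIN: print "src dst count" for every source that touched at
# least MIN distinct ports on one destination, whatever order it used.
flag_scanners() {
    awk -v min="$1" '
        {
            pair = $2 " " $3
            if (!((pair, $4) in seen)) {   # count each port once per pair
                seen[pair, $4] = 1
                distinct[pair]++
            }
        }
        END {
            for (p in distinct)
                if (distinct[p] >= min) print p, distinct[p]
        }
    ' | sort
}

# Constructed sample: .7 probes serially, .9 in shuffled order, .3 is a client.
sample_log() {
    cat <<'EOF'
1700000000 198.51.100.7 192.0.2.10 20
1700000000 198.51.100.7 192.0.2.10 21
1700000000 198.51.100.7 192.0.2.10 22
1700000001 198.51.100.7 192.0.2.10 23
1700000001 198.51.100.7 192.0.2.10 24
1700000001 198.51.100.7 192.0.2.10 25
1700000002 198.51.100.9 192.0.2.10 443
1700000002 198.51.100.9 192.0.2.10 22
1700000002 198.51.100.9 192.0.2.10 8080
1700000003 198.51.100.9 192.0.2.10 3306
1700000003 198.51.100.9 192.0.2.10 80
1700000003 198.51.100.9 192.0.2.10 25
1700000004 198.51.100.3 192.0.2.10 443
1700000005 198.51.100.3 192.0.2.10 443
1700000006 198.51.100.3 192.0.2.10 443
EOF
}

# Both probing sources are reported; the repeat client on 443 is not.
sample_log | flag_scanners 5
```

In practice the records would be limited to one time window before counting, and the threshold tuned to the services the destination legitimately exposes.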
Scan in greppable mode (only output of the ports, no nmap):
Code:
rustscan --greppable --addresses address_or_addresses
Motivation:
This mode is tailored for automated processing wherein only the crucial port information is needed quickly. It suits scripts and other tools that parse outputs for specific data analysis or monitoring purposes without extra details from nmap.
Explanation:
rustscan: Key command to start the scan.
--greppable: Limits output to a more machine-friendly format, omitting nmap integration.
--addresses: Specifies targets for the operation.
address_or_addresses: Details of the host(s) to be scanned.
Example Output:
Open ports: 22, 80, 443
A simplified format perfect for automation and further processing.
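One use of this mode in monitoring is to compare the reported ports with an approved baseline and report only the drift. The script below is an added example, not part of the original page or of RustScan; it parses the line shape shown in the sample output above and, as an assumption, also an `address -> [ports]` shape, and the sample line and allow-list are constructed.

```shell
#!/bin/sh
# Added example: compare greppable scan output with an approved-port baseline.
# The sample line and the allow-list below are constructed, not captured.

# extract_ports: read scan output on stdin, print one port per line, sorted.
# Accepts "Open ports: 22, 80, 443" (the shape shown on this page) and
# "host -> [22,80,443]" (an assumed alternative shape).
extract_ports() {
    sed -n -e 's/^Open ports:[[:space:]]*//p' \
           -e 's/^.*->[[:space:]]*\[\(.*\)\][[:space:]]*$/\1/p' |
        tr -s ', ' '\n\n' | grep -E '^[0-9]+$' | sort -n -u
}

# unexpected_ports ALLOWED...: print open ports that are not in the allow-list.
unexpected_ports() {
    allowed=" $* "
    extract_ports | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;          # approved exposure
            *) echo "$port" ;;       # drift from the baseline
        esac
    done
}

# Real use would pipe the scanner in, for example:
#   rustscan --greppable --addresses address_or_addresses | unexpected_ports 22 80 443
sample='Open ports: 22, 80, 443, 3306'
drift=$(printf '%s\n' "$sample" | unexpected_ports 22 80 443)
if [ -n "$drift" ]; then
    echo "unexpected open ports: $drift"
fi
```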
Conclusion:
RustScan is an incredibly fast and adaptable tool for conducting port scans across various network environments. It efficiently bridges the gap between the need for speed and depth of analysis, catering to everyday network security assessments, penetration testing, and IT management. Understanding each use case of RustScan equips users with the ability to tailor scans to their specific needs, ensuring both broad and targeted assessments with the maximum amount of detail and accuracy.