Tuesday, March 25, 2025

A detailed guide to rustscan

Hi everyone, welcome to pentestguy. Port scanners such as Nmap and Masscan are commonly used during pentesting. In this article, we focus on RustScan, a modern port scanner that finds open ports quickly. This guide will help you understand its scripting engine and how it automatically pipes results into Nmap, so we get the Nmap output as well.

Download and Install rustscan

Download the .deb.zip file if you are using a Debian-based operating system like Kali/ParrotSec. Download link: https://github.com/bee-san/RustScan/releases/tag/2.4.1


Unzip the zip file and install the deb package using the commands below.

unzip rustscan.deb.zip
sudo dpkg -i rustscan_X.X_amd64.deb

Like other tools, rustscan also has a help menu, which we can refer to.

rustscan -h

Scope/Targets

With RustScan we can define the scope or targets in multiple ways, which are given below.

For the default scan, RustScan only needs the target IP or hostname, and it automatically pipes the results to Nmap.

rustscan -a 192.168.X.X

RustScan also supports multiple targets as input, which can be a combination of IP addresses or hostnames. Use the command below to achieve this.

rustscan -a google.com,192.168.X.X

It also supports CIDR ranges, a decent choice if you are targeting a CIDR scope from a bug bounty program. Use the command below for a CIDR scan.

rustscan -a 213.139.133.32/28

You can also feed it an input file that contains the target hosts/IP addresses.

rustscan -a target.txt
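Before handing a target file or CIDR range to rustscan -a, it helps to check every entry against the authorized scope. The following is an added example, not code from the original article or from the RustScan project; the scope list, the sample entries and the function names are constructed for illustration, and Python is used for its ipaddress module.

```python
import ipaddress
import re

# Constructed sample scope, reusing the CIDR from the article's example.
IN_SCOPE = ["213.139.133.32/28"]

# Constructed sample target list (one entry per line, like target.txt).
SAMPLE_TARGETS = """\
# web tier
213.139.133.35
213.139.133.40/30
213.139.133.0/24
10.0.0.5
app.example.test
not a target
"""

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)

def check_targets(text, scope_cidrs):
    """Sort target entries into in-scope, out-of-scope, hostname and invalid."""
    scope = [ipaddress.ip_network(c) for c in scope_cidrs]
    result = {"in_scope": [], "out_of_scope": [], "hostnames": [], "invalid": []}
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Not an IP or CIDR. Hostnames are not resolved here, so they are
            # held back until someone confirms they belong to the scope.
            key = "hostnames" if HOSTNAME_RE.match(entry) else "invalid"
            result[key].append(entry)
            continue
        # A range is in scope only if it lies entirely inside an allowed
        # network; a wider range that merely overlaps the scope is rejected.
        inside = any(net.version == s.version and net.subnet_of(s) for s in scope)
        result["in_scope" if inside else "out_of_scope"].append(entry)
    return result

def to_target_file(result):
    """Render the in-scope entries as newline-delimited text for `-a`."""
    return "".join(e + "\n" for e in result["in_scope"])

if __name__ == "__main__":
    print(to_target_file(check_targets(SAMPLE_TARGETS, IN_SCOPE)), end="")
```

Only the in-scope entries are written out; hostnames and rejected entries stay in the result for manual review.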

Port Specific

RustScan provides different port-specific options to control which ports are scanned.

Like Nmap, RustScan can scan the top 1000 ports, but the user needs to provide the --top argument to perform that scan. Use the command below to achieve this.

rustscan --top -a 192.168.31.210

We can specify the ports that we want to target.

rustscan -a 192.168.X.X -p 21,80

We can also specify a port range with the -r flag, as in the command given below.

rustscan -r 1-100 -a 192.168.X.X

Use the -e option to exclude specific ports from the scan.

rustscan -r 1-100 -e 21,22,23 -a 192.168.X.X

The --scan-order option sets the order in which ports are scanned. The “serial” option scans ports in ascending order, while the “random” option scans ports randomly. The default is serial, but we can specify it according to our choice.

rustscan -a 192.168.X.X --scan-order random

By using the --udp option, we can scan all the UDP ports. Use the command below to scan the UDP ports.

rustscan --udp -a 192.168.X.X

Configuration

RustScan supports a configuration file. If you want to create one, make sure to create it in the home directory with the name .rustscan.toml; you can use the sample given below.

# RustScan Configuration File

# Set the batch size for scanning
batch_size = 500

# Scan only the top 1000 most common ports
top = 1000

# Increase the timeout (in milliseconds) for better accuracy
timeout = 1500

# Number of retries for better accuracy
retries = 2

# Use adaptive scanning to adjust speed based on target response
adaptive = true

# Enable verbosity for better debugging
verbosity = 2

# Set the scan order (e.g., random)
scan_order = "Serial"

# Save output in a structured format (JSON, XML, or default)
output = "default"

We can also run it without a configuration file. This gives some warning messages, but it works perfectly, and any arguments that we can add in the config file can also be added in the command.

rustscan -n -a 192.168.X.X

Scripts

As RustScan automatically pipes its results into Nmap, we can pass -- -A to perform Nmap's aggressive scan, as given below.

rustscan -a 192.168.X.X -- -A

Nmap has a lot of scripts that we can use via RustScan. The example below uses ftp-vsftpd-backdoor.nse with the --script option.

rustscan -a 192.168.X.X -- --script ftp-vsftpd-backdoor.nse

There are other options available in rustscan, which you can try on your own. Also, you can create your custom commands.

That’s all about this post. Please share this post with your co-workers and friends if you found it helpful. Please provide valuable comments and let us know if you have any suggestions. Now, you can also collaborate with us. Please check our collaboration page. Thank you!

Shubham Nagdive
https://www.pentestguy.in
Shubham Nagdive is the founder of Pentestguy. He works as a Penetration Tester and Infosec Speaker. He loves to explore more about Cyber Security and Ethical Hacking.