
RustScan Guide for Ultra-Fast Port Scanning

From JOHNWICK
Revision as of 15:45, 14 November 2025 by PC

What is RustScan?

RustScan is an ultra-fast port scanner written in Rust, designed to overcome the slowness of traditional tools when detecting open ports. Its main advantage is that it combines the speed of Rust for scanning with the power of Nmap to perform more detailed analysis, such as service and version detection.

The main benefit is that it acts as an ultra-fast pre-scanner, quickly finding open ports and then automatically piping them to Nmap. This allows cybersecurity professionals, such as Bug Bounty Hunters, Pentesters, and system administrators, to significantly speed up the reconnaissance phase and the discovery of exposed services.

Installation

RustScan can be installed in several ways, depending on the user’s operating system.

Important: You need to have nmap installed.

  • From package download (recommended method): The easiest way on Linux is by using Snap:

sudo snap install rustscan

  • From the source code on GitHub: To compile RustScan, Rust and its package manager, cargo, must be installed.

git clone https://github.com/RustScan/RustScan.git
cd RustScan
cargo build --release

Basic Syntax

The basic syntax of RustScan is simple and straightforward:

rustscan -a <IP> [options]

Main Options

| Option | Description | Example |
|--------|-------------|---------|
| -a | IP address or range of hosts | -a 192.168.1.1 |
| -r | Port range to scan | -r 1-1000 |
| -p | List of specific ports | -p 22,80,443 |
| -b | Batch size (ports per second) | -b 5000 |
| -t | Timeout in ms | -t 1500 |
| --ulimit | Increases the number of open file descriptors | --ulimit 5000 |
| --accessible | Accessible mode for better readability | --accessible |
| -g | Graphic mode (shows ports in a table) | -g |
| --range | Scan the entire range 1-65535 (combined with -r) | --range 1-65535 |
| -u | Update RustScan | rustscan -u |
| -q | Silent mode. Crucial for scripting. | rustscan -a 1.1.1.1 -q |

Integration with Nmap

The true power of RustScan is revealed when integrated with Nmap. Once RustScan identifies the open ports, it passes them to Nmap for deeper analysis.

Important: The use of the double hyphen (--) is crucial, as it separates RustScan options from Nmap options.

  • Service and Version Scanning:

rustscan -a 10.10.10.5 -- -sC -sV

This command uses RustScan’s speed to quickly find open ports and then instructs Nmap to perform a deeper analysis:

  • -sV: Performs version detection to identify the exact software running on the open ports (e.g., Apache 2.4.41, OpenSSH 8.2).
  • -sC: Executes default Nmap scripts, useful for basic enumeration and collection of contextual information (e.g., HTTP titles, SSH keys).

Practical Examples

1. Quick Host Scan

rustscan -a 192.168.1.1

2. Scan All Ports

rustscan -a 192.168.1.1 -r 1-65535

3. Multiple IP Scan

rustscan -a 192.168.1.1,192.168.1.2

4. Scan with Nmap Integration

The use of -- is crucial to separate RustScan options from Nmap options.

rustscan -a 10.10.10.5 -- -sC -sV

5. Silent Scan for Piping to Other Tools

To pipe open ports directly to another tool without the decorative RustScan output, use silent mode (-q).

rustscan -a target.com -q --range 1-10000 | tee open_ports.txt

Usage in Bug Bounty and Pentesting

RustScan is fundamental for accelerating the reconnaissance phase.

  • Identification of Exposed Web Services: To quickly find websites or APIs, the most common HTTP/S ports can be scanned.

rustscan -a target.com -p 80,443,8080,8443 -- -sV --script http-title

  • Detection of Internal Ports in a Pentest:

rustscan -a 192.168.0.0/24 -r 1-65535 -- -sC -sV

  • Rapid Reconnaissance of Live Domains:

rustscan -a $(cat live_hosts.txt) -r 1-10000 -- -sV

Tips and Best Practices

Adjusting RustScan’s configuration is key to optimizing its performance and accuracy.

  • Adjusting the Batch Size (-b): For local networks, a value of -b 8000 is recommended, while on the internet, a value between -b 1000 and -b 3000 is more appropriate to avoid saturating the connection.
  • Adjusting ulimit to Prevent Failures: Adding --ulimit is crucial to allow RustScan to open enough sockets (connections) for its ultra-fast scan without encountering "Too many open files" errors. A value of --ulimit 5000 or more helps prevent this.
  • Beware of False Negatives (Timeout): When scanning at very high speed, a low timeout (-t) can lead to open ports being incorrectly reported as closed (False Negatives). If an incomplete scan is suspected, consider increasing the timeout to -t 2000 or more, for slower networks or those prone to packet loss.
  • IP Blocking Mitigation (IDS/IPS): When scanning public network targets (Bug Bounty), a very high batch size (-b) can cause the source IP to be detected and temporarily blocked by the target's defense systems (Rate Limiting). If the scan fails, consider reducing the batch size to conservative values (e.g., -b 500).
  • Combine with Nmap: RustScan and Nmap are complementary. The integration with Nmap should always be used to obtain detailed service information, versions, and execute NSE scripts.
  • Common Ports in Bug Bounty: For vulnerability hunting, it is effective to focus on standard ports such as 80, 443, 8080, 8443, 22, 21, 25, 3306, 5432, 6379, and 27017.
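
For the system-administrator use case, the saved output from the silent scan (example 5) can be checked against a baseline of approved services; baseline entries the scan did not report are the candidates for the false-negative re-check with a higher -t described in the tips. The script below is an added example, not part of the original guide or the RustScan project. It assumes each line of open_ports.txt has the form `<host> -> [p1,p2,...]`; the function names, file names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit saved scan output against an approved-exposure baseline.
# Assumption: each scan line has the form "<host> -> [p1,p2,...]".

# Print "host port" pairs, skipping malformed lines and out-of-range ports.
parse_open_ports() {
  awk -F' -> ' 'NF == 2 {
    gsub(/\[|\]| /, "", $2)
    n = split($2, p, ",")
    for (i = 1; i <= n; i++)
      if (p[i] ~ /^[0-9]+$/ && p[i] + 0 >= 1 && p[i] + 0 <= 65535) print $1, p[i]
  }' "$1"
}

# Open in the scan ($1) but not approved in the baseline ($2).
unexpected_exposure() {
  parse_open_ports "$1" | awk -v base="$2" '
    BEGIN { while ((getline l < base) > 0) {
              split(l, f, " ")
              if (f[1] !~ /^#/ && f[2] != "") ok[f[1] " " f[2]] = 1 } }
    !(($1 " " $2) in ok) && !seen[$0]++'
}

# Approved in the baseline but not reported open: service down, or a
# false negative worth re-scanning with a higher -t.
missing_expected() {
  parse_open_ports "$1" | awk -v base="$2" '
    { found[$1 " " $2] = 1 }
    END { while ((getline l < base) > 0) {
            split(l, f, " ")
            if (f[1] !~ /^#/ && f[2] != "" && !((f[1] " " f[2]) in found))
              print f[1], f[2] } }'
}

work=$(mktemp -d)
# Constructed sample scan output (documentation addresses, not real results).
printf '%s\n' '192.0.2.10 -> [22,443]' '192.0.2.11 -> [80,6379,99999]' \
  'garbage line' > "$work/open_ports.txt"
# Constructed baseline: one approved "host port" pair per line.
printf '%s\n' '# host port' '192.0.2.10 22' '192.0.2.10 443' \
  '192.0.2.11 80' '192.0.2.11 443' > "$work/baseline.txt"

echo "Unexpected exposure:"
unexpected_exposure "$work/open_ports.txt" "$work/baseline.txt"
echo "Expected but not reported open:"
missing_expected "$work/open_ports.txt" "$work/baseline.txt"
```

With the constructed data, port 6379 on 192.0.2.11 is flagged as unapproved exposure, and 443 on the same host is listed for a follow-up scan.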