RustScan - Basic Commands


A full Nmap port scan can take up to 20–30 minutes. After Nmap came Masscan, a fast tool that can scan any target easily and at great speed. We have seen people start with a Masscan and then feed its results into an Nmap scan, but you still have to do the manual work of starting Nmap. That’s where RustScan is so useful.

Basic Syntax

rustscan -a <IP>

Normally, after RustScan finishes its scan it starts an Nmap scan against the target, passing the flag -vvv (maximum verbosity) by default. But many of you may want to run other flags; in our case we want to run -sC, -sV and -T4 as well. RustScan supports this: specify -- and then the Nmap flags you want to add. For example:
rustscan -b 600 -a 192.168.1.1 -- -A -sC -sV -T4
  • -b denotes the batch size. Normally we use 600, meaning 600 ports are scanned per second. You can use a higher value here. To be faster while staying accurate, try scanning a machine on your private network with a batch size of 600, then gradually increase the number up to 65355. If at any point RustScan stops detecting a port you know is open, that is the breaking point of your system: do not use a batch size greater than that number. This also gives you the maximum speed you can use.
  • -- denotes that everything after it is to be treated as Nmap flags and not parsed as RustScan flags: -- marks the end of the RustScan flags and the start of the Nmap flags.
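The batch-size calibration described above (scan a machine on your own network at 600, raise the number, stop at the first size that loses a known open port) can be scripted. The following is an added example, not code from this post or from the RustScan project. It assumes RustScan's greppable mode (-g) prints one line per host of the form 127.0.0.1 -> [22,80,443]; the exact line format is an assumption here, and the baseline port list is taken from a conservative scan you trust.

```shell
#!/bin/sh
# Added example: find the largest -b batch size that still reports every
# port found by a conservative baseline scan. Assumes (not from the post)
# that "rustscan -g" prints lines like "127.0.0.1 -> [22,80,443]".

# parse_ports LINE -> sorted, comma-separated port list from a greppable line
parse_ports() {
  printf '%s\n' "$1" | sed -n 's/.*\[\(.*\)\].*/\1/p' \
    | tr ',' '\n' | sort -n | tr '\n' ',' | sed 's/,$//'
}

# missing_ports BASELINE RESULT -> ports in BASELINE absent from RESULT, one per line
missing_ports() {
  for p in $(printf '%s' "$1" | tr ',' ' '); do
    case ",$2," in
      *",$p,"*) ;;                 # still detected at this batch size
      *) printf '%s\n' "$p" ;;     # dropped: batch size is past the breaking point
    esac
  done
}

# largest_safe_batch TARGET BASELINE SIZE... -> runs rustscan at each batch size
# in turn and prints the largest size that still finds every baseline port
largest_safe_batch() {
  target=$1; baseline=$2; shift 2
  safe=""
  for b in "$@"; do
    out=$(rustscan -g -a "$target" -b "$b" 2>/dev/null) || {
      echo "rustscan failed at batch size $b" >&2; break; }
    lost=$(missing_ports "$baseline" "$(parse_ports "$out")")
    if [ -n "$lost" ]; then
      echo "batch size $b dropped: $(printf '%s' "$lost" | tr '\n' ' ')" >&2
      break
    fi
    safe=$b
  done
  printf '%s\n' "${safe:-none}"
}

# Usage against a host on your own network (192.168.1.1 is a placeholder),
# with the baseline taken at the conservative batch size of 600:
#   baseline=$(parse_ports "$(rustscan -g -a 192.168.1.1 -b 600)")
#   largest_safe_batch 192.168.1.1 "$baseline" 1000 2000 4000 8000
```

The script stops at the first batch size that loses a baseline port rather than continuing upward, because a larger batch that happens to succeed once is not evidence the smaller failing one was a fluke; the post's advice is to stay below the first breaking point.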

Nmap Custom Flags

  • RustScan automatically runs nmap -vvv -p $PORTS $IP.
  • To make it run -A, execute the command rustscan -a 127.0.0.1 -- -A.
  • If you want to run Nmap options that take an expression, such as --script with vuln and safe, the expression needs to be enclosed in quotation marks, like --script '"(vuln or safe) or default"'.

Multiple IP Scanning

You can scan multiple IPs using a comma-separated list like so:
rustscan -a 127.0.0.1,0.0.0.0

Host Scanning

RustScan can also scan hosts, like so:
rustscan -a www.google.com,127.0.0.1

CIDR support

RustScan supports CIDR (Classless Inter-Domain Routing) notation:
rustscan -a 192.168.0.0/30

Hosts file as input

The file is a newline-separated list of IPs / hosts to scan, for example:

hosts.txt
The argument is:
rustscan -a 'hosts.txt'

Individual Port Scanning

RustScan can scan individual ports, like so:
rustscan -a 127.0.0.1 -p 53

Multiple selected port scanning

You can input a comma-separated list of ports to scan:
rustscan -a 127.0.0.1 -p 53,80,121,65535

Ranges of ports

To scan a range of ports:
rustscan -a 127.0.0.1 --range 1-1000

Adjusting the Nmap arguments

RustScan, at the moment, runs Nmap by default. You can adjust the arguments like so:
rustscan -a 127.0.0.1 -- -A -sC

This will run:
nmap -Pn -vvv -p $PORTS -A -sC 127.0.0.1

Random Port Ordering

If you want to scan ports in a random order (which can help avoid triggering firewalls), run RustScan like this:
rustscan -a 127.0.0.1 --range 1-1000 --scan-order "Random"

Additional Features

By default, this program scans 3000 ports at a time (3000 per second), so make sure you are not targeting real websites that you don’t own. There are two ways to slow down RustScan:
  • Decrease the batch size: rustscan -b 10 will scan 10 ports for 1 second, then another 10 for 1 second, and so on.
  • Increase the timeout: rustscan -T 5000 makes RustScan wait 5 seconds before it scans the next ports.

To get hands-on practice, try TryHackMe's RustScan room.

RustScan is still a good tool. It’s especially useful for local environments where you need extra speed on your scans, such as in CTFs. But if you need more complex configurations, such as changing the technique used to discover ports or working with other protocols such as UDP, it might be better to use the familiar Nmap.
We hope this helps. If you have any suggestions or doubts, add a comment and we will reply as soon as possible.
