Cybersecurity: Port Scanning with RustScan

You know, in the realm of network reconnaissance and scanning, finding the right tool can be a game-changer, especially when versatility is a must. Now, my trusty companion in the world of network scanning has always been good ol' Nmap. It's reliable, it's a classic, and it's been my go-to for years.

And here's the kicker: Nmap is like that reliable old friend who's always there when you need them. It comes pre-installed in Kali Linux, it's a breeze to install on most systems, and it's tried and tested. Nmap is dependable, and it's always right at your fingertips.

But let me tell you about a little something that might just find a place in your toolbox – RustScan. I mean, I'm not about to stop using Nmap; it's a fantastic tool that's stood the test of time. But I have to admit that I'm impressed by RustScan. I was introduced to RustScan when I was working on a project, and someone used it at the same time I was running Nmap. It finished scanning before my computer could even spit out an Nmap header!

Now, I get it; we're not talking about a production server here. The server he used it on wasn't meant for anything but pentesting. But the sheer power of RustScan, the ability to unleash that speed when you need it, it's just mind-blowing.

Ok, no more sales pitch, let's just dive in and take a closer look.

🪣

I got most of the information for this article from the RustScan documentation. For more detailed information and additional usage options, see the official RustScan documentation.

What is RustScan?

RustScan is a versatile and lightweight port scanning tool designed to simplify the process of network reconnaissance. It excels in swiftly identifying open ports on target hosts, making it invaluable for both beginners and experienced professionals.

Speed and Efficiency

One of RustScan's defining characteristics is its speed. It's optimized for quick port scans, making it an excellent choice for time-sensitive tasks. Whether you're scanning a single host or an entire network, RustScan gets the job done efficiently.

Simplicity

RustScan prides itself on its simplicity. Even if you're new to network scanning, its straightforward command-line interface allows you to initiate scans with ease. You don't need to be a seasoned pro to use RustScan effectively.

Versatility

RustScan's versatility is a standout feature. It can be a valuable tool for various scenarios, from security assessments to network administration. Whether you're a security researcher or a system administrator, RustScan is designed to enhance your toolkit.

Installation and Download

Getting started with RustScan is a breeze. You can download the tool from the official release page on GitHub: RustScan 2.0.1

After downloading, installation is a simple matter of using the following command:

sudo dpkg -i rustscan_2.0.1_amd64.deb

Basic Usage

Now, let's dive into the basics of using RustScan. We'll start with a simple scan of a single target IP address. Here's how you can do it:

Basic Scan

To perform a basic scan on a target IP address, use the following command:

rustscan -a 10.10.154.251

This straightforward command will scan the common ports on the specified target, providing you with an overview of the open ports.

Scanning Multiple IPs

RustScan is versatile, allowing you to scan multiple IP addresses by specifying them in a comma-separated list:

rustscan -a 10.10.154.251,10.10.154.252

Host Scanning

You can also use RustScan to scan hosts. For instance:

rustscan -a www.example.com

CIDR Support

RustScan supports CIDR notation for scanning a range of IP addresses:

rustscan -a 192.168.0.0/30

Hosts File as Input

If you have a list of IPs or hosts to scan, you can provide a file containing these entries. The file should be formatted as a newline-separated list. Here's an example:

hosts.txt:

192.168.0.1
192.168.0.2
www.example.com
192.168.0.0/30
10.10.154.251

To scan the IPs and hosts from the file, use the following command:

rustscan -a 'hosts.txt'

Individual Port Scanning

RustScan allows you to scan individual ports. For example:

rustscan -a 10.10.154.251 -p 53

Multiple Selected Port Scanning

You can specify a comma-separated list of ports to scan:

rustscan -a 10.10.154.251 -p 53,80,121,65535

Port Ranges

To scan a range of ports, use this command:

rustscan -a 10.10.154.251 --range 1-1000

Adjusting Nmap Arguments

By default, RustScan runs Nmap. You can adjust Nmap's arguments like this:

rustscan -a 10.10.154.251 -- -A -sC

Random Port Ordering

If you want to scan ports in a random order (useful for avoiding firewall detection), run RustScan like this:

rustscan -a 10.10.154.251 --range 1-1000 --scan-order "Random"

Increasing Speed and Accuracy

RustScan offers options to improve the speed and accuracy of your scans. Here are some strategies to consider:

Batch Size

Increasing the batch size allows RustScan to process more data at once, resulting in faster scans. You can experiment with changing the open file limit using ulimit -n 70000 and running RustScan with -b 65535 for simultaneous scanning of all 65,535 ports. However, this approach is experimental and might not be suitable for all scenarios.

For non-experimental speed improvements, gradually increase the batch size until you find the optimal setting where it no longer misses open ports or breaks.

Timeout for Accuracy

To enhance accuracy, consider increasing the timeout value. The default timeout is 1.5 seconds, but you can set it to a longer duration, such as 4 seconds (4000). This adjustment tells RustScan to assume a port is closed if there's no response within the specified timeout. Increasing the timeout can improve accuracy.

False Positives

RustScan's architecture is based on a full TCP 3-way handshake connection using Rust's built-in sockets module. This module has been extensively tested and is used by large companies like Google and Apple. Rust's networking features are known for their reliability and correctness. Therefore, claims of false positives in RustScan are highly unlikely and may result from the use of another scanner that doesn't guarantee against false positives.

False Negatives

In cases of false negatives, where ports are missed, it may be due to the operating system struggling with high-speed scanning. This can happen with any fast scanner or I/O-intensive program. To address false negatives, refer to the section on increasing speed and accuracy to find potential solutions.

Instead of restricting you with limited options, RustScan empowers you with control over the level of speed and accuracy you desire. The tool continues to evolve, with future plans to provide predefined levels of speed and accuracy.

Time to give it a try!

RustScan is a powerful asset for both beginners and experts in the field of network reconnaissance. Its speed, simplicity, and versatility make it an awesome adition to my tool bag.

So, the next time you need to scan a network for open ports or vulnerabilities, give RustScan a try. It might just become your preferred tool for all your network scanning needs. As we've seen, in the world of network reconnaissance and scanning, having the right tool can make all the difference. Whether you're going with RustScan or another trusted tool like Nmap, it's all about finding the perfect fit for your needs.

Stay vigilant, stay curious, and stay secure.

For more detailed information and additional usage options, you can refer to the official RustScan documentation.