rustscan
Fast port scanner that pipes to nmap for service detection.
Quickstart
# Scan single host
rustscan -a 10.10.10.10
# With nmap
rustscan -a 10.10.10.10 -- -sV -sC
# Specific ports
rustscan -a 10.10.10.10 -p 22,80,443
Core Concepts
| Concept |
Description |
| Speed |
Async Rust-based scanning |
| nmap integration |
Auto-pipes to nmap |
| Batch size |
Control concurrent connections |
Syntax
rustscan -a <target> [options] -- [nmap options]
Options
Target
| Option |
Description |
-a <addr> |
Target address(es) |
-p <ports> |
Port list/range |
-r <range> |
Port range (1-65535) |
--top |
Scan top 1000 ports |
Performance
| Option |
Description |
-b <n> |
Batch size (default 4500) |
-t <ms> |
Timeout (default 1500) |
-u <n> |
Ulimit |
--tries <n> |
Retry attempts |
Output
| Option |
Description |
-g |
Greppable output |
-o <file> |
Output file |
--no-nmap |
Skip nmap |
nmap
| Option |
Description |
-- |
Pass args to nmap |
--scripts <s> |
nmap scripts |
Recipes
Basic Scanning
# All ports, single host
rustscan -a 10.10.10.10
# Specific ports
rustscan -a 10.10.10.10 -p 22,80,443,8080
# Port range
rustscan -a 10.10.10.10 -r 1-10000
# Top 1000 ports
rustscan -a 10.10.10.10 --top
With nmap
# Service version
rustscan -a 10.10.10.10 -- -sV
# Default scripts
rustscan -a 10.10.10.10 -- -sC
# Full scan
rustscan -a 10.10.10.10 -- -sV -sC -A
# Vuln scripts
rustscan -a 10.10.10.10 -- --script vuln
Performance Tuning
# Faster (higher batch)
rustscan -a 10.10.10.10 -b 10000
# Slower/quieter
rustscan -a 10.10.10.10 -b 1000 -t 3000
# Increase ulimit for speed
rustscan -a 10.10.10.10 -u 5000
Multiple Targets
# Multiple IPs
rustscan -a 10.10.10.10,10.10.10.11,10.10.10.12
# CIDR (careful!)
rustscan -a 10.10.10.0/24
# From file
rustscan -a $(cat hosts.txt | tr '\n' ',')
Output
# Greppable
rustscan -a 10.10.10.10 -g
# Save to file
rustscan -a 10.10.10.10 -o results.txt
# Skip nmap (just ports)
rustscan -a 10.10.10.10 --no-nmap
Skip nmap (Fast Mode)
# Just find open ports
rustscan -a 10.10.10.10 --no-nmap
# Greppable for parsing
rustscan -a 10.10.10.10 -g --no-nmap
Docker
# Run via Docker
docker run -it --rm rustscan/rustscan:latest -a 10.10.10.10
# With nmap args
docker run -it --rm rustscan/rustscan:latest -a 10.10.10.10 -- -sV
Pipeline
# rustscan → detailed nmap
rustscan -a 10.10.10.10 --no-nmap -g | \
awk -F'[\\[\\],]' '{for(i=2;i<NF;i++) print $i}' | \
xargs -I {} nmap -sV -p {} 10.10.10.10
# Quick port list for scripting
rustscan -a 10.10.10.10 -g --no-nmap 2>/dev/null | \
grep -oP '\[\K[^\]]+' | tr ',' '\n'
Output & Parsing
# Greppable parsing
rustscan -a 10.10.10.10 -g --no-nmap 2>/dev/null | \
grep -oP '\[\K[^\]]+'
# Extract ports
rustscan -a 10.10.10.10 --no-nmap 2>&1 | \
grep "Open" | awk '{print $NF}'
Troubleshooting
| Issue |
Solution |
| Too many files |
Reduce -b batch size |
| Slow |
Increase -b, check network |
| Missing ports |
Add --tries, increase timeout |
| nmap errors |
Check nmap args after -- |
References