Usage
$ rustscan -h
Fast Port Scanner built in Rust. WARNING Do not use this program against sensitive infrastructure since the specified
server may not be able to handle this many socket connections at once. - Discord https://discord.gg/GFrQsGy - GitHub
https://github.com/RustScan/RustScan
USAGE:
rustscan [FLAGS] [OPTIONS] [addresses]... [-- <command>...]
FLAGS:
--accessible Accessible mode. Turns off features which negatively affect screen readers
-h, --help Prints help information
-n, --no-config Whether to ignore the configuration file or not
--no-nmap Turns off Nmap
-q, --quiet Quiet mode. Only output the ports. No Nmap. Useful for grep or outputting to a file
-V, --version Prints version information
OPTIONS:
-b, --batch-size <batch-size> The batch size for port scanning, it increases or slows the speed of scanning.
Depends on the open file limit of your OS. If you do 65535 it will do every port
at the same time. Although, your OS may not support this [default: 4500]
-p, --ports <ports>... A list of comma separed ports to be scanned. Example: 80,443,8080
-r, --range <range> A range of ports with format start-end. Example: 1-1000
--scan-order <scan-order> The order of scanning to be performed. The "serial" option will scan ports in
ascending order while the "random" option will scan ports randomly [default:
serial] [possible values: Serial, Random]
-t, --timeout <timeout> The timeout in milliseconds before a port is assumed to be closed [default: 1500]
-u, --ulimit <ulimit> Automatically ups the ULIMIT with the value you provided
ARGS:
<addresses>... A list of comma separated CIDRs, IPs, or hosts to be scanned
<command>... The Nmap arguments to run. To use the argument -A, end RustScan's args with '-- -A'. Example:
'rustscan -T 1500 127.0.0.1 -- -A -sC'. This command adds -Pn -vvv -p $PORTS automatically to
nmap. For things like --script '(safe and vuln)' enclose it in quotations marks \"'(safe and
vuln)'\"")
The format is rustscan -b 500 -t 1500 192.168.0.1, which scans 192.168.0.1 with a batch size of 500 and a timeout of 1500ms. The timeout is how long RustScan waits for a response before it assumes the port is closed.
The batch size determines how fast RustScan is. Set it to 65k, and it will scan all 65k ports at the same time. This means that at a 65k batch size, RustScan will take one TIMEOUT to scan all ports. Essentially, if the timeout is 1000ms, RustScan can scan all ports in 1 second.
Your operating system may not support this, but it is worth it to play around and see where your open file limit is. Shortly I will be releasing a dockerised version with a much larger open file limit, so this will be possible.
This program, by default, scans 5000 ports at a time (5000 per second).
This may cause damage to a server, or may make it incredibly obvious you are scanning the server.
There are 2 ways to deal with this:
- Decrease batch size
rustscan -b 10
will run 10 port scans for 1 second, and then another 10 for 1 second and so on.
- Increase timeout
rustscan -t 5000
will mean RustScan waits 5 seconds until it scans the next ports.
You can also use both of these at the same time, to make it as slow or as fast as you want. A fun favourite is 65535 batch size with 1 second timeout. Theoretically, this scans all 65535 ports in 1 second.
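The arithmetic above, as an added example (not part of RustScan or the original page): shell functions that cap a requested batch size to the open file limit and compute the worst-case scan time under the page's model of one timeout per batch. The function names and the 100-descriptor reserve are assumptions made for this example.

```sh
#!/bin/sh
# Added example: batch size vs. open file limit vs. timeout.

# effective_batch REQUESTED FD_LIMIT [RESERVE]
# Caps the requested batch size so that batch + reserve fits in the
# open file limit. RESERVE (default 100, an assumption) leaves
# descriptors for stdio, DNS lookups and the Nmap child process.
effective_batch() {
    requested=$1
    fd_limit=$2
    reserve=${3:-100}
    # "ulimit -n" can print "unlimited"; nothing to cap in that case.
    if [ "$fd_limit" = "unlimited" ]; then
        echo "$requested"
        return 0
    fi
    max=$((fd_limit - reserve))
    if [ "$max" -lt 1 ]; then
        max=1
    fi
    if [ "$requested" -gt "$max" ]; then
        echo "$max"
    else
        echo "$requested"
    fi
}

# worst_case_ms PORTS BATCH TIMEOUT_MS
# ceil(PORTS / BATCH) batches, each bounded by one timeout. This is the
# case where no port answers before the timeout expires.
worst_case_ms() {
    ports=$1
    batch=$2
    timeout_ms=$3
    batches=$(( (ports + batch - 1) / batch ))
    echo $(( batches * timeout_ms ))
}

# Demo against this machine's limit, using the defaults from the help text.
limit=$(ulimit -n)
b=$(effective_batch 4500 "$limit")
echo "open file limit: $limit"
echo "usable batch size for a requested 4500: $b"
echo "worst case for 65535 ports at 1500ms: $(worst_case_ms 65535 "$b" 1500) ms"
```

With a 1024 open file limit the default batch size is cut to 924, so a full-range scan takes up to 71 timeouts rather than 15; raising the limit with -u is what makes the larger batch sizes usable.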
Please do not use this tool against sensitive servers. It is designed mainly for Capture the Flag events, not real world servers with sensitive data.