RustScan

Basic Usage

# Default scan (all ports)
# With no -p/-r given, RustScan probes ports 1-65535 and, by default, then runs
# nmap against the open ports it found.
rustscan -a <ip>

# Single port
rustscan -a <ip> -p <port>

# Multiple ports
# -p takes a comma-separated list; use -r (below) for a contiguous range.
rustscan -a <ip> -p 22,80,443,445

# Port range
# 1-65535 is the same range as the default scan; narrow it to cut scan time.
rustscan -a <ip> -r 1-65535

# Scan multiple hosts
# -a takes a comma-separated list of addresses or hostnames (no spaces).
rustscan -a <ip>,192.168.1.2,192.168.1.3

# Scan CIDR range
# Every address in the range is port-scanned (256 addresses for a /24).
rustscan -a 192.168.1.0/24

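# Scan from file
# The target file is given as the -a value itself: one CIDR, IP or hostname per
# line. `--addresses-from-file` does not appear in rustscan's documented options
# (check `rustscan --help` on your version).
rustscan -a targets.txt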

Speed Tuning

# Increase ulimit for more open file descriptors (critical for speed)
# Each in-flight probe holds one socket, so the usable batch size is capped by
# the open-file limit. `ulimit -n` changes the current shell and fails if the
# hard limit is lower; --ulimit asks rustscan to raise the limit for its own
# process. One of the two is enough.
ulimit -n 65535
rustscan -a <ip> --ulimit 65535

# Batch size (number of ports scanned per round)
# 65535 puts every port in a single round; it only works if the file-descriptor
# limit above allows that many sockets.
rustscan -a <ip> -b 65535

# Timeout per port (ms)
# How long to wait before a port is treated as closed; 1500 is the documented default.
rustscan -a <ip> -t 1500

# Max combined: fastest possible
# All ports in one batch. The 2000 ms timeout is there to reduce missed ports,
# not to add speed. A burst this size can drop results on lossy links, can
# overload fragile hosts, and stands out in firewall/IDS logs.
rustscan -a <ip> -b 65535 --ulimit 65535 -t 2000

# Conservative for unstable targets
# Small batches and a long timeout: slower, but fewer false "closed" results.
rustscan -a <ip> -b 500 --ulimit 500 -t 3000

# HTB/CTF standard
rustscan -a <ip> --ulimit 5000 -b 2000

Pipe to Nmap

# Pass discovered ports directly to nmap (default behavior with --)
# Everything after `--` is appended to the nmap command that rustscan runs
# against the open ports it found. -sCV = default scripts (-sC) + version
# detection (-sV).
rustscan -a <ip> -- -sCV

# Full service/version + scripts
# Same scan as above; -oN additionally saves nmap's normal output to a file.
rustscan -a <ip> -- -sCV -oN nmap_output.txt

# Vuln scripts via nmap
# The NSE "vuln" category includes intrusive checks that can disturb fragile services.
rustscan -a <ip> -- --script=vuln

# OS detection
# nmap's -O needs raw-socket privileges, so this has to run as root / via sudo.
rustscan -a <ip> -- -O -sCV

# Custom nmap flags
# -oA writes .nmap, .xml and .gnmap files that share the given prefix.
rustscan -a <ip> -- -sV --version-intensity 9 -oA scan_<ip>

# No ping + nmap
# -Pn makes nmap skip its host-discovery step and treat the host as up.
# Results under /tmp may be readable by other local users on a shared machine.
rustscan -a <ip> -b 65535 --ulimit 65535 -- -Pn -sCV -oA /tmp/scan_<ip>

# Domain controller recon
# NOTE(review): the flags are the same generic -sCV scan as above; only the
# output prefix is DC-specific.
rustscan -a <ip> --ulimit 5000 -- -sCV -oA /tmp/dc_<ip>

Scanning Ranges

# /24 subnet
# 256 addresses; nmap -sV then runs against the open ports that were found.
rustscan -a 192.168.1.0/24 -- -sV

# Multiple ranges
# Comma-separated CIDRs in a single -a value.
rustscan -a 10.10.10.0/24,10.10.11.0/24

# /16 (slower, use with care)
# 65,536 addresses with all ports each: a long, high-volume scan even at this
# reduced batch size.
rustscan -a 10.10.0.0/16 -b 500 -t 3000

Specific Port Patterns

# Web ports only
# HTTP/HTTPS plus the usual alternate and admin-console ports.
rustscan -a <ip> -p 80,443,8000,8080,8443,8888,9090

# Windows common ports
# Includes 88 Kerberos, 135 RPC, 139/445 SMB, 389/636 LDAP(S), 464 kpasswd,
# 1433 MSSQL, 3268/3269 Global Catalog, 3389 RDP, 5985 WinRM, 9389 AD Web Services.
rustscan -a <ip> -p 21,22,23,25,53,80,88,135,139,389,443,445,464,593,636,1433,3268,3269,3389,5985,9389

# Linux common ports
# Includes 111 rpcbind, 2049 NFS, 3306 MySQL, 5432 PostgreSQL, 6379 Redis, 27017 MongoDB.
rustscan -a <ip> -p 21,22,25,53,80,110,111,143,443,445,2049,3306,5432,6379,8080,8443,27017

# HTB all ports fast
# -r 1-65535 repeats the default range. With a single batch of 65535 the
# open-file limit must be at least that high.
rustscan -a <ip> -b 65535 --ulimit 65535 -t 2000 -r 1-65535

Output Options

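# NOTE(review): rustscan's documented options do not include an output-file
# (-o) or JSON (--output-format) flag; confirm with `rustscan --help` on your
# version. Save results with shell redirection, or let nmap write them through
# the flags after `--`.

# Output to file
# Greppable mode prints one "IP -> [ports]" line per host and does not start nmap.
rustscan -a <ip> --greppable > output.txt

# Structured output
# nmap has no JSON writer; -oX produces XML that other tools can convert.
rustscan -a <ip> -- -sV -oX output.xml

# Greppable (plain text, not JSON)
rustscan -a <ip> --greppable

# Quiet (only ports, no banner)
# -q/--quiet was the 1.x name for this mode; current releases spell it -g/--greppable.
rustscan -a <ip> -g

# No banner
rustscan -a <ip> --no-banner

# Ignore the configuration file (this does not hide the banner)
rustscan -a <ip> --no-config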

Common Usage Patterns

# HTB/CTF one-liner: fast discovery + nmap service scan
# Results under /tmp may be readable by other local users on a shared machine.
rustscan -a <ip> --ulimit 5000 -b 2000 -- -sCV -oA /tmp/scan_<ip>

# Stealth: slow batch to avoid rate limiting
# NOTE(review): a small batch and a long timeout only lower the connection rate.
# Each probe is still a completed TCP connection that the target and any
# IDS/firewall can log, and the nmap -sCV stage is noisy in its own right.
rustscan -a <ip> -b 200 -t 5000 -- -sCV

# Network range host discovery then port scan
# NOTE(review): there is no separate host-discovery phase in this command;
# every address in the /24 is port-scanned. nmap's --open only limits the
# report to open ports.
rustscan -a 10.10.10.0/24 -b 500 -- -sV --open

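# Full pipeline: rustscan ports -> nmap deep dive
# Greppable mode (-g) prints "IP -> [p1,p2,...]" and does not launch nmap, so
# there are no "Open ip:port" lines to grep for. The sed expression keeps only
# the bracketed list and accepts nothing but digits and commas, so the value
# handed to nmap -p cannot carry stray text. (Format as printed by current
# releases; check the output of your version.)
ports=$(rustscan -a <ip> --ulimit 5000 -b 2000 -g 2>/dev/null | sed -n 's/.*-> \[\([0-9,]*\)\].*/\1/p' | head -n 1)
# Skip nmap when nothing was found: an empty -p value is an argument error.
# "$ports" is quoted so the list always reaches nmap as a single word.
[ -n "$ports" ] && nmap -sCV -p "$ports" <ip> -oA /tmp/deep_<ip>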

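# Wrapper function for HTB workflow
# Usage: htbscan <ip>
#   $1  single address or hostname; it is also used in the nmap output prefix,
#       so a value containing "/" (a CIDR) would not form a usable file name.
# Returns 1 without scanning when no target is given.
htbscan() {
    # Refuse to run with an empty target rather than passing a blank -a value
    if [ -z "$1" ]; then
        echo "usage: htbscan <ip>" >&2
        return 1
    fi
    # Quote the argument so it reaches rustscan and the -oA prefix as one word.
    # Output lands in /tmp, which other local users can read on a shared machine.
    rustscan -a "$1" --ulimit 10000 -b 5000 -t 2000 -- -sCV -Pn -oA "/tmp/htb_$1"
}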
htbscan <ip>