LinuxCommandLibrary

rustscan

Quickly find open ports on a target

TLDR

Scan all ports of one or more comma-delimited addresses using the default values

$ rustscan [[-a|--addresses]] [ip_or_hostname]

Scan the top 1000 ports with service and version detection
$ rustscan --top [[-a|--addresses]] [address_or_addresses]

Scan a specific list of ports
$ rustscan [[-p|--ports]] [port1,port2,...] [[-a|--addresses]] [address_or_addresses]

Scan a specific range of ports
$ rustscan [[-r|--range]] [start]-[end] [[-a|--addresses]] [address_or_addresses]

Invoke nmap functionalities (Nmap's OS detection and default scripts)
$ rustscan [[-a|--addresses]] [address_or_addresses] -- -O [[-sC|--script=default]]

Scan with custom batch size (default: 4500) and timeout (default: 1500ms)
$ rustscan [[-b|--batch-size]] [batch_size] [[-t|--timeout]] [timeout] [[-a|--addresses]] [address_or_addresses]

Scan with specific port order
$ rustscan --scan-order [serial|random] [[-a|--addresses]] [address_or_addresses]

Scan in greppable mode (only output of the ports, no nmap)
$ rustscan [[-g|--greppable]] [[-a|--addresses]] [address_or_addresses]

SYNOPSIS

rustscan [OPTIONS] -a TARGETS|FILE
Example: rustscan -a 192.168.1.1/24 --ulimit 5000 -r 1-65535 -- -sC -sV

PARAMETERS

-a, --targets TARGET[,TARGET...]|FILE
    Specifies the target hosts for scanning. Can be IP addresses, CIDR ranges, hostnames, or a path to a file containing targets (one per line).

-p, --ports PORTS
    Defines the ports to scan. Can be a comma-separated list (e.g., '80,443,8080'), a range (e.g., '1-1024'), or 'full' for all 65535 ports. 'top-ports' can also be used with '--top-ports'.

--ulimit NUMBER
    Sets the maximum number of concurrent connections (file descriptors) rustscan can open. A higher number means faster scans but consumes more system resources. Default is 5000.

--nmap-args "ARGS"
    Allows passing additional arguments directly to the nmap command that rustscan invokes for deep scanning. Useful for specifying Nmap scripts (-sC), service version detection (-sV), etc.

--scan-order ORDER
    Determines the order in which targets are scanned. Options include 'random' (default) and 'sequential'.

--timeout MILLISECONDS
    Sets the connection timeout for each port probe in milliseconds. Default is 1500 (1.5 seconds).

--batch-size NUMBER
    Specifies how many IP addresses rustscan processes in a single batch before potentially handing them over to Nmap. Default is 10000.

--no-nmap
    Prevents rustscan from invoking nmap after identifying open ports. It will only output the discovered open ports.

--config PATH
    Specifies a path to a TOML configuration file to load default settings and Nmap arguments.

--top-ports NUMBER
    Scans the N most common ports as defined by nmap's top-ports list. Can be used in conjunction with -p.

-v, --verbose
    Increases the verbosity level of rustscan's output, showing more details about the scan process.

-q, --quiet
    Suppresses all output except for the final results, providing a clean and concise summary.

DESCRIPTION

rustscan is a modern, extremely fast port scanner written in Rust. It aims to improve upon traditional scanners like nmap by focusing on speed, especially when scanning a large number of hosts for open ports. It achieves this speed by using an asynchronous I/O model and intelligently piping its results directly into nmap for deeper, more comprehensive scanning of open ports. This unique workflow allows users to quickly identify open ports across a vast network, then leverage nmap's powerful script engine and service detection capabilities only on the ports that are actually open, significantly reducing overall scan time. It's a popular tool in penetration testing, vulnerability assessment, and network discovery workflows.
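For vulnerability-assessment use on hosts you operate, the greppable output from the TLDR section can be compared against an approved exposure baseline. The following is an added example, not code from the original page or the rustscan project; the `host -> [ports]` line shape, the addresses and the baseline are assumptions constructed for illustration.

```python
import re

# Constructed sample of greppable output. The "host -> [ports]" line shape is
# an assumption about the tool's output, not something stated on this page.
SAMPLE_OUTPUT = """\
10.0.1.10 -> [22,443]
10.0.1.11 -> [22, 3306, 8080]
"""

# Hypothetical approved baseline: host -> ports that are allowed to be open.
BASELINE = {
    "10.0.1.10": {22, 443},
    "10.0.1.11": {22, 8080},
    "10.0.1.12": {443},
}

LINE_RE = re.compile(r"^(\S+)\s*->\s*\[([\d,\s]*)\]\s*$")


def parse_greppable(text):
    """Parse 'host -> [p1,p2]' lines into {host: set(ports)}; skip other lines."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banners, blank lines, anything that is not a result
        ports = {int(p) for p in re.findall(r"\d+", m.group(2))}
        if any(not 1 <= p <= 65535 for p in ports):
            raise ValueError(f"port out of range in line: {line!r}")
        found.setdefault(m.group(1), set()).update(ports)
    return found


def diff_against_baseline(found, baseline):
    """Return (unexpected, missing): ports open but not approved, and approved
    ports that did not answer (possible outage or a filtered probe)."""
    unexpected, missing = {}, {}
    for host in sorted(set(found) | set(baseline)):
        seen, allowed = found.get(host, set()), baseline.get(host, set())
        if seen - allowed:
            unexpected[host] = sorted(seen - allowed)
        if allowed - seen:
            missing[host] = sorted(allowed - seen)
    return unexpected, missing
```
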

CAVEATS

For its full capabilities, rustscan requires nmap to be installed on the system (unless --no-nmap is used).
Using a very high --ulimit can consume significant system resources and may be detected by Intrusion Detection/Prevention Systems (IDS/IPS) due to the large number of simultaneous connections.
While fast, the accuracy of open port detection can still be influenced by network latency, firewalls, and target responsiveness.
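
The IDS/IPS caveat above, seen from the monitoring side: one source touching many distinct host/port pairs inside a window the size of the default 1500 ms timeout. This is an added example, not code from the original page or the rustscan project; the log format, addresses and the threshold of 100 are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed log lines: 'timestamp source destination dest_port'."""
    lines = [
        "2024-05-01T10:00:00.000 10.0.0.5 10.0.1.10 443",
        "2024-05-01T10:00:00.400 10.0.0.5 10.0.1.10 443",
        "2024-05-01T10:00:01.200 10.0.0.5 10.0.1.11 22",
    ]
    # One source probing 300 distinct ports within 300 ms (constructed burst).
    for i in range(300):
        lines.append(f"2024-05-01T10:00:02.{i:03d} 10.0.0.66 10.0.1.10 {1000 + i}")
    return lines


def detect_scan_bursts(lines, window_s=1.5, max_targets=100):
    """Return {source: peak count of distinct (dst, port) pairs seen within
    window_s} for every source whose peak exceeds max_targets.
    Assumes the lines are already in time order."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # source -> deque of (time, (dst, port))
    peaks = {}
    for line in lines:
        ts, src, dst, port = line.split()
        now = datetime.fromisoformat(ts)
        q = recent[src]
        q.append((now, (dst, int(port))))
        # Drop probes that fell out of the sliding window.
        while now - q[0][0] > window:
            q.popleft()
        distinct = len({target for _, target in q})
        if distinct > max_targets:
            peaks[src] = max(peaks.get(src, 0), distinct)
    return peaks
```

A scanner throttled to one probe per second never holds more than two targets in the window and stays under this threshold, so a rule like this catches bursts, not slow sweeps.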

PERFORMANCE OPTIMIZATION

rustscan's core strength is its speed. This is achieved through asynchronous I/O and the configurable --ulimit parameter. Users can fine-tune this value along with --batch-size to balance scan speed with system resource usage and network impact. Experimentation is often needed to find the optimal settings for a given network environment.

SEAMLESS NMAP INTEGRATION

The ability to pass arguments directly to nmap using --nmap-args is a powerful feature. This allows users to leverage nmap's extensive capabilities, such as service version detection (-sV), OS detection (-O), and script execution (-sC or --script), only on the ports identified as open by rustscan. This significantly reduces the overall scan time for comprehensive network assessments.

CONFIGURATION FILE SUPPORT

rustscan supports loading default settings and Nmap arguments from a TOML configuration file (specified with --config). This is highly useful for creating reusable scan profiles, ensuring consistent scan parameters across multiple engagements, and simplifying complex Nmap argument setups.

HISTORY

rustscan was developed by Brandon Randall (RustProofLabs) and first publicly released around late 2019/early 2020. It rapidly gained popularity within the cybersecurity community for its innovative approach to combining extreme scanning speed with the deep analysis capabilities of nmap. Its development in the Rust programming language is a key factor in its performance, offering memory safety and high concurrency, which are crucial for network scanning applications.

SEE ALSO

nmap(1), masscan(8), netcat(1), hping3(8)
