RustScan, a blazing-fast Rust-based port scanner, discovers open ports in seconds and pipelines results to Nmap. Explore features, install, and pro tips inside.
In the field of cybersecurity, speed often determines success or failure. RustScan, with its revolutionary scanning speed, is becoming a secret weapon in the hands of penetration testers.
⚙️ 1. Tool Positioning: Nmap's "Supersonic Wingman"
RustScan is a modern high-speed port scanner built on the Rust language. Unlike traditional scanners, it doesn't try to replace classic tools like Nmap—instead, it acts as a high-performance "vanguard": it discovers open ports at lightning speed, then seamlessly hands off the results to Nmap for deep service identification. This collaborative model compresses what used to take 17 minutes down to under 19 seconds, boosting efficiency by 98%.
RustScan's design philosophy is "Do One Thing and Do It Well"—focus on port discovery and push speed to the extreme.
🚀 2. Disruptive Features
Extreme scanning speed:
- Processes 3000 ports per second by default, completing a full-port (1-65535) scan in as little as 3 seconds.
- Use the
-bflag to adjust batch size (e.g.,-b 10000) for further acceleration.
Adaptive intelligent engine:
- Dynamically optimizes scanning strategy based on basic math (not machine learning).
- Automatically adjusts timeout based on network latency, balancing speed and accuracy.
Seamless Nmap piping:
- Automatically forwards open ports to Nmap for deep scanning—no manual copy-paste needed.
- Supports custom Nmap arguments:
rustscan IP -- -A -sCenables OS detection and script scanning.
Cross-platform with minimal dependencies:
- Deploys as a single binary, or runs isolated via Docker.
- Supports IPv6, CIDR ranges, domain names, IP list files, and other target formats.
Stealth scanning strategy:
--scan-order Randomrandomizes port scanning order to avoid triggering firewall alerts.
📥 3. Installation Guide: Multi-Platform Deployment
Native Installation (Linux/macOS)
# Debian/Kali
wget https://github.com/RustScan/RustScan/releases/download/2.1.1/rustscan_2.1.1_amd64.deb
sudo dpkg -i rustscan*.deb
# Arch Linux
yay -S rustscan
# macOS
brew install rustscanDocker Method (Recommended 🌟)
# Pull image
docker pull rustscan/rustscan:latest
# Set alias to simplify commands
alias rustscan='docker run -it --rm rustscan/rustscan:latest'
# Verify installation
rustscan --version💡 The Docker approach avoids dependency conflicts, and the image has optimized file descriptor limits.
🎯 4. Practical Usage in Detail
Basic Scanning
# Scan all ports on a single IP
rustscan -a 192.168.1.1
# Scan a network range
rustscan -a 192.168.1.0/24
# Scan a domain name
rustscan -a example.comPrecise Port Control
# Specify port range (1-1000)
rustscan -a 10.0.0.1 -p 1-1000
# Multi-port scanning
rustscan -a 10.0.0.1 -p 80,443,22
# Random scanning order for anti-detection
rustscan -a 10.0.0.1 --scan-order "Random"Advanced Parameter Tuning
# Balance speed and accuracy
rustscan -a 192.168.1.1 -t 2000 -T 1500
# -t: thread count (default 1000)
# -T: timeout (ms), recommended 250 for LAN / 1500+ for WAN
# Deep scan combo (pipe results to Nmap)
rustscan -a 192.168.1.1 -- -A -sV -oN result.txt
# Arguments after -- are passed to Nmap:
# -A: aggressive scan -sV: service version detection📊 5. Comparison with Similar Tools
| Feature | RustScan | Nmap | Masscan | NimScan |
|---|---|---|---|---|
| 65535 ports time | 3-8s (Linux) | ~25min | ~8s (Linux) | ~7s |
| Dependencies | Requires Nmap | Npcap driver | libpcap driver | None |
| Learning curve | Low | High | Medium | Medium-high |
| Nmap integration | ✅ Auto-pipe | ❌ Standalone | ❌ Manual | ❌ Manual |
| UDP support | ❌ TCP only | ✅ Full | ✅ Full | ✅ Full |
Comparison conclusion: RustScan clearly leads in scanning speed and Nmap integration, but deep service identification still requires pairing with Nmap.
🛠️ 6. Advanced Tips for Power Users
- Break through system limits for higher speed
Temporarily raise the file descriptor limit to enable concurrent full-port scanning:
ulimit -n 70000 # Raise descriptor limit
rustscan -a 192.168.1.1 -b 65535 # Set batch size to maximum- Evade firewall strategies
# Use segmented scanning to avoid IP bans
rustscan -a 203.0.113.0/24 --scan-order "Random" -p 80,443- Port troubleshooting in Docker environments
Quickly locate port conflicts on a NAS or Docker host:
docker run -it --rm rustscan/rustscan -a host.docker.internal -p 8080-9090- Automate output processing
Combine grep/awk to extract open ports and feed them into custom scripts:
rustscan -a 10.1.1.1 | grep "Open" | awk '{print $2}' > ports.txt
python custom_scanner.py -f ports.txt🧯 7. Typical Use Cases
- Red team penetration blitz
Quickly locate open services on the internal network, such as unauthorized Redis or MySQL instances:rustscan -a 10.10.10.0/24 -p 3306,6379 -- -sV - Security incident response
After a server is compromised, rapidly scan all machines on the network to locate high-risk ports being monitored by malicious processes. - DevOps continuous monitoring
Combine with Cron to periodically scan critical servers and generate alerts on port changes. - Cloud environment asset management
Scan AWS/Azure subnets to automatically build port-mapping topology diagrams.
💎 Conclusion: A Blade of the Efficiency Revolution
RustScan, with its "speed first, depth follow-up" tiered scanning strategy, has redefined the port detection workflow. Although it still relies on Nmap for protocol support (such as UDP scanning) and OS fingerprinting, its breakthrough of compressing scan time from "a cup of coffee" to "a single deep breath" has made it an indispensable blade in any penetration testing toolkit.
Project address: RustScan GitHub Repository
Notice: This program is intended for security testing only. Malicious scanning of others' networks may constitute a criminal offense.
Note: This is the English translation of the original Chinese version.