# Cybersecurity: Port Scanning with RustScan

You know, in the realm of network reconnaissance and scanning, finding the right tool can be a game-changer, especially when versatility is a must. Now, my trusty companion in the world of network scanning has always been good ol' Nmap. It's reliable, it's a classic, and it's been my go-to for years.

And here's the kicker: Nmap is like that reliable old friend who's always there when you need them. It comes pre-installed in Kali Linux, it's a breeze to install on most systems, and it's tried and tested. Nmap is dependable, and it's always right at your fingertips.

But let me tell you about a little something that might just find a place in your toolbox – RustScan. I mean, I'm not about to stop using Nmap; it's a fantastic tool that's stood the test of time. But I have to admit that I'm impressed by RustScan. I was introduced to RustScan when I was working on a project, and someone used it at the same time I was running Nmap. It finished scanning before my computer could even spit out an Nmap header!

Now, I get it; we're not talking about a production server here. The server he used it on wasn't meant for anything but pentesting. But the sheer power of RustScan, the ability to unleash that speed when you need it, it's just mind-blowing.

Ok, no more sales pitch, let's just dive in and take a closer look.

<div data-node-type="callout">
<div data-node-type="callout-emoji">🪣</div>
<div data-node-type="callout-text"><em>I got most of the information for this article from the RustScan documentation. For more detailed information and additional usage options, see the </em><a target="_blank" rel="noopener noreferrer nofollow" href="https://github.com/RustScan/RustScan/wiki/Usage" style="pointer-events: none"><em>official RustScan documentation</em></a><em>.</em></div>
</div>

## **What is RustScan?**

RustScan is a versatile and lightweight port scanning tool designed to simplify the process of network reconnaissance. It excels in swiftly identifying open ports on target hosts, making it invaluable for both beginners and experienced professionals.

### **Speed and Efficiency**

One of RustScan's defining characteristics is its speed. It's optimized for quick port scans, making it an excellent choice for time-sensitive tasks. Whether you're scanning a single host or an entire network, RustScan gets the job done efficiently.

### **Simplicity**

RustScan prides itself on its simplicity. Even if you're new to network scanning, its straightforward command-line interface allows you to initiate scans with ease. You don't need to be a seasoned pro to use RustScan effectively.

### **Versatility**

RustScan's versatility is a standout feature. It can be a valuable tool for various scenarios, from security assessments to network administration. Whether you're a security researcher or a system administrator, RustScan is designed to enhance your toolkit.

## **Installation and Download**

Getting started with RustScan is a breeze. You can download the tool from the official release page on GitHub: [RustScan 2.0.1](https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb)

After downloading, installation is a simple matter of using the following command:

```plaintext
sudo dpkg -i rustscan_2.0.1_amd64.deb
```

## **Basic Usage**

Now, let's dive into the basics of using RustScan. We'll start with a simple scan of a single target IP address. Here's how you can do it:

### **Basic Scan**

To perform a basic scan on a target IP address, use the following command:

```plaintext
rustscan -a 10.10.154.251
```

This straightforward command will scan the common ports on the specified target, providing you with an overview of the open ports.

### **Scanning Multiple IPs**

RustScan is versatile, allowing you to scan multiple IP addresses by specifying them in a comma-separated list:

```plaintext
rustscan -a 10.10.154.251,10.10.154.252
```

### **Host Scanning**

You can also use RustScan to scan hosts. For instance:

```plaintext
rustscan -a www.example.com
```

### **CIDR Support**

RustScan supports CIDR notation for scanning a range of IP addresses:

```plaintext
rustscan -a 192.168.0.0/30
```

### **Hosts File as Input**

If you have a list of IPs or hosts to scan, you can provide a file containing these entries. The file should be formatted as a newline-separated list. Here's an example:

**hosts.txt:**

```plaintext
192.168.0.1
192.168.0.2
www.example.com
192.168.0.0/30
10.10.154.251
```

To scan the IPs and hosts from the file, use the following command:

```plaintext
rustscan -a 'hosts.txt'
```

### **Individual Port Scanning**

RustScan allows you to scan individual ports. For example:

```plaintext
rustscan -a 10.10.154.251 -p 53
```

### **Multiple Selected Port Scanning**

You can specify a comma-separated list of ports to scan:

```plaintext
rustscan -a 10.10.154.251 -p 53,80,121,65535
```

### **Port Ranges**

To scan a range of ports, use this command:

```plaintext
rustscan -a 10.10.154.251 --range 1-1000
```

### **Adjusting Nmap Arguments**

By default, RustScan runs Nmap. You can adjust Nmap's arguments like this:

```plaintext
rustscan -a 10.10.154.251 -- -A -sC
```

### **Random Port Ordering**

If you want to scan ports in a random order (useful for avoiding firewall detection), run RustScan like this:

```plaintext
rustscan -a 10.10.154.251 --range 1-1000 --scan-order "Random"
```

## **Increasing Speed and Accuracy**

RustScan offers options to improve the speed and accuracy of your scans. Here are some strategies to consider:

### **Batch Size**

Increasing the batch size allows RustScan to process more data at once, resulting in faster scans. You can experiment with changing the open file limit using `ulimit -n 70000` and running RustScan with `-b 65535` for simultaneous scanning of all 65,535 ports. However, this approach is experimental and might not be suitable for all scenarios.

For non-experimental speed improvements, gradually increase the batch size until you find the optimal setting where it no longer misses open ports or breaks.

### **Timeout for Accuracy**

To enhance accuracy, consider increasing the timeout value. The default timeout is 1.5 seconds, but you can set it to a longer duration, such as 4 seconds (4000). This adjustment tells RustScan to assume a port is closed if there's no response within the specified timeout. Increasing the timeout can improve accuracy.

### **False Positives**

RustScan's architecture is based on a full TCP 3-way handshake connection using Rust's built-in sockets module. This module has been extensively tested and is used by large companies like Google and Apple. Rust's networking features are known for their reliability and correctness. Therefore, claims of false positives in RustScan are highly unlikely and may result from the use of another scanner that doesn't guarantee against false positives.

### **False Negatives**

In cases of false negatives, where ports are missed, it may be due to the operating system struggling with high-speed scanning. This can happen with any fast scanner or I/O-intensive program. To address false negatives, refer to the section on increasing speed and accuracy to find potential solutions.

Instead of restricting you with limited options, RustScan empowers you with control over the level of speed and accuracy you desire. The tool continues to evolve, with future plans to provide predefined levels of speed and accuracy.

### **Time to give it a try!**

RustScan is a powerful asset for both beginners and experts in the field of network reconnaissance. Its speed, simplicity, and versatility make it an awesome adition to my tool bag.

So, the next time you need to scan a network for open ports or vulnerabilities, give RustScan a try. It might just become your preferred tool for all your network scanning needs. As we've seen, in the world of network reconnaissance and scanning, having the right tool can make all the difference. Whether you're going with RustScan or another trusted tool like Nmap, it's all about finding the perfect fit for your needs.

Stay vigilant, stay curious, and stay secure.

*For more detailed information and additional usage options, you can refer to the* [*official RustScan documentation*](https://github.com/RustScan/RustScan/wiki/Usage)*.*
