Penetration Testing

A Detailed Guide on RustScan

In the realm of cybersecurity, network scanning tools play a vital role in reconnaissance and vulnerability assessment. Among the array of options available, Rustscan has emerged as a formidable contender, offering speed, efficiency, and versatility that distinguish it from traditional tools like Nmap.

Table of Contents

  • What sets Rustscan apart?
  • Advantages of Rustscan over Nmap
  • Usage (Docker)
  • Installation and Usage (Standalone)
  • Rustscan flags
  • Conclusion

What sets Rustscan apart?

Rustscan is an open-source network scanner developed in the Rust programming language. Its lightweight design, optimized algorithms, and user-friendly interface make it a preferred choice for both penetration testers and security professionals.

Advantages of Rustscan over Nmap:

Speed: It is renowned for its rapid scanning capabilities. Its multithreaded architecture and optimized algorithms enable it to scan large networks significantly faster than traditional scanners like Nmap.

Efficiency: It prioritizes efficiency, utilizing resources intelligently and minimizing overhead. This ensures that scanning tasks are completed swiftly without excessive resource consumption.

Ease of Use: With its intuitive interface and simplified command structure, Rustscan is accessible to users of all levels of expertise. Its design minimizes the learning curve typically associated with network scanning tools.

Versatility: It offers a broad range of features and customization options, allowing users to tailor their scans to specific requirements. Whether performing basic port scanning or comprehensive service enumeration, Rustscan delivers.

 Usage (Docker)

Rustscan can run by pulling an image using docker. The installation guide is available here  

To install docker use the command:

apt install

After the docker installation, rustscan can run from the following command:

docker run -it --rm --name rustscan rustscan/rustscan:2.1.1 -a

Installation and Usage (Standalone)

Installation of Rustscan can be performed using cargo, the following command can be used:

apt install cargo

cargo install rustscan

Make sure to add the /root/.cargo/bin to the path

echo $SHELL
nano .zshrc

Add the /root/.cargo/bin as export PATH.

After installation success, Rustscan is now ready to run.

Rustscan flags

There are a number of operations which can be performed using Rustscan, below listed are the flags to perform respective operation in Rustscan.

-a : To perform a comprehensive scan of all TCP ports.

rustscan -a

–ulimit : To adjust the ulimit for file descriptors to handle large-scale scans. If the scan is running slow adding this flag with a value of 5000 will make it run faster.

rustscan -a --ulimit 5000

-p : To define specific ports to be scanned.

rustscan -a -p 21,22,23

-r : To perform a range scan, specific range of ports will be scanned.

rustscan -a -r 21-50

-sC -sV : To perform default script scan and service version scan.

rustscan -a -- -sC -sV

Results of service version and default script scan can be seen below.

Rustscan can also be used to scan the entire subnet IP addresses by just adding a /24 after the IP address.

rustscan -a

-g : To enable the “greppable” output format for easy parsing and analysis.

rustscan -a -g

–accessible : Turn on accessible mode, does not print ASCII art. Also does not print very large blocks of text, as this can cause some pain with screenreaders. This reduces the information you get.

rustscan -a --accessible


Rustscan represents a significant advancement in network scanning technology. Its speed, efficiency, and versatility make it an invaluable tool for cybersecurity professionals. Whether conducting routine network audits or hunting for vulnerabilities, Rustscan is a must-have in your toolkit.

Author: Vinayak Chauhan is an InfoSec researcher and Security Consultant. Contact here