Cyber Security

RustScan VS Nmap

Find all open ports fast with Rustscan, automatically pipe them into Nmap. Built with Rust.

Note: You must have Nmap installed.


debian package terminal gifs

What is this?

If you are a competitive CTF player and often find yourself running masscan / a basic nmap scan before running a more comprehensive scan, this tool is for you.

  1. Find ports quickly using Rustscan (27 seconds on average).
  2. Automatically runs nmap --sV -$ports -vvv on those ports.
  3. Profit???


Rustscans only job is to reduce the friction between finding open ports and inputting them into nmap.

RustScan vs Nmap vs MassScan

Name RustScan Nmap Masscan
Actually useful
Realises it’s not useful, and pipes the only useful data into the only useful port scanner


Increasing speed/accuracy

  • Batch size This increases speed, by allowing us to process more at once. Something experimental I am working on is changing the open file limit. You can do this manually with ulimit -n 70000 and then running rustscan with -B 65535. This should scan all 65535 ports at the exact same time. But this is extremely experimental.

For non-experimental speed increases, slowly increase the batch size until it no longer gets open ports, or it breaks.

Accuracy (and some speed) To increase accuracy, the easiest way is to increase the timeout. The default is 1.5 seconds, by setting it to 4 seconds (4000) we are telling RustScan “if we do not hear back from a port in 4 seconds, assume it is closed”.

Related Articles