Scripts · May 16, 2026 · 3 min read

RustScan — The Modern Port Scanner Built in Rust

A fast, extensible port scanner that automatically pipes results into Nmap for service detection. Scans all 65,535 ports in seconds using async I/O and integrates with scripting engines for custom workflows.


Introduction

RustScan is an open-source port scanner designed to find open ports quickly and then hand off to Nmap for deeper analysis. It leverages Rust's async runtime to scan all 65,535 TCP ports in under 10 seconds on fast networks, making it a practical wrapper that accelerates traditional Nmap-based workflows.

What RustScan Does

  • Performs asynchronous TCP connect scans across all ports at configurable batch sizes
  • Automatically pipes discovered open ports into Nmap for version detection and script scanning
  • Supports adaptive timing that adjusts scan speed based on network conditions
  • Provides a scripting engine for extending scan behavior with custom Python or Shell scripts
  • Runs inside Docker containers for isolated, reproducible scanning environments

Architecture Overview

RustScan is built on Tokio for async I/O, spawning thousands of concurrent TCP connection attempts while respecting OS file descriptor limits. The scanner batches connection attempts (default 4500) and uses a configurable timeout per connection. Once open ports are identified, RustScan constructs an Nmap command string and executes it as a subprocess, passing the discovered ports via the -p flag.
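Seen from the target's side, the batched connect scan described above appears as one source touching many distinct ports on one host within a short window. The following is an added example, not RustScan's code: a detector that counts distinct destination ports per source/destination pair. The log format (`epoch_ms src_ip dst_ip dst_port`), the addresses, and the thresholds are assumptions constructed for illustration.

```rust
use std::collections::{BTreeMap, HashSet};

type Event = (u64, u16); // (timestamp in ms, destination port)

/// Parse lines of the assumed form "epoch_ms src_ip dst_ip dst_port", grouped
/// per (source, destination) pair. Malformed lines are skipped.
fn parse(log: &str) -> BTreeMap<(String, String), Vec<Event>> {
    let mut by_pair: BTreeMap<(String, String), Vec<Event>> = BTreeMap::new();
    for line in log.lines() {
        let f: Vec<&str> = line.split_whitespace().collect();
        if f.len() != 4 { continue; }
        if let (Ok(ts), Ok(port)) = (f[0].parse::<u64>(), f[3].parse::<u16>()) {
            by_pair.entry((f[1].to_string(), f[2].to_string())).or_default().push((ts, port));
        }
    }
    by_pair
}

/// Largest number of distinct destination ports seen in any `window_ms` span.
/// Quadratic in the worst case, which is acceptable for a short example.
fn max_distinct_ports(mut events: Vec<Event>, window_ms: u64) -> usize {
    events.sort();
    (0..events.len()).map(|i| {
        events[i..].iter().take_while(|e| e.0 - events[i].0 <= window_ms)
            .map(|e| e.1).collect::<HashSet<u16>>().len()
    }).max().unwrap_or(0)
}

/// Flag (src, dst, distinct_ports) pairs that reach `min_ports` in one window.
fn detect_sweeps(log: &str, window_ms: u64, min_ports: usize) -> Vec<(String, String, usize)> {
    parse(log).into_iter()
        .map(|((s, d), ev)| (s, d, max_distinct_ports(ev, window_ms)))
        .filter(|(_, _, n)| *n >= min_ports)
        .collect()
}

/// Constructed sample: 10.0.0.5 sweeps ports 1..=300 at 1 ms spacing;
/// 10.0.0.7 makes 50 ordinary connections to port 443.
fn sample_log() -> String {
    let scan = (1..=300u64).map(|p| format!("{} 10.0.0.5 10.0.0.9 {}", 1000 + p, p));
    let web = (0..50u64).map(|i| format!("{} 10.0.0.7 10.0.0.9 443", 1000 + i * 100));
    scan.chain(web).collect::<Vec<_>>().join("\n")
}

fn main() {
    for (src, dst, n) in detect_sweeps(&sample_log(), 5_000, 100) {
        println!("possible port sweep: {src} -> {dst}, {n} distinct ports in 5 s");
    }
}
```

Counting distinct ports rather than raw connection rate keeps the busy but benign client on port 443 out of the results. A window that is too short relative to the sweep's pacing undercounts, so size it to the slowest sweep you want to catch.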

Self-Hosting & Configuration

  • Install via cargo, Homebrew, AUR, or download prebuilt binaries from GitHub releases
  • Run in Docker: docker run -it --rm rustscan/rustscan:latest -a target
  • Configure batch size with -b flag to balance speed vs. network stability
  • Set timeout per port with -t (default 1500ms) for high-latency networks
  • Use .rustscan.toml config file for persistent settings like default scripts and Nmap arguments

Key Features

  • Scans all 65,535 ports in 3-10 seconds depending on network and batch size
  • Adaptive learning adjusts scan rate to avoid overwhelming targets
  • Scripting engine supports Python and Shell for custom post-scan logic
  • Accessible mode with human-friendly output and progress indicators
  • Full Nmap integration preserves existing NSE scripts and workflows

Comparison with Similar Tools

  • Nmap — gold standard for service detection but slow on full-port scans; RustScan uses Nmap as a backend after fast port discovery
  • Masscan — raw SYN scanner that is faster but requires root privileges and custom packet crafting; RustScan works unprivileged
  • Naabu — similar async Go port scanner by ProjectDiscovery; RustScan offers built-in Nmap piping and scripting engine
  • Zmap — designed for internet-wide scanning research; overkill for targeted assessments where RustScan excels

FAQ

Q: Does RustScan require root or sudo privileges? A: No. RustScan uses TCP connect scans that work at user level, unlike raw SYN scanners that need elevated permissions.

Q: Can I use RustScan without Nmap installed? A: Yes. RustScan will still discover open ports; it simply skips the Nmap phase if the binary is not found.

Q: How do I avoid triggering rate limits or IDS alerts? A: Lower the batch size with -b 1000 and increase the timeout with -t 2000 to reduce connection flood signatures.

Q: Is RustScan suitable for production network auditing? A: Yes, with tuned batch sizes. Many security teams use it for internal asset discovery and pre-engagement reconnaissance in authorized pentests.
