loading
loading
Network
The modern port scanner that finds ports quickly and pipes them into a scripting engine.
overview
rustscan finds open ports fast, often in a few seconds on a single host, then hands them to a scripting engine that supports Python, Lua, and Shell. The split is deliberate: rustscan does high-speed discovery, and the scripting layer handles deeper inspection such as service and version detection.
Speed comes from tunable --batch-size and --ulimit, which govern how many ports it probes at once. Target the top 1000 ports with --top, an explicit --ports list, or a --range; switch to --udp for datagram listeners; exclude ports and addresses when needed. Inputs accept CIDRs, IPs, and hostnames from --addresses or from files.
Run it early in a Trickest Network workflow to map the live port surface, then route open ports into nmap, fingerprintx, or vulnerability checks. Pair rustscan with a deep scanner; do not treat it as a full replacement for service detection.
source github.com/RustScan/RustScan
use cases
Feed CIDRs, IPs, or hostnames and let rustscan sweep them quickly, producing the open-port list that downstream service detection consumes.
Use --top, an explicit --ports list, or a --range to bound the scan to the ports a given assessment cares about.
Raise or lower --batch-size and --ulimit to push throughput while staying inside your OS open-file limit and the target's tolerance.
Enable --udp to find ports that answer over UDP, which a default TCP-only sweep would miss.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| addresses | STRING | --addresses | Comma-delimited list of CIDRs, IPs, or hosts to scan. |
| addresses-file | FILE | --addresses | Newline-delimited file of CIDRs, IPs, or hosts to scan. |
| ports | STRING | --ports | Comma-separated ports to scan. Example: 80,443,8080. |
| range | STRING | --range | Port range in start-end format. Example: 1-1000. |
| top | BOOLEAN | --top | Use the top 1000 ports. |
| udp | BOOLEAN | --udp | UDP scanning mode for ports that respond over UDP. |
| batch-size | STRING | --batch-size | Batch size for port scanning; controls speed. Default: 4500. |
| timeout | STRING | --timeout | Timeout in milliseconds before a port is assumed closed. Default: 1500. |
Showing key inputs. rustscan exposes 18 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| top | BOOLEAN | --top | Use the top 1000 ports |
| udp | BOOLEAN | --udp | UDP scanning mode, finds UDP ports that send back responses |
| ports | STRING | --ports | A list of comma separated ports to be scanned. Example: 80,443,8080 |
| range | STRING | --range | A range of ports with format start-end. Example: 1-1000 |
| tries | STRING | --tries | The number of tries before a port is assumed to be closed. If set to 0, rustscan will correct it to 1 [default: 1] |
| ulimit | STRING | --ulimit | Automatically ups the ULIMIT with the value you provided |
| timeout | STRING | --timeout | The timeout in milliseconds before a port is assumed to be closed [default: 1500] |
| resolver | STRING | --resolver | A comma-delimited list of DNS resolvers |
| addresses | STRING | --addresses | A comma-delimited list of separated CIDRs, IPs, or hosts to be scanned |
| no-config | BOOLEAN | --no-config | Whether to ignore the configuration file or not |
| accessible | BOOLEAN | --accessible | Accessible mode. Turns off features which negatively affect screen readers |
| batch-size | STRING | --batch-size | The batch size for port scanning, it increases or slows the speed of scanning. Depends on the open file limit of your OS. If you do 65535 it will do every port at the same time. Although, your OS may not support this [default: 4500] |
| scan-order | STRING | --scan-order | The order of scanning to be performed. The "serial" option will scan ports in ascending order while the "random" option will scan ports randomly [default: serial] [possible values: serial, random] |
| config-path | FILE | --config-path | Custom path to config file |
| exclude-ports | STRING | --exclude-ports | A list of comma separated ports to be excluded from scanning. Example: 80,443,8080 |
| resolver-file | FILE | --resolver | A file of DNS resolvers |
| addresses-file | FILE | --addresses | A newline-delimited file of separated CIDRs, IPs, or hosts to be scanned |
| exclude-addresses | STRING | --exclude-addresses | list of comma separated CIDRs, IPs, or hosts to be excluded from scanning |
example
# fast top-1000 sweep of a lab host, then raise ulimit for wider batchesrustscan --addresses 198.51.100.10 --top --ulimit 5000 --batch-size 4500 --timeout 1500Open 198.51.100.10:22Open 198.51.100.10:80Open 198.51.100.10:443Open 198.51.100.10:8080Open 203.0.113.88:22Open 203.0.113.88:443Open example.com:80Open example.com:443guidance
Reach for RustScan when you want the fastest path from a host range to an open-port list, then hand those ports to deeper analysis. nmap does the rich service and script detection RustScan defers; masscan and naabu are other fast discovery options. Pair RustScan with nmap, do not replace it.
The deep scanner RustScan feeds: service detection, version probing, and NSE scripts.
Fast Go port scanner from the ProjectDiscovery suite, similar discovery role.
Outsources port scans to third-party websites when you want no direct traffic.
faq
related
Quickly map an organization's network ranges using ASN information.
Maximize your resolver count by combining the target's DNS servers with public resolvers.
Expand CIDR ranges into a list of IP addresses easily.
Expand CIDR ranges into a list of IP addresses easily, from a file.
Maintain a list of IPv4 DNS servers verified against baseline servers for accurate responses.
Patched dnsvalidator that keeps only IPv4 resolvers verified against baseline servers.
A host list feeds RustScan, which finds open ports fast and hands them to nmap for service detection before they land as a queryable output.
Facts on this page come from the live Trickest tool library.