
RustScan: a quick look at the "next-generation Nmap"

Published 2022/12/31

RustScan Install

# wget https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb
# dpkg -i rustscan_2.0.1_amd64.deb

RustScan help (excerpt)

# rustscan --help
...
USAGE:
    rustscan [FLAGS] [OPTIONS] [-- <command>...]

FLAGS:
    -h, --help          Print help
    ...
    -V, --version       Print version

OPTIONS:
    -a, --addresses <addresses>...    IPs to scan
    ...
    -r, --range <range>               Port range. Example: 1-1000
    ...
        --scripts <scripts>           Scripts to run [default: default]  [possible values: None, Default, Custom]
                                      None: run no scripts
                                      Custom: run every script in the scripts folder (example: https://github.com/RustScan/RustScan/tree/master/fixtures/.rustscan_scripts)
                                      Default (initial value): run the Nmap script, or any script listed in the config file
    -u, --ulimit <ulimit>             Raise the ULIMIT (open-file limit) to this value (5000 is recommended)

ARGS:
    <command>...    The Nmap command to run (everything after --)

RustScan vs Nmap: port scan speed comparison

RustScan: 330 seconds

# time rustscan -a 10.10.11.168 --range 0-65535 --ulimit 5000 -- -sCV -oN scrambled.rustscan
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
...
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49673/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49699/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49704/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49713/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
...
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| smb2-time: 
|   date: 2022-12-30T15:08:34
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 42300/tcp): CLEAN (Timeout)
|   Check 2 (port 11476/tcp): CLEAN (Timeout)
|   Check 3 (port 58418/udp): CLEAN (Timeout)
|   Check 4 (port 31813/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:09
Completed NSE at 10:09, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:09
Completed NSE at 10:09, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:09
Completed NSE at 10:09, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 200.58 seconds
           Raw packets sent: 26 (1.120KB) | Rcvd: 23 (996B)


real    330.63s

Nmap: 433 seconds

# nmap 10.10.11.168 -p0-65535 -Pn -T4 -sCV -oN scrambled.nmap 
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-30 10:13 EST
Nmap scan report for scrambled.htb (10.10.11.168)
Host is up (0.17s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
...
Host script results:
| smb2-time: 
|   date: 2022-12-30T15:20:07
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
|_clock-skew: mean: 1s, deviation: 0s, median: 1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 433.14 seconds
                                                              

Conclusion

RustScan enumerates ports first and then runs Nmap only against the ports it found open: whatever follows `--` is passed to Nmap with `-vvv -p <open ports> <target>` appended, so Nmap's version detection and NSE scripts never touch the other 65,000-odd ports.
Nmap on its own does not run scripts against every port either; -sV and -sC only probe the ports its own scan reported open. The difference is in the discovery phase. Nmap's scan of all 65,536 ports is rate-controlled and retransmits probes to the 65,514 ports that never answered (filtered, no-response), which on this 0.17 s latency target cost roughly 230 seconds by itself (433 s total, minus the roughly 200 s that the same -sCV work took when Nmap ran under RustScan). RustScan keeps thousands of TCP connects in flight at once (--ulimit 5000) with a fixed per-port timeout, so it found the same open ports in about 130 seconds (330 s total minus the 200.58 s Nmap reported for its own phase).
That is why RustScan finishes faster here, with some caveats: the two commands are not identical (the standalone Nmap used -T4 -Pn, the Nmap that RustScan launched got neither), a full-handshake connect scan at that rate is noisy and is exactly what an IDS is tuned to flag, and aggressive batch sizes can exhaust the scanner's file descriptors or a fragile target's connection table, so lower --batch-size on anything that is not a lab box.
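The two-phase pattern described by the `[-- <command>...]` usage above and by the conclusion (discover open ports with many parallel TCP connects, then hand only those ports to Nmap), as an added example written for this page; it is not RustScan's own code. The scanner is a minimal asyncio TCP connect scanner in which `batch_size` stands in for RustScan's --batch-size/--ulimit and `timeout` for its --timeout; `build_nmap_command` assembles the command line the way RustScan 2.0.x does, appending `-vvv -p <ports> <target>` to whatever follows `--`. The host, ports and the loopback sockets in `self_test` are constructed for the example.

```python
import asyncio
import errno
import socket
from typing import Dict, Iterable, List, Tuple

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


async def probe(host: str, port: int, timeout: float, sem: asyncio.Semaphore) -> str:
    """Complete a TCP handshake to one port (a connect scan, which is what RustScan does).

    The semaphore caps the sockets in flight; that cap is what RustScan's
    --batch-size / --ulimit tune, and it is why the open-file limit matters.
    """
    async with sem:
        try:
            _, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
        except asyncio.TimeoutError:
            # Neither SYN/ACK nor RST within the timeout: Nmap calls this "filtered (no-response)"
            return FILTERED
        except OSError as exc:
            if exc.errno in (errno.EMFILE, errno.ENFILE):
                # Out of file descriptors: fail loudly instead of misreporting ports as closed
                raise
            return CLOSED  # RST received (ECONNREFUSED) or host unreachable
        writer.close()
        try:
            await writer.wait_closed()
        except OSError:
            pass
        return OPEN


async def _scan(host: str, ports: List[int], batch_size: int, timeout: float) -> Dict[int, str]:
    sem = asyncio.Semaphore(batch_size)
    states = await asyncio.gather(*(probe(host, p, timeout, sem) for p in ports))
    return dict(zip(ports, states))


def scan_ports(host: str, ports: Iterable[int], batch_size: int = 4500,
               timeout: float = 1.5) -> Dict[int, str]:
    """Phase 1: port discovery. Defaults mirror RustScan's --batch-size 4500 / --timeout 1500 ms."""
    port_list = list(ports)
    return asyncio.run(_scan(host, port_list, batch_size, timeout))


def open_ports(states: Dict[int, str]) -> List[int]:
    return sorted(p for p, s in states.items() if s == OPEN)


def build_nmap_command(host: str, ports: List[int], nmap_args: List[str]) -> List[str]:
    """Phase 2: the Nmap command line. RustScan 2.0.x takes what follows `--` and
    appends "-vvv -p <open ports> <target>", so Nmap only probes those ports."""
    if not ports:
        raise ValueError("no open ports found; nothing to hand to nmap")
    return ["nmap", *nmap_args, "-vvv", "-p", ",".join(str(p) for p in ports), host]


def self_test() -> Tuple[str, str]:
    """Offline check on 127.0.0.1 with constructed sockets: one listening socket
    (expected OPEN) and one bound-but-not-listening socket, to which the kernel
    answers with RST (expected CLOSED)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    silent = socket.socket()
    silent.bind(("127.0.0.1", 0))
    listen_port, silent_port = listener.getsockname()[1], silent.getsockname()[1]
    try:
        states = scan_ports("127.0.0.1", [listen_port, silent_port], batch_size=2, timeout=1.0)
    finally:
        listener.close()
        silent.close()
    return states[listen_port], states[silent_port]


if __name__ == "__main__":
    print(self_test())
    # Full-range run as in the post (raise the shell's open-file limit first: ulimit -n 5000):
    # found = open_ports(scan_ports("10.10.11.168", range(0, 65536), batch_size=5000))
    # print(build_nmap_command("10.10.11.168", found, ["-sCV", "-oN", "scrambled.rustscan"]))
```

Two things the numbers in the post follow from: against a host that drops most packets, each batch of connects waits the full `timeout` before the next batch starts, so discovery time is roughly `ports / batch_size * timeout`, which is why the batch size (and therefore the open-file limit) dominates the runtime; and the scanner refuses to continue on EMFILE rather than returning "closed", because a silently shrunk port list is worse than a crashed scan.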
