RustScan: A Quick Summary of the Next-Generation Nmap
RustScan Install
# wget https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb
# dpkg -i rustscan_2.0.1_amd64.deb
RustScan Help (excerpt)
# rustscan --help
...
USAGE:
rustscan [FLAGS] [OPTIONS] [-- <command>...]
FLAGS:
-h, --help Show help
...
-V, --version Show version
OPTIONS:
-a, --addresses <addresses>... IPs to scan
...
-r, --range <range> Port range. Example: 1-1000
...
--scripts <scripts> Scripts to run [default: default] [possible values: None, Default, Custom]
None: run no scripts
Custom: run every script in the scripts folder (example: https://github.com/RustScan/RustScan/tree/master/fixtures/.rustscan_scripts)
Default (the initial value): run the Nmap script, or any scripts listed in the config file
-u, --ulimit <ulimit> The ULIMIT (system resource limit) to raise to (5000 is recommended)
ARGS:
<command>... The Nmap command to run
RustScan vs Nmap: Port Scan Speed Comparison
RustScan: 330 seconds
# time rustscan -a 10.10.11.168 --range 0-65535 --ulimit 5000 -- -sCV -oN scrambled.rustscan
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
...
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49673/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49699/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49704/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49713/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
...
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| smb2-time:
| date: 2022-12-30T15:08:34
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 42300/tcp): CLEAN (Timeout)
| Check 2 (port 11476/tcp): CLEAN (Timeout)
| Check 3 (port 58418/udp): CLEAN (Timeout)
| Check 4 (port 31813/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:09
Completed NSE at 10:09, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:09
Completed NSE at 10:09, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:09
Completed NSE at 10:09, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 200.58 seconds
Raw packets sent: 26 (1.120KB) | Rcvd: 23 (996B)
real 330.63s
Nmap: 433 seconds
# nmap 10.10.11.168 -p0-65535 -Pn -T4 -sCV -oN scrambled.nmap
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-30 10:13 EST
Nmap scan report for scrambled.htb (10.10.11.168)
Host is up (0.17s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
...
Host script results:
| smb2-time:
| date: 2022-12-30T15:20:07
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 433.14 seconds
Conclusion
RustScan enumerates the ports first and then runs the Nmap scripts only against the ports it found.
Nmap, by contrast, runs the specified scripts against every port.
That is why RustScan is more efficient and faster.
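As an added example (not from the original post or the RustScan project), here is a small Python parser for the `-oN` normal output shown in both runs: it collects the open ports and the scan time from each report and compares the two. The sample reports are constructed excerpts modelled on the output above; the `real` line is the wall-clock total printed by the shell's `time`, which includes RustScan's own enumeration phase that the `Nmap done` line leaves out.

```python
import re
from typing import Dict, NamedTuple, Optional

# One port line of Nmap "normal" (-oN) output. RustScan runs Nmap with -vvv, so its
# lines also carry the reason ("syn-ack ttl 127") ahead of the version string.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
DONE_RE = re.compile(r"Nmap done: .* scanned in ([\d.]+) seconds")  # Nmap's own total
REAL_RE = re.compile(r"^real\s+([\d.]+)s?$")                         # shell `time` total

class ScanSummary(NamedTuple):
    open_ports: Dict[str, str]      # "53/tcp" -> "domain Simple DNS Plus"
    nmap_seconds: Optional[float]   # only the Nmap phase (understates a RustScan run)
    wall_seconds: Optional[float]   # `time` output if present, else nmap_seconds

def parse_normal_output(text: str) -> ScanSummary:
    """Collect open ports and timings from an -oN report plus an optional `time` line."""
    open_ports: Dict[str, str] = {}
    nmap_s = wall_s = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PORT_RE.match(line):
            port, proto, state, service, rest = m.groups()
            if state == "open":
                open_ports[f"{port}/{proto}"] = " ".join(filter(None, [service, rest]))
        elif m := DONE_RE.search(line):
            nmap_s = float(m.group(1))
        elif m := REAL_RE.match(line):
            wall_s = float(m.group(1))
    return ScanSummary(open_ports, nmap_s, wall_s if wall_s is not None else nmap_s)

def compare_scans(a: str, b: str) -> Dict[str, object]:
    """Open ports each run found that the other missed, and how much slower b was."""
    sa, sb = parse_normal_output(a), parse_normal_output(b)
    pa, pb = set(sa.open_ports), set(sb.open_ports)
    by_port = lambda k: int(k.split("/")[0])  # numeric order: "53/tcp" before "9389/tcp"
    speedup = sb.wall_seconds / sa.wall_seconds if sa.wall_seconds and sb.wall_seconds else None
    return {"only_in_a": sorted(pa - pb, key=by_port), "only_in_b": sorted(pb - pa, key=by_port),
            "common": sorted(pa & pb, key=by_port), "speedup": speedup}

# Constructed excerpts modelled on the two runs above; not the full reports.
RUSTSCAN_REPORT = """53/tcp open domain syn-ack ttl 127 Simple DNS Plus
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Nmap done: 1 IP address (1 host up) scanned in 200.58 seconds
real 330.63s"""
NMAP_REPORT = """PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
9389/tcp open mc-nmf .NET Message Framing
Nmap done: 1 IP address (1 host up) scanned in 433.14 seconds"""
```

Read this way, the 200.58 s that Nmap reports inside the RustScan run is only the Nmap phase; the 330.63 s wall time is the number to set against Nmap's 433.14 s.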