I came across RustScan, a tool that can port-scan very quickly, so I put it to the test.
Repository
Installation
- Installation commands on Kali Linux
wget https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb
dpkg -i rustscan_2.0.1_amd64.deb
Test environment
- Local machine: Kali Linux on VirtualBox
- Scan target: the server provided by the TryHackMe room "Res"; ports 80 and 6379 are open
Test 1: Nmap
Test details
- Run Nmap with the following options and measure the execution time

| Option | Description |
|---|---|
| -p- | Scan all ports (the default is 1-1024) |
| -sV | Version detection |
| -A | OS detection |
| -oN | Write output to a file (output Normal) |

Test result
- 1621.94 seconds (about 27 minutes)
Execution log
└─# nmap -p- -sV -A -oN nmap.txt 10.10.216.174
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-30 22:52 UTC
Stats: 0:24:29 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
Nmap scan report for 10.10.216.174
Host is up (0.25s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
6379/tcp open redis Redis key-value store 6.0.7
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=11/30%OT=80%CT=1%CU=41258%PV=Y%DS=4%DC=T%G=Y%TM=61A6B1
OS:70%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=109%TI=Z%CI=I%II=I%TS=8)OP
OS:S(O1=M506ST11NW7%O2=M506ST11NW7%O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST
OS:11NW7%O6=M506ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)EC
OS:N(R=Y%DF=Y%T=40%W=6903%O=M506NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)
Network Distance: 4 hops
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 115.52 ms 10.13.0.1
2 ... 3
4 252.41 ms 10.10.216.174
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1621.94 seconds
Test 2: RustScan
Test details
- Run RustScan with the same options and measure the execution time
Test result
- Port scan: 3 seconds
- Version detection scan: 25 seconds
Execution log
└─# rustscan -a 10.10.216.174 --ulimit 5000 -- -sV -A -oN rustscan.txt
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
🌍HACK THE PLANET🌍
[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.216.174:80
Open 10.10.216.174:6379
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-30 22:50 UTC
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:50
Completed NSE at 22:50, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:50
Completed NSE at 22:50, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:50
Completed NSE at 22:50, 0.00s elapsed
Initiating Ping Scan at 22:50
Scanning 10.10.216.174 [4 ports]
Completed Ping Scan at 22:50, 0.37s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:50
Completed Parallel DNS resolution of 1 host. at 22:50, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 22:50
Scanning 10.10.216.174 [2 ports]
Discovered open port 80/tcp on 10.10.216.174
Discovered open port 6379/tcp on 10.10.216.174
Completed SYN Stealth Scan at 22:50, 0.28s elapsed (2 total ports)
Initiating Service scan at 22:50
Scanning 2 services on 10.10.216.174
Completed Service scan at 22:51, 6.52s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 10.10.216.174
Retrying OS detection (try #2) against 10.10.216.174
Initiating Traceroute at 22:51
Completed Traceroute at 22:51, 3.03s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 22:51
Completed Parallel DNS resolution of 2 hosts. at 22:51, 2.10s elapsed
DNS resolution of 2 IPs took 2.10s. Mode: Async [#: 1, OK: 0, NX: 2, DR: 0, SF: 0, TR: 2, CN: 0]
NSE: Script scanning 10.10.216.174.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:51
Completed NSE at 22:51, 5.04s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:51
Completed NSE at 22:51, 1.07s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:51
Completed NSE at 22:51, 0.00s elapsed
Nmap scan report for 10.10.216.174
Host is up, received reset ttl 61 (0.25s latency).
Scanned at 2021-11-30 22:50:58 UTC for 25s
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
6379/tcp open redis syn-ack ttl 61 Redis key-value store 6.0.7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Android 5.1 (92%), Linux 3.13 (92%), Linux 3.2 - 3.16 (92%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.92%E=4%D=11/30%OT=80%CT=%CU=37781%PV=Y%DS=4%DC=T%G=N%TM=61A6AAEB%P=x86_64-pc-linux-gnu)
SEQ(SP=101%GCD=1%ISR=101%TI=Z%CI=I%II=I%TS=8)
OPS(O1=M506ST11NW7%O2=M506ST11NW7%O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST11NW7%O6=M506ST11)
WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)
ECN(R=Y%DF=Y%T=40%W=6903%O=M506NNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 0.021 days (since Tue Nov 30 22:21:07 2021)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 113.35 ms 10.13.0.1
2 ... 3
4 253.85 ms 10.10.216.174
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:51
Completed NSE at 22:51, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:51
Completed NSE at 22:51, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:51
Completed NSE at 22:51, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.09 seconds
Raw packets sent: 65 (4.396KB) | Rcvd: 41 (3.068KB)
Discussion
- Nmap takes a long time because it attempts the operations specified by the options against every port
- RustScan first sweeps all ports, then runs nmap with the specified options only against the ports found open, so the total time is much shorter
- When scanning all ports, RustScan is the faster choice
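To make the two-phase behaviour described above concrete, here is an added Python sketch (not RustScan's own code, which is written in Rust): a concurrent connect() sweep whose batch size stands in for the `--ulimit` setting, followed by an nmap command restricted to the open ports. The loopback listener helper is only there so the sweep can be exercised offline; the function names are my own.

```python
import asyncio
import shlex
import socket
import subprocess
import sys
from typing import Iterable, List, Optional

# Added sketch of RustScan's two phases (not RustScan's own code).
# Phase 1: sweep the port range with many concurrent TCP connect() attempts.
# Phase 2: hand only the open ports to nmap for the slow -sV/-A work.

async def _probe(host: str, port: int, timeout: float, sem: asyncio.Semaphore) -> Optional[int]:
    """Return port if a TCP handshake completes within timeout, else None."""
    async with sem:  # caps sockets in flight, like RustScan's batch size / --ulimit
        try:
            _, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
        except (OSError, asyncio.TimeoutError):  # refused, unreachable or filtered
            return None
        writer.close()
        return port

async def _sweep(host: str, ports: Iterable[int], concurrency: int, timeout: float) -> List[int]:
    sem = asyncio.Semaphore(concurrency)
    results = await asyncio.gather(*(_probe(host, p, timeout, sem) for p in ports))
    return sorted(p for p in results if p is not None)

def scan_ports(host: str, ports: Iterable[int], concurrency: int = 200, timeout: float = 1.0) -> List[int]:
    """Phase 1: concurrent connect() sweep. Returns the sorted list of open ports."""
    return asyncio.run(_sweep(host, ports, concurrency, timeout))

def build_nmap_command(host: str, open_ports: List[int], nmap_args: List[str]) -> Optional[List[str]]:
    """Phase 2: nmap restricted to the open ports (what RustScan does with `-- <args>`)."""
    if not open_ports:
        return None  # nothing open: there is no nmap phase to run
    return ["nmap", "-p", ",".join(str(p) for p in open_ports), *nmap_args, host]

def start_local_listener() -> socket.socket:
    """Helper for an offline self-test: a listening socket on a free loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    return srv

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    found = scan_ports(target, range(1, 65536))
    print("open:", found)
    cmd = build_nmap_command(target, found, ["-sV", "-A", "-oN", "rustscan.txt"])
    if cmd:
        print("running:", shlex.join(cmd))
        subprocess.run(cmd, check=False)
```

Raising `concurrency` is exactly where the `--ulimit` value matters: each in-flight probe holds a file descriptor, so the batch cannot exceed the process's open-file limit.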
Closing remarks
- RustScan does not appear to be banned in the OSCP and seems to be a tool in ordinary use, so I intend to keep getting proficient with RustScan
Addendum
- In the Nmap test I had not used the fast timing option "-T4", so I measured Nmap's time again
- 1016.57 seconds (about 17 minutes)
- Work log
└─# nmap -p- -T4 -sV -A -oN nmap.txt 10.10.216.174
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-30 23:21 UTC
Traceroute Timing: About 32.26% done; ETC: 23:38 (0:00:00 remaining)
Nmap scan report for 10.10.216.174
Host is up (0.25s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
6379/tcp open redis Redis key-value store 6.0.7
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=11/30%OT=80%CT=1%CU=33336%PV=Y%DS=4%DC=T%G=Y%TM=61A6B5
OS:F4%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10B%TI=Z%CI=I%II=I%TS=8)SE
OS:Q(SP=103%GCD=1%ISR=10B%TI=Z%II=I%TS=8)OPS(O1=M506ST11NW7%O2=M506ST11NW7%
OS:O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST11NW7%O6=M506ST11)WIN(W1=68DF%W2
OS:=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M506NNS
OS:NW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%
OS:DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%
OS:O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%
OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%
OS:RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 4 hops
TRACEROUTE (using port 587/tcp)
HOP RTT ADDRESS
1 113.49 ms 10.13.0.1
2 ... 3
4 254.71 ms 10.10.216.174
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1016.57 seconds