15
6

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 3 years have passed since last update.

Linkbal(リンクバル)Advent Calendar 2021

Day 3

RustScanのポートスキャンが早すぎる件

Last updated at Posted at 2021-12-02

RustScanというポートスキャンが高速でできるツールを見つけたので検証してみました。

リポジトリ

RustScan@GitHub

インストール

  • Kali Linuxのインストールコマンド
wget https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb
dpkg -i rustscan_2.0.1_amd64.deb

検証環境

  • ローカルはVirtual BoxのKali linux
  • スキャン対象はTryHackMe - Resで提供されているサーバ、ポート80と6379が空いている

検証①:Nmap

検証内容

  • Nmapコマンドで以下のオプションを指定して実行時間を計測
オプション 説明
-p- 全ポート指定(デフォルトは1-1024)
-sV バージョン検出
-A OS検出
-oN ファイル出力(output Normal)

検証結果

  • 1621.94秒(約27分)

実行ログ

└─# nmap -p- -sV -A -oN nmap.txt 10.10.216.174                            
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-30 22:52 UTC
Stats: 0:24:29 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
Nmap scan report for 10.10.216.174
Host is up (0.25s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
6379/tcp open  redis   Redis key-value store 6.0.7
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=11/30%OT=80%CT=1%CU=41258%PV=Y%DS=4%DC=T%G=Y%TM=61A6B1
OS:70%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=109%TI=Z%CI=I%II=I%TS=8)OP
OS:S(O1=M506ST11NW7%O2=M506ST11NW7%O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST
OS:11NW7%O6=M506ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)EC
OS:N(R=Y%DF=Y%T=40%W=6903%O=M506NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)

Network Distance: 4 hops

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   115.52 ms 10.13.0.1
2   ... 3
4   252.41 ms 10.10.216.174

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1621.94 seconds

検証②:RustScan

検証内容

  • RustScanで同じオプションを指定して実行時間を計測

検証結果

  • ポートスキャン:3秒
  • バージョン検出スキャン:25秒

実行ログ

└─# rustscan -a 10.10.216.174 --ulimit 5000 -- -sV -A -oN rustscan.txt
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.216.174:80
Open 10.10.216.174:6379
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-30 22:50 UTC
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:50
Completed NSE at 22:50, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:50
Completed NSE at 22:50, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:50
Completed NSE at 22:50, 0.00s elapsed
Initiating Ping Scan at 22:50
Scanning 10.10.216.174 [4 ports]
Completed Ping Scan at 22:50, 0.37s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:50
Completed Parallel DNS resolution of 1 host. at 22:50, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 22:50
Scanning 10.10.216.174 [2 ports]
Discovered open port 80/tcp on 10.10.216.174
Discovered open port 6379/tcp on 10.10.216.174
Completed SYN Stealth Scan at 22:50, 0.28s elapsed (2 total ports)
Initiating Service scan at 22:50
Scanning 2 services on 10.10.216.174
Completed Service scan at 22:51, 6.52s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 10.10.216.174
Retrying OS detection (try #2) against 10.10.216.174
Initiating Traceroute at 22:51
Completed Traceroute at 22:51, 3.03s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 22:51
Completed Parallel DNS resolution of 2 hosts. at 22:51, 2.10s elapsed
DNS resolution of 2 IPs took 2.10s. Mode: Async [#: 1, OK: 0, NX: 2, DR: 0, SF: 0, TR: 2, CN: 0]
NSE: Script scanning 10.10.216.174.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:51
Completed NSE at 22:51, 5.04s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:51
Completed NSE at 22:51, 1.07s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:51
Completed NSE at 22:51, 0.00s elapsed
Nmap scan report for 10.10.216.174
Host is up, received reset ttl 61 (0.25s latency).
Scanned at 2021-11-30 22:50:58 UTC for 25s

PORT     STATE SERVICE REASON         VERSION
80/tcp   open  http    syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
6379/tcp open  redis   syn-ack ttl 61 Redis key-value store 6.0.7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Android 5.1 (92%), Linux 3.13 (92%), Linux 3.2 - 3.16 (92%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.92%E=4%D=11/30%OT=80%CT=%CU=37781%PV=Y%DS=4%DC=T%G=N%TM=61A6AAEB%P=x86_64-pc-linux-gnu)
SEQ(SP=101%GCD=1%ISR=101%TI=Z%CI=I%II=I%TS=8)
OPS(O1=M506ST11NW7%O2=M506ST11NW7%O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST11NW7%O6=M506ST11)
WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)
ECN(R=Y%DF=Y%T=40%W=6903%O=M506NNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 0.021 days (since Tue Nov 30 22:21:07 2021)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   113.35 ms 10.13.0.1
2   ... 3
4   253.85 ms 10.10.216.174

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:51
Completed NSE at 22:51, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:51
Completed NSE at 22:51, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:51
Completed NSE at 22:51, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.09 seconds
           Raw packets sent: 65 (4.396KB) | Rcvd: 41 (3.068KB)                                                                                                                                         

考察

  • Nmapの場合、全ポートに対してオプションで指定した動作を試みるので時間がかかる
  • RustScanは全ポートをスキャンしてから、空いているポートに対してnmapで指定したオプションを試みるので時間が短縮される
  • 全ポートスキャンする場合、RustScanを使ったほうが早い

最後に

  • RustScanはOSCPで禁止されてなく普通に使われているツールと思われるので、これからもRustScanを使いこなしていこうと思います

追記

  • Nmapの検証で、高速オプション「-T4」を使用してなかったので再度Nmapの時間を計測
  • 1016.57秒(約17分)
  • 作業ログ
└─# nmap -p- -T4 -sV -A -oN nmap.txt 10.10.216.174
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-30 23:21 UTC
Traceroute Timing: About 32.26% done; ETC: 23:38 (0:00:00 remaining)
Nmap scan report for 10.10.216.174
Host is up (0.25s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
6379/tcp open  redis   Redis key-value store 6.0.7
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=11/30%OT=80%CT=1%CU=33336%PV=Y%DS=4%DC=T%G=Y%TM=61A6B5
OS:F4%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10B%TI=Z%CI=I%II=I%TS=8)SE
OS:Q(SP=103%GCD=1%ISR=10B%TI=Z%II=I%TS=8)OPS(O1=M506ST11NW7%O2=M506ST11NW7%
OS:O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST11NW7%O6=M506ST11)WIN(W1=68DF%W2
OS:=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M506NNS
OS:NW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%
OS:DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%
OS:O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%
OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%
OS:RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops

TRACEROUTE (using port 587/tcp)
HOP RTT       ADDRESS
1   113.49 ms 10.13.0.1
2   ... 3
4   254.71 ms 10.10.216.174

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1016.57 seconds
15
6
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
15
6

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?