
RustScan's port scans are too fast

Posted at 2021-12-02

I came across RustScan, a tool that can port scan at high speed, so I put it to the test.

Repository

RustScan@GitHub

Installation

  • Installation commands for Kali Linux
wget https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb
dpkg -i rustscan_2.0.1_amd64.deb

Test environment

  • Local machine: Kali Linux on VirtualBox
  • Scan target: the server provided by TryHackMe - Res, which has ports 80 and 6379 open

Test 1: Nmap

Test details

  • Run Nmap with the following options and measure the execution time

Option  Description
-p-     Scan all ports (the default is 1-1024)
-sV     Version detection
-A      OS detection
-oN     Write output to a file (output Normal)

Test result

  • 1621.94 seconds (about 27 minutes)

Execution log

└─# nmap -p- -sV -A -oN nmap.txt 10.10.216.174                            
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-30 22:52 UTC
Stats: 0:24:29 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
Nmap scan report for 10.10.216.174
Host is up (0.25s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
6379/tcp open  redis   Redis key-value store 6.0.7
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=11/30%OT=80%CT=1%CU=41258%PV=Y%DS=4%DC=T%G=Y%TM=61A6B1
OS:70%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=109%TI=Z%CI=I%II=I%TS=8)OP
OS:S(O1=M506ST11NW7%O2=M506ST11NW7%O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST
OS:11NW7%O6=M506ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)EC
OS:N(R=Y%DF=Y%T=40%W=6903%O=M506NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)

Network Distance: 4 hops

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   115.52 ms 10.13.0.1
2   ... 3
4   252.41 ms 10.10.216.174

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1621.94 seconds

Test 2: RustScan

Test details

  • Run RustScan with the same options and measure the execution time

Test result

  • Port scan: 3 seconds
  • Version detection scan: 25 seconds

Execution log

└─# rustscan -a 10.10.216.174 --ulimit 5000 -- -sV -A -oN rustscan.txt
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.216.174:80
Open 10.10.216.174:6379
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-30 22:50 UTC
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:50
Completed NSE at 22:50, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:50
Completed NSE at 22:50, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:50
Completed NSE at 22:50, 0.00s elapsed
Initiating Ping Scan at 22:50
Scanning 10.10.216.174 [4 ports]
Completed Ping Scan at 22:50, 0.37s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:50
Completed Parallel DNS resolution of 1 host. at 22:50, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 22:50
Scanning 10.10.216.174 [2 ports]
Discovered open port 80/tcp on 10.10.216.174
Discovered open port 6379/tcp on 10.10.216.174
Completed SYN Stealth Scan at 22:50, 0.28s elapsed (2 total ports)
Initiating Service scan at 22:50
Scanning 2 services on 10.10.216.174
Completed Service scan at 22:51, 6.52s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 10.10.216.174
Retrying OS detection (try #2) against 10.10.216.174
Initiating Traceroute at 22:51
Completed Traceroute at 22:51, 3.03s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 22:51
Completed Parallel DNS resolution of 2 hosts. at 22:51, 2.10s elapsed
DNS resolution of 2 IPs took 2.10s. Mode: Async [#: 1, OK: 0, NX: 2, DR: 0, SF: 0, TR: 2, CN: 0]
NSE: Script scanning 10.10.216.174.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:51
Completed NSE at 22:51, 5.04s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:51
Completed NSE at 22:51, 1.07s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:51
Completed NSE at 22:51, 0.00s elapsed
Nmap scan report for 10.10.216.174
Host is up, received reset ttl 61 (0.25s latency).
Scanned at 2021-11-30 22:50:58 UTC for 25s

PORT     STATE SERVICE REASON         VERSION
80/tcp   open  http    syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
6379/tcp open  redis   syn-ack ttl 61 Redis key-value store 6.0.7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Android 5.1 (92%), Linux 3.13 (92%), Linux 3.2 - 3.16 (92%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.92%E=4%D=11/30%OT=80%CT=%CU=37781%PV=Y%DS=4%DC=T%G=N%TM=61A6AAEB%P=x86_64-pc-linux-gnu)
SEQ(SP=101%GCD=1%ISR=101%TI=Z%CI=I%II=I%TS=8)
OPS(O1=M506ST11NW7%O2=M506ST11NW7%O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST11NW7%O6=M506ST11)
WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)
ECN(R=Y%DF=Y%T=40%W=6903%O=M506NNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 0.021 days (since Tue Nov 30 22:21:07 2021)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   113.35 ms 10.13.0.1
2   ... 3
4   253.85 ms 10.10.216.174

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:51
Completed NSE at 22:51, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:51
Completed NSE at 22:51, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:51
Completed NSE at 22:51, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.09 seconds
           Raw packets sent: 65 (4.396KB) | Rcvd: 41 (3.068KB)

Analysis

  • Nmap takes a long time because it attempts the operations specified by the options against every port
  • RustScan first scans all ports, then runs nmap with the specified options only against the ports it found open, so the total time is much shorter
  • When scanning all ports, RustScan is the faster choice
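The two-stage flow described above, reproduced by hand as an added example (this is not code from the original post or from RustScan itself; the sample RustScan output and the helper function names are constructed for illustration):

```shell
# Added example, not from the original post: reproduce the two-stage flow
# the analysis describes. Stage 1 output is a constructed sample in the
# "Open <ip>:<port>" format RustScan prints; stage 2 turns it into the port
# list that nmap -sV -A then runs against, instead of all 65535 ports.

# Constructed sample of RustScan stage-1 output (not a real scan result).
RUSTSCAN_SAMPLE='[~] Automatically increasing ulimit value to 5000.
Open 10.10.216.174:80
Open 10.10.216.174:6379
[~] Starting Script(s)'

# Read RustScan-style output on stdin and print the open ports of one host
# as a comma-separated list suitable for nmap -p (e.g. "80,6379").
# Assumes IPv4 targets, since host and port are split on ":".
open_ports_for_host() {
    awk -v h="$1" '
        $1 == "Open" {
            split($2, a, ":")
            if (a[1] == h) p = (p != "" ? p "," : "") a[2]
        }
        END { print p }'
}

# Build the stage-2 command line. It is printed, not executed, so the port
# list can be checked before nmap is run; fails if no open port was found.
build_nmap_cmd() {
    host="$1"; ports="$2"; shift 2
    [ -n "$ports" ] || { echo "no open ports found for $host" >&2; return 1; }
    printf 'nmap -p %s %s %s\n' "$ports" "$*" "$host"
}

# Stand-alone run on the constructed sample.
ports=$(printf '%s\n' "$RUSTSCAN_SAMPLE" | open_ports_for_host 10.10.216.174)
build_nmap_cmd 10.10.216.174 "$ports" -sV -A -oN rustscan.txt
```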

Closing

  • RustScan does not appear to be banned in the OSCP and seems to be a commonly used tool, so I intend to keep making use of it going forward

Addendum

  • In the Nmap test I had not used the speed option -T4, so I measured Nmap's time again
  • 1016.57 seconds (about 17 minutes)
  • Work log
└─# nmap -p- -T4 -sV -A -oN nmap.txt 10.10.216.174
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-30 23:21 UTC
Traceroute Timing: About 32.26% done; ETC: 23:38 (0:00:00 remaining)
Nmap scan report for 10.10.216.174
Host is up (0.25s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
6379/tcp open  redis   Redis key-value store 6.0.7
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=11/30%OT=80%CT=1%CU=33336%PV=Y%DS=4%DC=T%G=Y%TM=61A6B5
OS:F4%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10B%TI=Z%CI=I%II=I%TS=8)SE
OS:Q(SP=103%GCD=1%ISR=10B%TI=Z%II=I%TS=8)OPS(O1=M506ST11NW7%O2=M506ST11NW7%
OS:O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST11NW7%O6=M506ST11)WIN(W1=68DF%W2
OS:=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M506NNS
OS:NW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%
OS:DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%
OS:O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%
OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%
OS:RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops

TRACEROUTE (using port 587/tcp)
HOP RTT       ADDRESS
1   113.49 ms 10.13.0.1
2   ... 3
4   254.71 ms 10.10.216.174

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1016.57 seconds