June 28, 2022

Scanning IPv6 with RustScan

RustScan is a port scanning tool for scanning IPv6 networks. This article features a quick guide on setting up and using RustScan’s port scanning capabilities.

Table of Contents

Introduction

Before we begin

Setting up RustScan

Scanning IPv6 with RustScan

Conclusion

Other articles in this series

Introduction

RustScan is a fast port scanner capable of scanning both IPv4 and IPv6 networks. The tool also claims to use Adaptive Learning to improve itself over time. This article features a short guide on setting up and using RustScan’s port scanning capabilities.

RustScan is the next tool on our list that can be used to scan IPv6 addresses for open ports and to discover services running on them. RustScan internally uses nmap to do all the scanning and is more a multithreaded wrapper on top of nmap than an independent scanner in itself.

RustScan is an insanely fast scanner. The documentation pegs the scanning speed at all 65k ports in 3 seconds! All of this is possible using Rust’s threading capabilities, which allow multiple instances of nmap to run in parallel and manage their socket connections.

This article will guide you through the installation of RustScan and how to use the tool to scan an IPv6 network.

Notes:

  1. RustScan has support for most Linux operating systems, though the tool does not officially support Windows. However, it is possible to run RustScan on Windows (and other OSes) using Docker.
  2. RustScan requires nmap since it is the scanning engine it uses.
  3. Make sure that the scans are conducted on the networks where you are allowed to do so with appropriate permissions.

Before we begin

Like any other IPv6 scanning tool, your system needs to support IPv6 in order to utilise RustScan’s scanning capabilities. To verify that your system and network are properly configured to have IPv6 access, you can run either of the following commands:

  1. ip -6 addr
  2. ifconfig | grep inet6
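Both commands print inet6 lines even on a host that has only loopback and link-local (fe80::/10) addresses, which is not enough to reach an off-link target. The following Python check is an added example, not part of the original article or the RustScan project; it parses `ip -6 addr` output and reports only global-scope addresses. The sample output is constructed and uses the 2001:db8::/32 documentation prefix.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr` output (not captured from a real host).
SAMPLE_IP6_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:10:20::5/64 scope global dynamic
       valid_lft 86000sec preferred_lft 14000sec
    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link
       valid_lft forever preferred_lft forever
"""

IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)")             # "2: eth0: <...>"
INET6_RE = re.compile(r"^\s+inet6\s+(\S+)\s+scope\s+(\S+)")  # "inet6 addr/len scope X"

def parse_inet6(output):
    """Return a list of (interface, IPv6Interface, scope) tuples."""
    found, iface = [], None
    for line in output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = INET6_RE.match(line)
        if m:
            found.append((iface, ipaddress.IPv6Interface(m.group(1)), m.group(2)))
    return found

def routable_addresses(output):
    """Addresses usable for off-link scans: scope global, not loopback or link-local."""
    return [
        (iface, addr) for iface, addr, scope in parse_inet6(output)
        if scope == "global" and not addr.ip.is_link_local and not addr.ip.is_loopback
    ]

def ipv6_ready(output):
    """True when at least one global-scope IPv6 address is configured."""
    return bool(routable_addresses(output))

if __name__ == "__main__":
    for iface, addr in routable_addresses(SAMPLE_IP6_OUTPUT):
        print(f"{iface}: {addr}")
```
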

Setting up RustScan

According to the documentation, Docker is the recommended way of installing RustScan. The following advantages are highlighted in the documentation regarding the same:

  • Docker has a high open file descriptor limit, which is one of the main problems with RustScan.
  • Docker works on all systems, regardless of OS. Even Windows, which is not officially supported.
  • The Docker image uses the latest build from Cargo, which provides the latest version of RustScan.
  • No need to install Rust, Cargo, or Nmap

Using Docker, the following command can be used to run RustScan:

docker run -it --rm --name rustscan rustscan/rustscan:latest --help


Scanning IPv6 with RustScan

The GitHub documentation is a little vague about how to operate RustScan with docker and IPv6 addresses. However, some experimentation led us to the following results:

  • Like all IPv6 scanners, RustScan also needs the host to support IPv6 addresses. The easiest way on Docker (although not the most secure way) is to share the host system’s networking stack with the container (assuming the host already supports IPv6). This can be achieved with the --net=host argument to docker run.
  • Also, since RustScan uses nmap as the underlying engine, all of nmap’s arguments are available by passing a -- to denote completion of RustScan arguments and to begin nmap arguments.
  • Additionally, RustScan scans 4500 ports per second by default; the -b option (batch size) can be used to slow down or speed up the scans. Theoretically, an option of -b 65535 will scan all ports in 1 second.

Let’s take an example. The following docker command will pull the latest image of RustScan, share the host networking stack with the container and perform an IPv6 scan on the address 2600:1f18:478:f700:f4b3:2721:c3fb:55be for TCP ports 22, 80 and 443, assuming the system is online (no ping scan confirmation before the port scan, per the nmap -Pn option).

docker run --net=host -it --rm --name rustscan rustscan/rustscan:latest -b 10 -p 22,80,443 -a 2600:1f18:478:f700:f4b3:2721:c3fb:55be -- -6 -Pn

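The command above can be assembled by a small guard that refuses anything that is not an IPv6 literal inside an authorised prefix, so a hostname, an IPv4 address or a stray option never reaches docker. This Python wrapper is an added example, not code from the article or the RustScan project; `AUTHORISED_PREFIXES` and the function names are hypothetical, and the prefix shown is a placeholder from the 2001:db8::/32 documentation range.

```python
import ipaddress

# Hypothetical allowlist: prefixes you hold written authorisation to scan.
# 2001:db8::/32 is the IPv6 documentation range, used here as a placeholder.
AUTHORISED_PREFIXES = [ipaddress.ip_network("2001:db8:10::/48")]

IMAGE = "rustscan/rustscan:latest"

def parse_ports(spec):
    """Validate a comma-separated port list such as '22,80,443'."""
    ports = []
    for item in spec.split(","):
        port = int(item)  # raises ValueError on anything non-numeric
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.append(port)
    return ports

def build_scan_argv(target, ports, batch_size=10):
    """Return the docker argv for the article's IPv6 scan, or raise ValueError."""
    addr = ipaddress.ip_address(target)  # rejects hostnames, options, garbage
    if addr.version != 6:
        raise ValueError(f"not an IPv6 address: {target}")
    if not any(addr in net for net in AUTHORISED_PREFIXES):
        raise ValueError(f"{addr} is outside the authorised scope")
    if not 1 <= batch_size <= 65535:
        raise ValueError(f"batch size out of range: {batch_size}")
    port_arg = ",".join(str(p) for p in parse_ports(ports))
    return [
        "docker", "run", "--net=host", "-it", "--rm", "--name", "rustscan", IMAGE,
        # RustScan's own options
        "-b", str(batch_size), "-p", port_arg, "-a", str(addr),
        # everything after "--" is handed to nmap
        "--", "-6", "-Pn",
    ]

if __name__ == "__main__":
    print(" ".join(build_scan_argv("2001:db8:10:20::5", "22,80,443")))
```
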

Conclusion

In this article we looked at RustScan, which is essentially a wrapper on top of nmap that is written to utilise the operating system’s capabilities of sending many network probes without being restricted by nmap’s limitations.

The most recommended way of running RustScan is using its Docker image. RustScan supports all nmap flags and its reporting capabilities are the same as that of nmap.

This article is part of a series on scanning IPv6 addresses. Come back for our next article in the series in which we will take a look at another IPv6 scanner - masscan.

Other Articles in this series:

Tools for Scanning IPv6 networks

Scanning IPv6 with Nmap

Scanning IPv6 with fi6s

Scanning IPv6 with Masscan

Scanning IPv6 with v6disc

***

This article is brought to you by Kloudle Academy, a free e-resource compilation, created and curated by Kloudle. Kloudle is a cloud security management platform that uses the power of automation and simplifies human requirements in cloud security.

Written by:
Riyaz Walikar

Chief Hacker

Riyaz is a security evangelist, offensive security expert and researcher with over a decade of experience in the cyber security industry. His passion to break into some of the most well defended networks and systems in his career spanning 15 years has earned him a lot of respect within the security industry. He has led Security Assessment and Penetration Testing teams at Pricewaterhouse Coopers (PwC) and Appsecco, and the Product Security Team at Citrix before co-founding Kloudle. Riyaz now specializes in cloud native, container and cloud security in general, helping build an easy to use security management platform to help companies enhance their visibility in the cloud, identify security misconfigurations and automate remediation for security gaps enabling compliance and operational security in multi-cloud environments. He is also an avid speaker and trainer and presents his research and findings at security conferences and community meetups around the world including BlackHat USA, BH Europe, BH Asia, nullcon and OWASP AppsecUSA. Specialties: Cloud (AWS, GCP, Azure, IBM, Others) Security, Cloud-Native Security, Kubernetes, Container Security, Web Application Security, Network and System Penetration Testing, Wireless Network Security, Malware Analysis and Reverse Engineering, Threat Modelling, Windows Forensics, Security Code Review, Vulnerability Research, Exploit Development and Reverse Engineering. Certifications: CKA, CKAD, OSCP
