RustScan Cheat Sheet

Fast port scanner that pipes discovered ports directly into Nmap for scripting and version detection.

Scanning & Enumerationfast-scanport-scanrustUpdated 2026-06-02

Overview

RustScan rapidly finds open ports and can automatically invoke Nmap on those ports. It bridges the gap between Masscan-style speed and Nmap-depth enumeration in one command.

Authorized testing only. Default settings can scan aggressively; confirm scope and rate limits before running against production assets.

Install

Debian/Kali package

sudo apt install -y rustscan

Cargo

cargo install rustscan

Docker

docker run -it --rm --net=host rustscan/rustscan:latest -a 10.10.10.5

rustscan --version

Essential commands

Default: fast scan + nmap on open ports

rustscan -a 10.10.10.5

Address range

rustscan -a 10.10.10.1-10.10.10.50

Custom port range

rustscan -a 10.10.10.5 -r 1-65535

Greppable output only (no nmap)

rustscan -a 10.10.10.5 --greppable

Common workflows

Custom Nmap arguments —

rustscan -a 10.10.10.5 -- -sC -sV -oA rust_nmap

rustscan -a 10.10.10.5 -- -sV -p- --script vuln

Batch from file —

rustscan -a hosts.txt -b 1000

UDP (when supported in your version) —

rustscan -a 10.10.10.5 --scan-order Random -u 53,161,500

Tune performance —

rustscan -a 10.10.10.0/24 -t 2000 -b 5000 --timeout 1500

Flags reference

`-a`	IP, CIDR, range, or file
`-p / -r`	Ports or range
`-t`	Timeout (ms)
`-b`	Batch size (concurrent IPs)
`--greppable`	Machine-friendly output
`--scan-order`	Serial / Random
`--`	Pass following args to Nmap
`-u`	UDP ports (version-dependent)
`--scripts`	Custom NSE script list

Tips

Everything after -- is forwarded to Nmap—memorize that pattern for repeatable workflows.
Use --greppable in CI/scripts, then run Nmap manually with saved port lists.
Combine with proxychains only when RoE permits and tooling supports it.
Update regularly; CLI flags evolve between major versions.