Find all open ports fast with RustScan, automatically pipe them into Nmap.

Fast Port Scanner built in Rust. WARNING Do not use this program against sensitive infrastructure since the specified server may not be able to handle this many socket connections at once. - Discord - GitHub


Download newest release from

sudo dpkg -i rustscan_x.x.x_amd64.deb


rustscan [FLAGS] [OPTIONS] <ips-or-hosts>... [-- <command>...]


    -a, --accessible
    -h, --help          Prints help information
    -q, --quiet         Quiet mode. Only output the ports. No Nmap. Useful for grep or outputting to a file
    -V, --version       Prints version information

    -b, --batch-size <batch-size>    The batch size for port scanning, it increases or slows the speed of scanning.
                                     Depends on the open file limit of your OS.  If you do 65535 it will do every port
                                     at the same time. Although, your OS may not support this [default: 4500]
    -p, --ports <ports>...           A list of comma separed ports to be scanned. Example: 80,443,8080
    -r, --range <range>              A range of ports with format start-end. Example: 1-1000
        --scan-order <scan-order>    The order of scanning to be performed. The "serial" option will scan ports in
                                     ascending order while the "random" option will scan ports randomly [default:
                                     serial]  [possible values: Serial, Random]
    -t, --timeout <timeout>          The timeout in milliseconds before a port is assumed to be closed [default: 1500]
    -u, --ulimit <ulimit>            Automatically ups the ULIMIT with the value you provided

    <ips-or-hosts>...    A list of comma separated IP addresses or hosts to be scanned
    <command>...         The Nmap arguments to run. To use the argument -A, end RustScan's args with '-- -A'.
                         Example: 'rustscan -t 1500 -- -A -sC'. This command adds -Pn -vvv -p $PORTS
                         automatically to nmap. For things like --script '(safe and vuln)' enclose it in quotations
                         marks \"'(safe and vuln)'\"")


Normal run with extra NMAP flag (-Pn)

$ rustscan -a -- -Pn
[~] Starting Nmap
[>] The Nmap command to be run is nmap -Pn -vvv -p 22,53

Starting Nmap 7.80 ( ) at 2020-09-07 16:18 CEST
Scanned at 2020-09-07 16:18:27 CEST for 0s

22/tcp open  ssh     syn-ack
53/tcp open  domain  syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

URL List