Use man nmap to find out more about Nmap’s scanning and
filtering capabilities.
Performing Rapid Scans with RustScan
RustScan is becoming more popular in the bug bounty and
penetration testing spaces because of its speed and extensibility. The
following command runs a port scan using the rustscan
command. The -a (address) argument accepts a single address or an
address range:
$ rustscan -a 172.16.10.0/24
Open 172.16.10.11:21
Open 172.16.10.1:22
Open 172.16.10.13:22
--snip--
RustScan’s output is fairly easy to parse with bash. Lines starting
with Open indicate that an open port was found on a specific IP
address. These are followed by the IP address and port separated by
a colon.
When you run RustScan, you may notice that the initial output
contains banners, author credits, and additional information not
directly related to the scan results. Use the -g (greppable) option to
show only the scanning information. The following command uses
the greppable output mode to scan 172.16.10.0/24 on the first 1024
ports (also called privileged ports) with the -r (range) option:
$ rustscan -g -a 172.16.10.0/24 -r 0-1024
172.16.10.11 -> [80]
172.16.10.12 -> [80]
Now the output is more grep friendly. If we wanted to parse it,
all we'd need to do is pass the delimiter ->, which separates the IP
address and port, to awk as the field separator with -F:
$ rustscan -g -a 172.16.10.0/24 -r 0-1024 | awk -F'->' '{print $1,$2}'
This command outputs two fields, the IP address and the port. If
we want to get rid of the [] surrounding the port number, we can
do this with the tr command and the -d (delete) argument followed
by the characters to delete:
$ rustscan -g -a 172.16.10.0/24 -r 0-1024 | awk -F'->' '{print $1,$2}' | tr -d '[]'
This should return a cleaner output.
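As an added example that is not part of the book, the bash function below applies the same awk and tr idea to RustScan's greppable output, and additionally splits hosts that report several ports in one bracketed list (for example [22, 80, 443]) into one "ip port" line each. The sample scan output is constructed rather than captured from a real scan.

```shell
#!/usr/bin/env bash
# Constructed sample of RustScan greppable (-g) output; a real run would
# produce it with: rustscan -g -a 172.16.10.0/24 -r 0-1024
SAMPLE_SCAN='172.16.10.11 -> [80]
172.16.10.12 -> [22, 80, 443]
172.16.10.13 -> [21]'

# parse_rustscan: read greppable lines on stdin, print "ip port" per open port.
# A host with several ports ("[22, 80, 443]") yields one line per port.
parse_rustscan() {
  awk -F'->' '
    /->/ {
      ip = $1; gsub(/[[:space:]]/, "", ip)   # strip spaces around the IP
      ports = $2; gsub(/[][ ]/, "", ports)   # drop brackets and spaces
      n = split(ports, p, ",")               # one entry per port
      for (i = 1; i <= n; i++) print ip, p[i]
    }'
}

# count_open_ports: number of "ip port" pairs in the sample scan
count_open_ports() {
  printf '%s\n' "$SAMPLE_SCAN" | parse_rustscan | wc -l | tr -d ' '
}

# hosts_with_port: hosts in the sample scan where port $1 is open
hosts_with_port() {
  printf '%s\n' "$SAMPLE_SCAN" | parse_rustscan | awk -v port="$1" '$2 == port {print $1}'
}

# Stand-alone usage: print every ip/port pair found in the sample
printf '%s\n' "$SAMPLE_SCAN" | parse_rustscan
```

Piping a live scan in place of SAMPLE_SCAN (rustscan -g ... | parse_rustscan) gives the same per-port lines, which are easy to feed into a follow-up loop or to sort -u.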
Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks