I Heard There's a Tool to Replace nmap ~Rustscan

Now that I've heard about it, there's nothing for it but to try it out...!

I've never even looked at Rust, though...

Anyway, install it and have a look at the help:

kali@kali:~/SyachinekoLab/workspace/Tools$ rustscan -h
RustScan 1.2.0
Bee https://github.com/brandonskerritt
Fast Port Scanner built in Rust

USAGE:
    rustscan [OPTIONS] <ip> [command]...

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

OPTIONS:
    -T, --timeout <T>    The timeout before a port is assumed to be close. In MS. [default: 1500]
    -b, --batch <b>      Increases speed of scanning. The batch size for port scanning. Depends on your open file limit
                         of OS. If you do 65535 it will do every port at the same time. Although, your OS may not
                         support this. [default: 4500]

ARGS:
    <ip>            The IP address to scan
    <command>...    The Nmap arguments to run. To use the argument -A, end RustScan's args with '-- -A'. To run
                    EXAMPLE: 'rustscan -T 1500 127.0.0.1 -- -A -sC'. This argument auto runs nmap {your commands}
                    -vvv -p $PORTS

I see, I see. Anyway, let's just run it!

kali@kali:~/SyachinekoLab/workspace/Tools$ rustscan 10.10.10.197

     _____           _    _____
    |  __ \         | |  / ____|
    | |__) |   _ ___| |_| (___   ___ __ _ _ __
    |  _  / | | / __| __|\___ \ / __/ _` | '_ \
    | | \ \ |_| \__ \ |_ ____) | (_| (_| | | | |
    |_|  \_\__,_|___/\__|_____/ \___\__,_|_| |_|
    Faster nmap scanning with rust.
 Automated Decryption Tool - https://github.com/ciphey/ciphey
 Creator https://github.com/brandonskerritt
Os { code: 24, kind: Other, message: "Too many open files" }
thread 'main' panicked at 'Too many open files. Please reduce batch size. The default is 5000. Try -b 2500.', src/main.rs:179:21
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
kali@kali:~/SyachinekoLab/workspace/Tools$ rustscan -b 2500 10.10.10.197

     _____           _    _____
    |  __ \         | |  / ____|
    | |__) |   _ ___| |_| (___   ___ __ _ _ __
    |  _  / | | / __| __|\___ \ / __/ _` | '_ \
    | | \ \ |_| \__ \ |_ ____) | (_| (_| | | | |
    |_|  \_\__,_|___/\__|_____/ \___\__,_|_| |_|
    Faster nmap scanning with rust.
 Automated Decryption Tool - https://github.com/ciphey/ciphey
 Creator https://github.com/brandonskerritt
Os { code: 24, kind: Other, message: "Too many open files" }
thread 'main' panicked at 'Too many open files. Please reduce batch size. The default is 5000. Try -b 2500.', src/main.rs:179:21
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Hmm, looks like it fails because T is too high...
Lower the cap and run it again... and it works!

kali@kali:~/SyachinekoLab/workspace/Tools$ rustscan -b 1000 10.10.10.197

     _____           _    _____
    |  __ \         | |  / ____|
    | |__) |   _ ___| |_| (___   ___ __ _ _ __
    |  _  / | | / __| __|\___ \ / __/ _` | '_ \
    | | \ \ |_| \__ \ |_ ____) | (_| (_| | | | |
    |_|  \_\__,_|___/\__|_____/ \___\__,_|_| |_|
    Faster nmap scanning with rust.
 Automated Decryption Tool - https://github.com/ciphey/ciphey
 Creator https://github.com/brandonskerritt
Open 21
Open 22
Open 25
Open 80
Open 143
Open 8080
Starting nmap.
kali@kali:~/SyachinekoLab/workspace/Tools$ Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-24 10:20 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:20
Completed NSE at 10:20, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:20
Completed NSE at 10:20, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:20
Completed NSE at 10:20, 0.00s elapsed
Initiating Ping Scan at 10:20
Scanning 10.10.10.197 [2 ports]
Completed Ping Scan at 10:20, 0.33s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:20
Completed Parallel DNS resolution of 1 host. at 10:20, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 10:20
Scanning 10.10.10.197 [6 ports]
Discovered open port 25/tcp on 10.10.10.197
Discovered open port 21/tcp on 10.10.10.197
Discovered open port 143/tcp on 10.10.10.197
Discovered open port 22/tcp on 10.10.10.197
Discovered open port 80/tcp on 10.10.10.197
Discovered open port 8080/tcp on 10.10.10.197
Completed Connect Scan at 10:20, 0.31s elapsed (6 total ports)
Initiating Service scan at 10:20
Scanning 6 services on 10.10.10.197
Completed Service scan at 10:20, 10.92s elapsed (6 services on 1 host)
NSE: Script scanning 10.10.10.197.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:20
Completed NSE at 10:21, 11.64s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:21
Completed NSE at 10:21, 25.59s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:21
Completed NSE at 10:21, 0.00s elapsed
Nmap scan report for 10.10.10.197
Host is up, received syn-ack (0.32s latency).
Scanned at 2020-07-24 10:20:38 EDT for 49s

PORT     STATE SERVICE REASON  VERSION
21/tcp   open  ftp     syn-ack vsftpd 3.0.3
22/tcp   open  ssh     syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 57:c9:00:35:36:56:e6:6f:f6:de:86:40:b2:ee:3e:fd (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy6l2NxLZItm85sZuNKU/OzDEhlvYMmmrKpTD0+uxdQyySppZN3Lo6xOM2dC6pqG5DQjz+GPJl1/kbdla6qJXDZ1D5lnnCaImTqU++a1WceLck3/6/04B5RlTYUoLQFwRuy84CX8NDvs0mIyR7bpbd8W03+EAwTabOxXfukQG1MbgCY5V8QmLRdi/ZtsIqVxVZWOYI5rvuAQ+YM9D/Oa6mwAO5l2V3/h/A5nHDx2Vkl1++kfDqFNop2D2vssInvdwLKZ0M5RvXLQPlsqRLfqtcTBBLxYY6ZVcLHkvEA+gekHGcPRw0MV5U9vsx18+6O8wm9ZNI/a1Y4TyXIHMcbHi9
|   256 d8:21:23:28:1d:b8:30:46:e2:67:2d:59:65:f0:0a:05 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOHL62JJEI1N8SHtcSypj9IjyD3dm6CA5iyog1Rmi4P5N6VtA/5RxBxegMYv7bTFymmFm02+w9zXdKMUcSs5TbE=
|   256 5e:4f:23:4e:d4:90:8e:e9:5e:89:74:b3:19:0c:fc:1a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILZ/TeP6ZPj9zbHyFVfwZg48EElGqKCENQgPw+QCoC7x
25/tcp   open  smtp    syn-ack Postfix smtpd
|_smtp-commands: debian, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING, 
80/tcp   open  http    syn-ack nginx 1.14.2
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.14.2
|_http-title: Did not follow redirect to http://sneakycorp.htb
143/tcp  open  imap    syn-ack Courier Imapd (released 2018)
|_imap-capabilities: completed THREAD=ORDEREDSUBJECT QUOTA IDLE ACL2=UNION NAMESPACE SORT ACL IMAP4rev1 STARTTLS OK CAPABILITY CHILDREN UTF8=ACCEPTA0001 ENABLE THREAD=REFERENCES UIDPLUS
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US/localityName=New York/organizationalUnitName=Automatically-generated IMAP SSL key
| Subject Alternative Name: email:postmaster@example.com
| Issuer: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US/localityName=New York/organizationalUnitName=Automatically-generated IMAP SSL key
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-14T17:14:21
| Not valid after:  2021-05-14T17:14:21
| MD5:   3faf 4166 f274 83c5 8161 03ed f9c2 0308
| SHA-1: f79f 040b 2cd7 afe0 31fa 08c3 b30a 5ff5 7b63 566c
| -----BEGIN CERTIFICATE-----
| MIIE6zCCA1OgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBjjESMBAGA1UEAxMJbG9j
| YWxob3N0MS0wKwYDVQQLEyRBdXRvbWF0aWNhbGx5LWdlbmVyYXRlZCBJTUFQIFNT
| TCBrZXkxHDAaBgNVBAoTE0NvdXJpZXIgTWFpbCBTZXJ2ZXIxETAPBgNVBAcTCE5l
| dyBZb3JrMQswCQYDVQQIEwJOWTELMAkGA1UEBhMCVVMwHhcNMjAwNTE0MTcxNDIx
| WhcNMjEwNTE0MTcxNDIxWjCBjjESMBAGA1UEAxMJbG9jYWxob3N0MS0wKwYDVQQL
| EyRBdXRvbWF0aWNhbGx5LWdlbmVyYXRlZCBJTUFQIFNTTCBrZXkxHDAaBgNVBAoT
| E0NvdXJpZXIgTWFpbCBTZXJ2ZXIxETAPBgNVBAcTCE5ldyBZb3JrMQswCQYDVQQI
| EwJOWTELMAkGA1UEBhMCVVMwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIB
| gQDCzBP4iuxxLmXPkmi5jABQrywLJK0meyW49umfYhqayBH7qtuIjyAmznnyDIR0
| 543qHgWAfSvGHLFDB9B1wnkvAU3aprjURn1956X/4jEi9xmhRwvum5T+vp3TT96d
| JgW9SSLiPFQty5eVrKuQvg1bZg/Vjp7CUUQ0+7PmdylMOipohls5RDEppCDGFmiS
| HN0ZayXpjd/kwqZ/O9uTJGHOzagY+ruTYAx3tanO4oDwdrz9FPr3S2KNPTjjtzqf
| CPdcsi+6JTQJI03eMEftBKo3HZTp7Hx6FObZcvcNskTLqtsYZYuzHS7KQwiuTAJ5
| d/ZKowCeJDaVlS35tQleisu+pJCkwcStpM1BJ51UQRZ5IpvItTfnrChEa1uyTlAy
| ZIOQK2/+34K2ZrldYWyfKlYHxieGZgzQXLo/vyW/1gqzXy7KHx+Uuf4CAzzOP1p3
| 8QNmvsqkJrQMuH3XPXLswr9A1gPe7KTLEGNRJSxcGF1Q25m4e04HhZzK76KlBfVt
| IJ0CAwEAAaNSMFAwDAYDVR0TAQH/BAIwADAhBgNVHREEGjAYgRZwb3N0bWFzdGVy
| QGV4YW1wbGUuY29tMB0GA1UdDgQWBBTylxdM/AHlToKxNvmnPdXJCjjbnDANBgkq
| hkiG9w0BAQsFAAOCAYEAAo7NqfYlXSEC8q3JXvI5EeVpkgBDOwnjxuC/P5ziEU0c
| PRx6L3w+MxuYJdndC0hT9FexXzSgtps9Xm+TE81LgNvuipZ9bulF5pMmmO579U2Y
| suJJpORD4P+65ezkfWDbPbdKyHMeRvVCkZCH74z2rCu+OeQTGb6GLfaaB7v9dThR
| rfvHwM50hxNb4Zb4of7Eyw2OJGeeohoG4mFT4v7cu1WwimsDF/A7OCVOmvvFWeRA
| EjdEReekDJsBFpHa8uRjxZ+4Ch9YvbFlYtYi6VyXV1AFR1Mb91w+iIitc6ROzjJ2
| pVO69ePygQcjBRUTDX5reuBzaF5p9/6Ta9HP8NDI9+gdw6VGVTmYRJUbj7OeKSUq
| FWUmtZYC288ErDAZ7z+6VqJtZsPXIItZ8J6UZE3zBclGMcQ7peL9wEvJQ8oSaHHM
| AmgHIoMwKXSNEkHbBD24cf9KwVhcyJ4QCrSJBMAys98X6TzCwQI4Hy7XyifU3x/L
| XUFD0JSVQp4Rmcg5Uzuk
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
8080/tcp open  http    syn-ack nginx 1.14.2
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to nginx!
Service Info: Host:  debian; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:21
Completed NSE at 10:21, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:21
Completed NSE at 10:21, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:21
Completed NSE at 10:21, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.10 seconds

kali@kali:~/SyachinekoLab/workspace/Tools$ 

I see. This is just my guess, but it looks like it first does an extremely fast port scan on its own,
and then runs nmap directly against only those ports...?
If so, nmap is run with no wasted work, so it may well be more efficient.
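The two-phase design guessed at above, together with the "Too many open files" failure from the first two runs, as an added illustration that is not RustScan's code: a hypothetical Python sketch (function names safe_batch_size, scan_ports, nmap_argv and demo are my own) that caps the number of in-flight connect attempts below the process's soft RLIMIT_NOFILE, sweeps a list of ports, and then assembles the nmap command line in the shape the help text gives (your arguments, then -vvv -p $PORTS). The demo opens its own listener on 127.0.0.1 so it runs offline; the defaults for batch and timeout mirror the -b and -T values in the help text.

```python
"""Illustration of the two-phase design the post guesses at, written as
hypothetical example code (not RustScan's source): a TCP connect sweep whose
concurrency is capped below the open-file limit, followed by building the
nmap command only for the ports found open."""
import asyncio
import resource
import socket


def safe_batch_size(requested: int, headroom: int = 100) -> int:
    """Clamp the batch size under the process's soft RLIMIT_NOFILE.

    Every in-flight connect attempt holds one file descriptor, so a batch
    larger than the limit fails with EMFILE, the "Too many open files" error
    seen in the post. headroom leaves room for stdio, the event loop, etc.
    """
    soft, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if soft == resource.RLIM_INFINITY:
        return max(1, requested)
    return max(1, min(requested, soft - headroom))


async def _probe(host: str, port: int, timeout: float, sem: asyncio.Semaphore):
    """One TCP connect attempt; returns the port if it completed, else None."""
    async with sem:  # the semaphore is what enforces the batch size
        try:
            _reader, writer = await asyncio.wait_for(
                asyncio.open_connection(host, port), timeout)
        except (OSError, asyncio.TimeoutError):
            return None  # refused, unreachable or filtered: not open
        writer.close()
        await writer.wait_closed()
        return port


async def _sweep(host, ports, batch, timeout):
    sem = asyncio.Semaphore(batch)
    results = await asyncio.gather(*(_probe(host, p, timeout, sem) for p in ports))
    return sorted(p for p in results if p is not None)


def scan_ports(host, ports, batch=4500, timeout_ms=1500):
    """Phase 1: connect-scan `ports` with at most `batch` sockets in flight.
    Defaults mirror the -b and -T values in the help text."""
    return asyncio.run(_sweep(host, ports, safe_batch_size(batch), timeout_ms / 1000))


def nmap_argv(host, open_ports, extra_args=()):
    """Phase 2: the command line the help text describes,
    nmap {your commands} -vvv -p $PORTS <ip>; None if nothing is open."""
    if not open_ports:
        return None
    return ["nmap", *extra_args, "-vvv", "-p", ",".join(str(p) for p in open_ports), host]


def demo():
    """Run both phases against 127.0.0.1 using a listener this function opens
    itself (constructed setup), so the example works offline."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(8)
    listening_port = listener.getsockname()[1]
    # Bind and release a second port so we also have one known to be closed.
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    lo, hi = max(1, listening_port - 3), min(65535, listening_port + 3)
    ports = sorted({listening_port, closed_port, *range(lo, hi + 1)})
    try:
        found = scan_ports("127.0.0.1", ports, batch=50, timeout_ms=500)
    finally:
        listener.close()
    return {
        "listening_port": listening_port,
        "closed_port": closed_port,
        "open_ports": found,
        "nmap_argv": nmap_argv("127.0.0.1", found, ("-sV",)),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() should list the port the function itself is listening on among open_ports and build an nmap command for exactly the ports found; the closed port never appears. On a box whose `ulimit -n` is below the requested batch, safe_batch_size() is what keeps the sweep from dying with EMFILE the way the first two RustScan runs did.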

I see...
Maybe I'll try it in real work too!
Found myself a good tool.


That's all.