Most bug hunters follow a similar method for bug bounty recon: it starts with enumerating the subdomains in the target scope and scanning them for common misconfigurations and vulnerabilities. What most of these methodologies lack is a way to port scan faster. In this blog we cover several workflows for port scanning a list of subdomains and pick the fastest practical one.
Different Port Scanning Tools:
Nmap, short for Network Mapper, is a free, open-source tool for vulnerability scanning and network discovery.
Masscan is an Internet-scale port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second, from a single machine.
Naabu is a port scanning tool from Project Discovery written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner.
Rustscan is a fast port scanning tool written in Rust and is built to work in sync with Nmap to provide reliable results.
Among these tools every pentester is familiar with Nmap and Masscan. Nmap is the best tool for network pentesting and supports a wide range of scripts through its NSE (Nmap Scripting Engine), but with hundreds of IPs or hosts to scan it returns results slowly. Masscan, on the other hand, scans the fastest, but its accuracy cannot be relied on.
Naabu is a great tool from Project Discovery that scans ports with fair accuracy and speed, and thanks to its ease of use it chains easily with other Project Discovery tools such as subfinder or httpx. The basic host scanning command looks like this:
naabu -host scanme.nmap.org -o output.txt
It also supports Nmap; however, I have faced issues while scanning with it.
Rustscan is a flexible port scanner built in Rust that is both faster and accurate. Its Nmap support is seamless, and it offers better customization, such as changing the flags for the Nmap scan and saving the output in Nmap's XML format.
Installing Rustscan is simple: all you need to do is download the package from the releases page https://github.com/RustScan/RustScan/releases/ and install it with:
dpkg -i rustscan_1.10.0_amd64.deb
A basic scan looks like this:
rustscan scanme.nmap.org --ulimit 5000
If you look at the time taken, Rustscan's is negligible compared to any other scanner. Now let's scan with Nmap flags and scripts by adding "--" at the end of the command and putting the Nmap flags after it:
rustscan scanme.nmap.org --ulimit 5000 -- -sV -sC
For comparison, I've scanned all ports with Rustscan and Naabu, and here are the timings:
Naabu with default ports without nmap scan: 21 seconds
Rustscan on all ports with nmap and -sV: 12 seconds
Note that all the scans were performed from a VPS; speeds will vary on a home network and with the target IP/host.
How to Integrate Rustscan in Bug Bounty Recon?
With a Bash script we can include Rustscan in our recon flow: create a snippet like the one below and save all the results in a folder of your choice for later analysis:
# Enumerate subdomains, probe for live web hosts, and strip the scheme from the httpx URLs
subfinder -d redacted.com -silent | httpx -silent > alive.txt
sed 's#^https\?://##' alive.txt > scan-ip.txt
# Scan every host in scan-ip.txt with Rustscan (a file of hosts is passed with -a; the default port range is all 65535 ports)
# and hand the open ports to Nmap for service detection
rustscan -a scan-ip.txt --ulimit 5000 -- -n -sV -Pn -oA scan-result
# Note: Rustscan runs the Nmap command once per host, so with several hosts a fixed -oA name is overwritten by each host
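As an added example (not the post's own script), here is a POSIX shell version of the same workflow that handles the cases the one-line sed misses, namely httpx lines carrying a port or a path, and writes one Nmap report set per host so nothing is overwritten. It assumes RustScan 1.10.0 (which takes a host or a file of hosts with -a) and Nmap on PATH; the httpx lines in it are constructed.

```sh
#!/bin/sh
# Added example, not the post's own script. Assumes RustScan 1.10.0 (host or
# file of hosts via -a) and Nmap on PATH; the sample httpx lines are constructed.

# httpx prints one URL per line and can include a port and a path, e.g.
# https://api.example.com:8443/v1/health. Stripping only the scheme would hand
# "api.example.com:8443/v1/health" to RustScan, which is not a valid host.
# This keeps the bare hostname, drops blank lines, and removes duplicates such
# as the same host reached over both http and https.
normalize_hosts() {
    sed -e 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##' \
        -e 's#/.*$##' \
        -e 's#:[0-9]*$##' \
        -e '/^$/d' |
    LC_ALL=C sort -u
}

# Scan each host in $1 (default scan-ip.txt) and keep one Nmap report set per
# host under $2 (default scan-results), so no host's output is overwritten.
scan_hosts() {
    hosts_file=${1:-scan-ip.txt}
    outdir=${2:-scan-results}
    mkdir -p "$outdir"
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        rustscan -a "$host" --ulimit 5000 -- -n -Pn -sV -oA "$outdir/$host"
    done < "$hosts_file"
}

# Constructed httpx output for trying the normalizer offline.
sample_httpx_output() {
    printf '%s\n' \
        'https://app.example.com' \
        'http://app.example.com' \
        'https://api.example.com:8443/v1/health' \
        'http://203.0.113.10:8080' \
        ''
}

# Full workflow, mirroring the post's pipeline:
#   subfinder -d example.com -silent | httpx -silent | normalize_hosts > scan-ip.txt
#   scan_hosts scan-ip.txt scan-results
```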
Using similar Bash scripts we can perform faster port scanning in bug bounty recon.
- Nmap is most accurate but slow for a large scope
- Masscan can be the fastest but lacks accuracy
- Naabu is fast and useful for scanning default ports when you are not running Nmap on top of it
- Rustscan is both faster and accurate for a full port scan
- Rustscan supports Nmap Scripting Engine which can be used for scanning vulnerabilities
Thanks for reading, hope this blog helped in improving your recon game.