
Bug Bounty Recon: Perform Faster Port Scan


Most bug hunters follow broadly similar recon methodologies: enumerate the subdomains in the target scope, then scan them for common misconfigurations and vulnerabilities. What most of these methodologies lack is a fast way to port scan the resulting host list. In this blog we cover several workflows for port scanning a list of subdomains and pick the fastest practical one.

Different Port Scanning Tools:

1. Nmap:

Nmap, short for Network Mapper, is a free, open-source tool for vulnerability scanning and network discovery.

2. Masscan:

Masscan is an Internet-scale port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second, from a single machine.

3. Naabu:

Naabu is a port scanning tool from Project Discovery written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner.

4. Rustscan:

Rustscan is a fast port scanning tool written in Rust and is built to work in sync with Nmap to provide reliable results.

Of these tools, every pentester will be familiar with Nmap and Masscan. Nmap is the best tool for network pentesting and supports a large library of NSE (Nmap Scripting Engine) scripts, but when there are hundreds of IPs/hosts to scan it returns results slowly. Masscan, on the other hand, is the fastest of the four, but its results cannot be relied on for accuracy.

Naabu is a great tool from Project Discovery that scans ports with fair accuracy and speed, and because of its simple interface it chains easily with the other Project Discovery tools such as subfinder or httpx. The basic host scanning command looks like this:

naabu -host scanme.nmap.org -o output.txt

Naabu Port Scan

It also supports Nmap; however, I have faced issues while scanning with Nmap.

Rustscan is a flexible port scanner built in Rust that is both faster and accurate. Its Nmap support is seamless, and it offers better customization, such as changing the flags passed to the Nmap scan and saving the output in Nmap's XML format.

Installing Rustscan is simple: download the binary from the releases page https://github.com/RustScan/RustScan/releases/ and install it with

dpkg -i rustscan_1.10.0_amd64.deb

We can use basic scanning commands:

rustscan scanme.nmap.org --ulimit 5000

Rustscan for faster scanning (Rustscan comes with humor)

If you observe the time taken by Rustscan, it is negligible compared to any other scanner. Now let's scan with Nmap flags and scripts by appending "--" to the command and adding the Nmap flags after it.

rustscan scanme.nmap.org --ulimit 5000 -- -sV -sC

Service enumeration and default Nmap scripts with Rustscan

Comparison:

For comparison I’ve scanned all ports with Rustscan and Naabu and here are the timings:

Naabu with default ports without nmap scan: 21 seconds

Rustscan on all ports with nmap and -sV: 12 seconds

Do note that all the scans were performed from a VPS; speed will vary on a home network and depends on the target IP/host.

How to Integrate Rustscan in Bug Bounty Recon?

With a short Bash snippet we can include Rustscan in our recon flow and save all the results in a preferred folder for later analysis:

# Enumerate subdomains, keep the ones that answer over HTTP(S), and strip the scheme that httpx prints
subfinder -d redacted.com -silent | httpx -silent > alive.txt
sed 's/https\?:\/\///' alive.txt > scan-ip.txt

# Scan every port on the hosts listed in scan-ip.txt (-a accepts a file of hosts) and hand the open ports to Nmap.
# No -p is needed: Rustscan scans all 65535 ports by default, and a bare -p makes the next token fail to parse as a port.
rustscan -a scan-ip.txt --ulimit 5000 -- -n -sV -Pn -oA scan-result

Using similar bash scripts we can perform faster port scanning in Bug Bounty Recon.
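The same workflow as a runnable script, added here as an example rather than taken from the post: the URL-to-host cleanup lives in a function that also strips ports and paths and removes duplicates, and the scan step uses Rustscan's -a flag with the host file. It assumes subfinder, httpx and rustscan are installed and that -a accepts a file of hosts, as it does in the 1.10.0 release installed above.

```shell
#!/bin/sh
# Added example (not the post's own snippet): wrap the subfinder -> httpx -> RustScan
# workflow in functions so the host list is cleaned before it reaches the scanner.
# Assumptions: subfinder, httpx and rustscan are installed; RustScan's -a flag takes
# a file of hosts (as in 1.10.0, the version installed above).
set -eu

# Turn httpx-style URLs into bare hosts: drop the scheme, any :port and any /path,
# skip blank lines and keep only the first occurrence of each host.
# (IPv6 literals would be mangled by the ':' strip; this workflow only sees hostnames/IPv4.)
normalize_hosts() {
    sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://##; s#[:/].*$##' | awk 'NF && !seen[$0]++'
}

# Number of distinct hosts that would be scanned; a quick scope sanity check before launching.
count_hosts() {
    normalize_hosts < "$1" | wc -l | tr -d ' '
}

# Full workflow: enumerate, probe for live web hosts, normalize, then scan all ports
# with RustScan and pass the open ports to Nmap (-n no DNS, -Pn skip host discovery,
# -sV service detection). Results land in $outdir as scan-result.{nmap,gnmap,xml}.
run_recon() {
    domain="$1"
    outdir="${2:-recon-$domain}"
    mkdir -p "$outdir"
    subfinder -d "$domain" -silent | httpx -silent > "$outdir/alive.txt"
    normalize_hosts < "$outdir/alive.txt" > "$outdir/scan-ip.txt"
    echo "Scanning $(count_hosts "$outdir/scan-ip.txt") hosts from $outdir/scan-ip.txt"
    # No -p: RustScan scans all 65535 ports by default (a bare -p is what produced
    # the "Invalid value for '--ports'" error reported in the comments below).
    rustscan -a "$outdir/scan-ip.txt" --ulimit 5000 -- -n -Pn -sV -oA "$outdir/scan-result"
}

# Usage: ./recon.sh example.com [output-dir]
if [ "$#" -gt 0 ]; then
    run_recon "$@"
fi
```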

Conclusion:

  • Nmap is most accurate but slow for a large scope
  • Masscan can be the fastest but lacks accuracy
  • Naabu can be fast and useful when scanning for default ports if you are not scanning with Nmap
  • Rustscan is both faster and accurate for all-port scans
  • Rustscan passes through to Nmap, so the Nmap Scripting Engine can be used for vulnerability scanning

Thanks for reading, hope this blog helped in improving your recon game.

Follow @RootSploit for more awesome blogs.

3 Comments

  1. h4z3dic h4z3dic October 11, 2020

    When running script I get this error message:
    error: Invalid value for ‘–ports …’: invalid digit found in string

    • Rootsploit Rootsploit October 11, 2020

      Hi h4z3dic,

      You can use the below command:
      # -a takes the host file; no -p is needed because Rustscan scans all ports by default
      rustscan -a scan-ip.txt --ulimit 5000 -- -n -sV -Pn
