offensive-tools/network/rustscan/SKILL.md
Auth/lab ref: Ultra-fast port scanner that finds open ports in seconds then auto-pipes into nmap for service/version detection.
Blazing-fast port discovery with automatic nmap handoff. Find open ports in seconds, get nmap service data in one command.
```bash
# Cargo
cargo install rustscan
# Apt (Kali/Debian)
sudo apt install rustscan
# Docker (no install)
docker run -it --rm --name rustscan rustscan/rustscan:latest -a TARGET -- -sV
# Snap
sudo snap install rustscan
```
| Flag | Purpose | Default |
|------|---------|---------|
| -a <addr> | Target — IP, CIDR, hostname, or file | required |
| -p <ports> | Specific ports to scan | all 65535 |
| --range <start-end> | Port range (e.g. 1-1024) | — |
| -b <batch> | Ports probed per batch | 4500 |
| -t <ms> | Timeout per port | 1500ms |
| --ulimit <n> | File descriptor limit (higher = faster) | 8000 |
| --no-nmap | Skip nmap; output open ports only | false |
| --scan-order <order> | Serial or Random | Serial |
| --scripts <script> | nmap script category shorthand | default |
| --top | Scan top 1000 ports only | false |
| --greppable, -g | Machine-readable output | false |
| --accessible | Accessibility-friendly output | false |
| --quiet, -q | Suppress banner | false |
| -- <nmap args> | Any nmap flags passed through | — |
```bash
# Fast discovery + full nmap service/script scan
rustscan -a 10.10.10.5 --ulimit 5000 -- -sV -sC
# Save output
rustscan -a 10.10.10.5 --ulimit 5000 -- -sV -sC -oA scans/target
# Top 1000 ports only
rustscan -a 10.10.10.5 --top -- -sV
# Known service ports
rustscan -a 10.10.10.5 -p 22,80,443,445,1433,3306,3389,5985 -- -sV -sC
# Port range
rustscan -a 10.10.10.5 --range 1-10000 -- -sV
# Open port list only — no nmap overhead
rustscan -a 10.0.0.0/24 --no-nmap --ulimit 5000 -b 2048 | tee open_ports.txt
# Aggressive: high ulimit, nmap -A -T4
rustscan -a 10.10.10.5 --ulimit 10000 -- -A -T4
# Gentle: small batches, longer timeout, nmap -T2
rustscan -a 10.10.10.5 -b 200 -t 3000 --ulimit 2000 -- -sV -T2
```
```bash
# Basic scan
docker run -it --rm rustscan/rustscan:latest -a TARGET -- -sV -sC
# With output directory mounted (quoted so a working directory containing spaces still works)
docker run -it --rm -v "$(pwd)/scans:/scans" rustscan/rustscan:latest -a TARGET -- -sV -oA /scans/target
# Network mode host (for LAN targets)
docker run -it --rm --network host rustscan/rustscan:latest -a 192.168.1.0/24 --no-nmap
```
RustScan outputs open ports first, then spawns nmap. Key patterns:
```text
Open 10.10.10.5:22
Open 10.10.10.5:80
Open 10.10.10.5:443
# Then nmap runs automatically on found ports:
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.9p1
80/tcp   open  http     nginx 1.18.0
443/tcp  open  ssl/http nginx 1.18.0
```
Greppable output:
```bash
rustscan -a TARGET --no-nmap -g | grep "Open"
```
```bash
# Fastest possible (Linux, permissive ulimit)
ulimit -n 65535
rustscan -a TARGET -b 65535 -t 500 --ulimit 65535 -- -sV
# Moderate (reliable on most targets)
rustscan -a TARGET --ulimit 5000 -b 3000 -- -sV -sC
# Conservative (slow targets, firewalled, Windows hosts)
rustscan -a TARGET -b 500 -t 3000 --ulimit 2000 -- -sV
```
Guideline: increase -b and --ulimit together. High --ulimit + low -b wastes file descriptors.
```bash
# 1. Fast port discovery: collect the port numbers as a comma-separated list
rustscan -a TARGET --no-nmap | grep "Open" | awk -F: '{print $2}' | tr '\n' ',' | sed 's/,$//' > ports.txt
# 2. Deep nmap on discovered ports
nmap -sV -sC -p "$(cat ports.txt)" -oA TARGET_deep TARGET
```
```bash
# rustscan: per-host, fast + nmap integration
rustscan -a 10.10.10.5 --ulimit 5000 -- -sV
# masscan: wide range, many hosts
masscan 10.0.0.0/24 -p1-65535 --rate 10000 -oL masscan.txt
```
```bash
# 1. Discover live hosts with open ports
#    Lines look like "Open 10.10.10.5:22", so take the second field before cutting on ":";
#    cutting the whole line on ":" would leave the "Open " prefix in the host name.
rustscan -a 192.168.1.0/24 --no-nmap -b 1024 | grep "^Open " | awk '{print $2}' | cut -d: -f1 | sort -u > live_hosts.txt
# 2. Deep scan each live host
while read -r host; do
  rustscan -a "$host" --ulimit 5000 -- -sV -sC -oA "scans/$host"
done < live_hosts.txt
```
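The two-step and sweep workflows above both parse RustScan's default `Open <host>:<port>` lines with ad-hoc `grep`/`awk`/`cut` chains, which break on hosts that contain a colon (IPv6) and need a second pass to group ports per host. The following is an added example, not RustScan's own code: a small POSIX shell function that turns that output into one `host port,port,...` line per host, ready for the per-host nmap handoff. The sample scan output embedded in it is constructed for illustration, not captured from a real scan.

```shell
#!/bin/sh
# Added example (not RustScan's own code): turn RustScan's default
# "Open <host>:<port>" lines into one "host port,port,..." line per host.
# Reads stdin, keeps hosts in first-seen order, and ignores banner or
# warning lines that do not begin with "Open ".

parse_open_ports() {
  awk '
    $1 == "Open" {
      host = $2; sub(/:[0-9]+$/, "", host)   # strip the trailing :port (IPv6-safe)
      port = $2; sub(/.*:/, "", port)       # keep only the port number
      if (!(host in ports)) { order[++n] = host; ports[host] = port }
      else ports[host] = ports[host] "," port
    }
    END { for (i = 1; i <= n; i++) print order[i], ports[order[i]] }
  '
}

# Constructed sample output (not captured from a real scan): two hosts plus
# two non-"Open" lines that the parser must skip.
SAMPLE_OUTPUT='[~] The config file is expected at ~/.rustscan.toml
Open 10.10.10.5:22
Open 10.10.10.5:80
Open 10.10.10.6:445
Open 10.10.10.5:443
[!] constructed warning line, should be ignored'

# Parse the constructed sample; prints "host ports" lines, one per host.
demo_parse() { printf '%s\n' "$SAMPLE_OUTPUT" | parse_open_ports; }

# Real use: feed a live sweep through the parser and hand each host's port
# list to nmap, e.g.
#   rustscan -a 192.168.1.0/24 --no-nmap -b 1024 | parse_open_ports |
#     while read -r host ports; do nmap -sV -sC -p "$ports" -oA "scans/$host" "$host"; done

demo_parse
```

On the constructed sample, `demo_parse` prints `10.10.10.5 22,80,443` and `10.10.10.6 445`; the `$1 == "Open"` guard is what keeps RustScan's banner and `[~]`/`[!]` status lines out of the host list.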
- Large batches (-b 4500+) are very noisy — triggers IDS/IPS and firewall logs
- -b 200 -t 3000 for slower, lower-noise scan on monitored targets
- --scan-order Random randomizes port order — slightly less fingerprint-able than serial

| File | When to load |
|------|--------------|
| references/scan-workflow-and-nmap-integration.md | Output parsing, NSE scripts per service, firewall evasion, port state interpretation, service-to-tool pipeline table |