Version: 1.0.0 Status: Production Ready Platform: Linux x86_64 (AMD64) Language: Rust 1.90+
Tribute: RustNmap pays tribute to Nmap -- the gold standard of network scanning for over two decades. Nmap's design philosophy and implementation deeply inspired this project.
RustNmap is a modern, high-performance network scanning tool written in Rust, trying to provide 100% functional parity with Nmap while leveraging Rust's memory safety and async capabilities. During development, we extensively referenced Nmap's design (timing engine, congestion control, fingerprint matching, NSE architecture, etc.) and continuously validated results against Nmap on real-world targets.
Key Features:
- 12 Scan Types: SYN, Connect, UDP, FIN, NULL, XMAS, ACK, Maimon, Window, IP Protocol, Idle, FTP Bounce
- Service & OS Detection: 6000+ service probes, 5000+ OS signatures
- NSE Scripting: Full Lua 5.4 engine with Nmap library compatibility
- 5 Output Formats: Normal, XML, JSON, Grepable, Script Kiddie
- Advanced Evasion: Fragmentation, decoys, spoofing, timing control
git clone https://github.com/greatwallisme/rust-nmap.git
cd rust-nmap
cargo build --release
sudo ./target/release/rustnmap --help# TCP SYN scan (requires root)
sudo rustnmap -sS 192.168.1.1
# TCP Connect scan (no root required)
rustnmap -sT 192.168.1.1
# Scan specific ports
sudo rustnmap -p 22,80,443 192.168.1.1
# Service detection
sudo rustnmap -sV 192.168.1.1
# OS detection
sudo rustnmap -O 192.168.1.1
# Full aggressive scan
sudo rustnmap -A 192.168.1.1RustNmap embeds all required Nmap data files (service probes, OS fingerprints, NSE scripts, etc.) into the binary. Before first use, extract them to ~/.rustnmap/:
rustnmap initThis is idempotent -- existing files are skipped. Use --force to overwrite:
rustnmap init --forceIf the data directory is missing when a scan is run, RustNmap will prompt you to run rustnmap init.
| Document | Description |
|---|---|
| User Manual | Complete command reference and usage guide |
| User Guide | Comprehensive scanning tutorials |
| Architecture | System design and crate structure |
- Quick Reference - One-page command cheat sheet
- Options Reference - Complete CLI options
- Scan Types - Detailed scan documentation
- Output Formats - Format specifications
- NSE Scripts - Scripting guide
- Exit Codes - Error handling reference
- Environment Variables - Configuration via env vars
- Configuration File - Config file format
# Single IP, CIDR, range, hostname
rustnmap 192.168.1.1
rustnmap 192.168.1.0/24
rustnmap 192.168.1.1-100
rustnmap example.com
# From file
rustnmap -iL targets.txtsudo rustnmap -sS 192.168.1.1 # TCP SYN (stealth)
rustnmap -sT 192.168.1.1 # TCP Connect (no root)
sudo rustnmap -sU 192.168.1.1 # UDP
sudo rustnmap -sF 192.168.1.1 # FIN scan
sudo rustnmap -sA 192.168.1.1 # ACK (firewall mapping)sudo rustnmap -oN results.nmap 192.168.1.1 # Normal
sudo rustnmap -oX results.xml 192.168.1.1 # XML
sudo rustnmap -oJ results.json 192.168.1.1 # JSON
sudo rustnmap -oG results.gnmap 192.168.1.1 # Grepable
sudo rustnmap -oA results 192.168.1.1 # All formatssudo rustnmap -sC 192.168.1.1 # Default scripts
sudo rustnmap --script http-title 192.168.1.1 # Specific script
sudo rustnmap --script "vuln" 192.168.1.1 # Category
sudo rustnmap --script "http-*" 192.168.1.1 # Pattern# Build
cargo build --release
# Run tests
cargo test --workspace
# Run clippy (zero warnings required)
cargo clippy --workspace -- -D warnings
# Format check
cargo fmt --all -- --check
# Generate docs
cargo doc --workspace --no-deps --all-features- Memory Safety: Rust ownership prevents buffer overflows
- Safe Concurrency: Compile-time data race prevention
- 31 unsafe blocks (all FFI/system calls with SAFETY comments)
| Crate | Count | Purpose |
|---|---|---|
rustnmap-core |
11 | libc::close, freeifaddrs, ARP/ioctl |
rustnmap-packet (mmap) |
8 | PACKET_MMAP ring buffer, zero-copy |
rustnmap-scan |
3 | Packet adapter FFI |
rustnmap-packet (recvfrom) |
2 | libc::send raw socket |
rustnmap-target |
2 | libc::close, freeifaddrs |
rustnmap-nse |
1 | setrlimit (process isolation) |
rustnmap-sdk |
1 | libc::geteuid (root detection) |
| Feature | RustNmap | Nmap |
|---|---|---|
| Scan Types | 12 | 12 |
| Service Detection | 6000+ probes | 6000+ probes |
| OS Detection | 5000+ signatures | 5000+ signatures |
| NSE Scripts | Full Lua 5.4 | Full Lua 5.4 |
| Output Formats | 5 | 5 |
| Memory Safety | Guaranteed | No |
| Concurrency | Async/await | Event-driven |
RustNmap is continuously validated against Nmap on real-world targets to ensure scanning accuracy and functional parity.
| Target | Type | Usage |
|---|---|---|
scanme.nmap.org (45.33.32.156) |
Internet host (Nmap project) | Default comparison target, 41 scan-type parity tests |
153.3.238.0/24 |
Public /24 network segment | Multi-target parallelism, cwnd scaling, T0-T5 timing |
| Local network /24 segments | Private LAN | ARP host discovery, batch accuracy, ICMP ping |
- 41 comparison tests (rustnmap vs nmap): all 12 scan types, timing templates T0-T5, output formats, evasion, service/OS detection
- 104 CLI validation tests: all 85 CLI options across 12 categories
- Criterion benchmarks: packet engine, scan engine, fingerprint matching, NSE hot paths
See benchmarks/README.md for full test suite details, configuration, and how to run them.
RustNmap is licensed under the GNU General Public License v3.0 or later (GPL-3.0-or-later).
| Component | License |
|---|---|
| RustNmap Source Code | GPL-3.0-or-later |
| Nmap Fingerprint Databases | NPSL (when used) |
RustNmap uses Nmap's fingerprint databases (nmap-service-probes, nmap-os-db, nmap-mac-prefixes, nmap-services, nmap-protocols, nmap-rpc) which are licensed under the Nmap Public Source License (NPSL). See COPYING for details.
Disclaimer: This tool is for authorized security testing only. Always obtain proper authorization before scanning networks you do not own.