# ARES — Authorized Reconnaissance & Exploitation Suite

## What is ARES?

ARES is a modular penetration testing toolkit built in Rust, designed for authorized security auditors and red teams. It combines fast async port scanning, service fingerprinting, vulnerability detection, CVE cross-referencing, and professional reporting into a single CLI + TUI tool.

## Features

| Feature | Description |
|---|---|
| Port Scanning | TCP connect, SYN (raw socket), and UDP scanning |
| Service Detection | Banner grabbing + 20-rule fingerprinter (SSH, HTTP, FTP, SMTP, Redis, etc.) |
| OS Fingerprinting | TTL, TCP window size, and SSH/HTTP banner heuristics |
| Vulnerability Checks | 18 structural rules + 9 banner patterns + HTTP security header analysis |
| CVE Database | Cross-reference detected versions against a bundled local CVE database |
| Plugin System | Implement `CheckPlugin` trait to add custom checks |
| Reporting | JSON, human-readable text, and self-contained HTML reports |
| JSONL Streaming | Real-time JSON-lines output for pipeline integration |
| TUI | Interactive 3-tab terminal UI with live scan results |
| Config File | `config/ares.toml` for persistent defaults |

## Installation

### Requirements

- Linux (x86_64)
- Rust 1.75+ (`curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh`)

### One-Command Install

```bash
bash install.sh
```

This will:

- Check Rust is installed
- Create `dist/`, `scans/`, `config/` directories
- Copy the bundled CVE database
- Build the release binary to `dist/ares`

### Add to PATH

```bash
echo 'export PATH="$PATH:$HOME/ares/dist"' >> ~/.bashrc && source ~/.bashrc
```
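
## Quick Start

```bash
# Port scan
ares scan 192.168.1.1 --ports 1-1024 --save scan.json

# Service detection with vulnerability checks
ares service-detect 192.168.1.1 --ports 22,80,443 --vuln

# Vulnerability checks against the saved scan
ares vuln-scan scan.json --min-severity medium

# HTML report
ares report scan.json --format html --output report.html --vuln

# Interactive TUI
ares --tui
```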

## Commands

### ares scan

Perform async port scanning on a target.

```
ares scan [OPTIONS]

Arguments:
  IP address, hostname, or CIDR range (e.g. 192.168.1.0/24)

Options:
  -p, --ports         Port range [default from config: 1-1024]
                      Examples: 80, 1-1024, 22,80,443, all
  -s, --scan-type     tcp | syn | udp [default: tcp]
  -c, --concurrency   Max concurrent connections [default: 500]
  -t, --timeout       Per-port timeout in milliseconds [default: 1000]
      --rate          Max probes per second (0 = unlimited)
      --save          Save results to JSON file
      --no-progress   Suppress progress bar
      --stream        Stream results as JSONL to stdout
```

Examples:

```bash
# Fast scan of common ports
ares scan 10.0.0.1 --ports 22,80,443,3306,5432,6379,8080

# Full port range with higher concurrency, saved to a file
ares scan 10.0.0.1 --ports 1-65535 --concurrency 1000 --save full.json

# SYN scan (requires elevated privileges)
sudo ares scan 10.0.0.1 --scan-type syn --ports 1-1024

# Subnet scan
ares scan 192.168.1.0/24 --ports 22,80,443 --save subnet.json

# Stream JSONL and keep only open-port events
ares scan 10.0.0.1 --stream | jq 'select(.type == "open_port")'
```

### ares service-detect

Grab banners and fingerprint services on discovered ports.

```
ares service-detect --ports [OPTIONS]

Options:
  -p, --ports         Ports to probe (required)
  -t, --timeout       Per-probe timeout [default: 2000]
  -c, --concurrency   Max concurrent grabs [default: 50]
      --vuln          Also run vulnerability checks on findings
      --json          Output as JSON
```

Examples:

```bash
# Detect services and run vuln checks
ares service-detect 10.0.0.1 --ports 22,80,443,3306 --vuln

# JSON output
ares service-detect 10.0.0.1 --ports 22,80 --json
```

### ares vuln-scan

Run vulnerability checks against a previously saved scan JSON file.

```
ares vuln-scan <SCAN_FILE> [OPTIONS]

Options:
      --min-severity  info | low | medium | high | critical [default: info]
      --json          Output findings as JSON
  -o, --output        Write findings to file
```

Examples:

```bash
# Show all findings
ares vuln-scan scan.json

# Only findings at or above high severity
ares vuln-scan scan.json --min-severity high

# Write findings as JSON to a file
ares vuln-scan scan.json --json --output findings.json
```

### ares report

Generate a formatted report from a saved scan JSON file.

```
ares report [OPTIONS]

Options:
  -f, --format        text | json | html [default: text]
  -o, --output        Output file (default: stdout)
      --vuln          Run vulnerability checks and include in report
```

Examples:

```bash
# Human-readable text report
ares report scan.json --format text --vuln

# HTML report, then open it
ares report scan.json --format html --output report.html --vuln
xdg-open report.html

# JSON report
ares report scan.json --format json --output report.json --vuln
```

## TUI Mode

Launch the interactive terminal UI:

```bash
ares --tui
```

### Tabs

| Tab | Description |
|---|---|
| Scan | Enter target and port range, live results |
| Settings | Adjust concurrency, timeout, rate limit, scan type |
| Help | Key reference and CLI quick-start |

### Keybindings

| Key | Action |
|---|---|
| Tab / Shift+Tab | Cycle between tabs |
| S | Start scan (Scan tab) |
| C | Clear results |
| ↑↓ | Navigate settings |
| ←→ | Adjust setting value |
| R | Reset settings to defaults |
| Q | Quit |
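
## Complete Workflow Example

```bash
# 1. Scan the target
ares scan 192.168.1.100 --ports 1-1024 --save scans/target.json

# 2. Fingerprint services and run vulnerability checks
ares service-detect 192.168.1.100 --ports 22,80,443 --vuln

# 3. Run vulnerability checks against the saved scan
ares vuln-scan scans/target.json --min-severity low

# 4. Generate the HTML report
ares report scans/target.json --format html --output scans/report.html --vuln

# 5. Open the report
xdg-open scans/report.html
```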

## Configuration

Edit `config/ares.toml` to set persistent defaults:

```toml
[scan]
default_ports = "1-1024"
default_scan_type = "tcp"
default_concurrency = 500
default_timeout_ms = 1000

[service_detect]
default_concurrency = 50
default_timeout_ms = 2000

[vuln]
min_severity = "info"

[reporting]
default_format = "text"
output_dir = "./scans"

[logging]
level = "warn"
```

Use a custom config file:

```bash
ares --config /path/to/custom.toml scan 10.0.0.1
```

## CVE Database

ARES ships with a bundled CVE database at `config/cve_db.json`. It includes entries for:

- vsftpd 2.3.4 backdoor (CVE-2011-2523)
- Apache path traversal (CVE-2021-41773, CVE-2021-42013)
- Log4Shell (CVE-2021-44228)
- OpenSSH vulnerabilities (CVE-2018-15473, CVE-2023-38408)
- OpenSSL (CVE-2022-1292)

To add your own entries, extend `config/cve_db.json` following the schema:

```json
{
  "id": "CVE-YYYY-NNNNN",
  "description": "Description of the vulnerability.",
  "severity": "CRITICAL",
  "cvss_score": 9.8,
  "affected": [
    { "product": "ProductName", "version_pattern": "< 2.4.50" }
  ],
  "references": ["https://nvd.nist.gov/vuln/detail/CVE-YYYY-NNNNN"]
}
```

Version pattern syntax:

| Pattern | Meaning |
|---|---|
| `"2.3.4"` | Exact version match |
| `"< 2.4.50"` | Less than |
| `"<= 7.7"` | Less than or equal |
| `">= 2.0, < 2.15.0"` | Range |
| `"/regex/"` | Regex match |
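
When writing `version_pattern` entries, the usual mistake is assuming versions compare as strings. The following is an added example, not ARES's own code, showing one way to evaluate the exact, comparison, and range forms of the syntax above; the function names are hypothetical, and the numeric component-wise comparison with zero padding is an assumption about the intended semantics. The `/regex/` form is recognised but not evaluated.

```rust
// Added example, not ARES source. `parse_version`, `cmp_versions` and
// `matches_pattern` are hypothetical names; comparison rules are assumptions.
use std::cmp::Ordering;

/// "2.4.50" -> [2, 4, 50]; a component like "9p1" keeps only its leading digits.
fn parse_version(v: &str) -> Vec<u64> {
    v.trim().split('.').map(|part| {
        let digits: String = part.chars().take_while(|c| c.is_ascii_digit()).collect();
        digits.parse::<u64>().unwrap_or(0)
    }).collect()
}

/// Numeric, component-wise comparison; the shorter version is zero-padded.
fn cmp_versions(a: &str, b: &str) -> Ordering {
    let (a, b) = (parse_version(a), parse_version(b));
    for i in 0..a.len().max(b.len()) {
        let (x, y) = (a.get(i).copied().unwrap_or(0), b.get(i).copied().unwrap_or(0));
        if x != y { return x.cmp(&y); }
    }
    Ordering::Equal
}

/// Some(bool) for exact, "<", "<=", ">=" and comma-separated range patterns;
/// None for "/regex/" patterns, which this sketch does not evaluate.
fn matches_pattern(detected: &str, pattern: &str) -> Option<bool> {
    let pattern = pattern.trim();
    if pattern.len() >= 2 && pattern.starts_with('/') && pattern.ends_with('/') {
        return None;
    }
    // Every clause of a range must hold.
    Some(pattern.split(',').all(|clause| {
        let clause = clause.trim();
        if let Some(v) = clause.strip_prefix("<=") {
            cmp_versions(detected, v) != Ordering::Greater
        } else if let Some(v) = clause.strip_prefix(">=") {
            cmp_versions(detected, v) != Ordering::Less
        } else if let Some(v) = clause.strip_prefix('<') {
            cmp_versions(detected, v) == Ordering::Less
        } else {
            cmp_versions(detected, clause) == Ordering::Equal
        }
    }))
}

fn main() {
    // Constructed inputs: a plain string comparison would rank "2.4.9" above "2.4.50".
    println!("{:?}", matches_pattern("2.4.9", "< 2.4.50"));
    println!("{:?}", matches_pattern("2.15.0", ">= 2.0, < 2.15.0"));
}
```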

## Plugin System

Add custom vulnerability checks by implementing the `CheckPlugin` trait:

```rust
use ares::vuln::plugin::{CheckPlugin, CheckContext, PluginRegistry};
use ares::vuln::checks::Finding;

struct MyCustomCheck;

impl CheckPlugin for MyCustomCheck {
    fn name(&self) -> &'static str { "my_check" }
    fn description(&self) -> &'static str { "My custom vulnerability check" }

    fn applies_to(&self) -> Option<&[&'static str]> {
        Some(&["http", "https"]) // Only run on HTTP ports
    }

    fn run_sync(&self, ctx: &CheckContext) -> Vec<Finding> {
        if ctx.banner().contains("vulnerable-pattern") {
            vec![Finding {
                name: "My Finding".to_string(),
                service: "http".to_string(),
                port: ctx.port.port,
                severity: "HIGH".to_string(),
                description: "Found vulnerable pattern.".to_string(),
                evidence: ctx.banner().to_string(),
            }]
        } else {
            vec![]
        }
    }
}
```

## SYN Scan

SYN scanning sends raw TCP SYN packets without completing the handshake — faster and stealthier than TCP connect. It requires elevated privileges:

```bash
# Option 1: sudo
sudo ares scan 10.0.0.1 --scan-type syn --ports 1-1024

# Option 2: grant CAP_NET_RAW to the binary
sudo setcap cap_net_raw+ep ~/ares/dist/ares
ares scan 10.0.0.1 --scan-type syn --ports 1-1024
```

If `CAP_NET_RAW` is unavailable, ARES automatically falls back to TCP connect scanning with a warning.

## JSONL Pipeline Integration

Use `--stream` for real-time JSON-lines output compatible with jq, grep, and log aggregators:

```bash
# Filter only open ports
ares scan 10.0.0.0/24 --stream | jq 'select(.type == "open_port")'

# Save open-port events to a file
ares scan 10.0.0.1 --stream | grep '"open_port"' > open_ports.jsonl

# Select events for a specific service
ares scan 10.0.0.1 --stream | jq 'select(.service == "docker")'
```

Event types:

| Type | Description |
|---|---|
| `scan_start` | Scan begins — target, host count, port count |
| `open_port` | An open port was discovered |
| `scan_done` | Scan complete — summary stats |
| `finding` | A vulnerability finding |
| `error` | An error occurred |

## Building from Source

```bash
git clone https://github.com/YOUR_USERNAME/ARES.git
cd ARES
bash install.sh

# Manual build (alternative to install.sh)
cargo build --release
cp target/release/ares dist/ares
```

### Running Tests

```bash
cargo test
```

### Benchmarks

```bash
cargo bench
```

## Project Structure

```
ares/
├── src/
│   ├── cli/          # CLI argument parsing and command dispatch
│   ├── scanner/      # Port scanning engine (TCP/SYN/UDP), OS fingerprinting
│   ├── service/      # Banner grabbing and service fingerprinting
│   ├── vuln/         # Vulnerability checks, CVE database, plugin system
│   ├── reporting/    # JSON, text, and HTML report renderers
│   ├── tui/          # Terminal UI (ratatui)
│   └── utils/        # Config, logging, progress bars, rate limiting, streaming
├── config/
│   ├── ares.toml     # Default configuration
│   └── cve_db.json   # Bundled CVE database
├── scans/            # Default output directory for scan results
├── install.sh        # One-command installer
├── run.sh            # Wrapper script
└── Makefile          # Build, test, lint shortcuts
```

## Makefile Shortcuts

```bash
make build       # Release build → dist/ares
make debug       # Debug build
make test        # Run all tests
make bench       # Run benchmarks
make lint        # Run clippy
make clean       # Remove build artifacts
make scan-local  # Quick localhost scan
make tui         # Launch TUI
```

## Legal

ARES is provided for authorized security testing, auditing, and educational purposes only.

- Only use against systems you own or have explicit written permission to test
- Unauthorized port scanning may be illegal in your jurisdiction
- The authors accept no liability for misuse

## Tech Stack

| Crate | Purpose |
|---|---|
| tokio | Async runtime |
| clap | CLI argument parsing |
| ratatui + crossterm | Terminal UI |
| socket2 | Raw socket SYN scanning |
| serde + serde_json | Serialization |
| regex | Banner pattern matching |
| indicatif | Progress bars |
| chrono | Timestamps |
| tracing | Structured logging |
| criterion | Benchmarking |