Rustsploit

Originally this was a rewrite of RouterSploit rebuilt in Rust, but it has grown and started shaping into something more.

Modular offensive tooling for embedded targets, written in Rust and inspired by RouterSploit/Metasploit. Rustsploit ships an interactive shell, a command-line runner, and an ever-growing library of exploits, scanners, and credential modules for routers, cameras, appliances, and general network services.


Table of Contents

  1. Highlights
  2. Module Catalog
  3. Quick Start
  4. Docker Deployment
  5. Interactive Shell Walkthrough
  6. CLI Usage
  7. API Server Mode
  8. How Modules Are Discovered
  9. Contributing
  10. Credits

Highlights

  • Auto-discovered modules: build.rs indexes src/modules/** so new code drops in without manual registration

  • Interactive shell with color and shortcuts: Quick command palette, target/module state tracking, alias commands (help/?, modules/m, run/go, etc.)

  • Comprehensive credential tooling: FTP(S), SSH, Telnet, POP3(S), SMTP, RDP, RTSP, SNMP, L2TP, MQTT, Fortinet brute force modules with IPv6 and TLS support where applicable

  • Enhanced Telnet module: Full IAC (Interpret As Command) negotiation, advanced error classification, verbose quick-check mode, robust buffer handling

  • Improved RDP module: Streaming failover for large password files (>150MB), comprehensive error classification, multiple security level support (NLA/TLS/RDP/Negotiate/Auto)

  • L2TP/IPsec Bruteforce: Multi-platform support (strongswan, xl2tpd, NetworkManager, rasdial, networksetup), proper IPsec Phase 1/2 handling

  • Framework-level honeypot detection: Automatic detection before scans using 200 common ports (warns if 11+ ports open)

  • Advanced target normalization: Supports IPv4, IPv6, hostnames, URLs, CIDR notation with comprehensive validation

  • Exploit coverage: GNU inetutils-telnetd Auth Bypass (CVE-2026-24061), Apache Tomcat, Abus security cameras, Ivanti Connect Secure, TP-Link, Zabbix, Avtech cameras, Spotube, OpenSSH race condition, and more

  • Scanners & utilities: Port scanner, ping sweep, SSDP discovery, HTTP title grabber, DNS recursion tester, HTTP method scanner, StalkRoute traceroute (root), Directory Bruteforcer, Sequential Fuzzer

  • Payload generation: Batch malware dropper (narutto_dropper), BAT payload generator, custom credential checkers

  • Readable output: Colored prompts, structured status messages, optional verbose logs and result persistence

  • REST API Server: Launch a secure API server with authentication, rate limiting, IP tracking, and dynamic key rotation

  • Security hardened: Comprehensive input validation, path traversal protection, length limits, and memory-safe operations throughout

  • Honeypot detection: Framework-level automatic detection before module execution to warn about potentially deceptive targets

  • Enhanced target handling: Advanced normalization supporting IPv4, IPv6 (with brackets), hostnames, URLs, CIDR notation, and port extraction

  • IP exclusion ranges (EXCLUDED_RANGES): Camxploit, Telnet bruteforce, and exploit modules now skip bogon, private, reserved, documentation, and public DNS IPs during mass scans

  • DoS / Stress testing suite: Connection Exhaustion Flood (semaphore-bounded FDs), Null SYN Exhaustion (>1M PPS, IP spoofing), TCP Connection Flood (connect & drop, infinite mode)


🚀 New Features:

  • CLI Error Handling - Added proper warning messages for invalid flag combinations:
    • ⚠ Warning when -m is used without -t (suggests proper usage)
    • ℹ Note when -t is used without -m (target available in shell)
    • Error when --harden is used without --api
    • Helpful usage hints printed for common mistakes
  • Improved CLI Experience - Added --list-modules to browse tools without entering the shell, and --verbose for detailed operation logs. Fuzzy matching now suggests corrections for typos (e.g., sample_xploit -> sample_exploit).
  • Colored CLI output - Warnings in yellow, hints in cyan, success in green

Documentation:

  • Updated developer guide with v0.4.6 changes
  • Added CLI error handling examples

Rustsploit ships categorized modules under src/modules/, automatically exposed to the shell/CLI. A non-exhaustive snapshot:

| Category | Highlights |
|----------|------------|
| creds/generic | FTP anonymous & FTPS brute force (5 operation modes, JSON config), SSH brute force, SSH user enumeration (timing attack), SSH password spray, Telnet brute force (with IAC negotiation), POP3(S) brute force, SMTP brute force, RTSP brute force (path + header bruting), RDP auth-only brute (streaming mode, multiple security levels), MQTT brute force, SNMP community string brute force, L2TP/IPsec brute force (multi-platform), Fortinet SSL VPN brute force |
| creds/camxploit | Camxploit camera scanner with masscan-style parallel scanning, EXCLUDED_RANGES (bogons/private/reserved/DNS), port-based service filtering (ignores SSH/Telnet/RDP-only hosts), output file support |
| exploits/dos | Connection Exhaustion Flood (FD-bounded semaphore, connect & drop), Null SYN Exhaustion (raw packet, IP spoofing, XorShift128+ RNG, >1M PPS), TCP Connection Flood (pre-resolved DNS, high-concurrency handshake stress) |
| exploits/* | GNU inetutils-telnetd Auth Bypass (CVE-2026-24061), Apache Tomcat (CVE-2025-24813 RCE, CatKiller CVE-2025-31650), TP-Link VN020 / WR740N DoS, TP-Link Tapo C200 CVE-2021-4045, Abus camera CVE-2023-26609 variants, Ivanti Connect Secure stack buffer overflow, Zabbix 7.0.0 SQLi, Avtech CVE-2024-7029, Spotube zero-day, OpenSSH 9.8p1 race condition, Uniview password disclosure, ACTi camera RCE, Flowise CVE-2025-59528 RCE, HTTP/2 Rapid Reset DoS, Jenkins LFI, PAN-OS Auth Bypass, Heartbleed, React2Shell CVE-2025-55182, SSHPWN Framework (SFTP symlink/setuid/traversal, SCP injection/DoS, Session env injection) |
| scanners | Port scanner (TCP/UDP/SYN/ACK), ping sweep (ICMP/TCP/UDP/SYN/ACK), SSDP M-SEARCH enumerator, HTTP title fetcher, HTTP method scanner, DNS recursion/amplification tester, StalkRoute traceroute (firewall evasion), SSH scanner (banner grabbing, CIDR support), Directory Bruteforcer (recursive, extensions), Sequential Fuzzer (multi-encoding, custom charsets) |
| payloadgens | narutto_dropper, BAT payload generator |
| lists | RTSP wordlists, telnet default credentials, and helper files |

Run modules or find <keyword> in the shell for the authoritative list.


Quick Start

Requirements

Debian/Ubuntu/Kali:

sudo apt update
sudo apt install pkg-config libssl-dev freerdp2-x11 libdbus-1-dev    # Required for RDP and Bluetooth modules

Arch Linux:

sudo pacman -S pkgconf openssl freerdp

Gentoo:

sudo emerge dev-libs/openssl dev-util/pkgconf net-misc/freerdp

Fedora/RHEL:

sudo dnf install pkgconf-pkg-config openssl-devel freerdp

Installing Rust & Cargo

General (Recommended for all Linux/macOS):

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source "$HOME/.cargo/env"

Debian/Ubuntu/Kali:

sudo apt install rustc cargo

Arch Linux:

sudo pacman -S rust

Fedora/RHEL:

sudo dnf install rust cargo

Clone + Build

git clone https://github.com/s-b-repo/rustsploit.git
cd rustsploit
cargo build

Run (Interactive Shell)

cargo run

Global Installation (Run from Terminal)

To run rustsploit from anywhere in your terminal:

Option 1: Cargo Install (Easiest)

cargo install --path .
rustsploit

Option 2: Manually Build Release Binary

# 1. Build optimized release version
cargo build --release

# 2. Move binary to your path (e.g., /usr/local/bin)
sudo cp target/release/rustsploit /usr/local/bin/

# 3. Run from anywhere
rustsploit

Docker Deployment

Rustsploit ships with a standalone provisioning script that builds and launches the API inside Docker (mirroring the multi-stage workflow used in vxcontrol/pentagi).

Requirements

  • Docker Engine 24+ (or Docker Desktop)
  • Docker Compose plugin (docker compose) or legacy docker-compose
  • Python 3.8+

Interactive Setup

python3 scripts/setup_docker.py

The helper will:

  1. Confirm you are in the repository root (Cargo.toml present).
  2. Ask how the API should bind (127.0.0.1, 0.0.0.0, detected LAN IP, or custom host:port).
  3. Let you enter or auto-generate an API key (printable ASCII, 128 chars max).
  4. Toggle hardening mode and tune the IP limit if desired.
  5. Generate:
    • docker/Dockerfile.api (build + serve stages)
    • docker/entrypoint.sh (passes CLI flags / hardening state)
    • .env.rustsploit-docker (API key, bind address, hardening settings)
    • docker-compose.rustsploit.yml
  6. Optionally run docker compose up -d --build with BuildKit enabled.

Existing files are never overwritten without confirmation (use --force for scripted deployments).
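
A preflight check for the choices the helper asks about (bind address, API key, hardening mode), added here as an example; it is not code from scripts/setup_docker.py. The function names, the key alphabet and the warning texts are assumptions; only the "printable ASCII, 128 chars max" rule and the bind options come from the list above.

```python
import ipaddress
import secrets
import string

MAX_KEY_LEN = 128  # limit stated in the README
# Assumption: any printable-ASCII subset is acceptable; this one is URL- and shell-safe.
KEY_ALPHABET = string.ascii_letters + string.digits + "-_"

def generate_api_key(length=64):
    """Return a random key drawn from the OS CSPRNG, within the 128-char limit."""
    if not 1 <= length <= MAX_KEY_LEN:
        raise ValueError("key length must be between 1 and 128")
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))

def key_problems(key):
    """List the ways a key breaks the 'printable ASCII, 128 chars max' rule."""
    problems = []
    if not key:
        problems.append("empty key")
    if len(key) > MAX_KEY_LEN:
        problems.append("longer than 128 characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in key):
        problems.append("contains non-printable or non-ASCII characters")
    return problems

def bind_exposure(bind):
    """Classify a host:port string as 'loopback', 'all-interfaces' or 'network'."""
    host, sep, port = bind.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"expected host:port, got {bind!r}")
    host = host.strip("[]")  # accept bracketed IPv6 such as [::1]:8443
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a hostname, not an IP literal
        return "loopback" if host == "localhost" else "network"
    if addr.is_loopback:
        return "loopback"
    return "all-interfaces" if addr.is_unspecified else "network"

def preflight(bind, key, hardening):
    """Collect warnings for a planned deployment before any file is generated."""
    warnings = key_problems(key)
    exposure = bind_exposure(bind)
    if exposure != "loopback" and not hardening:
        warnings.append(f"{exposure} bind without hardening mode")
    if exposure == "all-interfaces":
        warnings.append("API reachable on every interface; restrict with a firewall")
    return warnings
```

An empty list from `preflight` means none of these checks fired; a 0.0.0.0 bind always yields at least the interface warning, even with hardening enabled.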

Non-Interactive / CI Usage

All prompts have CLI equivalents:

python3 scripts/setup_docker.py \
 --bind 0.0.0.0:8443 \
 --generate-key \
 --enable-hardening \
 --ip-limit 5 \
 --skip-up \
 --force \
 --non-interactive

This produces the D

Security Score: 95/100. Audited on Mar 24, 2026. No findings.