Modular offensive tooling for embedded targets, written in Rust and inspired by RouterSploit/Metasploit. One binary exposes the same module library through four interfaces β an interactive shell, a command-line runner, a post-quantum-encrypted REST/WebSocket API, and an MCP server β over an ever-growing library of exploits, scanners, and credential modules for routers, cameras, appliances, and general network services, with Recog service fingerprinting and JARM/JA3 TLS fingerprinting built in.
Latest release: see
RELEASE_NOTES.txtβ officialrmcpMCP SDK, Recog + JARM/JA3/JA3S fingerprinting, a SecLists wordlist catalog, per-run output auto-save, HTTP connection pooling, and mass-scan fixes.
Full documentation lives in the Rustsploit Wiki. Below is a quick index β click through for detailed guides, examples, and reference material.
| Document | Description |
|---|---|
| Getting Started | Installation, build, quick-start, Docker deployment |
| Interactive Shell | Shell walkthrough, command palette, chaining, shortcuts |
| CLI Reference | Command-line flags, non-shell usage, output formats |
| API Server | REST + WebSocket API, PQ encryption, endpoints, rate limiting |
| API Usage Examples | Practical curl workflows, request/response samples |
| Module Catalog | All modules by category β exploits, scanners, creds |
| Module Development | How to author new modules, lifecycle, dispatcher |
| Bad Patterns Catalogue | 133-regex grep matrix every module must pass β banned .unwrap, swallow, panic, blocking-IO, lossy casts, crypto, injection, etc. Re-runnable via scripts/audit-bad-patterns.sh |
| Bad Patterns Audit Report | Latest whole-tree snapshot β strict-mode result on the 100 authored modules (zero hits) and observational counts on the rest of the framework |
| Security & Validation | Input validation, security patterns, honeypot detection |
| Credential Modules Guide | Best practices for brute-force / cred modules |
| Exploit Modules Guide | Best practices for exploit modules |
| Utilities & Helpers | utils.rs public API, target normalization, honeypot check |
| Testing & QA | Build checks, smoke tests, wordlist validation |
| Changelog | Release notes and version history |
| Contributing | Fork guide, PR checklist, code style |
| Credits | Authors, acknowledgements, legal notice |
- Self-registering modules: modules register at compile time via the
inventorycrate β add the file, aregister_native_module!call, and apub mod <name>;line in the parentmod.rs; no build-script indexer - Interactive shell: 40+ commands with shortcuts, command chaining (
&), tab completion, and command history - Module metadata:
info()per module β CVE references, author, rank. The framework is exploitation-only: modules run an exploit and report findings (there is nocheck()/ non-destructive verification phase) - Global options (
setg): Persistent key-value settings that apply across all modules β like Metasploit's datastore - Credential store: Track discovered credentials across sessions with
credscommands and JSON persistence - Host/service tracking: Workspace-based engagement tracking with
hosts,services,notescommands - Loot management: Structured evidence collection with file storage and metadata indexing
- Resource scripts: Automate workflows from files, auto-load startup scripts, save command history with
makerc - Background jobs: Run modules asynchronously with
run -j, manage withjobscommands - Export/reporting: Export all engagement data to JSON, CSV, or human-readable summary reports
- Console logging & auto-save:
spoolcaptures all output to a file on demand; in addition, every console/CLI module run is auto-saved (append mode) to~/.rustsploit/loot/<module> <time> results.txtβ stdout and stderr both captured, multi-host sweeps accumulate into one per-run file - Comprehensive credential tooling: FTP(S), SSH, Telnet, POP3(S), SMTP, IMAP, RDP, RTSP, SNMP, L2TP, MQTT, VNC, MySQL, PostgreSQL, Redis, CouchDB, Elasticsearch, Memcached, HTTP Basic, Proxy, Fortinet β with IPv6 and TLS support
- Exploit coverage: CVEs for VNC (LibVNC, TigerVNC, TightVNC, x11vnc), honeypots (Cowrie, Dionaea, HoneyTrap, SNARE), WAFs (SafeLine), Apache Camel, Kubernetes ingress-nginx, Commvault, MISP, Zimbra, Next.js, Vite, and 100+ more
- Scanners & utilities: Port scanner, ping sweep, SSDP, HTTP title grabber, DNS recursion tester, directory bruteforcer, sequential fuzzer, proxy scanner, reflect scanner, vulnerability checker
- Service & TLS fingerprinting: Rapid7 Recog banner β product/version/CPE matching folded into service detection, plus Salesforce JARM + JA3/JA3S active TLS server fingerprinting (
scanners/jarm_scan) - Wordlist catalog: checksum-pinned SecLists wordlists fetched + SHA-256-verified on demand into
~/.rustsploit/wordlists/(utils::wordlist::resolve) - Performance: shared, cached HTTP client β TLS config + connection pool reused across runs instead of rebuilt per request, with a bounded idle timeout for internet-scale sweeps
- API server: PQ-encrypted WebSocket transport β post-quantum cryptography, full CRUD for credentials, hosts, services, loot, jobs
- MCP server: Model Context Protocol server on the official
rmcpSDK (v1.7) β 29 tools + 7 resources for AI-assisted pentesting via stdio - Plugin system: Third-party modules via
src/modules/plugins/with compile-timeinventoryself-registration and startup safety warnings - Security hardened: Input validation, path traversal protection, honeypot detection, root privilege checks, spool symlink protection, memory-safe operations
- IPv4/IPv6 ready: Both address families work out-of-the-box across all modules
One command (Debian/Ubuntu/Kali):
sudo apt update && sudo apt install -y build-essential pkg-config libssl-dev libdbus-1-dev cmake && (command -v cargo > /dev/null 2>&1 || (curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && . "$HOME/.cargo/env")) && git clone https://github.com/s-b-repo/rustsploit.git && cd rustsploit && cargo runcargo build --no-default-features
cargo run --no-default-features
cargo build --features bluetooth
cargo run --features bluetooth
What each dependency does
| Package | Required by | Why |
|---|---|---|
build-essential |
Native crate compilation | gcc, make, libc headers |
pkg-config |
native-tls, ssh2 |
Finds system libraries at build time |
libssl-dev |
native-tls, ssh2 |
OpenSSL headers for TLS and SSH |
libdbus-1-dev |
btleplug |
D-Bus IPC for Bluetooth scanning |
cmake |
ssh2 (libssh2-sys) |
Builds libssh2 from source |
For other distros (Arch, Gentoo, Fedora), Docker deployment, and one-liner installs, see Getting Started.
- New user? β Getting Started
- Writing a module? β Module Development
- Using the API? β API Server + API Usage Examples
- Running from CLI? β CLI Reference
- Full module list? β Module Catalog
The PQ-encrypted API is what external integrations and web panels talk to. Bind it to whichever interface you want β the bootstrap path is gated by a one-time enrollment token printed at startup, not by the bind address.
# Local-only (default, useful for development)
cargo run --release -- --api
# Reachable on a LAN
cargo run --release -- --api --interface 192.0.2.10:8080
# Reachable from anywhere (bind to all interfaces)
cargo run --release -- --api --interface 0.0.0.0:8080On startup the server prints something like:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
ENROLLMENT TOKEN (one-time, prints once): tWQ9sIz3kZGdHc4w7g8hPxJrAaPN1c0v
Bootstrap a client by POSTing its PQ public keys + this
token to POST /pq/register-key:
{ token, name, x25519_pub, mlkem_ek }
After first successful registration the token is consumed; further
key changes must go through the established PQ session.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Hand that token to whichever client you want to enroll. The client POSTs
its X25519 + ML-KEM-768 public keys to /pq/register-key over the
network β no shared filesystem required, client and server can be on
different hosts. The token is consumed on first use; restart the server
to issue a new one.
Endpoints exposed by --api:
| Path | Auth | Purpose |
|---|---|---|
GET /health |
none | Liveness |
POST /pq/handshake |
identity allowlist | PQXDH session establishment |
POST /pq/register-key |
enrollment token (one-time) | Bootstrap a new client identity |
GET /pq/ws |
PQ session | Bi-directional event/RPC channel |
ALL /api/* |
PQ session | REST surface (auto-generated from JSON-RPC dispatcher) |
The built-in proxy system has been removed in favor of system-level VPN solutions. We recommend Mullvad VPN for its no-registration, audited no-logs policy, WireGuard support, and excellent Linux CLI. Simply connect your VPN before running the tool β all traffic routes through the tunnel.
Contributions welcome! See the Contributing Guide for the full process. In short:
- Fork + branch from
main - Add your module under the appropriate category
- Run
cargo fmtandcargo checkbefore opening a PR
- Project Lead: s-b-repo
- Language: 100% Rust
- Inspired by: RouterSploit, Metasploit Framework, pwntools
β οΈ Rustsploit is intended for authorized security testing and research purposes only. Obtain explicit permission before targeting any system you do not own.
Support this project
If this tool saved you time, consider tossing $1 in Monero:
478Lb78LDscQ8ukEDTZqXgEtjoBX1jMuVGvgfy2RagxZZk89YuyVYsganfLUKnwggz8YiBxhG25yWWiHUppG9uarSiseseY
XMR β private, untraceable, appreciated.

