Modular offensive tooling for embedded targets, written in Rust and inspired by RouterSploit/Metasploit. Rustsploit ships an interactive shell, a command-line runner, and an ever-growing library of exploits, scanners, and credential modules for routers, cameras, appliances, and general network services.
Full documentation lives in the Rustsploit Wiki. Below is a quick index — click through for detailed guides, examples, and reference material.
| Document | Description |
|---|---|
| Getting Started | Installation, build, quick-start, Docker deployment |
| Interactive Shell | Shell walkthrough, command palette, chaining, shortcuts |
| CLI Reference | Command-line flags, non-shell usage, output formats |
| API Server | REST + WebSocket API, PQ encryption, endpoints, rate limiting |
| API Usage Examples | Practical curl workflows, request/response samples |
| Module Catalog | All modules by category — exploits, scanners, creds |
| Module Development | How to author new modules, lifecycle, dispatcher |
| Security & Validation | Input validation, security patterns, honeypot detection |
| Credential Modules Guide | Best practices for brute-force / cred modules |
| Exploit Modules Guide | Best practices for exploit modules |
| Utilities & Helpers | utils.rs public API, target normalization, honeypot check |
| Testing & QA | Build checks, smoke tests, wordlist validation |
| Changelog | Release notes and version history |
| Contributing | Fork guide, PR checklist, code style |
| Credits | Authors, acknowledgements, legal notice |
- Auto-discovered modules:
build.rsindexessrc/modules/**— drop in new code, no manual registration needed - Interactive shell: 40+ commands with shortcuts, command chaining (
&), tab completion, and command history - Module metadata: Optional
info()andcheck()functions per module — CVE references, author, rank, non-destructive vulnerability verification - Global options (
setg): Persistent key-value settings that apply across all modules — like Metasploit's datastore - Credential store: Track discovered credentials across sessions with
credscommands and JSON persistence - Host/service tracking: Workspace-based engagement tracking with
hosts,services,notescommands - Loot management: Structured evidence collection with file storage and metadata indexing
- Resource scripts: Automate workflows from files, auto-load startup scripts, save command history with
makerc - Background jobs: Run modules asynchronously with
run -j, manage withjobscommands - Export/reporting: Export all engagement data to JSON, CSV, or human-readable summary reports
- Console logging:
spoolcommand captures all output to file for documentation - Comprehensive credential tooling: FTP(S), SSH, Telnet, POP3(S), SMTP, IMAP, RDP, RTSP, SNMP, L2TP, MQTT, VNC, MySQL, PostgreSQL, Redis, CouchDB, Elasticsearch, Memcached, HTTP Basic, Proxy, Fortinet — with IPv6 and TLS support
- Exploit coverage: CVEs for VNC (LibVNC, TigerVNC, TightVNC, x11vnc), honeypots (Cowrie, Dionaea, HoneyTrap, SNARE), WAFs (SafeLine), Apache Camel, Kubernetes ingress-nginx, Commvault, MISP, Zimbra, Next.js, Vite, and 100+ more
- Scanners & utilities: Port scanner, ping sweep, SSDP, HTTP title grabber, DNS recursion tester, directory bruteforcer, sequential fuzzer, proxy scanner, reflect scanner, vulnerability checker
- API server: PQ-encrypted WebSocket transport — post-quantum cryptography, full CRUD for credentials, hosts, services, loot, jobs
- MCP server: 38-tool Model Context Protocol server for AI-assisted pentesting via stdio
- Plugin system: Third-party modules via
src/modules/plugins/with build-time discovery and startup safety warnings - Security hardened: Input validation, path traversal protection, honeypot detection, root privilege checks, spool symlink protection, memory-safe operations
- IPv4/IPv6 ready: Both address families work out-of-the-box across all modules
One command (Debian/Ubuntu/Kali):
sudo apt update && sudo apt install -y build-essential pkg-config libssl-dev libdbus-1-dev cmake && (command -v cargo > /dev/null 2>&1 || (curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && . "$HOME/.cargo/env")) && git clone https://github.com/s-b-repo/rustsploit.git && cd rustsploit && cargo runcargo build --no-default-features
cargo run --no-default-features
cargo build --features bluetooth
cargo run --features bluetooth
What each dependency does
| Package | Required by | Why |
|---|---|---|
build-essential |
Native crate compilation | gcc, make, libc headers |
pkg-config |
native-tls, ssh2 |
Finds system libraries at build time |
libssl-dev |
native-tls, ssh2 |
OpenSSL headers for TLS and SSH |
libdbus-1-dev |
btleplug |
D-Bus IPC for Bluetooth scanning |
cmake |
ssh2 (libssh2-sys) |
Builds libssh2 from source |
For other distros (Arch, Gentoo, Fedora), Docker deployment, and one-liner installs, see Getting Started.
- New user? → Getting Started
- Writing a module? → Module Development
- Using the API? → API Server + API Usage Examples
- Running from CLI? → CLI Reference
- Full module list? → Module Catalog
The built-in proxy system has been removed in favor of system-level VPN solutions. We recommend Mullvad VPN for its no-registration, audited no-logs policy, WireGuard support, and excellent Linux CLI. Simply connect your VPN before running the tool — all traffic routes through the tunnel.
Contributions welcome! See the Contributing Guide for the full process. In short:
- Fork + branch from
main - Add your module under the appropriate category
- Run
cargo fmtandcargo checkbefore opening a PR
- Project Lead: s-b-repo
- Language: 100% Rust
- Inspired by: RouterSploit, Metasploit Framework, pwntools
⚠️ Rustsploit is intended for authorized security testing and research purposes only. Obtain explicit permission before targeting any system you do not own.
Support this project
If this tool saved you time, consider tossing $1 in Monero:
478Lb78LDscQ8ukEDTZqXgEtjoBX1jMuVGvgfy2RagxZZk89YuyVYsganfLUKnwggz8YiBxhG25yWWiHUppG9uarSiseseY
XMR — private, untraceable, appreciated.