# []()
Naabu is a [port scanning]( “port scanning” ) tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner. It is a really simple tool that does fast SYN/CONNECT scans on the host/list of hosts and lists all ports that return a reply.
# Features
* Fast And Simple **SYN/CONNECT** probe based scanning
* Passive [Port Enumeration]( “Port Enumeration” ) using Shodan [Internetdb API]( “Internetdb API” )
* Optimized for ease of use and **lightweight** on resources
* **Automatic IP deduplication for port scan**
* **NMAP** integration for service discovery
* Multiple input support – **STDIN/HOST/IP/CIDR**
* Multiple output format support – **JSON/TXT/STDOUT**
# Usage
naabu -h
This will display help for the tool. Here are all the switches it supports.
open ports using shodan internetdb api OPTIMIZATION: -retries int number of retries for the port scan (default 3) -timeout int millisecond to wait before timing out (default 1000) -warm-up-time int time in seconds between scan phases (default 2) -ping ping probes for verification of host -verify validate the ports again with TCP verification DEBUG: -debug display debugging information -verbose, -v display verbose output -no-color, -nc disable colors in CLI output -silent display only results in output -version display version of naabu -stats display stats of the running scan -si, -stats-interval int number of seconds to wait between showing a statistics update (default 5)”>
Usage:
./naabu [flags]
INPUT:
-host string[] hosts to scan ports for (comma-separated)
-list, -l string list of hosts to scan ports (file)
-exclude-hosts, -eh string hosts to exclude from the scan (comma-separated)
-exclude-file, -ef string list of hosts to exclude from scan (file)
PORT:
-port, -p string ports to scan (80,443, 100-200
-top-ports, -tp string top ports to scan (default 100)
-exclude-ports, -ep string ports to exclude from scan (comma-separated)
-ports-file, -pf string list of ports to exclude from scan (file)
-exclude-cdn, -ec skip full port scans for CDN’s (only checks for 80,443)
RATE-LIMIT:
-c int general internal worker threads (default 25)
-rate int packets to send per second (d efault 1000)
OUTPUT:
-o, -output string file to write output to (optional)
-json write output in JSON lines format
-csv write output in csv format
CONFIGURATION:
-scan-all-ips, -sa scan all the IP’s associated with DNS record
-scan-type, -s string type of port scan (SYN/CONNECT) (default “s”)
-source-ip string source ip
-interface-list, -il list available interfaces and public ip
-interface, -i string network Interface to use for port scan
-nmap invoke nmap scan on targets (nmap must be installed) – Deprecated
-nmap-cli string nmap command to run on found results (-nmap-cli ‘nmap -sV’)
-r string list of custom resolver dns resolution (comma separated or from file)
-proxy string socks5 proxy
-resume resume scan using resume.cfg
-stream stream mode (disab les resume, nmap, verify, retries, shuffling, etc)
-passive display passive open ports using shodan internetdb api
OPTIMIZATION:
-retries int number of retries for the port scan (default 3)
-timeout int millisecond to wait before timing out (default 1000)
-warm-up-time int time in seconds between scan phases (default 2)
-ping ping probes for verification of host
-verify validate the ports again with TCP verification
DEBUG:
-debug display debugging information
-verbose, -v display verbose output
-no-color, -nc disable colors in CLI output
-silent display only results in output
-version display version of naabu
-stats display stats of the running scan
-si, -stats-interval int number of seconds to wait between showing a statistics u pdate (default 5)
# Installation Instructions
Download the ready to run [binary]( “binary” ) / [docker]( “docker” ) or install with GO
Before installing naabu, make sure to install `libpcap` library:
sudo apt install -y libpcap-dev
Installing Naabu:
go install -v github.com/projectdiscovery/naabu/v2/cmd/[email protected]
# Running Naabu
To run the tool on a target, just use the following command.
naabu -host hackerone.com
This will run the tool against hackerone.com. There are a number of configuration options that you can pass along with this command. The verbose switch `-v` can be used to display verbose information.
naabu -host hackerone.com
__
___ ___ ___ _/ / __ __
/ _ / _ / _ / _ / // /
/_//_/_,_/_,_/_.__/_,_/ v2.0.3
projectdiscovery.io
[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Running SYN scan with root privileges
[INF] Found 4 ports on host hackerone.com (104.16.100.52)
hackerone.com:80
hackerone.com:443
hackerone.com:8443
hackerone.com:8080
The ports to scan for on the host can be specified via `-p` parameter. It takes nmap format ports and runs [enumeration]( “enumeration” ) on them.
naabu -p 80,443,21-23 -host hackerone.com
By default, the Naabu checks for nmap’s `Top 100` ports. It supports following in-built port lists –
Flag | Description
—|—
`-top-ports 100` | Scan for nmap top **100** port
`-top-ports 1000` | Scan for nmap top **1000** port
`-p – ` | Scan for full ports from **1-65535**
You can also specify specific ports which you would like to exclude from the scan.
naabu -p – -exclude-ports 80,443
To run the naabu on a list of hosts, `-list` option can be used.
naabu -list hosts.txt
You can also get output in json format using `-json` switch. This switch saves the output in the JSON lines format.
naabu -host 104.16.99.52 -json
{“ip”:”104.16.99.52″,”port”:443}
{“ip”:”104.16.99.52″,”port”:80}
The ports discovered can be piped to other tools too. For example, you can pipe the ports discovered by naabu to [httpx]( “httpx” ) which will then find running http servers on the host.
echo hackerone.com | naabu -silent | httpx -silent
https://hackerone.com:8443
https://hackerone.com:443
https://hackerone.com:8080
https://hackerone.com:80
The speed can be controlled by changing the value of `rate` flag that represent the number of packets per second. Increasing it while processing hosts may lead to increased false-positive rates. So it is recommended to keep it to a reasonable amount.
# Configuration file
Naabu supports config file as default located at `$HOME/.config/naabu/config.yaml`, It allows you to define any flag in the config file and set default values to include for all scans.
# Nmap integration
We have integrated nmap support for [service discovery]( “service discovery” ) or any additional scans supported by nmap on the found results by Naabu, make sure you have `nmap` installed to use this feature.
To use,`nmap-cli` flag can be used followed by nmap command, for example:-
echo hackerone.com | naabu -nmap-cli ‘nmap -sV -oX nmap-output’
__
___ ___ ___ _/ / __ __
/ _ / _ / _ / _ / // /
/_//_/_,_/_,_/_.__/_,_/ v2.0.0
projectdiscovery.io
[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Running TCP/ICMP/SYN scan with root privileges
[INF] Found 4 ports on host hackerone.com (104.16.99.52)
hackerone.com:443
hackerone.com:80
hackerone.com:8443
hackerone.com:8080
[INF] Running nmap command: nmap -sV -p 80,8443,8080,443 104.16.99.52
Starting Nmap 7.01 ( https://nmap.org ) at 2020-09-23 05:02 UTC
Nmap scan report for 104.16.99.52
Host is up (0.0021s latency).
PORT STATE SERVICE VERSION
80/tcp open http cloudflare
443/tcp open ssl/ht tps cloudflare
8080/tcp open http-proxy cloudflare
8443/tcp open ssl/https-alt cloudflare
# CDN Exclusion
Naabu also supports excluding CDN IPs being port scanned. If used, only `80` and `443` ports get scanned for those IPs. This feature can be enabled by using `exclude-cdn` flag.
Currently `cloudflare`, `akamai`, `incapsula` and `sucuri` IPs are supported for exclusions.
#
?
Notes
* Naabu is designed to scan ports on multiple hosts / mass port scanning.
* As default naabu is configured with a assumption that you are running it from VPS.
* We suggest tuning the flags / rate if running naabu from local system.
* For best results, run naabu as **root** user.
`naabu` is made with
?
by the [projectdiscovery]( “projectdiscovery” ) team. Community contributions have made the project what it is. See the **[Thanks.md]( “Thanks.md” )** file for more details.
**[Download Naabu]( “Download Naabu” )**Read More
References
Back to Main
