Naabu – A Fast Port Scanner Written In Go With A Focus On Reliability And Simplicity
Discription

# [![](https://blogger.googleusercontent.com/img/a/AVvXsEhYAxUjncicFucyO7_c-yjmZLs9bYs6A_ptamrwGroFQDYTdtX_T7bpPq2JCIiL_QA_iId-h6qmq4-OrNWTIpFaNsXT9pCrfAasXK0R2q92zdZO2JErgXfuwroResuMNTeTTMlyaZZsw171tgReqkm3qd-WHAYT7fWRFFxdObzkj0HxK2kOaT3NwgLC=w640-h288)%5D()

Naabu is a [port scanning]( “port scanning” ) tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner. It is a really simple tool that does fast SYN/CONNECT scans on the host/list of hosts and lists all ports that return a reply.

# Features

* Fast And Simple **SYN/CONNECT** probe based scanning
* Passive [Port Enumeration]( “Port Enumeration” ) using Shodan [Internetdb API]( “Internetdb API” )
* Optimized for ease of use and **lightweight** on resources
* **Automatic IP deduplication for port scan**
* **NMAP** integration for service discovery
* Multiple input support – **STDIN/HOST/IP/CIDR**
* Multiple output format support – **JSON/TXT/STDOUT**

# Usage

naabu -h

This will display help for the tool. Here are all the switches it supports.

open ports using shodan internetdb api OPTIMIZATION: -retries int number of retries for the port scan (default 3) -timeout int millisecond to wait before timing out (default 1000) -warm-up-time int time in seconds between scan phases (default 2) -ping ping probes for verification of host -verify validate the ports again with TCP verification DEBUG: -debug display debugging information -verbose, -v display verbose output -no-color, -nc disable colors in CLI output -silent display only results in output -version display version of naabu -stats display stats of the running scan -si, -stats-interval int number of seconds to wait between showing a statistics update (default 5)”>

Usage:
./naabu [flags]

INPUT:
-host string[] hosts to scan ports for (comma-separated)
-list, -l string list of hosts to scan ports (file)
-exclude-hosts, -eh string hosts to exclude from the scan (comma-separated)
-exclude-file, -ef string list of hosts to exclude from scan (file)

PORT:
-port, -p string ports to scan (80,443, 100-200
-top-ports, -tp string top ports to scan (default 100)
-exclude-ports, -ep string ports to exclude from scan (comma-separated)
-ports-file, -pf string list of ports to exclude from scan (file)
-exclude-cdn, -ec skip full port scans for CDN’s (only checks for 80,443)

RATE-LIMIT:
-c int general internal worker threads (default 25)
-rate int packets to send per second (d efault 1000)

OUTPUT:
-o, -output string file to write output to (optional)
-json write output in JSON lines format
-csv write output in csv format

CONFIGURATION:
-scan-all-ips, -sa scan all the IP’s associated with DNS record
-scan-type, -s string type of port scan (SYN/CONNECT) (default “s”)
-source-ip string source ip
-interface-list, -il list available interfaces and public ip
-interface, -i string network Interface to use for port scan
-nmap invoke nmap scan on targets (nmap must be installed) – Deprecated
-nmap-cli string nmap command to run on found results (-nmap-cli ‘nmap -sV’)
-r string list of custom resolver dns resolution (comma separated or from file)
-proxy string socks5 proxy
-resume resume scan using resume.cfg
-stream stream mode (disab les resume, nmap, verify, retries, shuffling, etc)
-passive display passive open ports using shodan internetdb api

OPTIMIZATION:
-retries int number of retries for the port scan (default 3)
-timeout int millisecond to wait before timing out (default 1000)
-warm-up-time int time in seconds between scan phases (default 2)
-ping ping probes for verification of host
-verify validate the ports again with TCP verification

DEBUG:
-debug display debugging information
-verbose, -v display verbose output
-no-color, -nc disable colors in CLI output
-silent display only results in output
-version display version of naabu
-stats display stats of the running scan
-si, -stats-interval int number of seconds to wait between showing a statistics u pdate (default 5)

# Installation Instructions

Download the ready to run [binary]( “binary” ) / [docker]( “docker” ) or install with GO

Before installing naabu, make sure to install `libpcap` library:

sudo apt install -y libpcap-dev

Installing Naabu:

go install -v github.com/projectdiscovery/naabu/v2/cmd/[email protected]

# Running Naabu

To run the tool on a target, just use the following command.

naabu -host hackerone.com

This will run the tool against hackerone.com. There are a number of configuration options that you can pass along with this command. The verbose switch `-v` can be used to display verbose information.

naabu -host hackerone.com

__
___ ___ ___ _/ / __ __
/ _ / _ / _ / _ / // /
/_//_/_,_/_,_/_.__/_,_/ v2.0.3

projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Running SYN scan with root privileges
[INF] Found 4 ports on host hackerone.com (104.16.100.52)

hackerone.com:80
hackerone.com:443
hackerone.com:8443
hackerone.com:8080

The ports to scan for on the host can be specified via `-p` parameter. It takes nmap format ports and runs [enumeration]( “enumeration” ) on them.

naabu -p 80,443,21-23 -host hackerone.com

By default, the Naabu checks for nmap’s `Top 100` ports. It supports following in-built port lists –

Flag | Description
—|—
`-top-ports 100` | Scan for nmap top **100** port
`-top-ports 1000` | Scan for nmap top **1000** port
`-p – ` | Scan for full ports from **1-65535**

You can also specify specific ports which you would like to exclude from the scan.

naabu -p – -exclude-ports 80,443

To run the naabu on a list of hosts, `-list` option can be used.

naabu -list hosts.txt

You can also get output in json format using `-json` switch. This switch saves the output in the JSON lines format.

naabu -host 104.16.99.52 -json

{“ip”:”104.16.99.52″,”port”:443}
{“ip”:”104.16.99.52″,”port”:80}

The ports discovered can be piped to other tools too. For example, you can pipe the ports discovered by naabu to [httpx]( “httpx” ) which will then find running http servers on the host.

echo hackerone.com | naabu -silent | httpx -silent

http://hackerone.com:8443
http://hackerone.com:443
http://hackerone.com:8080
http://hackerone.com:80

The speed can be controlled by changing the value of `rate` flag that represent the number of packets per second. Increasing it while processing hosts may lead to increased false-positive rates. So it is recommended to keep it to a reasonable amount.

# Configuration file

Naabu supports config file as default located at `$HOME/.config/naabu/config.yaml`, It allows you to define any flag in the config file and set default values to include for all scans.

# Nmap integration

We have integrated nmap support for [service discovery]( “service discovery” ) or any additional scans supported by nmap on the found results by Naabu, make sure you have `nmap` installed to use this feature.

To use,`nmap-cli` flag can be used followed by nmap command, for example:-

echo hackerone.com | naabu -nmap-cli ‘nmap -sV -oX nmap-output’
__
___ ___ ___ _/ / __ __
/ _ / _ / _ / _ / // /
/_//_/_,_/_,_/_.__/_,_/ v2.0.0

projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Running TCP/ICMP/SYN scan with root privileges
[INF] Found 4 ports on host hackerone.com (104.16.99.52)

hackerone.com:443
hackerone.com:80
hackerone.com:8443
hackerone.com:8080

[INF] Running nmap command: nmap -sV -p 80,8443,8080,443 104.16.99.52

Starting Nmap 7.01 ( https://nmap.org ) at 2020-09-23 05:02 UTC
Nmap scan report for 104.16.99.52
Host is up (0.0021s latency).
PORT STATE SERVICE VERSION
80/tcp open http cloudflare
443/tcp open ssl/ht tps cloudflare
8080/tcp open http-proxy cloudflare
8443/tcp open ssl/https-alt cloudflare

# CDN Exclusion

Naabu also supports excluding CDN IPs being port scanned. If used, only `80` and `443` ports get scanned for those IPs. This feature can be enabled by using `exclude-cdn` flag.

Currently `cloudflare`, `akamai`, `incapsula` and `sucuri` IPs are supported for exclusions.

#

Notes

* Naabu is designed to scan ports on multiple hosts / mass port scanning.
* As default naabu is configured with a assumption that you are running it from VPS.
* We suggest tuning the flags / rate if running naabu from local system.
* For best results, run naabu as **root** user.

`naabu` is made with

by the [projectdiscovery]( “projectdiscovery” ) team. Community contributions have made the project what it is. See the **[Thanks.md]( “Thanks.md” )** file for more details.

**[Download Naabu]( “Download Naabu” )**Read More

Back to Main

Subscribe for the latest news: