Naabu Port Scanner Cheat Sheet

Overview

Naabu is a fast port scanner written in Go by Project Discovery. It's designed with a focus on reliability and simplicity, making it an excellent tool for attack surface discovery. Naabu can scan thousands of hosts and ports in minutes, providing a quick way to identify open ports and potential entry points into target systems.

What sets Naabu apart from other port scanners is its integration capabilities with other security tools. It's designed to be used in combination with tools like httpx, nuclei, and other Project Discovery tools to create powerful security testing workflows. Naabu supports various scanning techniques, including SYN, CONNECT, and UDP scans, and can be customized to fit different scanning requirements.

Naabu is commonly used in the reconnaissance phase of security assessments and bug bounty hunting to identify open ports that could potentially host vulnerable services. Its speed and accuracy make it a valuable tool for security professionals who need to quickly map the attack surface of target organizations.

Installation

Using Go

# Install using Go (requires Go 1.20 or later)
go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest

# Verify installation
naabu -version

Using Docker

# Pull the latest Docker image
docker pull projectdiscovery/naabu:latest

# Run Naabu using Docker
docker run -it projectdiscovery/naabu:latest -h

Using Homebrew (macOS)

# Install using Homebrew
brew install naabu

# Verify installation
naabu -version

Using PDTM (Project Discovery Tools Manager)

# Install PDTM first if not already installed
go install -v github.com/projectdiscovery/pdtm/cmd/pdtm@latest

# Install Naabu using PDTM
pdtm -i naabu

# Verify installation
naabu -version

On Kali Linux

# Install using apt
sudo apt install naabu

# Verify installation
naabu -version

Basic Usage

Scanning Hosts

# Scan a single host (default: top 100 ports)
naabu -host example.com

# Scan multiple hosts
naabu -host example.com,hackerone.com

# Scan from a list of hosts
naabu -list hosts.txt

# Scan from STDIN
cat hosts.txt | naabu

Port Selection

# Scan specific ports
naabu -host example.com -p 80,443,8080,8443

# Scan port ranges
naabu -host example.com -p 1-1000

# Scan top ports
naabu -host example.com -top-ports 100

# Scan all ports
naabu -host example.com -p -

Output Options

# Save results to a file
naabu -host example.com -o results.txt

# Output in JSON format
naabu -host example.com -json -o results.json

# Output in CSV format
naabu -host example.com -csv -o results.csv

# Silent mode (only host:port)
naabu -host example.com -silent

Advanced Usage

Scan Types

# SYN scan (default, requires root/sudo)
sudo naabu -host example.com -scan-type s

# CONNECT scan (no root required)
naabu -host example.com -scan-type c

# UDP scan (requires root/sudo)
sudo naabu -host example.com -scan-type u

Host Discovery

# Ping scan for host discovery
naabu -host 192.168.1.0/24 -ping

# Skip host discovery
naabu -host 192.168.1.0/24 -skip-host-discovery

Network Options

# Set source IP
sudo naabu -host example.com -source-ip 192.168.1.2

# Set source port
sudo naabu -host example.com -source-port 53

# Set interface
sudo naabu -host example.com -interface eth0

Scan Optimization

# Set timeout (milliseconds)
naabu -host example.com -timeout 1000

# Set retries
naabu -host example.com -retries 3

# Set rate limit (packets per second)
naabu -host example.com -rate 1000

Performance Optimization

Concurrency and Rate Limiting

# Set host concurrency (default: 25)
naabu -host example.com -c 50

# Set port concurrency (default: 25)
naabu -host example.com -port-concurrency 50

# Set rate limit
naabu -host example.com -rate 1000

Timeout Options

# Set timeout for port scans (milliseconds)
naabu -host example.com -timeout 1000

# Set timeout for host discovery (milliseconds)
naabu -host example.com -ping-timeout 1000

Optimization for Large Scans

# Use warm-up for large scans
naabu -host example.com -warm-up-time 2

# Increase concurrency for faster scanning
naabu -host example.com -c 100 -port-concurrency 100

Integration with Other Tools

Pipeline with Subfinder

# Find subdomains and scan for open ports
subfinder -d example.com -silent | naabu -silent

# Find subdomains, scan for open ports, and probe for HTTP services
subfinder -d example.com -silent | naabu -silent | httpx -silent

Pipeline with HTTPX

# Scan for open ports and probe for HTTP services
naabu -host example.com -silent | httpx -silent

# Scan for specific ports and probe for HTTP services
naabu -host example.com -p 80,443,8080,8443 -silent | httpx -silent

Pipeline with Nuclei

# Scan for open ports, probe for HTTP services, and scan for vulnerabilities
naabu -host example.com -silent | httpx -silent | nuclei -t cves/

# Scan for specific ports and scan for vulnerabilities
naabu -host example.com -p 80,443,8080,8443 -silent | httpx -silent | nuclei -t cves/

Output Customization

Custom Output Format

# Output only host:port
naabu -host example.com -silent

# Output with additional information
naabu -host example.com -v

# Count open ports
naabu -host example.com -silent | wc -l

# Sort output by port
naabu -host example.com -silent | sort -t: -k2 -n

Filtering Output

# Filter by port
naabu -host example.com -silent | grep ":80$"

# Filter by host
naabu -list hosts.txt -silent | grep "example.com"

# Find unique ports
naabu -list hosts.txt -silent | cut -d: -f2 | sort -u

Advanced Filtering

Port Filtering

# Exclude specific ports
naabu -host example.com -exclude-ports 80,443

# Scan only common web ports
naabu -host example.com -p 80,81,443,591,2082,2087,2095,2096,3000,8000,8001,8008,8080,8083,8443,8834,8888

Host Filtering

# Exclude specific hosts
naabu -list hosts.txt -exclude-hosts excluded-hosts.txt

# Scan only specific CIDR ranges
naabu -host 192.168.1.0/24,10.0.0.0/24

Service Detection

# Enable service detection
naabu -host example.com -s

# Enable service detection with version
naabu -host example.com -sv

Proxy and Network Options

# Use SOCKS5 proxy
naabu -host example.com -proxy socks5://127.0.0.1:1080

# Use HTTP proxy
naabu -host example.com -proxy http://127.0.0.1:8080

# Set DNS resolvers
naabu -host example.com -resolvers 1.1.1.1,8.8.8.8

Nmap Integration

# Enable Nmap integration
naabu -host example.com -nmap

# Pass additional Nmap flags
naabu -host example.com -nmap -nmap-flags "-sV -A"

# Use Nmap for service detection
naabu -host example.com -nmap-cli "nmap -sV"

Miscellaneous Features

CDN/WAF Detection

# Skip CDN/WAF IPs
naabu -host example.com -exclude-cdn

IP Version Selection

# Scan using IPv4
naabu -host example.com -ip-version 4

# Scan using IPv6
naabu -host example.com -ip-version 6

Passive Port Enumeration

# Enable passive port enumeration
naabu -host example.com -passive

Troubleshooting

Common Issues

1. Permission Issues

   # Use sudo for SYN and UDP scans
   sudo naabu -host example.com -scan-type s
   
   # Use CONNECT scan if you don't have root privileges
   naabu -host example.com -scan-type c

2. Rate Limiting by Target

   # Reduce rate limit
   naabu -host example.com -rate 100
   
   # Increase timeout
   naabu -host example.com -timeout 2000

3. False Negatives

   # Increase retries
   naabu -host example.com -retries 5
   
   # Use multiple scan types
   naabu -host example.com -scan-type s,c

4. Firewall/IDS Detection

   # Use slower scan rate
   naabu -host example.com -rate 50
   
   # Use random port order
   naabu -host example.com -scan-random-port

Debugging

# Enable verbose mode
naabu -host example.com -v

# Show debug information
naabu -host example.com -debug

# Show only open ports
naabu -host example.com -silent

Configuration

Configuration File

Naabu uses a configuration file located at $HOME/.config/naabu/config.yaml. You can customize various settings in this file:

# Example configuration file
concurrency: 25
port-concurrency: 25
rate: 1000
timeout: 1000
retries: 3
verify: false
scan-type: s
ports: "80,443,8080,8443"

Environment Variables

# Set Naabu configuration via environment variables
export NAABU_CONCURRENCY=25
export NAABU_PORT_CONCURRENCY=25
export NAABU_RATE=1000
export NAABU_TIMEOUT=1000
export NAABU_RETRIES=3

Reference

Command Line Options

Flag	Description
-host	Target host(s) to scan
-list, -l	File containing list of hosts to scan
-p, -port	Ports to scan (comma-separated, range, or - for all)
-top-ports	Top ports to scan (default: 100)
-exclude-ports	Ports to exclude from scan
-o, -output	File to write output to
-json	Write output in JSON format
-csv	Write output in CSV format
-silent	Show only host:port in output
-v, -verbose	Show verbose output
-scan-type	Type of scan to perform (s=SYN, c=CONNECT, u=UDP)
-ping	Use ping for host discovery
-skip-host-discovery	Skip host discovery
-source-ip	Source IP to use for scanning
-interface	Network interface to use
-rate	Rate of packet sending (packets per second)
-timeout	Timeout in milliseconds
-retries	Number of retries for failed requests
-c, -concurrency	Number of concurrent hosts to scan
-port-concurrency	Number of concurrent ports to scan
-warm-up-time	Time in seconds to wait before scanning
-s	Enable service detection
-sv	Enable service detection with version
-nmap	Enable Nmap integration
-nmap-flags	Additional Nmap flags
-exclude-cdn	Skip CDN/WAF IPs
-proxy	HTTP/SOCKS5 proxy to use
-resolvers	DNS resolvers to use
-ip-version	IP version to use (4, 6, or both)
-passive	Enable passive port enumeration
-version	Show Naabu version

Port Lists

Option	Description
top-10	Top 10 most common ports
top-100	Top 100 most common ports
top-1000	Top 1000 most common ports
full	All 65535 ports
80,443,8080	Custom port list
1-1000	Port range
-	All ports (1-65535)

Scan Types

Type	Description	Root Required
s	SYN scan	Yes
c	CONNECT scan	No
u	UDP scan	Yes

Resources

• Official Documentation
• GitHub Repository
• Project Discovery Discord

---

This cheat sheet provides a comprehensive reference for using Naabu, from basic port scanning to advanced techniques and integration with other tools. For the most up-to-date information, always refer to the official documentation.