コンテンツにスキップ

Naabu Port Scanner Cheat Sheet

Overview

Naabu is a fast port scanner written in Go by Project Discovery. It's designed with a focus on reliability and simplicity, making it an excellent tool for attack surface discovery. Naabu can scan thousands of hosts and ports in minutes, providing a quick way to identify open ports and potential entry points into target systems.

What sets Naabu apart from other port scanners is its integration capabilities with other security tools. It's designed to be used in combination with tools like httpx, nuclei, and other Project Discovery tools to create powerful security testing workflows. Naabu supports various scanning techniques, including SYN, CONNECT, and UDP scans, and can be customized to fit different scanning requirements.

Naabu is commonly used in the reconnaissance phase of security assessments and bug bounty hunting to identify open ports that could potentially host vulnerable services. Its speed and accuracy make it a valuable tool for security professionals who need to quickly map the attack surface of target organizations.

Installation

Using Go

# Install using Go (requires Go 1.20 or later)
go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest

# Verify installation
naabu -version

Using Docker

# Pull the latest Docker image
docker pull projectdiscovery/naabu:latest

# Run Naabu using Docker
docker run -it projectdiscovery/naabu:latest -h

Using Homebrew (macOS)

# Install using Homebrew
brew install naabu

# Verify installation
naabu -version

Using PDTM (Project Discovery Tools Manager)

# Install PDTM first if not already installed
go install -v github.com/projectdiscovery/pdtm/cmd/pdtm@latest

# Install Naabu using PDTM
pdtm -i naabu

# Verify installation
naabu -version

On Kali Linux

# Install using apt
sudo apt install naabu

# Verify installation
naabu -version

Basic Usage

Scanning Hosts

# Scan a single host (default: top 100 ports)
naabu -host example.com

# Scan multiple hosts
naabu -host example.com,hackerone.com

# Scan from a list of hosts
naabu -list hosts.txt

# Scan from STDIN
cat hosts.txt|naabu

Port Selection

# Scan specific ports
naabu -host example.com -p 80,443,8080,8443

# Scan port ranges
naabu -host example.com -p 1-1000

# Scan top ports
naabu -host example.com -top-ports 100

# Scan all ports
naabu -host example.com -p -

Output Options

# Save results to a file
naabu -host example.com -o results.txt

# Output in JSON format
naabu -host example.com -json -o results.json

# Output in CSV format
naabu -host example.com -csv -o results.csv

# Silent mode (only host:port)
naabu -host example.com -silent

Advanced Usage

Scan Types

# SYN scan (default, requires root/sudo)
sudo naabu -host example.com -scan-type s

# CONNECT scan (no root required)
naabu -host example.com -scan-type c

# UDP scan (requires root/sudo)
sudo naabu -host example.com -scan-type u

Host Discovery

# Ping scan for host discovery
naabu -host 192.168.1.0/24 -ping

# Skip host discovery
naabu -host 192.168.1.0/24 -skip-host-discovery

Network Options

# Set source IP
sudo naabu -host example.com -source-ip 192.168.1.2

# Set source port
sudo naabu -host example.com -source-port 53

# Set interface
sudo naabu -host example.com -interface eth0

Scan Optimization

# Set timeout (milliseconds)
naabu -host example.com -timeout 1000

# Set retries
naabu -host example.com -retries 3

# Set rate limit (packets per second)
naabu -host example.com -rate 1000

Performance Optimization

Concurrency and Rate Limiting

# Set host concurrency (default: 25)
naabu -host example.com -c 50

# Set port concurrency (default: 25)
naabu -host example.com -port-concurrency 50

# Set rate limit
naabu -host example.com -rate 1000

Timeout Options

# Set timeout for port scans (milliseconds)
naabu -host example.com -timeout 1000

# Set timeout for host discovery (milliseconds)
naabu -host example.com -ping-timeout 1000

Optimization for Large Scans

# Use warm-up for large scans
naabu -host example.com -warm-up-time 2

# Increase concurrency for faster scanning
naabu -host example.com -c 100 -port-concurrency 100

Integration with Other Tools

Pipeline with Subfinder

# Find subdomains and scan for open ports
subfinder -d example.com -silent|naabu -silent

# Find subdomains, scan for open ports, and probe for HTTP services
subfinder -d example.com -silent|naabu -silent|httpx -silent

Pipeline with HTTPX

# Scan for open ports and probe for HTTP services
naabu -host example.com -silent|httpx -silent

# Scan for specific ports and probe for HTTP services
naabu -host example.com -p 80,443,8080,8443 -silent|httpx -silent

Pipeline with Nuclei

# Scan for open ports, probe for HTTP services, and scan for vulnerabilities
naabu -host example.com -silent|httpx -silent|nuclei -t cves/

# Scan for specific ports and scan for vulnerabilities
naabu -host example.com -p 80,443,8080,8443 -silent|httpx -silent|nuclei -t cves/

Output Customization

Custom Output Format

# Output only host:port
naabu -host example.com -silent

# Output with additional information
naabu -host example.com -v

# Count open ports
naabu -host example.com -silent|wc -l

# Sort output by port
naabu -host example.com -silent|sort -t: -k2 -n

Filtering Output

# Filter by port
naabu -host example.com -silent|grep ":80$"

# Filter by host
naabu -list hosts.txt -silent|grep "example.com"

# Find unique ports
naabu -list hosts.txt -silent|cut -d: -f2|sort -u

Advanced Filtering

Port Filtering

# Exclude specific ports
naabu -host example.com -exclude-ports 80,443

# Scan only common web ports
naabu -host example.com -p 80,81,443,591,2082,2087,2095,2096,3000,8000,8001,8008,8080,8083,8443,8834,8888

Host Filtering

# Exclude specific hosts
naabu -list hosts.txt -exclude-hosts excluded-hosts.txt

# Scan only specific CIDR ranges
naabu -host 192.168.1.0/24,10.0.0.0/24

Service Detection

# Enable service detection
naabu -host example.com -s

# Enable service detection with version
naabu -host example.com -sv

Proxy and Network Options

# Use SOCKS5 proxy
naabu -host example.com -proxy socks5://127.0.0.1:1080

# Use HTTP proxy
naabu -host example.com -proxy http://127.0.0.1:8080

# Set DNS resolvers
naabu -host example.com -resolvers 1.1.1.1,8.8.8.8

Nmap Integration

# Enable Nmap integration
naabu -host example.com -nmap

# Pass additional Nmap flags
naabu -host example.com -nmap -nmap-flags "-sV -A"

# Use Nmap for service detection
naabu -host example.com -nmap-cli "nmap -sV"

Miscellaneous Features

CDN/WAF Detection

# Skip CDN/WAF IPs
naabu -host example.com -exclude-cdn

IP Version Selection

# Scan using IPv4
naabu -host example.com -ip-version 4

# Scan using IPv6
naabu -host example.com -ip-version 6

Passive Port Enumeration

# Enable passive port enumeration
naabu -host example.com -passive

Troubleshooting

Common Issues

  1. Permission Issues ```bash # Use sudo for SYN and UDP scans sudo naabu -host example.com -scan-type s

# Use CONNECT scan if you don't have root privileges naabu -host example.com -scan-type c ```

  1. Rate Limiting by Target ```bash # Reduce rate limit naabu -host example.com -rate 100

# Increase timeout naabu -host example.com -timeout 2000 ```

  1. False Negatives ```bash # Increase retries naabu -host example.com -retries 5

# Use multiple scan types naabu -host example.com -scan-type s,c ```

  1. Firewall/IDS Detection ```bash # Use slower scan rate naabu -host example.com -rate 50

# Use random port order naabu -host example.com -scan-random-port ```

Debugging

# Enable verbose mode
naabu -host example.com -v

# Show debug information
naabu -host example.com -debug

# Show only open ports
naabu -host example.com -silent

Configuration

Configuration File

Naabu uses a configuration file located at $HOME/.config/naabu/config.yaml. You can customize various settings in this file:

# Example configuration file
concurrency: 25
port-concurrency: 25
rate: 1000
timeout: 1000
retries: 3
verify: false
scan-type: s
ports: "80,443,8080,8443"

Environment Variables

# Set Naabu configuration via environment variables
export NAABU_CONCURRENCY=25
export NAABU_PORT_CONCURRENCY=25
export NAABU_RATE=1000
export NAABU_TIMEOUT=1000
export NAABU_RETRIES=3

Reference

Command Line Options

Flag Description
-host Target host(s) to scan
-list, -l File containing list of hosts to scan
-p, -port Ports to scan (comma-separated, range, or - for all)
-top-ports Top ports to scan (default: 100)
-exclude-ports Ports to exclude from scan
-o, -output File to write output to
-json Write output in JSON format
-csv Write output in CSV format
-silent Show only host:port in output
-v, -verbose Show verbose output
-scan-type Type of scan to perform (s=SYN, c=CONNECT, u=UDP)
-ping Use ping for host discovery
-skip-host-discovery Skip host discovery
-source-ip Source IP to use for scanning
-interface Network interface to use
-rate Rate of packet sending (packets per second)
-timeout Timeout in milliseconds
-retries Number of retries for failed requests
-c, -concurrency Number of concurrent hosts to scan
-port-concurrency Number of concurrent ports to scan
-warm-up-time Time in seconds to wait before scanning
-s Enable service detection
-sv Enable service detection with version
-nmap Enable Nmap integration
-nmap-flags Additional Nmap flags
-exclude-cdn Skip CDN/WAF IPs
-proxy HTTP/SOCKS5 proxy to use
-resolvers DNS resolvers to use
-ip-version IP version to use (4, 6, or both)
-passive Enable passive port enumeration
-version Show Naabu version

Port Lists

Option Description
top-10 Top 10 most common ports
top-100 Top 100 most common ports
top-1000 Top 1000 most common ports
full All 65535 ports
80,443,8080 Custom port list
1-1000 Port range
- All ports (1-65535)

Scan Types

Type Description Root Required
s SYN scan Yes
c CONNECT scan No
u UDP scan Yes

Resources


This cheat sheet provides a comprehensive reference for using Naabu, from basic port scanning to advanced techniques and integration with other tools. For the most up-to-date information, always refer to the official documentation.