naabu
Discover exposed hosts and ports quickly
TLDR
Run a SYN scan against the default (top 100) ports of the remote host
Display available network interfaces and public IP address of the local host
Scan all ports of the remote host (CONNECT scan without sudo)
Scan the top 1000 ports of the remote host
Scan TCP ports 80, 443 and UDP port 53 of the remote host
Show the CDN type the remote host is using, if any
Run nmap from naabu for additional functionality (nmap must be installed)
SYNOPSIS
naabu [OPTIONS] -h <hosts/IPs> | -l <hosts_file>
naabu [OPTIONS] -p <ports> -h <host>
naabu -iL <input_file> -silent
PARAMETERS
-h, --host
Input hosts to scan (IPs, CIDRs, hostnames, or hosts file).
-l, --list
Input list of hosts from a file.
-p, --port
Ports to scan (e.g., 80,443,1-1024,top-100).
-t, --threads
Number of concurrent host scan threads (default: 25).
-rate
Packets to send per second (default: 1500).
-sS, --syn-scan
Perform SYN scan (default, requires root).
-sC, --connect-scan
Perform Connect scan (userspace TCP).
-o, --output
File to write output to.
-json
Write output in JSON format.
-v, --verbose
Show verbose output.
-silent
Show only hosts with open ports.
-exclude
Exclude hosts from scan (comma-separated or file).
-exclude-ports
Exclude specific ports from scan (e.g., 22,139).
-top-ports
Scan top N common ports.
-ports-file
File containing ports to scan.
-interface
Network interface to use for scanning.
-resume
Resume scan from a file.
-retries
Number of retries for failed packets (default: 3).
-timeout
Timeout for network requests in seconds (default: 5).
-no-fallback
Disable connect scan fallback on SYN scan failure.
-stats
Show statistics during scan.
DESCRIPTION
Naabu is an open-source port scanner developed by ProjectDiscovery, designed for speed and reliability in network reconnaissance. It leverages a custom raw packet engine to send packets directly from the network interface, bypassing the operating system's TCP/IP stack. This unique approach enables it to scan millions of ports across hundreds of thousands of hosts in minutes, making it highly efficient for large-scale operations.
Naabu supports various scan types, including SYN (default) and Connect scans, allowing users to specify target hosts, IP ranges, or input files. It offers extensive options for customizability, such as defining port ranges, concurrency, rate limiting, and retries. Its output can be easily integrated with other security tools like httpx for HTTP probing or nuclei for vulnerability scanning. Naabu is a go-to tool for security professionals seeking rapid and comprehensive port enumeration.
CAVEATS
1. Root Privileges: Performing SYN scans (default) requires root or sudo privileges due to direct raw packet manipulation.
2. Network Impact: Its high speed can generate significant network traffic, potentially causing congestion or triggering intrusion detection/prevention systems (IDS/IPS).
3. Firewall Interference: Local firewalls on the scanning machine might interfere with raw packet sending or receiving, leading to inaccurate results unless properly configured.
4. False Positives/Negatives: While efficient, network instability, target misconfiguration, or aggressive rate limits can lead to occasional false positives or negatives.
INTEGRATION WITH PROJECTDISCOVERY TOOLS
Naabu's design facilitates easy piping of its output to other ProjectDiscovery tools. For instance, the output (list of host:port) can be directly fed into httpx for HTTP service detection or nuclei for template-based vulnerability scanning, creating a powerful automated reconnaissance chain.
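Because the results are plain host:port lines, two saved runs against your own assets can also be compared to spot exposure changes. The script below is an added example, not code from naabu or ProjectDiscovery; it assumes each file was written with -o and holds one host:port per line, and the function names and .test hostnames are hypothetical.

```shell
#!/bin/sh
# Added example: report exposure drift between two saved naabu result files.

# normalize FILE: keep well-formed host:port lines, lower-case the host,
# drop duplicates and sort in the C locale (comm needs a consistent order).
normalize() {
    awk '
        {
            sub(/\r$/, "")                 # tolerate CRLF line endings
            n = match($0, /:[0-9]+$/)      # the port follows the last colon
            if (n < 2) next                # no host part or no numeric port
            host = tolower(substr($0, 1, n - 1))
            if (host ~ /[ \t]/) next       # banner or log text, not a result
            port = substr($0, n + 1) + 0
            if (port < 1 || port > 65535) next
            print host ":" port
        }' "$1" | LC_ALL=C sort -u
}

# exposure_drift BASELINE CURRENT
# Prints "NEW host:port" for ports open now but absent from the baseline,
# and "GONE host:port" for baseline ports missing from the current run.
exposure_drift() {
    base=$(mktemp) || return 1
    cur=$(mktemp) || { rm -f "$base"; return 1; }
    normalize "$1" > "$base"
    normalize "$2" > "$cur"
    LC_ALL=C comm -13 "$base" "$cur" | sed 's/^/NEW /'
    LC_ALL=C comm -23 "$base" "$cur" | sed 's/^/GONE /'
    rm -f "$base" "$cur"
}

# Demo on constructed data (not real scan output).
demo_dir=$(mktemp -d)
printf '%s\n' app.example.test:443 db.example.test:22 > "$demo_dir/baseline.txt"
printf '%s\n' app.example.test:443 app.example.test:8080 > "$demo_dir/current.txt"
exposure_drift "$demo_dir/baseline.txt" "$demo_dir/current.txt"
rm -rf "$demo_dir"
```

A GONE entry seen in a single run may be one of the false negatives listed under CAVEATS, so confirm it with a second scan before updating the baseline.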
PERFORMANCE AND RESOURCE USAGE
Thanks to its raw packet engine and Go's concurrency model, Naabu is incredibly fast and memory-efficient. It can scan millions of IPs in minutes using relatively few resources, making it suitable for both local system usage and cloud-based scanning infrastructure.
HISTORY
Naabu is an integral part of the ProjectDiscovery open-source ecosystem, a suite of tools focused on simplifying and enhancing the reconnaissance phase for security researchers and bug bounty hunters. Developed primarily in Go, Naabu was designed to overcome the performance limitations of traditional port scanners when dealing with large IP ranges and extensive port lists. Its development emphasizes raw performance, minimal resource usage, and seamless integration with other ProjectDiscovery tools like httpx and nuclei, making it a cornerstone for automated security workflows.