naabu
Fast port scanner with SYN/CONNECT scanning. ProjectDiscovery.
Quickstart
# Scan single host
naabu -host target.com
# Top 100 ports
naabu -host target.com -top-ports 100
# Full port scan
naabu -host target.com -p -
# Scan list, pipe to httpx
naabu -l hosts.txt -silent | httpx -silent
Core Concepts
| Concept |
Description |
| SYN scan |
Fast, stealthy (needs root) |
| CONNECT scan |
Full TCP connect (no root) |
| Service discovery |
Combine with httpx for services |
Syntax
naabu -host <target> [options]
naabu -l <file> [options]
Options
Input
| Option |
Description |
-host <target> |
Single target |
-l <file> |
Host list |
- |
Read from stdin |
-exclude-hosts <h> |
Exclude hosts |
-iL <file> |
Input list (nmap style) |
Ports
| Option |
Description |
-p <ports> |
Port range (-p 80,443,8080) |
-p - |
All ports (1-65535) |
-top-ports <n> |
Top N ports (100, 1000) |
-ep <ports> |
Exclude ports |
-pt <type> |
Port type (tcp, udp) |
Scan Type
| Option |
Description |
-sn |
Host discovery only |
-Pn |
Skip host discovery |
-s |
SYN scan (needs root) |
-sc |
CONNECT scan |
Output
| Option |
Description |
-o <file> |
Output file |
-json |
JSON output |
-csv |
CSV output |
-silent |
Silent mode |
-v |
Verbose |
-nc |
No color |
Performance
| Option |
Description |
-c <n> |
Concurrency (default 25) |
-rate <n> |
Packets per second |
-timeout <ms> |
Timeout in ms |
-retries <n> |
Retries |
-warm-up-time <sec> |
Warm up time |
Integration
| Option |
Description |
-nmap |
Run nmap on results |
-nmap-cli <args> |
Nmap arguments |
Recipes
Basic Scanning
# Quick scan (top 100)
naabu -host target.com -top-ports 100
# Common web ports
naabu -host target.com -p 80,443,8080,8443
# Full scan
naabu -host target.com -p -
# Multiple hosts
naabu -l hosts.txt -top-ports 100
Port Ranges
# Specific ports
naabu -host target.com -p 22,80,443,3389
# Port range
naabu -host target.com -p 1-1000
# Common + high ports
naabu -host target.com -p 1-1000,8000-9000
# All ports
naabu -host target.com -p -
Scan Types
# SYN scan (fast, needs root)
sudo naabu -host target.com -s
# CONNECT scan (no root)
naabu -host target.com -sc
# Host discovery only
naabu -host target.com -sn
# Skip discovery (scan anyway)
naabu -host target.com -Pn
Pipeline Integration
# naabu → httpx
naabu -host target.com -silent | httpx -silent
# subfinder → naabu → httpx
subfinder -d target.com -silent | naabu -silent | httpx -silent
# naabu → nmap (detailed)
naabu -host target.com -nmap-cli "-sV -sC"
# Mass scanning
naabu -l hosts.txt -top-ports 100 -silent | httpx -silent -o live.txt
Performance Tuning
# Fast scan
naabu -host target.com -c 50 -rate 1000
# Careful scan (avoid detection)
naabu -host target.com -c 5 -rate 100
# Large scale
naabu -l hosts.txt -c 100 -rate 5000
Service Discovery
# Web services
naabu -host target.com -p 80,443,8080,8443 | httpx -silent
# All services with nmap
naabu -host target.com -p - -nmap-cli "-sV"
# Format for nmap input
naabu -host target.com -silent -o ports.txt
Network Range
# CIDR scanning
naabu -host 10.10.10.0/24 -top-ports 100
# Exclude hosts
naabu -host 10.10.10.0/24 -exclude-hosts 10.10.10.1,10.10.10.2
Output & Parsing
# JSON output
naabu -host target.com -json -o results.json
# CSV output
naabu -host target.com -csv -o results.csv
# Parse JSON
cat results.json | jq -r '.port'
# Format: host:port
naabu -host target.com -silent
# Unique ports
naabu -l hosts.txt -silent | cut -d: -f2 | sort -u
Troubleshooting
| Issue |
Solution |
| SYN scan fails |
Need root/sudo |
| Slow scan |
Increase -c and -rate |
| Missing ports |
Increase -retries, check firewall |
| Permission denied |
Use -sc for CONNECT scan |
References