Naabu Cheat Sheet: Commands & Examples

What is Naabu?
Naabu vs Nmap
What does Naabu do:
Download & Install Naabu
- Naabu Linux Install
- Kali
Naabu Example Command Options
- Naabu Scan All Ports
Naabu Input File, Fast Scan + Verify Port 21
Naabu Fast Scan, Verify, Nmap Services
Document Changelog

The following Naabu cheat sheet aims to explain what Naabu is, what it does, and how to install it and use it by providing Nabuu command examples in a cheat sheet style documentation format.

What is Naabu?

Naabu is a simple port scanner written in Golang by Project Discovery, with a goal of being simple and fast.

Naabu vs Nmap

Why use Naabu over Nmap, the primary reason for me personally is the automatic IP deduplication. Meaning, when performing subdomain or domain enumeration of a target organisation, and you feed Naabu an input file of domain or subdomain it will resolve them and only scan unique IP addresses, so you are not wasting time and resources scanning the same target IP address twice.

Naabu Cheat Sheet

What does Naabu do:

Host discovery
Automatic IP Deduplication for DNS port scan
Port discovery / enumeration
SYN/CONNECT/UDP probe based scanning
Passive port scanning via Shodan
Performs IPv4/IPv6 port scanning
Can be configured to call Nmap to run NSE scripts post port detection
Multiple input support - STDIN/HOST/IP/CIDR/ASN
Multiple output format support - JSON/TXT/STDOUT

Download & Install Naabu

You can obtain Naabu via the Project Discovery Github.

Naabu Linux Install

go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest

Kali

Kali has a package for Naabu (caveat, it may not be the latest version):

sudo apt install naabu

Naabu File Input Options

Naabu input options, allowing Naabu to read and proccess data from input files.

Command	Description
`-host string[]`	hosts to scan ports for (comma-separated)
`-list, -l string`	list of hosts to scan ports (file)
`-exclude-hosts, -eh string`	hosts to exclude from the scan (comma-separated)
`-exclude-file, -ef string`	list of hosts to exclude from scan (file)

Naabu Port Options

Command	Description
`-port, -p string`	ports to scan (80,443, 100-200
`-top-ports, -tp string`	top ports to scan (default 100)
`-exclude-ports, -ep string`	ports to exclude from scan (comma-separated)
`-ports-file, -pf string`	list of ports to exclude from scan (file)
`-exclude-cdn, -ec`	skip full port scans for CDN's (only checks for 80,443)

Nabu Rate Limiting

Command	Description
`-c int`	general internal worker threads (default 25)
`-rate int`	packets to send per second (default 1000)

Naabu Scan Output Options

Command	Description
`-o, -output string`	file to write output to (optional)
`-json`	write output in JSON lines format
`-csv`	write output in csv format

Naabu Configuration Options

Command	Description
`-scan-all-ips, -sa`	scan all the IP's associated with DNS record
`-scan-type, -s string`	type of port scan (SYN/CONNECT) (default "s")
`-source-ip string`	source ip
`-interface-list, -il`	list available interfaces and public ip
`-interface, -i string`	network Interface to use for port scan
`-nmap`	invoke nmap scan on targets (nmap must be installed) - Deprecated
`-nmap-cli string`	nmap command to run on found results (example: -nmap-cli 'nmap -sV')
`-r string`	list of custom resolver dns resolution (comma separated or from file)
`-proxy string`	socks5 proxy
`-resume`	resume scan using resume.cfg
`-stream`	stream mode (disables resume, nmap, verify, retries, shuffling, etc)

Naabu Optimization Options

Command	Description
`-retries int`	number of retries for the port scan (default 3)
`-timeout int`	millisecond to wait before timing out (default 1000)
`-warm-up-time int`	time in seconds between scan phases (default 2)
`-ping`	ping probes for verification of host
`-verify`	validate the ports again with TCP verification

Naabu Debug Options

Command	Description
`-debug`	display debugging information
`-verbose, -v`	display verbose output
`-no-color, -nc`	disable colors in CLI output
`-silent`	display only results in output
`-version`	display version of naabu
`-stats`	display stats of the running scan
`-si, -stats-interval`	int number of seconds to wait between showing a statistics update (default 5)

Naabu Example Command Options

The following are real world examples of Naabu commands.

Naabu Scan All Ports

naabu -p 0-65535

Naabu Input File, Fast Scan + Verify Port 21

cat 21.txt | ~/go/bin/naabu -verify -ec -rate 9000 -retries 1 -p 21 -warm-up-time 0 -c 50 -silent -o ftp.txt

Naabu Fast Scan, Verify, Nmap Services

Naabu input file, scan all ports, output to text, fast scan, verify open ports, use Nmap to perform service enumeration

naabu -list subdomains.txt -verify -ec -rate 9000 -retries 1 -p 0-65535 -warm-up-time 0 -c 50 -nmap-cli "nmap -sV -oG nmap-naabu-out" -silent -o naabu-full.txt

If you found this Naabu cheat sheet useful, please share it below.

Document Changelog

Last Updated: 12/02/2024 (12th of February 2024)
Author: Dhruv Ambaliya
Notes: Checked syntax was current for latest version of Naabu.

Category	Post Name
`walkthroughs`	FactCheck CTF - Walkthrough
`walkthroughs`	WinAntiDbg0x100 CTF - Walkthrough
`walkthroughs`	packer CTF - Walkthrough
`walkthroughs`	vault-door-1 CTF - Walkthrough
`walkthroughs`	vault-door-training CTF - Walkthrough
`cheat-sheet`	Android Pen Testing Environment Setup
`cheat-sheet`	DNS Tunneling dnscat2 Cheat Sheet
`cheat-sheet`	Katana Cheat Sheet - Commands, Flags & Examples
`cheat-sheet`	httpx Cheat Sheet - Commands & Examples Tutorial
`cheat-sheet`	SSH Lateral Movement Cheat Sheet

Naabu Cheat Sheet: Commands & Examples ∞