Naabu – Port Scanner Written in Go that Enumerates Valid Ports for Hosts in a Fast & Reliable Manner

naabu
  • Simple and modular code base making it easy to contribute.
  • Fast And Simple SYN/CONNECT probe based scanning.
  • Multiple Output formats supported (JSON, File, Stdout)
  • Optimized for ease of use and lightweight on resources
  • Stdin and stdout support for integrating in workflows
  • Automatic handling of duplicate hosts between multiple subdomains
  • Multiple input type support including HOST/IP/CIDR notation.

Usage

▶ naabu -h

This will display help for the tool. Here are all the switches it supports.

FlagDescriptionExample
cWorker threads for fqdn to ip resolutionnaabu -c 25
configConfiguration file for naabunaabu -config naabu.conf
pPorts to scan (80,443, 100-200)naabu -p –
top-portsTop Ports to scan (default top 100naabu -top-ports 1000
hosthost/domain/CIDR to scan ports fornaabu -host 192.168.0.1/24
iLFile containing list of hosts to enumerate portsnaabu -iL hosts.txt
ports-fileFile containing ports to enumerate for on hostsnaabu -ports-file ports.txt
exclude-cdnSkip full port scans for CDNs (only checks for 80,443)naabu -exclude-cdn
exclude-hostsSkip port scans for given hostsnaabu -exclude-hosts 192.168.0.1/24
exclude-fileSkip port scans for given hosts in filenaabu -exclude-file exclude.txt
exclude-portsSkip port scans on hosts for given portsnaabu -exclude-ports 22,80,443
nmapnmap scans to run on results (works with config file)naabu -nmap
nmap-clinmap scans to run on resultsnaabu -nmap-cli ‘nmap -sV’
oFile to write output to (optional)naabu -o output.txt
jsonWrite output in JSON lines Formatnaabu -json
rateRate of port scan probes per requestsnaabu -rate 1000
interfaceNetwork Interface to use for port scannaabu -interface eth0
interface-listList available interfaces and public ipnaabu -interface-list
no-colorDon’t Use colors in outputnaabu -no-color
retriesNumber of retries for the port scan probe (default 3)naabu -retries 10
silentPrint found ports only in outputnaabu -silent
source-ipSource IPnaabu -source-ip 10.10.10.10
sScan Type (s – SYN, c – CONNECT)naabu -s c
timeoutMillisecond to wait before timing out (default 700)naabu -timeout 700
verifyValidate the ports again with TCP verificationnaabu -verify
debugEnable debugging informationnaabu -debug
versionShow version of naabunaabu -version
warm-up-timeTime in seconds between scan phases (default 2)naabu -warm-up-time

Installation Instructions

From Binary

The installation is easy. You can download the pre-built binaries for your platform from the releases page. Extract them using tar, move it to your $PATHand you’re ready to go.

Download latest binary from https://github.com/projectdiscovery/naabu/releases

▶ tar -xvf naabu-linux-amd64.tar
▶ cp naabu-linux-amd64 /usr/local/bin/naabu
▶ naabu -version

From Source

naabu requires go1.14+ to install successfully and have libpcap-dev installed on the system.

To install libpcap-dev:-

apt install -y libpcap-dev
▶ GO111MODULE=on go get -v github.com/projectdiscovery/naabu/v2/cmd/naabu
▶ naabu -version

From Github

▶ git clone https://github.com/projectdiscovery/naabu.git; cd naabu/v2/cmd/naabu; go build; cp naabu /usr/local/bin/; naabu -version

From Docker

You can use the official dockerhub image at naabu. Simply run –

▶ docker pull projectdiscovery/naabu

The above command will pull the latest tagged release from the dockerhub repository.

  • After pulling / building the container using either way, run the following –
docker run -it projectdiscovery/naabu -version

For example, this runs the tool against hackerone.com and output the results to your host file system –

docker run -it projectdiscovery/naabu -host hackerone.com > hackerone.com.txt

Windows

Windows version is currently not usable without docker.

The docker install instructions are identical to the ones for other platforms. See the From Docker section for install instructions on Windows.

Running Naabu

To run the tool on a target, just use the following command.

▶ naabu -host hackerone.com

This will run the tool against hackerone.com. There are a number of configuration options that you can pass along with this command. The verbose switch -v can be used to display verbose information.

▶ naabu -host hackerone.com

                  __
  ___  ___  ___ _/ /  __ __
 / _ \/ _ \/ _ \/ _ \/ // /
/_//_/\_,_/\_,_/_.__/\_,_/ v2.0.3

    projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Running SYN scan with root privileges
[INF] Found 4 ports on host hackerone.com (104.16.100.52)
hackerone.com:80
hackerone.com:443
hackerone.com:8443
hackerone.com:8080

The ports to scan for on the host can be specified via -p parameter. It takes nmap format ports and runs enumeration on them.

▶ naabu -p 80,443,21-23 -host hackerone.com

By default, the Naabu checks for nmap’s Top 100 ports. It supports following in-built port lists –

  • -top-ports 100 => Checks for nmap top 100 ports.
  • -top-ports 1000 => Checks for nmap top 1000 ports.
  • -p - => Checks for all ports from 1-65535.

You can also specify specific ports which you would like to exclude from the scan.

▶ naabu -p - -exclude-ports 80,443

The o flag can be used to specify an output file.

▶ naabu -host hackerone.com -o output.txt

To run the naabu on a list of hosts, -iL option can be used.

▶ naabu -iL hosts.txt

You can also get output in json format using -json switch. This switch saves the output in the JSON lines format.

▶ naabu -host hackerone.com -json

{"host":"hackerone.com","ip":"104.16.99.52","port":8443}
{"host":"hackerone.com","ip":"104.16.99.52","port":80}
{"host":"hackerone.com","ip":"104.16.99.52","port":443}
{"host":"hackerone.com","ip":"104.16.99.52","port":8080}

Hosts can also be piped to naabu and port enumeration can be ran on them. For example –

▶ echo hackerone.com | naabu
▶ cat targets.txt | naabu

The ports discovered can be piped to other tools too. For example, you can pipe the ports discovered by naabu to httpx which will then find running http servers on the host.

▶ echo hackerone.com | naabu -silent | httpx -silent

http://hackerone.com:8443
http://hackerone.com:443
http://hackerone.com:8080
http://hackerone.com:80

If you want a second layer validation of the ports found, you can instruct the tool to make a TCP connection for every port and verify if the connection succeeded. This method is very slow, but is really reliable. This is similar to using nmap as a second layer validation

▶ naabu -host hackerone.com -verify

The speed can be controlled by changing the value of rate flag that represent the number of packets per second. Increasing it while processing hosts may lead to increased false-positive rates. So it is recommended to keep it to a reasonable amount.

Configuration file

We have added support for config file, it allows each and every flag to define in config file, so you don’t have to write them everytime, it’s optional and not used on default run, default location of config file is $HOME/.config/naabu/naabu.conf, custom config file can be provided using config flag. Example config file

Nmap integration

We have integrated nmap support with nmap and nmap-cli flag, in config file you can define any nmap command you wish to run on the result of naabu, make sure you have nmap installed to use this feature.

To make use of nmap flag, make sure to remove the comments from the config file at $HOME/.config/naabu/naabu.conf

We also added nmap-cli flag that let you run nmap commands directly on the results of naabu without making use of config file.

▶ echo hackerone.com | naabu -nmap-cli 'nmap -sV -oX naabu-output'
                  __       
  ___  ___  ___ _/ /  __ __
 / _ \/ _ \/ _ \/ _ \/ // /
/_//_/\_,_/\_,_/_.__/\_,_/ v2.0.0				 

		projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Running TCP/ICMP/SYN scan with root privileges
[INF] Found 4 ports on host hackerone.com (104.16.99.52)

hackerone.com:443
hackerone.com:80
hackerone.com:8443
hackerone.com:8080

[INF] Running nmap command: nmap -sV -p 80,8443,8080,443 104.16.99.52

Starting Nmap 7.01 ( https://nmap.org ) at 2020-09-23 05:02 UTC
Nmap scan report for 104.16.99.52
Host is up (0.0021s latency).
PORT     STATE SERVICE       VERSION
80/tcp   open  http          cloudflare
443/tcp  open  ssl/https     cloudflare
8080/tcp open  http-proxy    cloudflare
8443/tcp open  ssl/https-alt cloudflare

Download: https://github.com/projectdiscovery/naabu

Please follow and like us:

Leave a Reply

Your email address will not be published.