naabu
be sure to check out the Usage page. On this page we’ll share examples running httpx with specific flags and goals
and the output you can expect from each.
If you have questions, reach out to us through Help.
Basic Examples
Running Naabu
To run the tool on a target, just use the following command.-v
can be used to display verbose information.
-p
parameter (udp ports must be expressed as u:port
). It takes nmap format ports and runs enumeration on them.
Top 100
ports. It supports the following in-built port lists -
Flag | Description |
---|---|
-top-ports 100 | Scan for nmap top 100 port |
-top-ports 1000 | Scan for nmap top 1000 port |
-p - | Scan for full ports from 1-65535 |
-list
option can be used.
-json
switch. This switch saves the output in the JSON lines format.
rate
flag that represent the number of packets per second. Increasing it while processing hosts may lead to increased false-positive rates. So it is recommended to keep it to a reasonable amount.
IPv4 and IPv6
Naabu supports both IPv4 and IPv6. Both ranges can be piped together as input. If IPv6 is used, connectivity must be correctly configured, and the network interface must have an IPv6 address assigned (inet6
) and a default gateway.
-ip-version 6
makes the tool use IPv6 addresses while resolving domain names.
ip-version 4,6
can be used along with -scan-all-ips
flag.
Host Discovery
Naabu optionally supports multiple options to perform host discovery, as outlined below. Host discovery is completed automatically before beginning a connect/syn scan if the process has enough privileges.-sn
flag instructs the toll to perform host discovery only. -Pn
flag skips the host discovery phase. Host discovery is completed using multiple internal methods; one can specify the desired approach to perform host discovery by setting available options.
Available options to perform host discovery:
- ARP ping (
-arp
) - TCP SYN ping (
-ps 80
) - TCP ACK ping (
-pa 443
) - ICMP echo ping (
-pe
) - ICMP timestamp ping (
-pp
) - ICMP address mask ping (
-pm
) - IPv6 neighbor discovery (
-nd
)
Configuration file
Naabu supports config file as default located at$HOME/.config/naabu/config.yaml
, It allows you to define any flag in the config file and set default values to include for all scans.
Nmap integration
We have integrated nmap support for service discovery or any additional scans supported by nmap on the found results by Naabu, make sure you havenmap
installed to use this feature.
To use,nmap-cli
flag can be used followed by nmap command, for example:-
CDN/WAF Exclusion
Naabu also supports excluding CDN/WAF IPs being port scanned. If used, only80
and 443
ports get scanned for those IPs. This feature can be enabled by using exclude-cdn
flag.
Currently cloudflare
, akamai
, incapsula
and sucuri
IPs are supported for exclusions.
Scan Status
Naabu exposes json scan info on a local port bound to localhost athttp://localhost:63636
(the port can be changed via the -metrics-port
flag)
Using naabu as library
The following sample program scan the port80
of scanme.sh
. The results are returned via the OnResult
callback: