Running Naabu
Learn about running Naabu with examples and sample output
For all of the flags and options available for naabu be sure to check out the Usage page. On this page we’ll share examples running httpx with specific flags and goals
and the output you can expect from each.
Basic Examples
Running Naabu
To run the tool on a target, just use the following command.
This will run the tool against hackerone.com. There are a number of configuration options that you can pass along with this command. The verbose switch -v can be used to display verbose information.
The ports to scan for on the host can be specified via -p parameter (udp ports must be expressed as u:port). It takes nmap format ports and runs enumeration on them.
By default, the Naabu checks for nmap’s Top 100 ports. It supports the following in-built port lists -
| Flag | Description |
|---|---|
-top-ports 100 | Scan for nmap top 100 port |
-top-ports 1000 | Scan for nmap top 1000 port |
-p - | Scan for full ports from 1-65535 |
You can also specify specific ports which you would like to exclude from the scan.
To run the naabu on a list of hosts, -list option can be used.
To run the naabu on a ASN, AS input can be used. It takes the IP address available for given ASN and runs the enumeration on them.
You can also get output in json format using -json switch. This switch saves the output in the JSON lines format.
The ports discovered can be piped to other tools too. For example, you can pipe the ports discovered by naabu to httpx which will then find running http servers on the host.
The speed can be controlled by changing the value of rate flag that represent the number of packets per second. Increasing it while processing hosts may lead to increased false-positive rates. So it is recommended to keep it to a reasonable amount.
IPv4 and IPv6
Naabu supports both IPv4 and IPv6. Both ranges can be piped together as input. If IPv6 is used, connectivity must be correctly configured, and the network interface must have an IPv6 address assigned (inet6) and a default gateway.
The option -ip-version 6 makes the tool use IPv6 addresses while resolving domain names.
To scan all the IPs of both version, ip-version 4,6 can be used along with -scan-all-ips flag.
Host Discovery
Naabu optionally supports multiple options to perform host discovery, as outlined below. Host discovery is completed automatically before beginning a connect/syn scan if the process has enough privileges. -sn flag instructs the toll to perform host discovery only. -Pn flag skips the host discovery phase. Host discovery is completed using multiple internal methods; one can specify the desired approach to perform host discovery by setting available options.
Available options to perform host discovery:
- ARP ping (
-arp) - TCP SYN ping (
-ps 80) - TCP ACK ping (
-pa 443) - ICMP echo ping (
-pe) - ICMP timestamp ping (
-pp) - ICMP address mask ping (
-pm) - IPv6 neighbor discovery (
-nd)
Configuration file
Naabu supports config file as default located at $HOME/.config/naabu/config.yaml, It allows you to define any flag in the config file and set default values to include for all scans.
Nmap integration
We have integrated nmap support for service discovery or any additional scans supported by nmap on the found results by Naabu, make sure you have nmap installed to use this feature.
To use,nmap-cli flag can be used followed by nmap command, for example:-
CDN/WAF Exclusion
Naabu also supports excluding CDN/WAF IPs being port scanned. If used, only 80 and 443 ports get scanned for those IPs. This feature can be enabled by using exclude-cdn flag.
Currently cloudflare, akamai, incapsula and sucuri IPs are supported for exclusions.
Scan Status
Naabu exposes json scan info on a local port bound to localhost at http://localhost:63636 (the port can be changed via the -metrics-port flag)
Using naabu as library
The following sample program scan the port 80 of scanme.sh. The results are returned via the OnResult callback:
Running Naabu
Learn about running Naabu with examples and sample output
For all of the flags and options available for naabu be sure to check out the Usage page. On this page we’ll share examples running httpx with specific flags and goals
and the output you can expect from each.
Basic Examples
Running Naabu
To run the tool on a target, just use the following command.
This will run the tool against hackerone.com. There are a number of configuration options that you can pass along with this command. The verbose switch -v can be used to display verbose information.
The ports to scan for on the host can be specified via -p parameter (udp ports must be expressed as u:port). It takes nmap format ports and runs enumeration on them.
By default, the Naabu checks for nmap’s Top 100 ports. It supports the following in-built port lists -
| Flag | Description |
|---|---|
-top-ports 100 | Scan for nmap top 100 port |
-top-ports 1000 | Scan for nmap top 1000 port |
-p - | Scan for full ports from 1-65535 |
You can also specify specific ports which you would like to exclude from the scan.
To run the naabu on a list of hosts, -list option can be used.
To run the naabu on a ASN, AS input can be used. It takes the IP address available for given ASN and runs the enumeration on them.
You can also get output in json format using -json switch. This switch saves the output in the JSON lines format.
The ports discovered can be piped to other tools too. For example, you can pipe the ports discovered by naabu to httpx which will then find running http servers on the host.
The speed can be controlled by changing the value of rate flag that represent the number of packets per second. Increasing it while processing hosts may lead to increased false-positive rates. So it is recommended to keep it to a reasonable amount.
IPv4 and IPv6
Naabu supports both IPv4 and IPv6. Both ranges can be piped together as input. If IPv6 is used, connectivity must be correctly configured, and the network interface must have an IPv6 address assigned (inet6) and a default gateway.
The option -ip-version 6 makes the tool use IPv6 addresses while resolving domain names.
To scan all the IPs of both version, ip-version 4,6 can be used along with -scan-all-ips flag.
Host Discovery
Naabu optionally supports multiple options to perform host discovery, as outlined below. Host discovery is completed automatically before beginning a connect/syn scan if the process has enough privileges. -sn flag instructs the toll to perform host discovery only. -Pn flag skips the host discovery phase. Host discovery is completed using multiple internal methods; one can specify the desired approach to perform host discovery by setting available options.
Available options to perform host discovery:
- ARP ping (
-arp) - TCP SYN ping (
-ps 80) - TCP ACK ping (
-pa 443) - ICMP echo ping (
-pe) - ICMP timestamp ping (
-pp) - ICMP address mask ping (
-pm) - IPv6 neighbor discovery (
-nd)
Configuration file
Naabu supports config file as default located at $HOME/.config/naabu/config.yaml, It allows you to define any flag in the config file and set default values to include for all scans.
Nmap integration
We have integrated nmap support for service discovery or any additional scans supported by nmap on the found results by Naabu, make sure you have nmap installed to use this feature.
To use,nmap-cli flag can be used followed by nmap command, for example:-
CDN/WAF Exclusion
Naabu also supports excluding CDN/WAF IPs being port scanned. If used, only 80 and 443 ports get scanned for those IPs. This feature can be enabled by using exclude-cdn flag.
Currently cloudflare, akamai, incapsula and sucuri IPs are supported for exclusions.
Scan Status
Naabu exposes json scan info on a local port bound to localhost at http://localhost:63636 (the port can be changed via the -metrics-port flag)
Using naabu as library
The following sample program scan the port 80 of scanme.sh. The results are returned via the OnResult callback: