loading
loading
Network
A fast and reliable port scanner that enumerates open ports for hosts.
overview
naabu enumerates open ports for a host or a list of hosts. By default it runs fast stateless SYN scans, sends probes across the port set you choose, and lists every port that answers, turning a set of hosts into a map of exposed services. Written in Go for throughput, it sweeps wide ranges without the long waits of a heavier scanner.
It exposes the controls a real engagement needs. Pick SYN or CONNECT with -scan-type, set the probe -rate and worker count, target the -top-ports or a custom -port range, and drop noise with -exclude-ports. Host-discovery probes can front the scan so only live hosts get swept, and CDN awareness keeps naabu off cloud edges: flag the CDN in use with -display-cdn, or use -exclude-cdn to skip full scans of CDN ranges and check only 80 and 443.
Run naabu after subdomain or host discovery and its open host:port pairs feed the rest of a Trickest workflow. Emit JSON lines with -json or CSV and the results drop straight into httpx for probing and a scanner for testing, so later stages only touch ports that are actually open.
use cases
Scan a host list with SYN probes to enumerate every responding port, building the service map that probing and scanning stages depend on.
Tune the rate and worker count to cover large ranges quickly while staying inside a target's tolerance and your own bandwidth.
Use exclude-cdn so cloud edge ranges only get checked on ports 80 and 443, keeping scan time focused on origin infrastructure.
Emit JSON lines so the open host:port pairs flow straight into httpx for probing and a scanner for testing without manual reshaping.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| host | STRING | -host | Hosts to scan ports for (comma-separated). |
| hosts-list | FILE | -l | List of hosts to scan ports, the usual pipeline input. |
| ports-to-enumerate | STRING | -port | Ports to enumerate (top-100, top-1000, full, or custom). |
| top-ports | STRING | -top-ports | Top ports to scan (default top 100). |
| rate | STRING | -rate | Rate of port scan probe requests (default 1000). |
| scan-type | STRING | -scan-type | Type of port scan, SYN or CONNECT (default s). |
| exclude-cdn | BOOLEAN | -exclude-cdn | Skip full port scans for CDNs, only checks 80 and 443. |
| json-output | BOOLEAN | -json | Write output in JSON lines format. |
Showing key inputs. naabu exposes 44 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| cdn | BOOLEAN | -display-cdn | display cdn in use |
| host | STRING | -host | hosts to scan ports for (comma-separated) |
| rate | STRING | -rate | Rate of port scan probe request (default 1000) |
| proxy | STRING | -proxy | socks5 proxy (ip[:port] / fqdn[:port]) |
| stats | BOOLEAN | -stats | Display stats of the running scan |
| nd-ping | BOOLEAN | -nd-ping | IPv6 Neighbor Discovery (host discovery needs to be enabled) |
| passive | BOOLEAN | -passive | display passive open ports using shodan internetdb api |
| threads | STRING | -c | General internal worker threads (default 25) |
| timeout | STRING | -timeout | Millisecond to wait before timing out (default 700) |
| verbose | BOOLEAN | -v | Show verbose output |
| arp-ping | BOOLEAN | -arp-ping | ARP ping (host discovery needs to be enabled) |
| no-colors | BOOLEAN | -no-color | Don't Use colors in output |
| resolvers | FILE | -r | list of custom resolvers for dns resolution |
| scan-type | STRING | -scan-type | type of port scan (SYN/CONNECT) (default "s") |
| source-ip | STRING | -source-ip | source ip and port (x.x.x.x:yyy) |
| top-ports | STRING | -top-ports | Top Ports to scan (default top 100) |
| csv-output | BOOLEAN | -csv | Write output in CSV format |
| debug-mode | BOOLEAN | -debug | display debugging information |
| hosts-list | FILE | -l | List of hosts to scan ports |
| ip-version | STRING | -ip-version | ip version to scan of hostname (4,6) - (default 4) |
| ping-probe | BOOLEAN | -ping | Perform ping probe to detect alive hosts |
| ports-file | FILE | -ports-file | File containing ports to scan for |
| proxy-auth | STRING | -proxy-auth | socks5 proxy authentication (username:password) |
| exclude-cdn | BOOLEAN | -exclude-cdn | Skip full port scans for CDNs (only checks for 80,443) |
| json-output | BOOLEAN | -json | Write output in JSON lines format |
| exclude-file | FILE | -exclude-file | List of hosts to exclude from scan |
| scan-all-ips | BOOLEAN | -scan-all-ips | Scan all the ips |
| warm-up-time | STRING | -warm-up-time | Time in seconds between scan phases (default 2) |
| exclude-hosts | STRING | -exclude-hosts | hosts to exclude from the scan (comma-separated) |
| exclude-ports | STRING | -exclude-ports | Ports to exclude from scan |
| probe-tcp-ack | BOOLEAN | -probe-tcp-ack | TCP ACK Ping (host discovery needs to be enabled) |
| probe-tcp-syn | BOOLEAN | -probe-tcp-syn | TCP SYN Ping (host discovery needs to be enabled) |
| host-discovery | BOOLEAN | -host-discovery | Run Host Discovery scan |
| port-threshold | STRING | -port-threshold | port threshold to skip port scan for the host |
| stats-interval | STRING | -si | number of seconds to wait between showing a statistics update (default 5) |
| validate-ports | BOOLEAN | -verify | Validate the ports again |
| probe-icmp-echo | BOOLEAN | -probe-icmp-echo | ICMP echo request Ping (host discovery needs to be enabled) |
| ports-to-exclude | STRING | -exclude-ports | Ports to exclude from enumeration |
| ports-to-enumerate | STRING | -port | Ports to enumerate for on hosts (top-100, top-1000, full, custom) |
| skip-host-discovery | BOOLEAN | -skip-host-discovery | Skip Host discovery |
| probe-icmp-timestamp | BOOLEAN | -probe-icmp-timestamp | ICMP timestamp request Ping (host discovery needs to be enabled) |
| probe-icmp-address-mask | BOOLEAN | -probe-icmp-address-mask | ICMP address mask request Ping (host discovery needs to be enabled) |
| only-host-port-in-output | BOOLEAN | -silent | Show only host:ports in output |
| number-of-retries-for-port-scan | STRING | -retries | Number of retries for the port scan probe (default 1) |
example
# scan a host list for the top 1000 ports, JSON lines outnaabu -l hosts.txt -top-ports 1000 -rate 1000 -exclude-cdn -json -o open-ports.jsonlexample.com:80example.com:443api.example.com:443api.example.com:8443staging.example.com:22staging.example.com:8080198.51.100.24:3306198.51.100.24:6379198.51.100.51:5432guidance
Use naabu to find which ports are open before you probe or scan. It is a port scanner, not a service prober, so feed its open host:port pairs to httpx for classification and a vulnerability scanner for testing. Reach for it when you need fast, scriptable port enumeration in a pipeline.
Internet-scale SYN scanner with raw speed. naabu is friendlier to wire into a pipeline and handles CDNs out of the box.
Fast scanner that hands ports to nmap for service detection. naabu favors clean structured output over nmap integration.
Deeper service and version detection, slower. Run nmap after naabu narrows the port set.
faq
related
Quickly map an organization's network ranges using ASN information.
Maximize your resolver count by combining the target's DNS servers with public resolvers.
Expand CIDR ranges into a list of IP addresses easily.
Expand CIDR ranges into a list of IP addresses easily, from a file.
Maintain a list of IPv4 DNS servers verified against baseline servers for accurate responses.
Patched dnsvalidator that keeps only IPv4 resolvers verified against baseline servers.
A host list feeds naabu, which enumerates open ports and hands them to httpx for probing before the live services land as a queryable output.
Facts on this page come from the live Trickest tool library.