Configs · May 16, 2026 · 3 min read

Naabu — Fast Port Scanner by ProjectDiscovery

A fast and reliable port scanner written in Go, designed to be used in attack surface discovery pipelines alongside other ProjectDiscovery tools for bug bounty and penetration testing workflows.

Universal CLI install command
npx tokrepo install 9eb17e32-5121-11f1-9bc6-00163e2b0d79

Introduction

Naabu is a port scanning tool by ProjectDiscovery designed for speed and reliability in attack surface discovery. Built in Go with both SYN and CONNECT scan modes, it integrates cleanly with the ProjectDiscovery ecosystem (subfinder, httpx, nuclei) to form automated reconnaissance pipelines for authorized security testing.

What Naabu Does

  • Performs fast TCP port scanning using SYN (raw socket) or CONNECT methods
  • Supports scanning from host lists, CIDR ranges, and stdin for pipeline integration
  • Excludes CDN and cloud provider IP ranges when run with -exclude-cdn, to avoid scanning shared infrastructure
  • Detects service banners on discovered open ports for initial fingerprinting
  • Outputs results in JSON, CSV, or plain text for downstream tool consumption
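
The JSON output listed above can feed an exposure check on the defender's side. The following is an added example, not part of the original page or the Naabu project: it de-duplicates scan results and reports open ports that are missing from an approved baseline. The record fields (host, ip, port), the sample lines and the baseline are constructed assumptions.

```python
import json

# Constructed sample of JSON-lines scan output (assumed fields: host, ip, port).
SAMPLE_OUTPUT = """\
{"host":"app.example.test","ip":"192.0.2.10","port":443}
{"host":"app.example.test","ip":"192.0.2.10","port":22}
{"host":"app.example.test","ip":"192.0.2.10","port":443}
{"host":"db.example.test","ip":"192.0.2.20","port":5432}
not-json progress line
{"host":"db.example.test","ip":"192.0.2.20","port":"abc"}
"""

# Hypothetical baseline: ports each asset is approved to expose.
APPROVED = {
    "app.example.test": {80, 443},
    "db.example.test": set(),
}

def parse_results(text):
    """Return the set of (host, port) pairs, skipping malformed lines."""
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            host = rec.get("host") or rec["ip"]  # fall back to IP if no hostname
            port = int(rec["port"])
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # non-JSON noise or a record without usable fields
        if 0 < port < 65536:
            seen.add((host, port))  # the set removes duplicate findings
    return seen

def unexpected_exposures(results, approved):
    """Open ports not in the baseline; hosts absent from it are reported in full."""
    return sorted((h, p) for h, p in results if p not in approved.get(h, set()))

if __name__ == "__main__":
    for host, port in unexpected_exposures(parse_results(SAMPLE_OUTPUT), APPROVED):
        print(f"unexpected open port: {host}:{port}")
```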

Architecture Overview

Naabu uses a custom TCP stack for SYN scanning that sends raw packets and listens for SYN-ACK responses, achieving high throughput without completing full TCP handshakes. For unprivileged environments, it falls back to CONNECT scanning. The scanner manages rate limiting internally and supports both IPv4 and IPv6 targets. Host exclusion lists and CDN detection prevent scanning shared infrastructure. Results flow through a deduplication layer before output.

Self-Hosting & Configuration

  • Install a single Go binary; SYN mode requires root/sudo for raw sockets
  • Configure rate limits with -rate to control packets per second (default 1000)
  • Use -exclude-cdn to automatically skip Cloudflare, Akamai, and other CDN ranges
  • Set custom port lists with -p or use predefined sets (top 100, top 1000, full)
  • Chain with httpx and nuclei: naabu -host target.com | httpx | nuclei

Key Features

  • Hybrid scanning with automatic SYN/CONNECT fallback based on available privileges
  • CDN and WAF exclusion prevents wasting time on shared infrastructure IPs
  • Stdin/stdout integration enables seamless piping with subfinder, httpx, and nuclei
  • IPv6 support for scanning modern infrastructure
  • Configurable retries and timeouts for reliable results across different network conditions

Comparison with Similar Tools

  • Nmap — feature-rich but slower for pure port discovery; Naabu is optimized for speed as a pipeline component
  • RustScan — similar fast scanner with auto-Nmap integration; Naabu integrates with the ProjectDiscovery toolchain instead
  • Masscan — fastest raw SYN scanner but complex output; Naabu offers simpler integration and built-in CDN exclusion
  • Zmap — designed for internet-wide research scanning; Naabu targets focused reconnaissance on specific host lists

FAQ

Q: Does Naabu require root access? A: SYN scan mode requires root for raw socket access. CONNECT scan mode works without elevated privileges but is slower.

Q: How do I avoid scanning targets behind CDNs? A: Use the -exclude-cdn flag. Naabu maintains lists of IP ranges for major CDN providers and automatically skips them.

Q: Can Naabu scan UDP ports? A: Naabu focuses on TCP port scanning. For UDP service discovery, use complementary tools like Nmap with UDP scan flags.

Q: What is the recommended workflow for bug bounty? A: Combine subfinder for subdomain enumeration, naabu for port scanning, httpx for HTTP probing, and nuclei for vulnerability detection in a piped workflow.
