Naabu — Install, Use, Optimise (2026)

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

ProjectDiscovery's Go port scanner — pipes cleanly into other PD tools, faster than Nmap for discovery.

Use case: ReconnaissanceDifficulty: BeginnerHomepage: https://github.com/projectdiscovery/naabu

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Go install

go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest

Linux (apt)

sudo apt install naabu

Docker

docker run projectdiscovery/naabu -host target.com

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Scan top 100

naabu -host target.com

All ports

naabu -p - -host target.com

Specific ports

naabu -p 80,443,8080-8090 -host target.com

Scan from list

naabu -list hosts.txt -p 80,443

Pipe to httpx

naabu -list hosts.txt -p 80,443,8080 | httpx -silent

JSON output

naabu -host target.com -json -o ports.json

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • -rate 1000 req/sec default — bump to 5000 on solid uplinks.
  • -c 50 concurrent threads. 50 default is good on most targets.
  • -scan-type s SYN scan (default, requires sudo) — faster than connect.
  • -stats shows progress bar + ETA.
  • -exclude-cdn skips known CDN ranges (Cloudflare, Akamai) — they always return 80/443 regardless.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • No version detection — pair with -nmap-cli "nmap -sV" for service detection.
  • SYN scan needs root. -scan-type c for connect (no root, slower).
  • Default top-100 misses 8443/8888/27017 — specify ports explicitly for serious scans.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • nmap — feature-complete.
  • masscan — fastest.
  • rustscan — wraps Nmap nicely.

India context and engagement notes

In a PD-stack pipeline (subfinder → dnsx → naabu → httpx → nuclei), naabu is the port-discovery step. For internet-scale, swap with masscan; for full version detection, finalize with Nmap.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants