Naabu is a modern port scanner built by the ProjectDiscovery team. Written in Go, it focuses on high performance, ease of integration, and usage in engineering pipelines. If Nmap is the classic all-rounder and Masscan is the representative of extreme speed, then Naabu is the “modern, automated, orchestratable” intermediate state between the two.

🚀 Tool Positioning

Naabu implements port scanning via SYN/CONNECT/UDP probing methods, supporting:

  • DNS resolution and automatic deduplication
  • IPv4 / IPv6 mixed scanning (experimental)
  • Passive port enumeration (Shodan / InternetDB)
  • Host discovery and Nmap integration
  • Multiple inputs (Domain / IP / CIDR / ASN) and multiple output formats (JSON / TXT / STDOUT)

⚙️ Key Technologies and Implementation in Naabu

1️⃣ Concurrency Model: Goroutine + Worker Pool

Naabu uses Go’s native goroutine and channel model to drive large-scale scanning tasks. Each probe task is assigned to a worker pool for asynchronous execution, realizing the flow of “Massive Tasks → Lightweight Threads → Aggregated Output”.

flowchart LR A[Input Domain/IP] --> B[Resolution & Deduplication] B --> C[Task Queue] C --> D[Worker Goroutine Concurrent Probing] D --> E[Result Aggregation/Output]

2️⃣ Controllable Rate and Concurrency: Token Bucket Idea

Control sending rate and thread limit via -rate (rate) and -c (concurrency) parameters. The underlying logic is similar to the token bucket rate-limiting mechanism, preventing scanning too fast which leads to packet loss or blocking by protection systems.

naabu -list targets.txt -rate 5000 -c 200

💡 Practical Experience: VPS can usually use a higher -rate; for local or proxy environments, <2000 is recommended.

3️⃣ Detection Modes and Privilege Fallback

SYN Scan (requires root privileges): Fastest, directly based on raw TCP packets. CONNECT Scan: Falls back to use this when without root privileges. UDP Scan: Can specify custom payloads to improve identification accuracy.

sudo naabu -p 80,443,8080 -host example.com -scan-type syn

4️⃣ DNS Resolution and IP Deduplication

Naabu automatically resolves input domains and deduplicates identical IPs to avoid duplicate scanning and improve efficiency.

echo -e "a.example.com\nb.example.com" | naabu  # If both resolve to the same IP, it scans only once

✨ This makes Naabu very suitable for processing large numbers of subdomains in asset discovery pipelines.

5️⃣ Address Shuffling Algorithm

To reduce pressure on a single target and evade defense systems, Naabu randomizes the targets to be scanned internally. Similar to Masscan’s “address shuffling algorithm”, this makes scan traffic more dispersed and stealthy.

6️⃣ Passive Information Integration (Shodan / InternetDB)

Naabu can combine Shodan and InternetDB to passively pull known port information, used to complete scan results or accelerate probing.

naabu -list ips.txt -passive

🔍 The hybrid strategy of “Active Scanning + Passive Intelligence” allows it to balance speed and coverage.

7️⃣ Seamless Nmap Integration

Naabu supports automatically calling Nmap for service identification after discovering ports.

naabu -host target.com -nmap-cli "nmap -sV -p {{port}} {{host}}"

⚙️ Naabu is responsible for discovering open ports, and Nmap is responsible for identifying services and fingerprints. This is a typical modern layered scanning architecture.

8️⃣ Engineered Output Design

Output can be JSON, TXT, or STDOUT, naturally supporting pipelining and automated processing:

naabu -list targets.txt -json | jq
naabu -list targets.txt -o results.txt

💬 The output design is very friendly to subsequent tools (like httpx, nuclei).

9️⃣ Retries, Backoff, and Warm-up

Naabu provides -retries and -warm-up-time parameters for retrying and warming up during network fluctuations. For example, wait a few seconds before starting the scan to let the routing table and sockets initialize and stabilize.

naabu -list hosts.txt -retries 2 -warm-up-time 5s

🧠 Summary: Naabu’s Design Philosophy

Naabu does not pursue extreme speed (like Masscan), but balances speed, ease of use, and integrability. It evolves the port scanner from a “hacker tool” into an “automated asset discovery module”, allowing security researchers and blue teams to elegantly use it in CI/CD pipelines.

Feature Nmap Masscan Naabu (ProjectDiscovery)
Language C C Go
Probe Mode SYN/ACK/UDP/Script SYN Only (Extremely Fast) SYN/CONNECT/UDP
Advantage Comprehensive Features Extreme Speed Engineering & Automated Integration
Output Format XML/Nmap Script Binary / JSON JSON / TXT / STDOUT
Integration Manual Call Needs Scripts Native Support for Nmap / httpx / nuclei