In this post, we explore how to leverage tools from ProjectDiscovery—nuclei, naabu, and subfinder—to perform mass-scale vulnerability scanning across the internet. The IP address datasets are sourced from pre-compiled lists provided by kaeferjaeger. We’ll also offer best-practice recommendations to optimize your workflow for speed and reliability.
Table Of Contents
Theory
Tools Overview
- subfinder — subdomain enumeration
- naabu — fast port scanning
- nuclei — vulnerability scanning
- IP ranges — pre-collected SNI IP lists
Downloading Domain Lists
To build a robust domain list, you have two options:
- Scan the internet using zmap and then grab banners using zgrab. Afterward, extract domains from the output.
- Alternatively, download pre-collected datasets from kaeferjaeger.gay. These cover major cloud providers including Google, DigitalOcean, Microsoft, Amazon, and Oracle.
Extracting Domains
Merge all .txt files into one and extract the hostnames with grep:
$ cd ~/sni_ip_ranges
$ cat *.txt > phatboi.txt
$ grep -E -o '[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+(\.[a-zA-Z]{2,})' ~/sni_ip_ranges/phatboi.txt | sort -u > domains.txt
Note that this pattern requires at least three labels (a subdomain label, a name and a TLD), so a bare two-label name such as example.com is dropped; change the middle + to * if you want those as well.
Subdomain Enumeration
Use subfinder to discover subdomains for the domains collected (here the input is gov_domains.txt, a filtered subset of the domains extracted above):
$ subfinder -dL gov_domains.txt -silent -o government_domains.txt
Port Scanning
Scan the collected subdomains to identify open ports. naabu checks its top-100 port list by default; widen it with -p or -top-ports when you want more coverage. Its output is one host:port line per open port, which nuclei accepts as input in the next step:
$ naabu -l government_domains.txt -silent -o government_domains_final.txt
Vulnerability Scanning
Use nuclei to scan for vulnerabilities, targeting only high and critical severities (-s is short for -severity):
$ nuclei -l government_domains_final.txt -s critical,high -silent -o vuln_gov_domains.txt
Recommendations
Installing Naabu Properly
Naabu needs a C compiler and cgo enabled, which the Go toolchain alone does not give you:
$ sudo apt install build-essential -y
$ export CGO_ENABLED=1
These are prerequisites for building naabu's libpcap bindings, which go through cgo. Then install the headers and build the tool:
$ sudo apt install -y libpcap-dev
$ go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest
Handling SSH Disconnections
When scanning on remote or bulletproof servers via SSH, disconnections can cause major setbacks, especially when tools like nuclei or naabu are running with -silent. When the session drops, the shell hangs up the foreground process and the scan dies; in silent mode the tools print no intermediate progress, so you have no record of how far they got and may have to restart long scans from scratch. (Both tools also have a -resume flag, but the approach below works for any tool and leaves a plain-text record of what is done.)
To mitigate this without relying on screen or tmux, we recommend differential processing: split large input files into smaller chunks and run your tools on these subsets. That way, if one chunk fails, only a small portion of work needs to be redone.
Example
Instead of this:
$ naabu -l government_domains.txt -silent -o government_domains_final.txt
Split the file and run on segments:
$ split --suffix-length=3 --numeric-suffixes=100 -l 10 government_domains.txt
This gives you smaller files like x100, x101, etc., each holding 10 lines. Pick a chunk size that matches how much work you are willing to lose; for real runs a few hundred hosts per chunk is more practical than 10. If a disconnection occurs, simply resume from the last processed chunk.
Practice
Download IP Ranges
Get Oracle-hosted IP data from kaeferjaeger.gay.
Extracting .org Domains
Use the following script to extract .org domains from the IP list:
#!/bin/bash
# Extract registrable .org domains from a kaeferjaeger SNI list. Input lines look
# like "<ip>:<port> -- [host1 host2 ...]", which is what the " -- " separator and
# the bracket match below assume. Needs gawk (match() with a capture array).
ipfile_path=$1
# dedupe lines, keep the bracketed host list, put every host on its own line
# (not only the last one), keep .org names, reduce to the last two labels
# (naive: no public-suffix list), dedupe again
sort -u "$ipfile_path" | \
awk -F' -- ' 'match($2, /\[([^]]*)\]/, a) {print a[1]}' | \
tr ' ' '\n' | \
grep '\.org$' | \
awk -F'.' 'NF>1 {print $(NF-1) "." $NF}' | \
sort -u
Save the output:
$ ./extract.sh ips/oracle/ipv4_merged_sni.txt > ips/oracle/org/domains.txt
[… content truncated here for brevity in this snippet …]
What’s Next?
Running nuclei will provide a list of high and critical findings. However, this is only the beginning. It's crucial to validate them:
- Are they real or false positives?
- Are they actually exploitable?
In the next part of this series, we’ll dive into practical examples—analyzing vulnerabilities that are both easy to exploit and highly impactful, versus those that, while technically valid, are nearly impossible to weaponize in the real world.
Stay tuned.