loading
loading
Recon
Fast and configurable TLS grabber focused on TLS-based data collection.
overview
tlsx is a fast TLS grabber from ProjectDiscovery that connects to hosts and records certificate fields, negotiated versions, ciphers, and optional JARM or JA3 fingerprints. Feed it a host or a list and it returns structured TLS metadata suited to both posture checks and further recon.
SAN and common-name extraction turn certificates into a subdomain source: -san and -cn surface names that passive DNS may have missed. JSON output keeps every probe as a record for filtering expired, self-signed, or mismatched certs downstream.
On Trickest the Recon node accepts hosts or a list file and writes a file and a folder of TLS data. Pair it with httpx for HTTP context, or feed SAN names back into subdomain workflows.
use cases
Enable -san on a live host list so Subject Alternative Names expand the attack surface inventory.
Add -jarm to group hosts by TLS implementation and spot outliers that share the same stack.
Point -list and -port at many hosts so certificate and version data land in one JSONL stream.
Use -expired or -self-signed filters to highlight hosts with weak or neglected TLS posture.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| host | STRING | -host | Target host or hosts to scan, comma-separated. |
| list | FILE | -list | File of targets to scan. |
| port | STRING | -port | Target port to connect (default 443). |
| subject-alternative-names | BOOLEAN | -san | Display subject alternative names from certificates. |
| jarm | BOOLEAN | -jarm | Display JARM fingerprint hash. |
| json | BOOLEAN | -json | Write output in JSON format. |
| silent | BOOLEAN | -silent | Display silent output. |
| concurrency | STRING | -concurrency | Number of concurrent threads (default 300). |
Showing key inputs. tlsx exposes 53 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| dns | BOOLEAN | -dns | display unique hostname from SSL certificate response |
| ja3 | BOOLEAN | -ja3 | display ja3 fingerprint hash (using ztls) |
| sni | STRING | -sni | tls sni hostname to use |
| hash | BOOLEAN | -hash | display certificate fingerprint hashes (md5,sha1,sha256) |
| host | STRING | -host | target host(s) to scan (comma-separated) |
| jarm | BOOLEAN | -jarm | display jarm fingerprint hash |
| json | BOOLEAN | -json | json format output |
| list | FILE | -list | target list to scan |
| port | STRING | -port | target port to connect (default 443) |
| delay | STRING | -delay | duration to wait between each connection per thread (eg: 200ms, 1s) |
| retry | STRING | -retry | number of retries to perform for failures (default 3) |
| cacert | FILE | -cacert | client certificate authority file |
| cipher | BOOLEAN | -cipher | display used cipher |
| config | FILE | -config | tlsx configuration file |
| serial | BOOLEAN | -serial | display certificate serial number |
| silent | BOOLEAN | -silent | display silent output |
| expired | BOOLEAN | -expired | display validity status of certificate |
| revoked | BOOLEAN | -revoked | display host with revoked certificate |
| timeout | STRING | -timeout | tls connection timeout in seconds (default 5) |
| verbose | BOOLEAN | -verbose | display verbose output |
| hardfail | BOOLEAN | -hardfail | strategy to use if encountered errors while checking revocation status |
| resolvers | FILE | -resolvers | list of resolvers to use |
| resp-only | BOOLEAN | -resp-only | display tls response only |
| scan-mode | STRING | -scan-mode | tls connection mode to use (ctls, ztls, openssl, auto) (default "auto") |
| tls-chain | BOOLEAN | -tls-chain | display tls chain in json output |
| untrusted | BOOLEAN | -untrusted | display host with untrusted certificate |
| ip-version | STRING | -ip-version | ip version to use (4, 6) (default 4) |
| mismatched | BOOLEAN | -mismatched | display host with mismatched certificate |
| random-sni | BOOLEAN | -random-sni | use random sni when empty |
| all-ciphers | BOOLEAN | -all-ciphers | send all ciphers as accepted inputs (default true) |
| certificate | BOOLEAN | -certificate | include certificates in json output (PEM format) |
| cipher-enum | BOOLEAN | -cipher-enum | enumerate and display supported cipher |
| cipher-type | STRING | -cipher-type | ciphers types to enumerate. possible values: all/secure/insecure/weak (comma-separated) (default all) |
| concurrency | STRING | -concurrency | number of concurrent threads to process (default 300) |
| max-version | STRING | -max-version | maximum tls version to accept (ssl30,tls10,tls11,tls12,tls13) |
| min-version | STRING | -min-version | minimum tls version to accept (ssl30,tls10,tls11,tls12,tls13) |
| self-signed | BOOLEAN | -self-signed | display status of self-signed certificate |
| tls-version | BOOLEAN | -tls-version | display used tls version |
| verify-cert | BOOLEAN | -verify-cert | enable verification of server certificate |
| cipher-input | STRING | -cipher-input | ciphers to use with tls connection |
| client-hello | BOOLEAN | -client-hello | include client hello in json output (ztls mode only) |
| common-names | BOOLEAN | -cn | display subject common names |
| health-check | BOOLEAN | -health-check | run diagnostic check up |
| probe-status | BOOLEAN | -probe-status | display tls probe status |
| scan-all-ips | BOOLEAN | -scan-all-ips | scan all ips for a host (default false) |
| server-hello | BOOLEAN | -server-hello | include server hello in json output (ztls mode only) |
| version-enum | BOOLEAN | -version-enum | enumerate and display supported tls versions |
| pre-handshake | BOOLEAN | -pre-handshake | enable pre-handshake tls connection (early termination) using ztls |
| wildcard-cert | BOOLEAN | -wildcard-cert | display host with wildcard ssl certificate |
| openssl-binary | FILE | -openssl-binary | OpenSSL Binary Path |
| cipher-concurrency | STRING | -cipher-concurrency | cipher enum concurrency for each target (default 10) |
| subject-alternative-names | BOOLEAN | -san | display subject alternative names |
| subject-organization-name | BOOLEAN | -so | display subject organization name |
example
# grab SANs and JARM from a host list as JSONLtlsx -list hosts.txt -san -jarm -json -silent -port 443example.com:443 [tls13] [CN=example.com] [SAN=example.com,www.example.com]api.example.com:443 [tls13] [CN=api.example.com]www.example.com:443 [tls12] [CN=www.example.com] [SAN=www.example.com,example.com]mail.example.com:443 [tls13] [CN=mail.example.com]staging.example.com:443 [tls12] [CN=*.example.com] [SAN=*.example.com,example.com]198.51.100.10:443 [tls13] [CN=example.com]203.0.113.25:443 [tls12] [CN=api.example.com]guidance
Use tlsx when you need TLS and certificate data fast, whether to assess posture or to mine SANs for more subdomains. It is a grabber, not a full SSL auditor, so for deep protocol-level vulnerability checks reach for sslscan or testssl alongside it.
Deep per-host SSL/TLS protocol and cipher audit. Slower and richer than tlsx, less suited to wide scopes.
General HTTP prober that also reports some TLS data. tlsx goes deeper on certificates and fingerprints.
Passive subdomain discovery. tlsx complements it by extracting more names from certificate SANs.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A host list feeds tlsx, which grabs certificate and TLS data from each one and writes the results, including SANs, as a queryable output.
Facts on this page come from the live Trickest tool library.