loading
loading
Recon
Fast Go application scanner.
overview
zgrab2-http uses the zmap family's zgrab2 HTTP module to speak application-layer HTTP against large IP or host sets and record structured responses.
Sender concurrency, method, SNI controls, and timeouts are built for internet-scale banner grabbing rather than single-host debugging.
Pair it with zmap or an IP list when you need HTTP fingerprints across a netblock instead of a browser-grade crawler.
source github.com/zmap/zgrab2
use cases
Send a request to every host in a list and capture the status, headers, and body as JSON, building a structured inventory of what each web service returns.
Feed open web ports from a scanner into zgrab2-http so each one gets a full grab, turning open ports into identified HTTP services.
Use the HTTPS and TLS options to record certificate data, cipher suites, and handshake details alongside the HTTP response in one pass.
Set the method, endpoint, and custom headers to request a particular path or API route across the whole host list instead of just the root.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| sct | BOOLEAN | --sct | Request Signed Certificate Timestamps during TLS Handshake |
| port | STRING | --port | Specify port to grab on (default: 80) |
| time | STRING | --time | Explicit request time to use, instead of clock. YYYYMMDDhhmmss format. |
| debug | BOOLEAN | --debug | Include debug fields in the output. |
| flush | BOOLEAN | --flush | Flush after each line of output. |
| method | STRING | --method | Set HTTP request method type (default: GET) |
| no-sni | BOOLEAN | --no-sni | Do not send domain name in TLS Handshake regardless of whether known |
Showing key inputs. zgrab2-http exposes 53 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| sct | BOOLEAN | --sct | Request Signed Certificate Timestamps during TLS Handshake |
| port | STRING | --port | Specify port to grab on (default: 80) |
| time | STRING | --time | Explicit request time to use, instead of clock. YYYYMMDDhhmmss format. |
| debug | BOOLEAN | --debug | Include debug fields in the output. |
| flush | BOOLEAN | --flush | Flush after each line of output. |
| input | STRING | · | Input target |
| method | STRING | --method | Set HTTP request method type (default: GET) |
| no-sni | BOOLEAN | --no-sni | Do not send domain name in TLS Handshake regardless of whether known |
| senders | STRING | --senders | Number of send goroutines to use (default: 1000) |
| timeout | STRING | --timeout | Set connection timeout (0 = no timeout) (default: 10s) |
| trigger | STRING | --trigger | Invoke only on targets with specified tag |
| endpoint | STRING | --endpoint | Send an HTTP request to an endpoint (default: /) |
| max-size | STRING | --max-size | Max kilobytes to read in response to an HTTP request (default: 256) |
| maxbytes | STRING | --maxbytes | Maximum byte read limit per scan (0 = defaults) |
| no-ecdhe | BOOLEAN | --no-ecdhe | Do not allow ECDHE handshakes |
| root-cas | FILE | --root-cas | Set of certificates to use when verifying server certificates |
| use-https | BOOLEAN | --use-https | Perform an HTTPS connection on the initial host |
| gomaxprocs | STRING | --gomaxprocs | Set GOMAXPROCS (default: 0) |
| heartbleed | BOOLEAN | --heartbleed | Check if server is vulnerable to Heartbleed |
| input-file | FILE | · | Input file |
| prometheus | STRING | --prometheus | Address to use for Prometheus server (e.g. localhost:8080). If empty, Prometheus is disabled |
| user-agent | STRING | --user-agent | Set a custom user agent (default: Mozilla/5.0 zgrab/0.x) |
| dsa-enabled | BOOLEAN | --dsa-enabled | Accept server DSA keys |
| max-version | STRING | --max-version | The maximum SSL/TLS version that is acceptable. 0 means use the highest supported value. |
| min-version | STRING | --min-version | The minimum SSL/TLS version that is acceptable. 0 means that SSLv3 is the minimum. |
| next-protos | FILE | --next-protos | A list of supported application-level protocols |
| retry-https | BOOLEAN | --retry-https | If the initial request fails, reconnect and try with HTTPS. |
| server-name | STRING | --server-name | Server name used for certificate verification and (optionally) SNI |
| certificates | FILE | --certificates | Set of certificates to present to the server |
| cipher-suite | STRING | --cipher-suite | A comma-delimited list of hex cipher suites to advertise. |
| client-hello | STRING | --client-hello | Set an explicit ClientHello (base64 encoded) |
| client-random | STRING | --client-random | Set an explicit Client Random (base64 encoded) |
| max-redirects | STRING | --max-redirects | Max number of redirects to follow (default: 0) |
| session-ticket | BOOLEAN | --session-ticket | Send support for TLS Session Tickets and output ticket if presented |
| with-body-size | BOOLEAN | --with-body-size | Enable the body_size attribute, for how many bytes actually read |
| certificate-map | FILE | --certificate-map | A file mapping server names to certificates |
| extended-random | BOOLEAN | --extended-random | Send TLS Extended Random Extension |
| keep-client-logs | BOOLEAN | --keep-client-logs | Include the client-side logs in the TLS handshake |
| curve-preferences | STRING | --curve-preferences | A list of elliptic curves used in an ECDHE handshake, in order of preference. |
| heartbeat-enabled | BOOLEAN | --heartbeat-enabled | If set, include the heartbeat extension |
| override-sig-hash | BOOLEAN | --override-sig-hash | Override the default SignatureAndHashes TLS option with more expansive default |
| redirects-succeed | BOOLEAN | --redirects-succeed | Redirects are always a success, even if max-redirects is exceeded |
| fail-http-to-https | BOOLEAN | --fail-http-to-https | Trigger retry-https logic on known HTTP/400 protocol mismatch responses |
| read-limit-per-host | STRING | --read-limit-per-host | Maximum total kilobytes to read for a single host (default 96kb) (default: 96) |
| connections-per-host | STRING | --connections-per-host | Number of times to connect to each host (results in more output) (default: 1) |
| custom-headers-names | FILE | --custom-headers-names | CSV of custom HTTP headers to send to server |
| signature-algorithms | STRING | --signature-algorithms | Signature and hash algorithms that are acceptable |
| custom-headers-values | FILE | --custom-headers-values | CSV of custom HTTP header values to send to server. Should match order of custom-headers-names |
| extended-master-secret | BOOLEAN | --extended-master-secret | Offer RFC 7627 Extended Master Secret extension |
| custom-headers-delimiter | STRING | --custom-headers-delimiter | Delimiter for customer header name/value CSVs |
| verify-server-certificate | BOOLEAN | --verify-server-certificate | ail if the server certificate does not match the server-name, or does not chain to a trusted root. |
| follow-localhost-redirects | BOOLEAN | --follow-localhost-redirects | Follow HTTP redirects to localhost |
| compute-decoded-body-hash-algorithm | STRING | --compute-decoded-body-hash-algorithm | Choose algorithm for BodyHash field (sha256 or sha1) |
example
# zgrab2-http: HTTP GET banner grab on port 443echo 198.51.100.10 | zgrab2 http --port 443 --method GET --senders 50{"ip":"198.51.100.10","data":{"http":{"status_code":200,"headers":{"server":"nginx"}}}}{"ip":"203.0.113.5","data":{"http":{"status_code":301,"headers":{"server":"cloudflare"}}}}{"ip":"192.0.2.8","data":{"http":{"status_code":200,"headers":{"server":"Apache"}}}}{"ip":"198.51.100.44","data":{"http":{"status_code":403,"headers":{"server":"nginx"}}}}guidance
Use zgrab2-http to grab full HTTP banners across many hosts after a port scan finds open web ports. For a parsed, summarized view of title, status, and length, use zgrab2-http-simple. For richer prober output with tech detection, use httpx.
Same grab, parsed down to title, status, and content length. Use it when you want a summary.
Fast HTTP prober with tech detection and JSONL. More signal per request for recon.
Grabs only the TLS handshake. Use it when you care about certificates, not HTTP content.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A CIDR range feeds zmap, which finds open web ports and passes them to zgrab2-http so each service's HTTP banner lands as a queryable output.
Facts on this page come from the live Trickest tool library.