loading
loading
Recon
Fast Go application scanner, parsed to print out title, status, and content length.
overview
zgrab2-http-simple wraps zgrab2 HTTP scanning with a simpler parsed view: title, status, and content length instead of the full raw banner object.
It keeps the scan-scale sender model while making output easier to diff and feed into spreadsheets or quick filters.
Choose it when you want zgrab2 reach with a compact summary line per host.
source github.com/zmap/zgrab2
use cases
Grab a large host list and read back just the page title, status code, and content length, so you can spot interesting services without parsing full responses.
Feed open web ports from a scan into the simple grabber to summarize each one, then send only the promising hosts to a deeper tool.
Re-run the parsed grab on a schedule and compare titles and status codes to catch new pages, redirects, or services that changed.
Set the endpoint and method to request a particular path across every host and read back its title, status, and size in one compact pass.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| sct | BOOLEAN | --sct | Request Signed Certificate Timestamps during TLS Handshake |
| port | STRING | --port | Specify port to grab on (default: 80) |
| time | STRING | --time | Explicit request time to use, instead of clock. YYYYMMDDhhmmss format. |
| debug | BOOLEAN | --debug | Include debug fields in the output. |
| flush | BOOLEAN | --flush | Flush after each line of output. |
| method | STRING | --method | Set HTTP request method type (default: GET) |
| no-sni | BOOLEAN | --no-sni | Do not send domain name in TLS Handshake regardless of whether known |
Showing key inputs. zgrab2-http-simple exposes 53 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| sct | BOOLEAN | --sct | Request Signed Certificate Timestamps during TLS Handshake |
| port | STRING | --port | Specify port to grab on (default: 80) |
| time | STRING | --time | Explicit request time to use, instead of clock. YYYYMMDDhhmmss format. |
| debug | BOOLEAN | --debug | Include debug fields in the output. |
| flush | BOOLEAN | --flush | Flush after each line of output. |
| input | STRING | · | Input target |
| method | STRING | --method | Set HTTP request method type (default: GET) |
| no-sni | BOOLEAN | --no-sni | Do not send domain name in TLS Handshake regardless of whether known |
| senders | STRING | --senders | Number of send goroutines to use (default: 1000) |
| timeout | STRING | --timeout | Set connection timeout (0 = no timeout) (default: 10s) |
| trigger | STRING | --trigger | Invoke only on targets with specified tag |
| endpoint | STRING | --endpoint | Send an HTTP request to an endpoint (default: /) |
| max-size | STRING | --max-size | Max kilobytes to read in response to an HTTP request (default: 256) |
| maxbytes | STRING | --maxbytes | Maximum byte read limit per scan (0 = defaults) |
| no-ecdhe | BOOLEAN | --no-ecdhe | Do not allow ECDHE handshakes |
| root-cas | FILE | --root-cas | Set of certificates to use when verifying server certificates |
| use-https | BOOLEAN | --use-https | Perform an HTTPS connection on the initial host |
| gomaxprocs | STRING | --gomaxprocs | Set GOMAXPROCS (default: 0) |
| heartbleed | BOOLEAN | --heartbleed | Check if server is vulnerable to Heartbleed |
| input-file | FILE | · | Input file |
| prometheus | STRING | --prometheus | Address to use for Prometheus server (e.g. localhost:8080). If empty, Prometheus is disabled |
| user-agent | STRING | --user-agent | Set a custom user agent (default: Mozilla/5.0 zgrab/0.x) |
| dsa-enabled | BOOLEAN | --dsa-enabled | Accept server DSA keys |
| max-version | STRING | --max-version | The maximum SSL/TLS version that is acceptable. 0 means use the highest supported value. |
| min-version | STRING | --min-version | The minimum SSL/TLS version that is acceptable. 0 means that SSLv3 is the minimum. |
| next-protos | FILE | --next-protos | A list of supported application-level protocols |
| retry-https | BOOLEAN | --retry-https | If the initial request fails, reconnect and try with HTTPS. |
| server-name | STRING | --server-name | Server name used for certificate verification and (optionally) SNI |
| certificates | FILE | --certificates | Set of certificates to present to the server |
| cipher-suite | STRING | --cipher-suite | A comma-delimited list of hex cipher suites to advertise. |
| client-hello | STRING | --client-hello | Set an explicit ClientHello (base64 encoded) |
| client-random | STRING | --client-random | Set an explicit Client Random (base64 encoded) |
| max-redirects | STRING | --max-redirects | Max number of redirects to follow (default: 0) |
| session-ticket | BOOLEAN | --session-ticket | Send support for TLS Session Tickets and output ticket if presented |
| with-body-size | BOOLEAN | --with-body-size | Enable the body_size attribute, for how many bytes actually read |
| certificate-map | FILE | --certificate-map | A file mapping server names to certificates |
| extended-random | BOOLEAN | --extended-random | Send TLS Extended Random Extension |
| keep-client-logs | BOOLEAN | --keep-client-logs | Include the client-side logs in the TLS handshake |
| curve-preferences | STRING | --curve-preferences | A list of elliptic curves used in an ECDHE handshake, in order of preference. |
| heartbeat-enabled | BOOLEAN | --heartbeat-enabled | If set, include the heartbeat extension |
| override-sig-hash | BOOLEAN | --override-sig-hash | Override the default SignatureAndHashes TLS option with more expansive default |
| redirects-succeed | BOOLEAN | --redirects-succeed | Redirects are always a success, even if max-redirects is exceeded |
| fail-http-to-https | BOOLEAN | --fail-http-to-https | Trigger retry-https logic on known HTTP/400 protocol mismatch responses |
| read-limit-per-host | STRING | --read-limit-per-host | Maximum total kilobytes to read for a single host (default 96kb) (default: 96) |
| connections-per-host | STRING | --connections-per-host | Number of times to connect to each host (results in more output) (default: 1) |
| custom-headers-names | FILE | --custom-headers-names | CSV of custom HTTP headers to send to server |
| signature-algorithms | STRING | --signature-algorithms | Signature and hash algorithms that are acceptable |
| custom-headers-values | FILE | --custom-headers-values | CSV of custom HTTP header values to send to server. Should match order of custom-headers-names |
| extended-master-secret | BOOLEAN | --extended-master-secret | Offer RFC 7627 Extended Master Secret extension |
| custom-headers-delimiter | STRING | --custom-headers-delimiter | Delimiter for customer header name/value CSVs |
| verify-server-certificate | BOOLEAN | --verify-server-certificate | ail if the server certificate does not match the server-name, or does not chain to a trusted root. |
| follow-localhost-redirects | BOOLEAN | --follow-localhost-redirects | Follow HTTP redirects to localhost |
| compute-decoded-body-hash-algorithm | STRING | --compute-decoded-body-hash-algorithm | Choose algorithm for BodyHash field (sha256 or sha1) |
example
# zgrab2-http-simple: summarize HTTP title/status/lengthecho 198.51.100.10 | zgrab2 http --port 443 --method GET --senders 20198.51.100.10 status=200 title=Example length=15440203.0.113.5 status=301 title= length=0192.0.2.8 status=200 title=API length=812198.51.100.44 status=403 title=Forbidden length=548203.0.113.90 status=200 title=Dev Portal length=2201guidance
Use zgrab2-http-simple when you want a compact title, status, and content-length summary across many hosts rather than full HTTP records. For the complete grab with headers, body, and TLS detail, use zgrab2-http. For richer prober output, use httpx.
The full grab with headers, body, and TLS handshake. Use it when you need everything.
Fast HTTP prober with tech detection and JSONL. More signal, still readable at scale.
Minimal liveness check. Even lighter, but it returns far less than a parsed grab.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
Hosts feed naabu, which finds open web ports and passes them to zgrab2-http-simple so a title-and-status summary lands as a queryable output.
Facts on this page come from the live Trickest tool library.