loading
loading
Recon
Fast Go application scanner.
overview
zgrab2-jarm is the JARM module of zgrab2. JARM is an active TLS fingerprint: the scanner sends a series of crafted TLS Client Hello packets to a host and hashes how the server responds. Servers running the same software and configuration produce the same JARM hash, so the fingerprint becomes a way to cluster, identify, and triage TLS services at scale.
That clustering is the point. A JARM hash can flag servers that share a stack, surface infrastructure that looks like a known malware C2 profile, or group an estate by configuration so outliers stand out. Because it is active and connection-based, it works against any TLS service regardless of certificate, and it runs across a host list with the same goroutine-driven throughput as the rest of zgrab2.
On Trickest, zgrab2-jarm is a Recon node that reads a list of hosts and writes a file and a folder of JSON results. Run it after a port scan finds TLS services so each one gets a JARM hash, then group or compare those hashes downstream to map infrastructure and spot anomalies.
source github.com/zmap/zgrab2
use cases
Compute a JARM hash for every host in a list so servers sharing the same TLS stack and configuration collapse into identifiable clusters.
Group hosts by JARM hash to see which services run the same setup, making misconfigured or outlier servers easy to spot.
Compare collected hashes to a list of known JARM signatures to flag infrastructure that matches a particular software stack or threat profile.
Feed open TLS ports from a scanner into zgrab2-jarm so each one gets a fingerprint, turning open ports into a configuration map.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| input-file | FILE | · | Input file of hosts to fingerprint. |
| port | STRING | --port | Port to grab on; set 443 for HTTPS (default 80). |
| senders | STRING | --senders | Number of send goroutines to use (default 1000). |
| timeout | STRING | --timeout | Set connection timeout, 0 for none (default 10s). |
| max-tries | STRING | --max-tries | Tries for timeouts and connection errors before giving up (default 1). |
| connections-per-host | STRING | --connections-per-host | Number of times to connect to each host (default 1). |
| trigger | STRING | --trigger | Invoke only on targets carrying the specified tag. |
| read-limit-per-host | STRING | --read-limit-per-host | Maximum total kilobytes to read for a single host (default 96). |
Showing key inputs. zgrab2-jarm exposes 15 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| name | STRING | --name | Name for this scan module; becomes the key for its results in the JSON output. |
| port | STRING | --port | Port to grab on; set 443 for HTTPS (default 80). |
| debug | BOOLEAN | --debug | Include debug fields in the output. |
| flush | BOOLEAN | --flush | Flush after each line of output. |
| input | STRING | · | Input target passed to the node. |
| senders | STRING | --senders | Number of send goroutines to use (default 1000). |
| timeout | STRING | --timeout | Set connection timeout, 0 for no timeout (default 10s). |
| trigger | STRING | --trigger | Invoke only on targets carrying the specified tag. |
| maxbytes | STRING | --maxbytes | Maximum byte read limit per scan (0 uses defaults). |
| max-tries | STRING | --max-tries | Number of tries for timeouts and connection errors before giving up (default 1). |
| gomaxprocs | STRING | --gomaxprocs | Set GOMAXPROCS, the maximum number of OS threads used (default 0). |
| input-file | FILE | · | Input file of hosts to fingerprint. |
| prometheus | STRING | --prometheus | Address for the Prometheus server (e.g. localhost:8080); empty disables it. |
| read-limit-per-host | STRING | --read-limit-per-host | Maximum total kilobytes to read for a single host (default 96). |
| connections-per-host | STRING | --connections-per-host | Number of times to connect to each host, producing more output (default 1). |
example
# JARM-fingerprint a list of TLS hosts on 443, three connections each for a stabler hashcat tls-hosts.txt | zgrab2 jarm --port 443 --senders 500 --timeout 10s --connections-per-host 3 > jarm.json{"ip":"198.51.100.10","domain":"api.example.com","data":{"jarm":{"status":"success","protocol":"jarm","result":{"fingerprint":"27d40d40d29d40d1dc42d43d00041d4689ee210389f4f6b4b5b1b93f92d1a3"},"timestamp":"2026-06-22T14:03:11Z"}}}{"ip":"198.51.100.11","domain":"app.example.com","data":{"jarm":{"status":"success","protocol":"jarm","result":{"fingerprint":"27d40d40d29d40d1dc42d43d00041d4689ee210389f4f6b4b5b1b93f92d1a3"},"timestamp":"2026-06-22T14:03:11Z"}}}{"ip":"203.0.113.5","data":{"jarm":{"status":"success","protocol":"jarm","result":{"fingerprint":"27d40d40d29d40d1dc42d43d00041d4689ee210389f4f6b4b5b1b93f92d1a3"},"timestamp":"2026-06-22T14:03:12Z"}}}{"ip":"198.51.100.23","domain":"staging.example.com","data":{"jarm":{"status":"success","protocol":"jarm","result":{"fingerprint":"29d29d00029d29d21c429d29d29d29da1b2c3d4e5f60718293a4b5c6d7e8f9"},"timestamp":"2026-06-22T14:03:12Z"}}}{"ip":"198.51.100.44","domain":"mail.example.com","data":{"jarm":{"status":"success","protocol":"jarm","result":{"fingerprint":"15d3fd16d29d29d00042d43d000000faa598d5b3c8e2f1a0b9c8d7e6f5a4b3"},"timestamp":"2026-06-22T14:03:13Z"}}}{"ip":"198.51.100.60","domain":"vpn.example.com","data":{"jarm":{"status":"success","protocol":"jarm","result":{"fingerprint":"00000000000000000000000000000000000000000000000000000000000000"},"timestamp":"2026-06-22T14:03:13Z"}}}{"ip":"203.0.113.19","data":{"jarm":{"status":"connection-timeout","protocol":"jarm","timestamp":"2026-06-22T14:03:23Z"}}}guidance
Use zgrab2-jarm to fingerprint and cluster TLS services by configuration across many hosts. For full certificate and handshake detail rather than a single hash, use zgrab2-tls. For deep cipher and protocol auditing of one host, use sslyze.
Grabs the full TLS handshake and certificate. Use it when you need detail, not a single hash.
Fast TLS data toolkit that also computes JARM. A close alternative with more output options.
Deep TLS configuration analyzer for one host. Use it to audit, not to cluster at scale.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A CIDR range feeds zmap, which finds open TLS ports and passes them to zgrab2-jarm so each service's JARM fingerprint lands as a queryable output.
Facts on this page come from the live Trickest tool library.