loading
loading
Recon
Fast Go application scanner.
overview
zgrab2-multiple runs several zgrab2 protocol modules against the same hosts in a single pass, driven by a config file. Instead of running an HTTP grab, then a TLS grab, then another protocol separately, you describe the modules and their settings once and let zgrab2 execute them in sequence per host. That keeps a multi-protocol survey to one job and one output.
The config file is where the work lives: it lists each protocol module to run and its options. Two flags control the flow across modules. Break-on-success stops running later protocols once one succeeds, useful when you only need the first thing that answers, and continue-on-error keeps going past a failed protocol so one bad module does not abort the rest of the chain.
On Trickest, zgrab2-multiple is a Recon node that reads a host list plus a config file and writes a file and a folder of JSON results. Reach for it when a single protocol grab is not enough and you want HTTP, TLS, and other modules collected together for each host in one structured run.
source github.com/zmap/zgrab2
use cases
Define multiple zgrab2 modules in a config file so each host is probed for HTTP, TLS, and more in a single pass with one combined output.
Enable break-on-success so later modules are skipped once one succeeds, which is handy when you only need to know what a host speaks first.
Point one job at hosts running different services and collect a per-host record across every configured protocol instead of running separate scans.
Use continue-on-error so a single failing protocol does not abort the chain, letting the remaining modules still produce results for each host.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| input-file | FILE | · | Input file of hosts to scan. |
| config-file | FILE | --config-file | Config file listing each protocol module and its options. |
| break-on-success | BOOLEAN | --break-on-success | Skip later protocols once one succeeds (default false). |
| continue-on-error | BOOLEAN | --continue-on-error | Keep running later protocols after one errors (default true). |
| senders | STRING | --senders | Number of send goroutines, which sets scan concurrency (default 1000). |
| connections-per-host | STRING | --connections-per-host | Times to connect to each host for more output (default 1). |
| read-limit-per-host | STRING | --read-limit-per-host | Cap on kilobytes read per host (default 96). |
| debug | BOOLEAN | --debug | Include debug fields in each result. |
Showing key inputs. zgrab2-multiple exposes 12 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| debug | BOOLEAN | --debug | Include debug fields in the output. |
| flush | BOOLEAN | --flush | Flush after each line of output. |
| input | STRING | · | Input target to scan, passed inline. |
| senders | STRING | --senders | Number of send goroutines to use (default 1000). |
| gomaxprocs | STRING | --gomaxprocs | Set GOMAXPROCS (default 0). |
| input-file | FILE | · | Input file of hosts to scan. |
| prometheus | STRING | --prometheus | Address for the Prometheus server (e.g. localhost:8080). If empty, Prometheus is disabled. |
| config-file | FILE | --config-file | Config file listing each protocol module and its options. |
| break-on-success | BOOLEAN | --break-on-success | If a protocol succeeds, do not run following protocols (default false). |
| continue-on-error | BOOLEAN | --continue-on-error | If a protocol errors, do not run following protocols (default true). |
| read-limit-per-host | STRING | --read-limit-per-host | Maximum total kilobytes to read for a single host (default 96). |
| connections-per-host | STRING | --connections-per-host | Number of times to connect to each host, which produces more output (default 1). |
example
# grab HTTP and TLS on each host, keep going past module errorszgrab2 multiple --config-file multiple.ini --input-file targets.txt --senders 500 --continue-on-error --output-file results.json{"domain":"web-01.example.com","ip":"198.51.100.10","data":{"http":{"status":"success","protocol":"http","result":{"response":{"status_code":200,"headers":{"server":["nginx/1.24.0"]}}}},"tls":{"status":"success","protocol":"tls","result":{"handshake_log":{"server_certificates":{"certificate":{"parsed":{"subject":{"common_name":["example.com"]}}}}}}}}}{"domain":"api.example.com","ip":"198.51.100.11","data":{"http":{"status":"success","protocol":"http","result":{"response":{"status_code":301,"headers":{"location":["https://api.example.com/"]}}}},"tls":{"status":"success","protocol":"tls","result":{"handshake_log":{"server_hello":{"version":{"name":"TLSv1.3"}}}}}}}{"domain":"mail.example.com","ip":"198.51.100.12","data":{"http":{"status":"connection-refused","protocol":"http","error":"dial tcp 198.51.100.12:80: connect: connection refused"},"tls":{"status":"success","protocol":"tls","result":{"handshake_log":{"server_hello":{"cipher_suite":{"name":"TLS_AES_128_GCM_SHA256"}}}}}}}{"domain":"vpn.example.com","ip":"203.0.113.24","data":{"http":{"status":"success","protocol":"http","result":{"response":{"status_code":403,"headers":{"server":["Apache/2.4.58"]}}}},"tls":{"status":"success","protocol":"tls","result":{"handshake_log":{"server_certificates":{"certificate":{"parsed":{"issuer":{"common_name":["R11"]}}}}}}}}}{"domain":"staging.example.com","ip":"203.0.113.25","data":{"http":{"status":"success","protocol":"http","result":{"response":{"status_code":200,"headers":{"server":["gunicorn"]}}}},"tls":{"status":"io-timeout","protocol":"tls","error":"read tcp 203.0.113.25:443: i/o timeout"}}}{"domain":"cache.example.com","ip":"203.0.113.26","data":{"http":{"status":"success","protocol":"http","result":{"response":{"status_code":200,"headers":{"server":["Varnish"]}}}},"tls":{"status":"success","protocol":"tls","result":{"handshake_log":{"server_hello":{"version":{"name":"TLSv1.2"}}}}}}}guidance
Use zgrab2-multiple when one host list needs several protocol grabs collected together in a single pass. For a single protocol, use the focused module: zgrab2-http for web, zgrab2-tls for TLS, or zgrab2-jarm for fingerprints.
Grabs only HTTP. Simpler when you need one protocol rather than a configured set.
Grabs only the TLS handshake. Use it when TLS is the single protocol you care about.
Identifies the service behind open ports across many protocols. A lighter multi-protocol option.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A host list and a config feed zgrab2-multiple, which runs every configured protocol per host and writes the combined results as a queryable output.
Facts on this page come from the live Trickest tool library.