loading
loading
Recon
Fast Go application scanner.
overview
zgrab2-tls is the TLS module of zgrab2. Pointed at a host or a list of hosts, it completes a TLS handshake and records what it learns: the server certificate and chain, the negotiated protocol version and cipher suite, and handshake extensions. That gives you a structured certificate and configuration inventory across a wide set of TLS services in one fast pass.
The flags let you steer the handshake. You can set the port, pin minimum and maximum TLS versions, advertise a specific cipher list or curve preferences, present client certificates, control SNI with --server-name and --no-sni, and request Signed Certificate Timestamps. It can also flag Heartbleed during the handshake and verify the server certificate against a trusted root.
Run it after a port scan finds TLS services so each one is grabbed, then mine the output for expiring certificates, weak protocol versions, or certificate-to-host relationships. On Trickest it is a Recon node that reads a list of hosts and writes a file and a folder of JSON results.
source github.com/zmap/zgrab2
use cases
Grab the TLS handshake for every host in a list and capture the certificate and chain as JSON, building a structured certificate inventory across the estate.
Pin min and max versions and advertise cipher lists to test which hosts negotiate outdated TLS or weak ciphers worth flagging for remediation.
Pull subject and SAN data from the grabbed certificates to relate hosts that share a certificate, exposing related infrastructure.
Feed open TLS ports from a scanner into zgrab2-tls so each one gets a full handshake grab instead of a guess about what is listening.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| input-file | FILE | · | Input file of hosts to grab. |
| port | STRING | --port | Port to grab on (default 80). |
| server-name | STRING | --server-name | Server name used for certificate verification and SNI. |
| min-version | STRING | --min-version | Minimum acceptable SSL/TLS version. |
| max-version | STRING | --max-version | Maximum acceptable SSL/TLS version. |
| cipher-suite | STRING | --cipher-suite | Comma-delimited list of hex cipher suites to advertise. |
| verify-server-certificate | BOOLEAN | --verify-server-certificate | Fail if the certificate does not match the server name or chain to a trusted root. |
| heartbleed | BOOLEAN | --heartbleed | Check if the server is vulnerable to Heartbleed. |
Showing key inputs. zgrab2-tls exposes 37 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| sct | BOOLEAN | --sct | Request Signed Certificate Timestamps during TLS Handshake |
| port | STRING | --port | Specify port to grab on (default: 80) |
| time | STRING | --time | Explicit request time to use, instead of clock. YYYYMMDDhhmmss format. |
| debug | BOOLEAN | --debug | Include debug fields in the output. |
| flush | BOOLEAN | --flush | Flush after each line of output. |
| input | STRING | · | Input target |
| no-sni | BOOLEAN | --no-sni | Do not send domain name in TLS Handshake regardless of whether known |
| senders | STRING | --senders | Number of send goroutines to use (default: 1000) |
| timeout | STRING | --timeout | Set connection timeout (0 = no timeout) (default: 10s) |
| trigger | STRING | --trigger | Invoke only on targets with specified tag |
| maxbytes | STRING | --maxbytes | Maximum byte read limit per scan (0 = defaults) |
| no-ecdhe | BOOLEAN | --no-ecdhe | Do not allow ECDHE handshakes |
| root-cas | FILE | --root-cas | Set of certificates to use when verifying server certificates |
| gomaxprocs | STRING | --gomaxprocs | Set GOMAXPROCS (default: 0) |
| heartbleed | BOOLEAN | --heartbleed | Check if server is vulnerable to Heartbleed |
| input-file | FILE | · | Input file |
| prometheus | STRING | --prometheus | Address to use for Prometheus server (e.g. localhost:8080). If empty, Prometheus is disabled |
| dsa-enabled | BOOLEAN | --dsa-enabled | Accept server DSA keys |
| max-version | STRING | --max-version | The maximum SSL/TLS version that is acceptable. 0 means use the highest supported value. |
| min-version | STRING | --min-version | The minimum SSL/TLS version that is acceptable. 0 means that SSLv3 is the minimum. |
| next-protos | FILE | --next-protos | A list of supported application-level protocols |
| server-name | STRING | --server-name | Server name used for certificate verification and (optionally) SNI |
| certificates | FILE | --certificates | Set of certificates to present to the server |
| cipher-suite | STRING | --cipher-suite | A comma-delimited list of hex cipher suites to advertise. |
| client-hello | STRING | --client-hello | Set an explicit ClientHello (base64 encoded) |
| client-random | STRING | --client-random | Set an explicit Client Random (base64 encoded) |
| session-ticket | BOOLEAN | --session-ticket | Send support for TLS Session Tickets and output ticket if presented |
| certificate-map | FILE | --certificate-map | A file mapping server names to certificates |
| extended-random | BOOLEAN | --extended-random | Send TLS Extended Random Extension |
| keep-client-logs | BOOLEAN | --keep-client-logs | Include the client-side logs in the TLS handshake |
| curve-preferences | STRING | --curve-preferences | A list of elliptic curves used in an ECDHE handshake, in order of preference. |
| heartbeat-enabled | BOOLEAN | --heartbeat-enabled | If set, include the heartbeat extension |
| read-limit-per-host | STRING | --read-limit-per-host | Maximum total kilobytes to read for a single host (default 96kb) (default: 96) |
| connections-per-host | STRING | --connections-per-host | Number of times to connect to each host (results in more output) (default: 1) |
| signature-algorithms | STRING | --signature-algorithms | Signature and hash algorithms that are acceptable |
| extended-master-secret | BOOLEAN | --extended-master-secret | Offer RFC 7627 Extended Master Secret extension |
| verify-server-certificate | BOOLEAN | --verify-server-certificate | ail if the server certificate does not match the server-name, or does not chain to a trusted root. |
example
# TLS grab on 443 for a host list, limit senderszgrab2 tls --port 443 --input-file hosts.txt --senders 200 --timeout 10s --output-file tls.json{"ip":"198.51.100.10","data":{"tls":{"status":"success","result":{"handshake_log":{"server_certificates":{"certificate":{"parsed":{"subject_dn":"CN=www.example.com","issuer_dn":"CN=Example CA"}}},"server_hello":{"version":771,"cipher_suite":{"id":4865,"name":"TLS_AES_128_GCM_SHA256"}}}}}}{"ip":"198.51.100.22","data":{"tls":{"status":"success","result":{"handshake_log":{"server_hello":{"version":771}}}}}}{"ip":"203.0.113.40","data":{"tls":{"status":"success","result":{"handshake_log":{"server_certificates":{"certificate":{"parsed":{"subject_dn":"CN=api.example.com"}}}}}}}}{"ip":"203.0.113.55","data":{"tls":{"status":"connection-timeout"}}}{"ip":"198.51.100.90","data":{"tls":{"status":"success","result":{"handshake_log":{"server_hello":{"version":770}}}}}}{"ip":"203.0.113.100","data":{"tls":{"status":"success","result":{"handshake_log":{"server_hello":{"cipher_suite":{"name":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}}}}}}guidance
Use zgrab2-tls to grab certificates and handshake detail across many hosts after a port scan finds TLS services. For a single clustering hash instead of full detail, use zgrab2-jarm. For deep configuration auditing of one host, use sslyze.
Produces one JARM hash per host for clustering. Use it to group, not to inspect certificates.
Fast TLS data toolkit with rich output options. A close alternative for certificate and TLS data.
Deep TLS configuration analyzer for one host. Use it to audit ciphers and protocols thoroughly.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A CIDR range feeds zmap, which finds open TLS ports and passes them to zgrab2-tls so each service's handshake and certificate land as a queryable output.
Facts on this page come from the live Trickest tool library.