You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long. 91e8cb4586
Fix: conn_bytelimit_test
4 months ago
.github Update CI 4 months ago
bin Fix synchronization for Monitor 3 years ago
cmd/zgrab2 Add support for importing the ZGrab2 main (#224) 4 years ago
docker-runner Go get module package dependencies. 5 years ago
integration_tests Fix panics in Modbus scanner (#265) 3 years ago
lib Attempt to appease go vet ./ 4 months ago
modules Attempt to appease go vet ./ 4 months ago
tools/keys sed name changes 5 years ago
zgrab2_schemas Add NativeOS, NTLM, and GroupName to SMBv1 results (#286) 2 years ago
.gitattributes Implements postgres zgrab2 module (#30) 5 years ago
.gitignore Fix various issues found when testing 4 months ago
LICENSE initial commit with readme and license 7 years ago
Makefile Add output unit tests; add output.Process to strip debug; make MySQL debug fields omitempty too; use processor to strip data in Process() 5 years ago Attempt to appease go vet ./ 4 months ago
config.go Remove source IP option (#356) 9 months ago
conn.go Fix: conn_bytelimit_test 4 months ago
conn_bytelimit_test.go Fix: conn_bytelimit_test 4 months ago
conn_timeout_test.go Attempt to appease go vet ./ 4 months ago
errors.go port POP3 5 years ago
fake_resolver.go Update header comment for fake_resolver.go 3 years ago
go.mod Fix various issues found when testing 4 months ago
go.sum Fix various issues found when testing 4 months ago
input.go Provides a framework for modularized target input and result output functions. 5 years ago
input_test.go end 5 years ago
module.go Add Description() to ScanModule (#248) 3 years ago
module_set.go Add ModuleSet object (#247) 3 years ago
monitor.go Fix synchronization for Monitor 3 years ago
multiple.go add option to stop scanning host after first successful protocol (#242) 3 years ago
output.go fix compilation error introduced by #244 merge 2 years ago
output_test.go Add shared FlagsToSet function in output.go (#62) 5 years ago
processing.go Extract the creation and Marshal of a Grab object (#256) 3 years ago
requirements.txt fix zcrypto_schemas egg name 5 years ago
scanner.go Scanner modules return the protocol ID, scan returns the protocol in the results. 5 years ago schemas.zgrab2 -> zgrab2_schemas 5 years ago
status.go add initial work 4 years ago
tls.go Attempt to appease go vet ./ 4 months ago
utility.go jarm: update jarm to not fail on handshake failure (#328) 1 year ago

ZGrab 2.0

Fork Changes

ZGrab is a fast, modular application-layer network scanner designed for completing large Internet-wide surveys. ZGrab is built to work with ZMap (ZMap identifies L4 responsive hosts, ZGrab performs in-depth, follow-up L7 handshakes). Unlike many other network scanners, ZGrab outputs detailed transcripts of network handshakes (e.g., all messages exchanged in a TLS handshake) for offline analysis.

ZGrab 2.0 contains a new, modular ZGrab framework, which fully supersedes


You will need to have a valid $GOPATH set up, for more information about $GOPATH, see

Once you have a working $GOPATH, run:

$ go get

This will install zgrab under $GOPATH/src/

$ cd $GOPATH/src/
$ make

Single Module Usage

ZGrab2 supports modules. For example, to run the ssh module use

./zgrab2 ssh

Module specific options must be included after the module. Application specific options can be specified at any time.

Input Format

Targets are specified with input files or from stdin, in CSV format. Each input line has three fields:


Each line must specify IP, DOMAIN, or both. If only DOMAIN is provided, scanners perform a DNS hostname lookup to determine the IP address. If both IP and DOMAIN are provided, scanners connect to IP but use DOMAIN in protocol-specific contexts, such as the HTTP HOST header and TLS SNI extension.

If the IP field contains a CIDR block, the framework will expand it to one target for each IP address in the block.

The TAG field is optional and used with the --trigger scanner argument.

Unused fields can be blank, and trailing unused fields can be omitted entirely. For backwards compatibility, the parser allows lines with only one field to contain DOMAIN.

These are examples of valid input lines:,,, tag, , tag
,, tag, , tag

Multiple Module Usage

To run a scan with multiple modules, a .ini file must be used with the multiple module. Below is an example .ini file with the corresponding zgrab2 command.


[Application Options]
./zgrab2 multiple -c multiple.ini

Application Options must be the initial section name. Other section names should correspond exactly to the relevant zgrab2 module name. The default name for each module is the command name. If the same module is to be used multiple times then name must be specified and unique.

Multiple module support is particularly powerful when combined with input tags and the --trigger scanner argument. For example, this input contains targets with two different tags:, , tagA,, tagB

Invoking zgrab2 with the following multiple configuration will perform an SSH grab on the first target above and an HTTP grab on the second target:



Adding New Protocols

Add module to modules/ that satisfies the following interfaces: Scanner, ScanModule, ScanFlags.

The flags struct must embed zgrab2.BaseFlags. In the modules init() function the following must be included.

func init() {
    var newModule NewModule
    _, err := zgrab2.AddCommand("module", "short description", "long description of module", portNumber, &newModule)
    if err != nil {

Output schema

To add a schema for the new module, add a module under schemas, and update schemas/ to ensure that it is loaded.

See zgrab2_schemas/ for details.

Integration tests

To add integration tests for the new module, run integration_tests/ [your_new_protocol_name]. This will add stub shell scripts in integration_tests/your_new_protocol_name; update these as needed. See integration_tests/mysql/* for an example. The only hard requirement is that the script drops its output in $ZGRAB_OUTPUT/[your-module]/*.json, so that it can be validated against the schema.

How to Run Integration Tests

To run integration tests, you must have Docker installed. Then, you can follow the following steps to run integration tests:

$ go get && go build
$ pip install --user zschema
$ make integration-test

Running the integration tests will generate quite a bit of debug output. To ensure that tests completed successfully, you can check for a successful exit code after the tests complete:

$ echo $?


ZGrab2.0 is licensed under Apache 2.0 and ISC. For more information, see the LICENSE file.