A Banner Grabber, in Go
You will need to have a valid $GOPATH set up. For more information about $GOPATH, see https://golang.org/doc/code.html. You will also need Go version 1.8 or later (required for Dep), which you can download at https://golang.org/dl/.
Once you have a working $GOPATH, run:
go get -d github.com/eniac/zgrab
This will install zgrab under $GOPATH/src/github.com/eniac/zgrab without trying to build yet (we still need to resolve some dependencies). Next, run:
go get -u github.com/golang/dep/cmd/dep
This will install dep, a Go dependency manager, into $GOPATH/bin/dep. Dep requires at least Go version 1.8. Then:
$ cd $GOPATH/src/github.com/eniac/zgrab
$ $GOPATH/bin/dep ensure
$ go build
(Optional): If you need to make short-term changes to a package in zgrab or zcrypto, run the following:
rm -r vendor/github.com/zmap/zgrab vendor/github.com/zmap/zcrypto
go get -d github.com/eniac/zgrab github.com/eniac/zcrypto
rm -rf $GOPATH/src/github.com/zmap/zgrab $GOPATH/src/github.com/zmap/zcrypto
ln -s $GOPATH/src/github.com/eniac/zgrab $GOPATH/src/github.com/zmap/zgrab
ln -s $GOPATH/src/github.com/eniac/zcrypto $GOPATH/src/github.com/zmap/zcrypto
Running dep ensure again will re-create the dependencies in the vendor directory, so do not run it again until you are finished.
Usage of ./zgrab:
-bacnet
Send some BACNet data
-banners
Read banner upon connection creation
-ca-file string
List of trusted root certificate authorities in PEM format
-chrome-ciphers
Send Chrome Ordered Cipher Suites
-chrome-no-dhe-ciphers
Send chrome ciphers minus DHE suites
-connections-per-host uint
Number of times to connect to each host (results in more output) (default 1)
-data string
Send a message and read response (%s will be replaced with destination IP)
-dhe-ciphers
Send only DHE ciphers (not ECDHE)
-dnp3
Read DNP3 banners
-ecdhe-ciphers
Send only ECDHE ciphers (not DHE)
-ehlo string
Send an EHLO with the specified domain (implies --smtp)
-export-ciphers
Send only export ciphers
-export-dhe-ciphers
Send only export DHE ciphers
-firefox-ciphers
Send Firefox Ordered Cipher Suites
-follow-localhost-redirects
Follow HTTP redirects to localhost (default true)
-fox
Send some Niagara Fox Tunneling data
-ftp
Read FTP banners
-ftp-authtls
Collect FTPS certificates in addition to FTP banners
-gomaxprocs int
Set GOMAXPROCS (default 3) (default 3)
-heartbleed
Check if server is vulnerable to Heartbleed (implies --tls)
-http string
Send an HTTP request to an endpoint
-http-max-redirects int
Max number of redirects to follow
-http-max-size int
Max kilobytes to read in response to an HTTP request (default 256)
-http-method string
Set HTTP request method type (default "GET")
-http-proxy-domain string
Send a CONNECT <domain> first
-http-user-agent string
Set a custom HTTP user agent (default "Mozilla/5.0 zgrab/0.x")
-ike
Use the IKE scanner
-ike-builtin string
Use a built-in IKE config, overwriting other command-line IKE options.
-ike-dh-group int
The Diffie-Hellman group to be sent in the key exchange payload. (default 14)
-ike-kex-values value
A comma-separated list of hex-encoded public key exchange values for the initiator key exchange payload.
-ike-mode-v1 string
Specify "main" or "aggressive" mode for IKEv1. (default "main")
-ike-probe-file string
Write the initial initiator packet to file and exit. (This is useful for creating zmap probes.)
-ike-proposals value
A json-encoded list of proposals for the initiator security association payload. See the build-proposal.py tool.
-ike-verbose
Output additional information about the IKE exchange.
-ike-version int
The IKE version to use. (default 1)
-imap
Conform to IMAP rules when sending STARTTLS
-input-file string
Input filename, use - for stdin (default "-")
-interface string
Network interface to send on
-log-file string
File to log to, use - for stderr (default "-")
-lookup-domain
Input contains only domain names
-metadata-file string
File to record banner-grab metadata, use - for stdout (default "-")
-modbus
Send some modbus data
-no-sni
Do not send domain name in TLS handshake regardless of whether known
-output-file string
Output filename, use - for stdout (default "-")
-pop3
Conform to POP3 rules when sending STARTTLS
-port uint
Port to grab on (default 80)
-prometheus string
Address to use for Prometheus server (e.g. localhost:8080). If empty, Prometheus is disabled.
-raw-client-hello string
Provide a raw ClientHello to be sent; only the SNI will be rewritten
-s7
Send some Siemens S7 data
-safari-ciphers
Send Safari Ordered Cipher Suites
-safari-no-dhe-ciphers
Send Safari ciphers minus DHE suites
-senders uint
Number of send coroutines to use (default 1000)
-signed-certificate-timestamp
request SCTs during TLS handshake (default true)
-smb
Scan for SMB
-smb-protocol int
Specify which SMB protocol to scan for (default 1)
-smtp
Conform to SMTP when reading responses and sending STARTTLS
-smtp-help
Send a SMTP help (implies --smtp)
-starttls
Send STARTTLS before negotiating
-telnet
Read telnet banners
-telnet-max-size int
Max bytes to read for telnet banner (default 65536)
-timeout uint
Set connection timeout in seconds (default 10)
-tls
Grab over TLS
-tls-extended-master-secret
Offer RFC 7627 Extended Master Secret extension
-tls-extended-random
send extended random extension
-tls-kex-config string
TLS key exchange config
-tls-session-ticket
Send support for TLS Session Tickets and output ticket if presented
-tls-verbose
Add extra TLS information to JSON output (client hello, client KEX, key material, etc)
-tls-version string
Max TLS version to use (implies --tls)
-xssh
Use the x/crypto SSH scanner
-xssh-ciphers value
A comma-separated list of which ciphers to offer (default "aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128")
-xssh-client-id string
Specify the client ID string to use (default "SSH-2.0-Go")
-xssh-gex-max-bits uint
The maximum number of bits for the DH GEX prime. (default 8192)
-xssh-gex-min-bits uint
The minimum number of bits for the DH GEX prime. (default 1024)
-xssh-gex-preferred-bits uint
The preferred number of bits for the DH GEX prime. (default 2048)
-xssh-host-key-algorithms value
A comma-separated list of which host key algorithms to offer (default "ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss,ssh-ed25519")
-xssh-kex-algorithms value
A comma-separated list of which DH key exchange algorithms to offer (default "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1")
-xssh-kex-dh-pminus1
For DH key exchanges with prime p, send p-1 as the client public key.
-xssh-kex-values value
A comma-separated list of hex-encoded public key exchange values for the client to use. For DH, specify [g^x]; for ECDH, specify [x,y]; for Curve25519, specify [x].
-xssh-userauth
Use the 'none' authentication request to see what userauth methods are allowed.
-xssh-verbose
Output additional information, including X/SSH client properties from the SSH handshake.
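The -banners, -timeout and -telnet-max-size options above describe the core of a banner grab: connect, read what the service volunteers, and stop at a deadline or a size cap. The following is an added example in Go, not zgrab's own code, showing that loop with the two edge cases a practitioner cares about: a deadline or EOF after some data is the normal end of a banner, while a service that accepts the connection and stays silent is reported distinctly. GrabBanner, ReadBanner and ErrNoBanner are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"time"
)

// ErrNoBanner: connection accepted, but nothing arrived before the deadline.
var ErrNoBanner = errors.New("no banner received before timeout")

// GrabBanner dials addr and returns what the service volunteers on connect (the
// -banners behaviour), bounded by timeout (-timeout) and maxBytes
// (-telnet-max-size). Hypothetical helper, not zgrab's own API.
func GrabBanner(addr string, timeout time.Duration, maxBytes int) ([]byte, error) {
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return ReadBanner(conn, timeout, maxBytes)
}

// ReadBanner reads until maxBytes arrive, the peer closes, or the deadline passes.
// EOF or a timeout after some data is a normal banner end; other errors propagate.
func ReadBanner(conn net.Conn, timeout time.Duration, maxBytes int) ([]byte, error) {
	if err := conn.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return nil, err
	}
	// LimitReader returns EOF once maxBytes are read, without another blocking Read.
	buf, err := io.ReadAll(io.LimitReader(conn, int64(maxBytes)))
	var ne net.Error
	if err != nil && !(errors.As(err, &ne) && ne.Timeout()) {
		return buf, err // transport failure; return the partial data with it
	}
	if len(buf) == 0 {
		return nil, ErrNoBanner
	}
	return buf, nil
}

func main() {
	b, err := GrabBanner(os.Args[1], 10*time.Second, 65536) // usage: prog host:port
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("%q\n", b) // %q keeps control bytes visible in logs
}
```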
$ zmap -p 443 --output-fields=* | ztee results.csv | zgrab --port 443 --tls --http="/" --output-file=banners.json
zgrab requires a Go version of at least 1.8.1. Please note that this is newer than the version included in the Ubuntu 14.04 apt repository. You can install ztee from the ZMap GitHub repository at https://github.com/zmap/zmap.
ZGrab tends to be very unstable and its APIs may break at any time, so be sure to vendor ZGrab.
ZGrab is licensed under Apache 2.0 and ISC. For more information, see the LICENSE file.