Skip to content
This repository has been archived by the owner. It is now read-only.


Switch branches/tags

🚨 ZGRAB 1.0 IS DEPRECATED. Please use ZGrab 2.0:

ZGrab 1.0: A Banner Grabber, in Go

Build Status Go Report Card


You will need to have a valid $GOPATH set up, for more information about $GOPATH, see

Once you have a working $GOPATH, run:

go get

This will install zgrab under $GOPATH/src/

$ cd $GOPATH/src/
$ go build


Usage of ./zgrab:
    	Send some BACNet data
    	Read banner upon connection creation
  -ca-file string
    	List of trusted root certificate authorities in PEM format
    	Send Chrome Ordered Cipher Suites
    	Send chrome ciphers minus DHE suites
  -connections-per-host uint
    	Number of times to connect to each host (results in more output) (default 1)
  -data string
    	Send a message and read response (%s will be replaced with destination IP)
    	Send only DHE ciphers (not ECDHE)
    	Read DNP3 banners
    	Send only ECDHE ciphers (not DHE)
  -ehlo string
    	Send an EHLO with the specified domain (implies --smtp)
    	Send only export ciphers
    	Send only export DHE ciphers
    	Send Firefox Ordered Cipher Suites
    	Follow HTTP redirects to localhost (default true)
    	Send some Niagara Fox Tunneling data
    	Read FTP banners
    	Collect FTPS certificates in addition to FTP banners
  -gomaxprocs int
    	Set GOMAXPROCS (default 3) (default 3)
    	Check if server is vulnerable to Heartbleed (implies --tls)
  -http string
    	Send an HTTP request to an endpoint
  -http-max-redirects int
    	Max number of redirects to follow
  -http-max-size int
    	Max kilobytes to read in response to an HTTP request (default 256)
  -http-method string
    	Set HTTP request method type (default "GET")
  -http-proxy-domain string
    	Send a CONNECT <domain> first
  -http-user-agent string
    	Set a custom HTTP user agent (default "Mozilla/5.0 zgrab/0.x")
    	Conform to IMAP rules when sending STARTTLS
  -input-file string
    	Input filename, use - for stdin (default "-")
  -interface string
    	Network interface to send on
  -log-file string
    	File to log to, use - for stderr (default "-")
    	Input contains only domain names
  -metadata-file string
    	File to record banner-grab metadata, use - for stdout (default "-")
    	Send some modbus data
    	Do not send domain name in TLS handshake regardless of whether known
  -output-file string
    	Output filename, use - for stdout (default "-")
    	Conform to POP3 rules when sending STARTTLS
  -port uint
    	Port to grab on (default 80)
  -prometheus string
    	Address to use for Prometheus server (e.g. localhost:8080). If empty, Prometheus is disabled.
  -raw-client-hello string
    	Provide a raw ClientHello to be sent; only the SNI will be rewritten
    	Send some Siemens S7 data
    	Send Safari Ordered Cipher Suites
    	Send Safari ciphers minus DHE suites
  -senders uint
    	Number of send coroutines to use (default 1000)
    	request SCTs during TLS handshake (default true)
    	Scan for SMB
  -smb-protocol int
    	Specify which SMB protocol to scan for (default 1)
    	Conform to SMTP when reading responses and sending STARTTLS
    	Send a SMTP help (implies --smtp)
    	Send STARTTLS before negotiating
    	Read telnet banners
  -telnet-max-size int
    	Max bytes to read for telnet banner (default 65536)
  -timeout uint
    	Set connection timeout in seconds (default 10)
    	Grab over TLS
    	Offer RFC 7627 Extended Master Secret extension
    	send extended random extension
    	Send support for TLS Session Tickets and output ticket if presented
    	Add extra TLS information to JSON output (client hello, client KEX, key material, etc)
  -tls-version string
    	Max TLS version to use (implies --tls)
    	Use the x/crypto SSH scanner
  -xssh-ciphers value
    	A comma-separated list of which ciphers to offer (default "aes128-ctr,aes192-ctr,aes256-ctr,,arcfour256,arcfour128")
  -xssh-client-id string
    	Specify the client ID string to use (default "SSH-2.0-Go")
  -xssh-gex-max-bits uint
    	The maximum number of bits for the DH GEX prime. (default 8192)
  -xssh-gex-min-bits uint
    	The minimum number of bits for the DH GEX prime. (default 1024)
  -xssh-gex-preferred-bits uint
    	The preferred number of bits for the DH GEX prime. (default 2048)
  -xssh-host-key-algorithms value
    	A comma-separated list of which host key algorithms to offer (default ",,,,,,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss,ssh-ed25519")
  -xssh-kex-algorithms value
    	A comma-separated list of which DH key exchange algorithms to offer (default ",ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1")
    	Use the 'none' authentication request to see what userauth methods are allowed.
    	Output additional information.


$ zmap -p 443 --output-fields=* | ztee results.csv | zgrab --port 443 --tls --http="/" --output-file=banners.json


zgrab requires go version of at least 1.8.1. Please note that this is newer than the version included in Ubuntu 14.04 apt repository. You can install ztee from ZMap Github repository at

ZGrab as a library / dependency

ZGrab tends to be very unstable, API's may break at any time, so be sure to vendor ZGrab.


ZGrab is licensed under Apache 2.0 and ISC. For more information, see the LICENSE file.