ZGrab2

Modular application-layer network scanner that performs deep protocol handshakes and banner grabbing across 33+ protocols, outputting structured JSON transcripts at Internet scale.

Developer

ZMap Project

Technical Dossier

ZGrab2 is the second-generation application-layer network scanner from the ZMap Project. Where ZMap operates at Layer 4 — firing single packets to identify open ports across the entire IPv4 space — ZGrab2 picks up at Layer 7, establishing full stateful connections and conducting protocol-native exchanges to extract rich service metadata. The result is structured JSON output capturing full handshake transcripts, TLS certificate chains, server banners, protocol negotiation details, and more, all without any exploitation or credential testing.

The tool is built around a modular Go architecture. Each protocol is implemented as an independent module, and multiple modules can be combined in a single scan run via configuration files or command-line flags. Targets are fed via stdin in CSV format supporting raw IPs, domain names, CIDR blocks, and per-target port overrides, making it trivially composable in shell pipelines. The JARM module adds TLS fingerprinting capability, and the SMB and SSH modules capture negotiated ciphers and host keys — data used extensively in large-scale cryptographic hygiene studies.

ZGrab2 is the backbone of Censys, one of the most widely used Internet intelligence platforms in security research. It has been cited in hundreds of academic papers studying TLS deployment, protocol adoption, and Internet-wide vulnerability exposure. Its ICS protocol modules (Modbus, BACnet, DNP3, Siemens S7, Tridium Fox) are particularly notable — almost entirely absent from competing open-source scanners, they make ZGrab2 a go-to tool for critical infrastructure exposure research.

Modular Protocol Engine

33+ independent protocol modules — HTTP/S, SSH, TLS, FTP, SMTP, MySQL, PostgreSQL, Redis, MongoDB, SMB, Modbus, BACnet, DNP3, and more.

Full Handshake Transcripts

Captures complete application-layer exchanges including TLS negotiation details and certificate chains as structured JSON for deep offline analysis.

ZMap Pipeline Integration

Designed as the Layer 7 follow-up to ZMap's Layer 4 scanning — accepts ZMap output directly for seamless Internet-scale survey pipelines.

ICS/SCADA Coverage

Includes modules for industrial control system protocols — Modbus, BACnet, DNP3, Siemens S7, Tridium Fox — rare among open-source scanners.

Distribution Model

Open Source

Free community edition available.
Enterprise support on request.

Popularity

Low 40 / 100 High

Deployment Complexity

Low 20 / 100 High

Technical Difficulty

Low 55 / 100 High

Protocols

33+

Language

Go

Output

JSON

License

APACHE 2.0 / ISC