ZGrab2
Modular application-layer network scanner that performs deep protocol handshakes and banner grabbing across 33+ protocols, outputting structured JSON transcripts at Internet scale.
Developer
ZMap Project
Technical Dossier
ZGrab2 is the second-generation application-layer network scanner from the ZMap Project. Where ZMap operates at Layer 4 — firing single packets to identify open ports across the entire IPv4 space — ZGrab2 picks up at Layer 7, establishing full stateful connections and conducting protocol-native exchanges to extract rich service metadata. The result is structured JSON output capturing full handshake transcripts, TLS certificate chains, server banners, protocol negotiation details, and more, all without any exploitation or credential testing.
The tool is built around a modular Go architecture. Each protocol is implemented as an independent module, and multiple modules can be combined in a single scan run via configuration files or command-line flags. Targets are fed via stdin in CSV format supporting raw IPs, domain names, CIDR blocks, and per-target port overrides, making it trivially composable in shell pipelines. The JARM module adds TLS fingerprinting capability, and the SMB and SSH modules capture negotiated ciphers and host keys — data used extensively in large-scale cryptographic hygiene studies.
ZGrab2 is the backbone of Censys, one of the most widely used Internet intelligence platforms in security research. It has been cited in hundreds of academic papers studying TLS deployment, protocol adoption, and Internet-wide vulnerability exposure. Its ICS protocol modules (Modbus, BACnet, DNP3, Siemens S7, Tridium Fox) are particularly notable — almost entirely absent from competing open-source scanners, they make ZGrab2 a go-to tool for critical infrastructure exposure research.
Modular Protocol Engine
33+ independent protocol modules — HTTP/S, SSH, TLS, FTP, SMTP, MySQL, PostgreSQL, Redis, MongoDB, SMB, Modbus, BACnet, DNP3, and more.
Full Handshake Transcripts
Captures complete application-layer exchanges including TLS negotiation details and certificate chains as structured JSON for deep offline analysis.
ZMap Pipeline Integration
Designed as the Layer 7 follow-up to ZMap's Layer 4 scanning — accepts ZMap output directly for seamless Internet-scale survey pipelines.
ICS/SCADA Coverage
Includes modules for industrial control system protocols — Modbus, BACnet, DNP3, Siemens S7, Tridium Fox — rare among open-source scanners.
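The offline analysis that the structured JSON output is meant for, as an added example (not ZGrab2 project code): it reads one JSON record per target and reports which hosts in your own inventory completed a handshake on an ICS protocol. The record layout (`ip`, `domain`, `data`, per-module `status`), the module names and the sample lines are assumptions constructed for illustration, since this page does not show the output schema.

```python
import json
from collections import defaultdict

# Assumed ZGrab2 module names for the ICS protocols named on this page
# ("siemens" = Siemens S7, "fox" = Tridium Fox).
ICS_MODULES = {"modbus", "bacnet", "dnp3", "siemens", "fox"}

# Constructed sample output (one JSON object per target, documentation-range
# addresses). The ip/domain/data/<module>/status layout is an assumption.
SAMPLE_OUTPUT = """\
{"ip": "192.0.2.10", "data": {"http": {"status": "success", "protocol": "http", "result": {}}, "modbus": {"status": "success", "protocol": "modbus", "result": {}}}}
{"ip": "192.0.2.11", "data": {"ssh": {"status": "success", "protocol": "ssh", "result": {}}, "modbus": {"status": "connection-timeout", "protocol": "modbus", "error": "dial timeout"}}}
{"ip": "192.0.2.12", "domain": "plc.example.test", "data": {"siemens": {"status": "success", "protocol": "siemens", "result": {}}}}
not-json garbage line
"""


def triage(lines):
    """Map each host to the sorted modules whose handshake succeeded.

    Returns (exposure, skipped); skipped counts lines that are not JSON objects.
    """
    exposure = defaultdict(set)
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(record, dict):
            skipped += 1
            continue
        host = record.get("domain") or record.get("ip") or "<unknown>"
        for module, grab in (record.get("data") or {}).items():
            # Timeouts, refusals and protocol errors are not exposure.
            if isinstance(grab, dict) and grab.get("status") == "success":
                exposure[host].add(module)
    return {h: sorted(m) for h, m in exposure.items()}, skipped


def ics_exposed(exposure):
    """Keep only hosts that answered at least one ICS protocol module."""
    hits = {h: [m for m in mods if m in ICS_MODULES] for h, mods in exposure.items()}
    return {h: mods for h, mods in hits.items() if mods}


if __name__ == "__main__":
    exposure, skipped = triage(SAMPLE_OUTPUT.splitlines())
    print(exposure, ics_exposed(exposure), skipped)
```

Counting only `success` keeps filtered or timed-out ports out of the exposure list, and the skipped count shows when a results file is truncated or corrupted.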
Distribution Model
Open Source
Free community edition available.
Enterprise support on request.

Protocols
33+
Language
GO
Output
JSON
License
APACHE 2.0 / ISC