
ZGrab2: The Application-Layer Scanner That Captures What Others Miss


Hook

Most network scanners tell you what's running on a port. ZGrab2 gives you the complete transcript of the conversation—every certificate chain, every protocol negotiation, every byte exchanged—so you can analyze it months later when you discover what you should have been looking for.

Context

When security researchers conduct Internet-wide surveys, they face a two-stage problem: first finding which hosts are responsive, then understanding what those hosts are actually running at the application layer. Nmap can do both, but its per-host probing becomes prohibitively slow at the scale of millions of hosts. ZMap solved the speed problem in 2013 by scanning the entire IPv4 space for a single port in under an hour, but it works only at the transport layer: it tells you which hosts answered a SYN, not what application protocol they speak.

ZGrab2 emerged from the ZMap project to complete the other half of this equation. Rather than just detecting that port 443 is open, it performs a full TLS handshake, captures the certificate chain, records which cipher suite and extensions the server selected in response to a configurable ClientHello, and logs every detail of the negotiation. The key insight: don't try to analyze protocols in real time during scans. Instead, capture complete handshake transcripts as structured JSON and defer analysis until later. This architectural decision enables Internet-scale surveys where researchers can revisit the same dataset with new questions months after collection, searching for newly discovered vulnerabilities or protocol implementation quirks that weren't on anyone's radar during the initial scan.

Technical Insight

ZGrab2's architecture revolves around three core abstractions: the Scanner interface for protocol-specific logic, the Module system for registration and configuration, and the Input/Output pipeline for target processing. Each protocol module is self-contained but shares common infrastructure for connection management, timing, and error handling.

The Scanner interface is small. Two methods carry the logic: Init consumes the module's parsed flags and Scan performs the protocol exchange against one target. The remaining methods (InitPerSender, run once per worker goroutine, and the GetName, GetTrigger and Protocol accessors) exist so the framework can register the module, key its output, and route tagged targets to it:

type Scanner interface {
    Init(flags ScanFlags) error          // once, with the module's parsed flags
    InitPerSender(senderID int) error    // once per worker goroutine
    GetName() string                     // key used under "data" in the output
    GetTrigger() string                  // tag that routes targets to this module
    Protocol() string
    Scan(target ScanTarget) (ScanStatus, interface{}, error)
}

type ScanTarget struct {
    IP     net.IP
    Domain string
    Tag    string
    Port   *uint   // nil: fall back to the module's --port
}

When you run a ZGrab2 scan, targets arrive on stdin (or via --input-file) as one ip,domain,tag record per line, typically piped straight from ZMap. They are distributed across the worker goroutines set by --senders, and each worker invokes the selected module's Scan method. The module returns not just a success/failure status but a JSON-serializable structure holding the complete protocol interaction. For TLS scans this includes the parsed ServerHello, the negotiated cipher suite and extensions, and the full certificate chain with each certificate both parsed and as raw bytes.

The modular design shines when you need to scan multiple protocols: zgrab2 multiple takes an INI config that lists several modules, each with its own name, port and trigger, and routes every target to the modules whose trigger matches the target's tag. The simplest case is a single module. Here's a practical example probing TLS on the hosts ZMap found listening on 443:

# First, discover hosts with ZMap
zmap -p 443 -o targets.txt 192.168.0.0/16

# Then probe the application layer with ZGrab2 (one IP per line on stdin)
cat targets.txt | zgrab2 tls --port=443 \
  --chrome-ciphers \
  --extended-random \
  --heartbleed \
  --output-file=results.json

The --chrome-ciphers flag makes ZGrab2 offer Chrome's cipher suite list, so the server negotiates what a real browser would get rather than what the tool's default ClientHello elicits; it is about measurement fidelity, not stealth, and the traffic is still trivially recognizable as a scan. The --heartbleed flag adds a Heartbleed probe after the handshake and records whether the heartbeat extension is enabled and whether the server is vulnerable. The output carries only that verdict, not leaked memory, but the probe itself is a malformed heartbeat that a vulnerable server answers with memory contents, so treat it as active testing that needs authorization, not as passive observation.

What makes ZGrab2 particularly powerful for research is the completeness of its output. One line of results.json holds the entire handshake, nested under data.<module name>.result; a trimmed TLS record looks like this:

{
  "ip": "93.184.216.34",
  "data": {
    "tls": {
      "status": "success",
      "protocol": "tls",
      "timestamp": "...",
      "result": {
        "handshake_log": {
          "server_hello": {
            "version": {"name": "TLSv1.2", "value": 771},
            "cipher_suite": {"hex": "0xc02f", "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
            "session_id": "4a5b6c7d8e9f..."
          },
          "server_certificates": {
            "certificate": {
              "parsed": {
                "subject_dn": "CN=example.com",
                "issuer_dn": "CN=DigiCert SHA2 Secure Server CA",
                "validity": {"start": "2023-01-15T00:00:00Z", "end": "2024-02-15T23:59:59Z"},
                "signature_algorithm": {"name": "SHA256-RSA"}
              }
            },
            "chain": [/* full certificate chain */]
          }
        }
      }
    }
  }
}

This transcript-based approach enables post-hoc analysis that a scanner reporting only a verdict cannot support: the question can be asked after the data exists. Researchers have used ZGrab and ZGrab2 data to track the TLS certificate ecosystem over years, enumerate exposed Siemens S7 and other industrial controllers, and measure SSH host key reuse across the Internet.
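
What asking a new question of old transcripts looks like in practice, as an added example that is not zgrab2's own code: a Go program that streams one-JSON-object-per-line results, decodes only the handful of fields it needs, and flags legacy protocol versions, key exchanges without forward secrecy, and expired leaf certificates. The four input records are constructed to mirror the nesting above (no real hosts were scanned); the field names follow the zgrab2 output shown in this article, and the audit rules are this example's own, not anything ZGrab2 ships.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
	"time"
)

// Only the fields the checks need are declared: encoding/json ignores the rest of each record,
// which is what keeps re-reading a large transcript set with a new question cheap.
type Record struct {
	IP   string `json:"ip"`
	Data struct {
		TLS struct {
			Status string `json:"status"`
			Result struct {
				HandshakeLog struct {
					ServerHello struct {
						Version     struct{ Value int }   `json:"version"`
						CipherSuite struct{ Name string } `json:"cipher_suite"`
					} `json:"server_hello"`
					ServerCertificates struct {
						Certificate struct {
							Parsed struct {
								SubjectDN string                  `json:"subject_dn"`
								Validity  struct{ End time.Time } `json:"validity"`
							} `json:"parsed"`
						} `json:"certificate"`
					} `json:"server_certificates"`
				} `json:"handshake_log"`
			} `json:"result"`
		} `json:"tls"`
	} `json:"data"`
}

type Finding struct{ IP, Check, Detail string }

// Audit runs three checks over every successful TLS record: a negotiated version below TLS 1.2
// (0x0303 = 771), a key exchange without forward secrecy (TLS 1.3 suites are exempt; 1.3 has no
// other kind), and a leaf certificate already expired at now. Failed scans carry no handshake
// and are skipped rather than counted.
func Audit(r io.Reader, now time.Time) ([]Finding, error) {
	var out []Finding
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 1<<20), 1<<26) // lines carrying full chains run to hundreds of KB
	for sc.Scan() {
		var rec Record
		if err := json.Unmarshal(sc.Bytes(), &rec); err != nil {
			return out, err
		}
		tls := rec.Data.TLS
		if tls.Status != "success" {
			continue
		}
		hello := tls.Result.HandshakeLog.ServerHello
		suite := hello.CipherSuite.Name
		if hello.Version.Value < 771 {
			out = append(out, Finding{rec.IP, "legacy-version", fmt.Sprintf("0x%04x", hello.Version.Value)})
		}
		if hello.Version.Value < 772 && !strings.HasPrefix(suite, "TLS_ECDHE_") && !strings.HasPrefix(suite, "TLS_DHE_") {
			out = append(out, Finding{rec.IP, "no-forward-secrecy", suite})
		}
		leaf := tls.Result.HandshakeLog.ServerCertificates.Certificate.Parsed
		if !leaf.Validity.End.IsZero() && leaf.Validity.End.Before(now) {
			out = append(out, Finding{rec.IP, "expired-certificate", leaf.SubjectDN + " until " + leaf.Validity.End.Format("2006-01-02")})
		}
	}
	return out, sc.Err()
}

// Constructed records in zgrab2's output shape (no real hosts): a healthy TLS 1.2 server, a
// legacy one, a TLS 1.3 one, and a scan that never connected.
const SampleResults = `{"ip":"192.0.2.1","data":{"tls":{"status":"success","protocol":"tls","result":{"handshake_log":{"server_hello":{"version":{"name":"TLSv1.2","value":771},"cipher_suite":{"hex":"0xc02f","name":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}},"server_certificates":{"certificate":{"parsed":{"subject_dn":"CN=good.example","validity":{"start":"2024-01-01T00:00:00Z","end":"2025-01-01T00:00:00Z"}}}}}}}}}
{"ip":"192.0.2.2","data":{"tls":{"status":"success","protocol":"tls","result":{"handshake_log":{"server_hello":{"version":{"name":"TLSv1.0","value":769},"cipher_suite":{"hex":"0x002f","name":"TLS_RSA_WITH_AES_128_CBC_SHA"}},"server_certificates":{"certificate":{"parsed":{"subject_dn":"CN=old.example","validity":{"start":"2021-01-01T00:00:00Z","end":"2022-01-01T00:00:00Z"}}}}}}}}}
{"ip":"192.0.2.3","data":{"tls":{"status":"success","protocol":"tls","result":{"handshake_log":{"server_hello":{"version":{"name":"TLSv1.3","value":772},"cipher_suite":{"hex":"0x1301","name":"TLS_AES_128_GCM_SHA256"}},"server_certificates":{"certificate":{"parsed":{"subject_dn":"CN=new.example","validity":{"start":"2024-01-01T00:00:00Z","end":"2024-09-01T00:00:00Z"}}}}}}}}}
{"ip":"192.0.2.4","data":{"tls":{"status":"connection-timeout","protocol":"tls","error":"dial tcp 192.0.2.4:443: i/o timeout"}}}`

func main() {
	findings, err := Audit(strings.NewReader(SampleResults), time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("%s\t%s\t%s\n", f.IP, f.Check, f.Detail)
	}
}
```

Pointing the same program at a real results.json is a matter of swapping strings.NewReader(SampleResults) for a file; because the struct names only the fields it reads, a new check next month means adding a field and a rule, not reparsing the survey into a different schema.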

The module system extends beyond standard protocols. ZGrab2 includes specialized scanners for industrial control systems (Modbus, BACnet, Siemens S7), databases (MongoDB, MySQL, PostgreSQL), and even obscure protocols like Fox (used in Tridium building automation). Each module follows the same pattern: establish a connection, send the protocol's opening messages, capture the responses, and abort before authentication. The framework handles timeouts, per-host connection and read limits, and output serialization, so module authors focus purely on protocol semantics.

For researchers building custom modules, the barrier to entry is manageable but non-trivial. You need Go familiarity and an understanding of the target protocol, but the framework provides the scaffolding. The HTTP module serves as a good reference implementation, showing how to issue a request, parse the response headers and body (bounded by --max-size), and follow redirects up to --max-redirects, all while capturing every request and response pair for later analysis.
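
To make the Scanner contract from the Technical Insight section and the "connect, capture, abort before authentication" module pattern concrete, here is an added example (not zgrab2's code, and not built against its packages) of a minimal banner-grab module in Go. It keeps Init and Scan, bounds every connection with a read deadline, maps outcomes onto the status strings zgrab2 uses (assumed: success, connection-refused, io-timeout, connection-closed), hangs up before any client message could start an authentication exchange, and writes one JSON object per target nested as data.<module>. The dialer is an injectable hook so the demo runs against in-process net.Pipe connections with constructed banners instead of real hosts.

```go
package main

import (
	"bufio"
	"encoding/json"
	"errors"
	"io"
	"net"
	"os"
	"strings"
	"time"
)

type (
	// Scanner is zgrab2's module contract reduced to the two methods that carry the logic.
	Scanner interface {
		Init(timeout time.Duration) error
		Scan(ip net.IP) (status string, result interface{}, err error)
	}
	// Dialer opens the connection; the demo substitutes net.Pipe so no network is touched.
	Dialer func(ip net.IP) (net.Conn, error)
	// BannerScanner records what the server volunteers before the client says anything
	// (an SSH identification string, an SMTP 220) and hangs up before any authentication.
	BannerScanner struct{ dial Dialer; timeout time.Duration }
)

// Init is where a real module parses its flags; the only setting here is the read deadline.
func (s *BannerScanner) Init(timeout time.Duration) error { s.timeout = timeout; return nil }

// Status strings are the ones zgrab2 emits (assumption: only these four are reproduced).
func (s *BannerScanner) Scan(ip net.IP) (string, interface{}, error) {
	conn, err := s.dial(ip)
	if err != nil {
		return "connection-refused", nil, err
	}
	defer conn.Close() // nothing is ever sent, so no authentication can be attempted
	_ = conn.SetReadDeadline(time.Now().Add(s.timeout)) // every transcript is bounded by a deadline
	buf := make([]byte, 1024)
	n, err := conn.Read(buf)
	if n > 0 {
		return "success", map[string]interface{}{"banner": strings.TrimRight(string(buf[:n]), "\r\n"), "length": n}, nil
	}
	if ne, ok := err.(net.Error); ok && ne.Timeout() {
		return "io-timeout", nil, err
	}
	return "connection-closed", nil, err
}

// RunScan reads one IP per line (malformed lines skipped, as zgrab2 does), scans each, and writes
// one JSON object per line nested the way zgrab2 nests it: data.<module>.{status,result,error}.
func RunScan(in io.Reader, out io.Writer, s Scanner, module string) (int, error) {
	enc, n := json.NewEncoder(out), 0
	for sc := bufio.NewScanner(in); sc.Scan(); {
		ip := net.ParseIP(strings.TrimSpace(sc.Text()))
		if ip == nil {
			continue
		}
		st, res, err := s.Scan(ip)
		m := map[string]interface{}{"status": st, "result": res}
		if err != nil {
			m["error"] = err.Error()
		}
		if err := enc.Encode(map[string]interface{}{"ip": ip.String(), "data": map[string]interface{}{module: m}}); err != nil {
			return n, err
		}
		n++
	}
	return n, nil
}

// FakeDialer stands in for TCP: each "connection" is a net.Pipe whose server end sends its banner
// or, for an empty banner, waits for the client to speak first (as an HTTP server would) so the
// read deadline fires. Hosts missing from the map refuse the connection.
func FakeDialer(banners map[string]string) Dialer {
	return func(ip net.IP) (net.Conn, error) {
		b, ok := banners[ip.String()]
		if !ok {
			return nil, errors.New("connect: connection refused")
		}
		client, server := net.Pipe()
		go func() {
			if b != "" {
				server.Write([]byte(b))
			} else {
				server.Read(make([]byte, 1)) // unblocks once the client hangs up
			}
			server.Close()
		}()
		return client, nil
	}
}

// Constructed inputs on TEST-NET-1; the last line is deliberately malformed.
const SampleTargets = "192.0.2.10\n192.0.2.11\n192.0.2.12\nnot-an-ip\n"
var SampleBanners = map[string]string{"192.0.2.10": "SSH-2.0-OpenSSH_9.6\r\n", "192.0.2.11": ""}

func main() {
	s := &BannerScanner{dial: FakeDialer(SampleBanners)}
	_ = s.Init(200 * time.Millisecond)
	_, _ = RunScan(strings.NewReader(SampleTargets), os.Stdout, s, "banner")
}
```

Run as is, the three well-formed targets produce a success record carrying the SSH banner, an io-timeout record for the host that waited for the client to speak, and a connection-refused record; the malformed line is dropped. The real framework adds what this omits (flag parsing, per-sender setup, concurrent workers, per-host limits), but the shape of a module, and the reason every read sits behind a deadline, is the same.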

Gotcha

ZGrab2's biggest limitation isn't technical but operational. The tool has no built-in rate limiting, opt-out handling, or distributed scanning coordination; its only throttles are --senders (concurrent workers), --connections-per-host and --read-limit-per-host, and their purpose is protecting the scanning host, not the targets. Respectful scanning practice is your job: pace the discovery stage with ZMap's -r (packets per second) or -B (bandwidth), keep a blocklist (-b) of ranges that asked not to be scanned and feed ZGrab2 only what survives that filter, and spread a large survey across machines only with coordination you build yourself. Spreading load across several source addresses needs the same care: every address still needs the reverse DNS entry and explanation page the ZMap project recommends, and it must never become a way around blocks or rate limits that other networks have applied. The ZMap ecosystem assumes you understand the ethical and legal implications of large-scale scanning; it provides powerful tools but no guardrails.
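
One way to put the missing guardrails in front of ZGrab2, as an added example that is not part of ZMap or ZGrab2: a Go filter that sits in the pipe between the two, drops targets that fall inside a ZMap-style blocklist (CIDRs or single hosts, '#' comments), and releases the rest at a fixed number of targets per second so the application-layer stage is paced independently of ZMap's -r. The blocklist and target list are constructed on the IETF documentation ranges; nothing is contacted.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/netip"
	"os"
	"strings"
	"time"
)

// LoadBlocklist parses ZMap's blocklist format: one CIDR or bare address per line, '#' comments.
func LoadBlocklist(r io.Reader) ([]netip.Prefix, error) {
	var prefixes []netip.Prefix
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if line == "" {
			continue
		}
		p, err := netip.ParsePrefix(line)
		if err != nil { // bare address: block exactly that host
			a, aerr := netip.ParseAddr(line)
			if aerr != nil {
				return nil, fmt.Errorf("blocklist: %q is neither a prefix nor an address", line)
			}
			p = netip.PrefixFrom(a, a.BitLen())
		}
		prefixes = append(prefixes, p.Masked())
	}
	return prefixes, sc.Err()
}

// Blocked reports whether ip falls inside any blocklisted prefix; Unmap folds ::ffff:a.b.c.d into IPv4.
func Blocked(ip netip.Addr, bl []netip.Prefix) bool {
	ip = ip.Unmap()
	for _, p := range bl {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// Filter copies target lines ("ip" or "ip,domain,tag") from in to out, drops blocklisted and
// malformed ones, and releases the rest at no more than perSecond lines per second. Output is
// deliberately unbuffered: a buffered writer would hand zgrab2 the whole batch in one burst.
func Filter(in io.Reader, out io.Writer, bl []netip.Prefix, perSecond int) (passed, dropped int, err error) {
	tick := time.NewTicker(time.Second / time.Duration(perSecond))
	defer tick.Stop()
	sc := bufio.NewScanner(in)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		ip, perr := netip.ParseAddr(strings.SplitN(line, ",", 2)[0])
		if perr != nil || Blocked(ip, bl) {
			dropped++
			continue
		}
		if passed > 0 {
			<-tick.C // one target per tick after the first
		}
		fmt.Fprintln(out, line)
		passed++
	}
	return passed, dropped, sc.Err()
}

// Constructed inputs: a blocklist in ZMap's format and targets drawn from the documentation ranges.
const SampleBlocklist = `# opt-outs and never-scan ranges
192.0.2.0/25     # lower half of TEST-NET-1
198.51.100.7     # one host that asked to be excluded
2001:db8::/32
`

const SampleTargets = `192.0.2.5
192.0.2.200
198.51.100.7
198.51.100.8,,web
203.0.113.1
203.0.113.2
garbage
2001:db8::1
2001:db8:1::1
`

// Replace strings.NewReader(SampleTargets) with os.Stdin to sit between zmap and zgrab2 in a pipe.
func main() {
	bl, err := LoadBlocklist(strings.NewReader(SampleBlocklist))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	passed, dropped, err := Filter(strings.NewReader(SampleTargets), os.Stdout, bl, 50)
	fmt.Fprintf(os.Stderr, "passed=%d dropped=%d err=%v\n", passed, dropped, err)
}
```

With the stdin swap made, the pipeline reads zmap -p 443 -r 1000 -b blocklist.conf 203.0.113.0/24 | go run filter.go | zgrab2 tls --port=443. ZMap's -r governs only the SYN stage; the per-line pacing here is what zgrab2 actually consumes, and applying the same blocklist at both stages means a host that opted out is never touched even if ZMap's copy of the list is stale.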

The module-centric architecture also creates friction for quick, iterative reconnaissance. Unlike Nmap, where you can chain NSE scripts interactively and adjust tactics based on what you discover, ZGrab2 expects you to define your scanning strategy upfront. You can't easily say "if I find SSH, then try these auth methods, and if that fails, check for this CVE." The tool optimizes for reproducible, large-scale surveys where you process millions of hosts with the same protocol probe, not adaptive enumeration of individual targets. If you're pentesting a single organization and need to pivot based on findings, you'll find yourself fighting the architecture rather than leveraging it. Additionally, while the JSON output is comprehensive, it is voluminous: results are one JSON object per line, so jq and grep cope with a single run, but accumulated surveys with full certificate chains run to terabytes of handshake transcripts, and analyzing those needs real storage and data engineering infrastructure rather than the ad-hoc text processing that Nmap's output invites.

Verdict

Use if: You're conducting security research that requires reproducible Internet-scale surveys, need complete protocol handshake transcripts for later analysis, need to scan industrial control system or database protocols beyond standard HTTP/SSH, or are building measurement studies where data provenance and completeness matter more than real-time interpretation. ZGrab2 excels when feeding results into data pipelines, time-series analysis, or academic research publications where reviewers will scrutinize methodology. Skip if: You're performing targeted penetration testing where adaptive enumeration matters, need vulnerability exploitation capabilities beyond detection, lack infrastructure for managing large JSON datasets, or want interactive scanning with real-time decision making. Also skip if you're unfamiliar with the legal and ethical dimensions of network scanning; ZGrab2's power demands responsibility that goes far beyond technical competence.
