zgrab2-http

--sctRequest Signed Certificate Timestamps during TLS Handshake

--portSpecify port to grab on (default: 80)

--timeExplicit request time to use, instead of clock. YYYYMMDDhhmmss format.

--debugInclude debug fields in the output.

--flushFlush after each line of output.

Input target

--methodSet HTTP request method type (default: GET)

--no-sniDo not send domain name in TLS Handshake regardless of whether known

--sendersNumber of send goroutines to use (default: 1000)

--timeoutSet connection timeout (0 = no timeout) (default: 10s)

--triggerInvoke only on targets with specified tag

--endpointSend an HTTP request to an endpoint (default: /)

--max-sizeMax kilobytes to read in response to an HTTP request (default: 256)

--maxbytesMaximum byte read limit per scan (0 = defaults)

--no-ecdheDo not allow ECDHE handshakes

--root-casSet of certificates to use when verifying server certificates

--use-httpsPerform an HTTPS connection on the initial host

--gomaxprocsSet GOMAXPROCS (default: 0)

--heartbleedCheck if server is vulnerable to Heartbleed

Input file

--prometheusAddress to use for Prometheus server (e.g. localhost:8080). If empty, Prometheus is disabled

--user-agentSet a custom user agent (default: Mozilla/5.0 zgrab/0.x)

--dsa-enabledAccept server DSA keys

--max-versionThe maximum SSL/TLS version that is acceptable. 0 means use the highest supported value.

--min-versionThe minimum SSL/TLS version that is acceptable. 0 means that SSLv3 is the minimum.

--next-protosA list of supported application-level protocols

--retry-httpsIf the initial request fails, reconnect and try with HTTPS.

--server-nameServer name used for certificate verification and (optionally) SNI

--certificatesSet of certificates to present to the server

--cipher-suiteA comma-delimited list of hex cipher suites to advertise.

--client-helloSet an explicit ClientHello (base64 encoded)

--client-randomSet an explicit Client Random (base64 encoded)

--max-redirectsMax number of redirects to follow (default: 0)

--session-ticketSend support for TLS Session Tickets and output ticket if presented

--with-body-sizeEnable the body_size attribute, for how many bytes actually read

--certificate-mapA file mapping server names to certificates

--extended-randomSend TLS Extended Random Extension

--keep-client-logsInclude the client-side logs in the TLS handshake

--curve-preferencesA list of elliptic curves used in an ECDHE handshake, in order of preference.

--heartbeat-enabledIf set, include the heartbeat extension

--override-sig-hashOverride the default SignatureAndHashes TLS option with more expansive default

--redirects-succeedRedirects are always a success, even if max-redirects is exceeded

--fail-http-to-httpsTrigger retry-https logic on known HTTP/400 protocol mismatch responses

--read-limit-per-hostMaximum total kilobytes to read for a single host (default 96kb) (default: 96)

--connections-per-hostNumber of times to connect to each host (results in more output) (default: 1)

--custom-headers-namesCSV of custom HTTP headers to send to server

--signature-algorithmsSignature and hash algorithms that are acceptable

--custom-headers-valuesCSV of custom HTTP header values to send to server. Should match order of custom-headers-names

--extended-master-secretOffer RFC 7627 Extended Master Secret extension

--custom-headers-delimiterDelimiter for customer header name/value CSVs

--verify-server-certificateail if the server certificate does not match the server-name, or does not chain to a trusted root.

--follow-localhost-redirectsFollow HTTP redirects to localhost

--compute-decoded-body-hash-algorithmChoose algorithm for BodyHash field (sha256 or sha1)