ZeroTrace OSINT
Recon Command Builders
Six builders that turn point-and-click options into the exact command you'd run in your terminal — Nmap, Gobuster, SQLMap, Sublist3r, Google Dorks, and wordlist generators.
The Recon Command Builders are a different category from the rest of the toolkit. They do not run anything against a target. They generate commands you'd run yourself in a terminal, in a controlled environment, against targets you have permission to test.
The reason: industry-standard reconnaissance tools (Nmap, Gobuster, SQLMap, Sublist3r) live in your shell, not embedded in a desktop app. Their flag interfaces are powerful but unfriendly. The builders give you a dialled-in, explained, copy-pasteable command.
What's in this section
| Builder | What it generates |
|---|---|
| Nmap | Port-scan and version-detection commands with a live "explain" panel |
| Gobuster | Directory and DNS brute-force commands with wordlist preview |
| SQLMap | SQL-injection test commands with payload preview |
| Sublist3r | Subdomain-enumeration command lines |
| Google Dorks | Advanced Google search queries with shorthand syntax |
| Wordlist generators | Custom dictionaries from text, sites, names, and patterns |
Authorisation matters. The commands these builders generate produce real traffic against the target. Use them only against assets you own, manage, or have written permission to test. Most jurisdictions treat unauthorised port scanning, brute-forcing, and SQL-injection probing as offences regardless of intent.
Why builders rather than running the tools
A few reasons the toolkit ships builders instead of embedded scanners:
- Permission and scoping. The act of generating a command is risk-free. The act of running it requires a controlled environment, an authorised target, and an investigator who has thought about the consequences. Separating those steps is deliberate.
- Tool versions. Nmap, Gobuster, SQLMap evolve. Embedding old versions inside the toolkit would mean shipping out-of-date scanners. Generating commands lets you use whatever version you have installed.
- Output flexibility. Industry tools have well-understood output formats that integrate with downstream pipelines (CI, SIEM, ticketing). Running them yourself preserves those integrations.
- Audit trail. When you run a command from your shell, your shell history captures it. The toolkit's profile system captures the generated command alongside the rest of your investigation, but the actual execution stays in your environment.
Common workflow
For each builder:
- Open the builder for the tool you want.
- Configure the options through the UI.
- Read the live "explain" panel — confirm what each enabled flag does.
- Copy the generated command.
- Run it in a terminal, inside your authorised testing environment.
- Pin the generated command (and optionally the output) to your investigation profile.
Pinning the command preserves the configuration of the test alongside your other findings. If you re-run the test six months later, the saved command tells you what changed.
Composition with other tools
Builder outputs are inputs to other tools:
- Subdomain wordlists generated by the wordlist generator feed into Sublist3r commands.
- Discovered subdomains from Sublist3r feed into Nmap commands as scan targets.
- Open ports from Nmap output feed back into the exposed services tool for context.
- Discovered web paths from Gobuster feed into site analysis per path.
The builder produces the command; the rest of the toolkit consumes the results.