ZeroTrace OSINT
Nmap Builder
Configure port-scan, version-detection, and script-scan options through the UI, with a live explain panel that says what each flag does.
Nmap is the industry-standard port scanner. Its flag interface is famously dense — over a hundred options across timing, scan-type, host-discovery, version-detection, OS-detection, scripting, and output. The Nmap builder presents the options as a UI and explains each one as you toggle it.
What you configure
| Section | Options |
|---|---|
| Target | Single IP / CIDR / list / file |
| Port selection | Top-N most-common, full 1-65535, specific list, well-known web/mail/DB sets |
| Scan technique | TCP SYN, TCP connect, UDP, FIN, NULL, Xmas, ACK, idle, Maimon |
| Service / version detection | None, light, intensive |
| OS detection | On / off |
| Timing template | T0 (paranoid) through T5 (insane) |
| Host discovery | Treat all as alive, ICMP-only, ARP-only, custom probes |
| NSE script category | None, default, vuln, safe, intrusive, custom list |
| Output format | Normal, XML, grepable, all (-oA) |
Live explain panel
As you toggle options, an inline panel describes what each enabled flag does:
-sV --version-intensity 7— service / version detection at intensity 7 (default 7, max 9). Probes service banners; longer scans with higher intensity.
-T4— aggressive timing. Faster than the default; may trip rate limits or IDS on sensitive networks.
--script vuln— runs thevulnNSE script category. Intrusive — generates exploit-like traffic against detected services.
The explain panel surfaces:
- What each flag does in one line.
- Why you might want or not want it.
- Any flag that is intrusive — generates traffic an IDS could classify as attack.
- Any flag that depends on root / admin privileges.
Scanning is detectable. Most networks log unusual port-scan traffic. For authorised tests, coordinate timing with the network owner. For unauthorised tests, don't.
"Why is this command slow / aggressive" warning
When you combine flags that interact poorly — T5 timing with --script intrusive against a large CIDR, for example — the builder surfaces a warning explaining the consequence. Helpful for catching configuration mistakes before they cost you a multi-hour scan.
Generated command
The output is a one-line command ready to copy into your terminal:
nmap -sV --version-intensity 7 -p 1-1000 -T4 --script default,vuln -oA scan-output 192.0.2.0/24
A "copy command" affordance copies it without the surrounding chrome.
Save as profile
Frequent scan configurations can be saved as named profiles. "External-asset weekly", "internal-host quick check", "version-detection only" — pre-configured option sets you can reload with one click.
Pivots
Nmap's output (when you run the command yourself and bring the result back) pivots into:
- Exposed services — for public-scan-database context per host.
- Site analysis — for any web port discovered.
- TLS inspector — for any TLS port discovered.
The builder itself does not pivot — it generates a command.
Sources
- The flag-explanation catalog is bundled.
- The NSE script catalog is bundled and reflects a current Nmap install.
- No external sources are queried.