Nmap Command Builder
Pick a scan type, ports, scripts, timing and output, and this builder assembles the matching nmap command with a plain-English note for every flag. It only generates a command string for you to copy. It never scans anything, so only use it against hosts you own or are explicitly authorized to test.
How to build an nmap command
- Enter your authorized targets: a host, IP, CIDR (192.168.1.0/24) or range.
- Choose a scan type and toggle ports, version detection, scripts, timing and output.
- Copy the generated command and read the explanation for each flag.
Examples
Top-1000 service scan of a subnet
targets 192.168.1.0/24, SYN scan, top 1000 ports, -sV, -T4
nmap -sS --top-ports 1000 -sV -T4 192.168.1.0/24
Quick connect scan of specific ports
targets 10.0.0.5, connect scan, ports 22,80,443
nmap -sT -p 22,80,443 10.0.0.5
Frequently asked questions
Is it legal to use the commands this builds?
Only scan systems you own or have explicit, written authorization to test. Port scanning networks you do not control can be illegal and against most providers' terms of service. This tool only assembles a command string in your browser. It never runs nmap or contacts any host, so what you do with the command is your responsibility.
What is the difference between -sS and -sT?
-sS is a SYN (half-open) scan: nmap sends a SYN, watches for the SYN/ACK that signals an open port, then sends a RST instead of completing the handshake. It is fast and relatively stealthy but needs raw-socket (root) privileges. -sT is a connect scan that asks the operating system to complete the full TCP handshake. It works without elevated privileges but is slower and more likely to be logged.
When should I use --top-ports versus -p-?
--top-ports 1000 scans the 1000 ports nmap considers most common, which covers the vast majority of real services and finishes quickly, so it is a sensible default. -p- scans all 65,535 TCP ports and will find services on unusual ports, but it takes far longer. Use --top-ports for a fast first pass and -p- when you need full coverage.
What do the timing templates -T0 to -T5 do?
The -T flag sets how aggressively nmap sends probes. -T0 (paranoid) and -T1 (sneaky) are very slow and used to evade detection or rate limits. -T2 (polite) eases load on the target. -T3 is the default. -T4 (aggressive) speeds things up on fast, reliable networks and is a common choice. -T5 (insane) is the fastest but can miss results or trip defenses.
Does this tool send my targets anywhere?
No. The command is built entirely in your browser from the options you choose. Nothing is uploaded, logged or stored, and no scan is performed.
What does -Pn do, and why might I need it?
-Pn tells nmap to skip host discovery and treat every target as online. Many hosts and firewalls block the ping probes nmap uses by default, which can make a live host look down. Adding -Pn forces nmap to scan ports anyway. A ping sweep (-sn) is the opposite: it only does discovery, so the builder leaves -Pn off in that case.
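The assembly rules described on this page, as an added example that is not the builder's own code: option names such as scanType and skipDiscovery are hypothetical, and the function only returns the command string and per-flag notes. It validates targets and ports before they reach the copied command and leaves -Pn off for a ping sweep.

```javascript
// Added illustration: option names below are hypothetical, not the builder's own.
const SCAN_TYPES = new Map([
  ["syn", ["-sS", "SYN (half-open) scan; needs raw-socket (root) privileges"]],
  ["connect", ["-sT", "connect scan; full TCP handshake, no elevated privileges"]],
  ["ping", ["-sn", "ping sweep; host discovery only"]],
]);
// Host, IPv4, CIDR or dash range only. The leading alphanumeric stops a
// "target" such as "-oN" from being read by nmap as an option, and the
// character class keeps shell metacharacters out of the copied string.
const TARGET_RE = /^[A-Za-z0-9][A-Za-z0-9.-]*(\/\d{1,2})?$/;
const PORTS_RE = /^\d{1,5}(-\d{1,5})?(,\d{1,5}(-\d{1,5})?)*$/;

function buildNmapCommand(opts) {
  const { targets = [], scanType = "syn", timing } = opts;
  if (targets.length === 0) throw new Error("at least one target is required");
  for (const t of targets) {
    if (!TARGET_RE.test(t)) throw new Error(`rejected target: ${t}`);
  }
  const scan = SCAN_TYPES.get(scanType);
  if (!scan) throw new Error(`unknown scan type: ${scanType}`);
  const parts = [scan];
  if (scanType !== "ping") {
    // Port, version and -Pn options only apply when ports are scanned.
    if (opts.allPorts) {
      parts.push(["-p-", "all 65,535 TCP ports"]);
    } else if (opts.ports) {
      if (!PORTS_RE.test(opts.ports)) throw new Error(`rejected ports: ${opts.ports}`);
      parts.push([`-p ${opts.ports}`, "only the listed ports"]);
    } else if (Number.isInteger(opts.topPorts) && opts.topPorts > 0) {
      parts.push([`--top-ports ${opts.topPorts}`, "the N most common ports"]);
    }
    if (opts.versionDetect) parts.push(["-sV", "service version detection"]);
    if (opts.skipDiscovery) parts.push(["-Pn", "skip host discovery; treat targets as online"]);
  }
  if (timing !== undefined) {
    if (!Number.isInteger(timing) || timing < 0 || timing > 5) throw new Error("timing must be 0-5");
    parts.push([`-T${timing}`, "timing template"]);
  }
  return {
    command: ["nmap", ...parts.map((p) => p[0]), ...targets].join(" "),
    notes: parts.map(([flag, note]) => `${flag}: ${note}`),
  };
}
```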