Skip to main content
QtRecon’s power comes from its ability to integrate your favorite security tools. This guide shows you how to add custom tools to the user_binaries section and configure them for automatic or manual execution.

Understanding user_binaries

Custom tools are defined in the user_binaries section of conf.json. Each tool has a unique identifier and configuration properties.

Tool configuration structure

"user_binaries": {
    "tool_id": {
        "name": "Display Name",
        "text": "Menu text shown to user",
        "detached": true,
        "in_terminal": false,
        "edit_before_launch": false,
        "binary": "/path/to/binary",
        "icon": "/path/to/icon.png",
        "args": ["arg1", "arg2"]
    }
}
Configuration options:
  • name - Short identifier for the tool
  • text - Description shown in context menus
  • detached - Run in background (true) or wait for completion (false)
  • in_terminal - Launch in a new terminal window
  • edit_before_launch - Prompt user to modify command before execution
  • binary - Full path to executable
  • icon - (Optional) Path to icon file
  • args - Array of command-line arguments

Using variable substitution

QtRecon replaces special variables in your arguments at runtime:

Network variables

  • %%%IP%%% - Target IP address
  • %%%PORT%%% - Target port number
  • %%%PROTO%%% - Protocol (http/https)
  • %%%LHOST%%% - Local IP from preferred interfaces
  • %%%LPORT%%% - Preferred local port

Credential variables

  • %%%DOMAIN%%% - Domain name
  • %%%USERNAME%%% - Username
  • %%%PASSWORD%%% - Password
  • %%%HASH%%% - Hash value
  • %%%SSH_KEY%%% - SSH key path

Custom variables

  • %%%VARIABLE_NAME%%% - User-defined variables from user_variables

Example: Adding a custom tool

1

Choose your tool

Let’s add ffuf for web fuzzing. First, verify the binary path:
which ffuf
# Output: /usr/bin/ffuf
2

Define the tool configuration

Add to user_binaries in conf.json:
"ffuf_dirs": {
    "name": "ffuf",
    "text": "Fuzz directories with ffuf",
    "detached": false,
    "in_terminal": false,
    "edit_before_launch": false,
    "binary": "/usr/bin/ffuf",
    "args": [
        "-u", "%%%PROTO%%%://%%%IP%%%:%%%PORT%%%/FUZZ",
        "-w", "/usr/share/wordlists/dirb/common.txt",
        "-mc", "200,204,301,302,307,401,403",
        "-fc", "404"
    ]
}
This configuration:
  • Uses protocol and IP variables for the target URL
  • Specifies a wordlist path
  • Filters by HTTP status codes
  • Runs attached (shows progress in real-time)
3

Associate with port numbers

Add your tool to ports_associations to make it available for specific ports:
"ports_associations": {
    "tcp": {
        "80": [
            "nikto",
            "sqlmap",
            "ffuf_dirs"
        ],
        "443": [
            "nikto",
            "sqlmap",
            "ffuf_dirs"
        ]
    }
}
Your tool now appears in the context menu when right-clicking web service ports.
4

Add to autorun (optional)

To run automatically when ports are discovered:
"autorun": {
    "tcp": {
        "80": [
            "feroxbuster",
            "nikto",
            "ffuf_dirs"
        ],
        "443": [
            "feroxbuster",
            "ffuf_dirs"
        ]
    }
}
Be careful with autorun - too many tools can overwhelm your system. Start with essential tools only.
5

Test the tool

  1. Scan a target with web services
  2. Right-click on port 80 or 443
  3. Select “Fuzz directories with ffuf”
  4. View output in the newly created tab

Real-world examples from conf.json

Netcat listener

"netcat": {
    "name": "Netcat",
    "text": "Run Netcat",
    "detached": true,
    "in_terminal": true,
    "edit_before_launch": false,
    "binary": "/usr/bin/ncat",
    "args": ["-nv", "%%%IP%%%", "%%%PORT%%%"]
}
Launches in a terminal window to interact with the service.

Authenticated SMB enumeration

"smb_script_authenticated": {
    "name": "SMB authenticated enum",
    "text": "Launch authenticated custom smb enumeration script",
    "detached": false,
    "binary": "/bin/bash",
    "args": [
        "scripts/smb.sh",
        "%%%IP%%%",
        "%%%DOMAIN%%%",
        "%%%USERNAME%%%",
        "%%%PASSWORD%%%"
    ]
}
This tool prompts for credentials when credential variables are used.

Browser with custom profile

"firefox": {
    "name": "Firefox",
    "text": "Launch Firefox",
    "detached": true,
    "in_terminal": false,
    "edit_before_launch": false,
    "binary": "/usr/bin/firefox",
    "icon": "/usr/share/icons/hicolor/256x256/apps/firefox.png",
    "args": ["-P", "tmp", "http://%%%IP%%%:%%%PORT%%%/"]
}
Opens Firefox with a temporary profile for isolated testing.

Custom script with multiple arguments

"redis_script": {
    "name": "Redis enum",
    "text": "Launch custom redis enumeration script",
    "detached": false,
    "binary": "/bin/bash",
    "args": ["scripts/redis.sh", "%%%IP%%%"]
}
References the custom script at scripts/redis.sh:13-15: 
echo "$ nmap --script redis-info -sV -p 6379 $1"
nmap --script redis-info -sV -p 6379 "$1"

Associating with “any” port

Some tools work on any port: 
"ports_associations": {
    "tcp": {
        "any": [
            "netcat",
            "firefox",
            "nuclei"
        ]
    }
}
These appear in the context menu regardless of port number.

Best practices

Make text field clear about what the tool does. Users see this in menus.
Run tools manually first to verify they work correctly with your variables.
Tools with credential variables will prompt when credentials are available for a host.
Set detached: false for resource-intensive tools to prevent running too many simultaneously.
Group related tools under logical port associations (web tools on 80/443, DB tools on database ports).