Skip to main content
This guide walks you through running your first network reconnaissance scan with QtRecon, from launching the application to analyzing results and leveraging automated tools.

Launch QtRecon

1

Start the application

Launch QtRecon from your terminal:
pipenv run python qtrecon.py
The main window will open with an empty workspace ready for your first scan.
2

Enter target addresses

In the scan dialog, enter your target IP addresses or ranges. QtRecon supports:
  • Single IP: 192.168.1.10
  • IP range: 192.168.1.1-254
  • CIDR notation: 10.10.10.0/24
  • Multiple targets separated by spaces
3

Configure scan options

Select your scan type and speed parameters:Scan type
  • -sS (SYN scan) - Default, requires privileges
  • -sT (TCP connect scan) - No privileges required
  • -sU (UDP scan) - Scan UDP ports
Speed
  • -T3 (Normal) - Recommended default
  • -T4 (Aggressive) - Faster scans
  • -T2 (Polite) - Slower, stealthier scans
Port specification
T:-,U:53,161,631
  • T:- scans all TCP ports
  • U:53,161,631 scans specific UDP ports
Example configuration from conf.json.example:576-586:
"nmap_options": {
    "ports": "T:-,U:53,161,631",
    "type": "-sS",
    "speed": "-T3",
    "skip_host_discovery": false,
    "version_probing": true,
    "default_scripts": true,
    "os_detection": true,
    "tcp_and_udp": true,
    "additional_args": "-v --min-rate 500"
}
4

Start the scan

Click the scan button to begin. QtRecon will:
  • Execute nmap with your specified options
  • Parse results in real-time
  • Store output in /tmp/QtRecon (configurable)
  • Display discovered hosts in the host list
5

View scan results

As hosts are discovered, they appear in the left panel with:
  • IP address and hostname
  • Operating system detection results
  • Open ports grouped by protocol (TCP/UDP)
  • Service version information
Click any host to view detailed information in the right panel.
6

Observe autorun programs

If autorun is enabled (enable_autorun: true in config), QtRecon automatically triggers tools when specific ports are discovered:Web services (ports 80, 443)
  • feroxbuster - Directory enumeration
  • nikto - Web vulnerability scanner
SMB (ports 135, 445)
  • smb_script - Custom SMB enumeration (scripts/smb.sh)
Database services
  • Port 3306: nmap_mysql - MySQL scripts
  • Port 1433: nmap_mssql - MSSQL scripts
  • Port 6379: redis_script - Redis enumeration
Other services
  • Port 53: axfr_no_domain - DNS zone transfer
  • Port 161: onesixtyone - SNMP enumeration
  • Port 88: kerbrute - Kerberos user enumeration
View running and completed jobs in the Jobs tab.
7

Explore host tabs

Each automated tool creates a new tab under the selected host:
  • Click a host in the left panel
  • View tabs for each executed command
  • Read full command output
  • Copy results to clipboard
  • Add notes specific to that host
Tabs are organized by:
  • Command name (e.g., “Feroxbuster”, “Nikto”)
  • Timestamp of execution
  • Exit status (success/failure)

Next steps

After your first scan completes: