aquatone v1.7 released: A Tool for Domain Flyovers
Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.
session:endevents have been introduced in the event bus to allow agents to perform bootstrap and cleanup tasks if needed
- A temporary user directory is now created for the Chrome/Chromium process and additional command line flags have been added to increase compartmentalization
- Production versions of Vue.js and Vue Router are now used in the HTML report for increased performance
- List of user agents have been updated to the current list of most common user agents
- Install Google Chrome or Chromium browser — Note: Google Chrome is currently giving unreliable results when running in headless mode, so it is recommended to install Chromium for the best results.
- Download the latest release of Aquatone for your operating system.
- Uncompress the zip file and move the aquatone binary to your desired location. You probably want to move it to a location in your $PATH for easier use.
Giving Aquatone data
Aquatone is designed to be as easy to use as possible and to integrate with your existing toolset with no or minimal glue. Aquatone is started by piping output of a command into the tool. It doesn’t really care how the piped data looks as URLs, domains, and IP addresses will be extracted with regular expression pattern matching. This means that you can pretty much give it output of any tool you use for host discovery.
IPs, hostnames and domain names in the data will undergo scanning for ports that are typically used for web services and transformed to URLs with correct scheme. If the data contains URLs, they are assumed to be alive and do not undergo port scanning.
$ cat targets.txt | aquatone
When Aquatone is done processing the target hosts, it has created a bunch of files and folders in the current directory:
- aquatone_report.html: An HTML report to open in a browser that displays all the collected screenshots and response headers clustered by similarity.
- headers/: A folder with files containing raw response headers from processed targets
- html/: A folder with files containing the raw response bodies from processed targets. If you are processing a large amount of hosts, and don’t need this for further analysis, you can disable this with the -save-body=false flag to save some disk space.
- screenshots/: A folder with PNG screenshots of the processed targets
The output can easily be zipped up and shared with others or archived.
Changing the output destination
If you don’t want Aquatone to create files in the current working directory, you can specify a different location with the -out flag:
$ cat hosts.txt | aquatone -out ~/aquatone/example.com
Note: Aquatone requires that the output destination folder exists.
Specifying ports to scan
By default, Aquatone will scan target hosts with a small list of commonly used HTTP ports: 80, 443, 8000, 8080 and 8443. You can change this to your own list of ports with the -ports flag:
$ cat hosts.txt | aquatone -ports 80,443,3000,3001
Aquatone also supports aliases of built-in port lists to make it easier for you:
- small: 80, 443
- medium: 80, 443, 8000, 8080, 8443 (same as default)
- large: 80, 81, 443, 591, 2082, 2087, 2095, 2096, 3000, 8000, 8001, 8008, 8080, 8083, 8443, 8834, 8888
- xlarge: 80, 81, 300, 443, 591, 593, 832, 981, 1010, 1311, 2082, 2087, 2095, 2096, 2480, 3000, 3128, 3333, 4243, 4567, 4711, 4712, 4993, 5000, 5104, 5108, 5800, 6543, 7000, 7396, 7474, 8000, 8001, 8008, 8014, 8042, 8069, 8080, 8081, 8088, 8090, 8091, 8118, 8123, 8172, 8222, 8243, 8280, 8281, 8333, 8443, 8500, 8834, 8880, 8888, 8983, 9000, 9043, 9060, 9080, 9090, 9091, 9200, 9443, 9800, 9981, 12443, 16080, 18091, 18092, 20720, 28017
$ cat hosts.txt | aquatone -ports large
Aquatone is designed to play nicely with all kinds of tools. Here’s some examples:
Amass DNS enumeration
Amass is currently my preferred tool for enumerating DNS. It uses a bunch of OSINT sources as well as active brute-forcing and clever permutations to quickly identify hundreds, if not thousands, of subdomains on a domain:
$ amass -active -brute -o hosts.txt -d yahoo.com alerts.yahoo.com ads.yahoo.com am.yahoo.com - - - SNIP - - - prd-vipui-01.infra.corp.gq1.yahoo.com cp103.mail.ir2.yahoo.com prd-vipui-01.infra.corp.bf1.yahoo.com $ cat hosts.txt | aquatone
There are plenty of other DNS enumeration tools out there and Aquatone should work just as well with any other tool:
Nmap or Masscan
$ cat scan.xml | aquatone -nmap
Copyright (c) 2018 Michael Henriksen