• Home
  • History
  • Annotate
Name Date Size #Lines LOC

..03-May-2022-

agents/H19-May-2019-1,3481,159

core/H19-May-2019-1,048863

parsers/H19-May-2019-11695

static/H03-May-2022-37,28633,429

vendor/H03-May-2022-370,829310,626

.gitignoreH A D19-May-2019113 109

CHANGELOG.mdH A D19-May-20195.4 KiB12592

Gopkg.lockH A D19-May-20195.1 KiB179159

Gopkg.tomlH A D19-May-20191.3 KiB6755

README.mdH A D19-May-20197 KiB144100

build.shH A D19-May-20191.4 KiB6648

main.goH A D19-May-20197.2 KiB270230

release.shH A D19-May-2019770 3223

README.md

1# AQUATONE
2
3Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.
4
5## Installation
6
71. Install [Google Chrome](https://www.google.com/chrome/) or [Chromium](https://www.chromium.org/getting-involved/download-chromium) browser -- **Note:** Google Chrome is currently giving unreliable results when running in *headless* mode, so it is recommended to install Chromium for the best results.
82. Download the [latest release](https://github.com/michenriksen/aquatone/releases/latest) of Aquatone for your operating system.
93. Uncompress the zip file and move the `aquatone` binary to your desired location. You probably want to move it to a location in your `$PATH` for easier use.
10
11### Compiling the source code
12
13If you for some reason don't trust the pre-compiled binaries, you can also compile the code yourself. **You are on your own if you want to do this. I do not support compiling problems. Good luck with it!**
14
15## Usage
16
17### Command-line options:
18
19```
20  -chrome-path string
21    	Full path to the Chrome/Chromium executable to use. By default, aquatone will search for Chrome or Chromium
22  -debug
23    	Print debugging information
24  -http-timeout int
25    	Timeout in miliseconds for HTTP requests (default 3000)
26  -nmap
27    	Parse input as Nmap/Masscan XML
28  -out string
29    	Directory to write files to (default ".")
30  -ports string
31    	Ports to scan on hosts. Supported list aliases: small, medium, large, xlarge (default "80,443,8000,8080,8443")
32  -proxy string
33    	Proxy to use for HTTP requests
34  -resolution string
35    	screenshot resolution (default "1440,900")
36  -save-body
37    	Save response bodies to files (default true)
38  -scan-timeout int
39    	Timeout in miliseconds for port scans (default 100)
40  -screenshot-timeout int
41    	Timeout in miliseconds for screenshots (default 30000)
42  -session string
43    	Load Aquatone session file and generate HTML report
44  -silent
45    	Suppress all output except for errors
46  -template-path string
47    	Path to HTML template to use for report
48  -threads int
49    	Number of concurrent threads (default number of logical CPUs)
50  -version
51    	Print current Aquatone version
52```
53
54### Giving Aquatone data
55
56Aquatone is designed to be as easy to use as possible and to integrate with your existing toolset with no or minimal glue. Aquatone is started by piping output of a command into the tool. It doesn't really care how the piped data looks as URLs, domains, and IP addresses will be extracted with regular expression pattern matching. This means that you can pretty much give it output of any tool you use for host discovery.
57
58IPs, hostnames and domain names in the data will undergo scanning for ports that are typically used for web services and transformed to URLs with correct scheme.  If the data contains URLs, they are assumed to be alive and do not undergo port scanning.
59
60**Example:**
61
62    $ cat targets.txt | aquatone
63
64### Output
65
66When Aquatone is done processing the target hosts, it has created a bunch of files and folders in the current directory:
67
68 - **aquatone_report.html**: An HTML report to open in a browser that displays all the collected screenshots and response headers clustered by similarity.
69 - **aquatone_urls.txt**: A file containing all responsive URLs. Useful for feeding into other tools.
70 - **aquatone_session.json**: A file containing statistics and page data. Useful for automation.
71 - **headers/**: A folder with files containing raw response headers from processed targets
72 - **html/**: A folder with files containing the raw response bodies from processed targets. If you are processing a large amount of hosts, and don't need this for further analysis, you can disable this with the `-save-body=false` flag to save some disk space.
73 - **screenshots/**: A folder with PNG screenshots of the processed targets
74
75The output can easily be zipped up and shared with others or archived.
76
77#### Changing the output destination
78
79If you don't want Aquatone to create files in the current working directory, you can specify a different location with the `-out` flag:
80
81    $ cat hosts.txt | aquatone -out ~/aquatone/example.com
82
83It is also possible to set a permanent default output destination by defining an environment variable:
84
85    export AQUATONE_OUT_PATH="~/aquatone"
86
87
88### Specifying ports to scan
89
90Be default, Aquatone will scan target hosts with a small list of commonly used HTTP ports: 80, 443, 8000, 8080 and 8443. You can change this to your own list of ports with the `-ports` flag:
91
92    $ cat hosts.txt | aquatone -ports 80,443,3000,3001
93
94Aquatone also supports aliases of built-in port lists to make it easier for you:
95
96 - **small**: 80, 443
97 - **medium**: 80, 443, 8000, 8080, 8443 (same as default)
98 - **large**: 80, 81, 443, 591, 2082, 2087, 2095, 2096, 3000, 8000, 8001, 8008, 8080, 8083, 8443, 8834, 8888
99 - **xlarge**: 80, 81, 300, 443, 591, 593, 832, 981, 1010, 1311, 2082, 2087, 2095, 2096, 2480, 3000, 3128, 3333, 4243, 4567, 4711, 4712, 4993, 5000, 5104, 5108, 5800, 6543, 7000, 7396, 7474, 8000, 8001, 8008, 8014, 8042, 8069, 8080, 8081, 8088, 8090, 8091, 8118, 8123, 8172, 8222, 8243, 8280, 8281, 8333, 8443, 8500, 8834, 8880, 8888, 8983, 9000, 9043, 9060, 9080, 9090, 9091, 9200, 9443, 9800, 9981, 12443, 16080, 18091, 18092, 20720, 28017
100
101**Example:**
102
103    $ cat hosts.txt | aquatone -ports large
104
105
106### Usage examples
107
108Aquatone is designed to play nicely with all kinds of tools. Here's some examples:
109
110#### Amass DNS enumeration
111
112[Amass](https://github.com/OWASP/Amass) is currently my preferred tool for enumerating DNS. It uses a bunch of OSINT sources as well as active brute-forcing and clever permutations to quickly identify hundreds, if not thousands, of subdomains on a  domain:
113
114```bash
115$ amass -active -brute -o hosts.txt -d yahoo.com
116alerts.yahoo.com
117ads.yahoo.com
118am.yahoo.com
119- - - SNIP - - -
120prd-vipui-01.infra.corp.gq1.yahoo.com
121cp103.mail.ir2.yahoo.com
122prd-vipui-01.infra.corp.bf1.yahoo.com
123$ cat hosts.txt | aquatone
124```
125
126There are plenty of other DNS enumeration tools out there and Aquatone should work just as well with any other tool:
127
128- [Sublist3r](https://github.com/aboul3la/Sublist3r)
129- [Subfinder](https://github.com/subfinder/subfinder)
130- [Knock](https://github.com/guelfoweb/knock)
131- [Fierce](https://www.aldeid.com/wiki/Fierce)
132- [Gobuster](https://github.com/OJ/gobuster)
133
134#### Nmap or Masscan
135
136Aquatone can make a report on hosts scanned with the [Nmap](https://nmap.org/) or [Masscan](https://github.com/robertdavidgraham/masscan) portscanner. Simply feed Aquatone the XML output and give it the `-nmap` flag to tell it to parse the input as Nmap/Masscan XML:
137
138    $ cat scan.xml | aquatone -nmap
139
140### Credits
141
142- Thanks to [EdOverflow](https://twitter.com/EdOverflow) for the [can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz/) project which Aquatone's domain takeover capability is based on.
143- Thanks to [Elbert Alias](https://github.com/AliasIO) for the [Wappalyzer](https://github.com/AliasIO/Wappalyzer) project's technology fingerprints which Aquatone's technology fingerprinting capability is based on.
144