AQUATONE is a set of tools for performing reconnaissance on domain names. It can discover subdomains on a given domain by using open sources as well as the more common subdomain dictionary brute force approach. After subdomain discovery, AQUATONE can then scan the hosts for common web ports and HTTP headers, HTML bodies and screenshots can be gathered and consolidated into a report for easy analysis of the attack surface.
AQUATONE depends on Node.js and NPM package manager for its web page screenshotting capabilities. Follow this guidefor Installation instructions. You will also need a newer version of Ruby installed. If you plan to use AQUATONE in Kali Linux, you are already set up with this. If not, it is recommended to install Ruby with RVM.
Finally, the tool itself can be installed with the following command in a terminal:
$ gem install aquatone
The first stage of an AQUATONE assessment is the discovery stage where subdomains are discovered on the target domain using open sources, services and the more common dictionary brute force approach:
$ aquatone-discover --domain example.com
aquatone-discover will find the target’s nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domain’s nameservers, aquatone-discover will fall back to using Google’s public DNS servers to maximize discovery. The fallback DNS servers can be changed with the
$ aquatone-discover --domain example.com --fallback-nameservers 18.104.22.168,22.214.171.124
Some of the passive collectors will require API keys or similar credentials in order to work. Setting these values can be done with the
$ aquatone-discover --set-key shodan o1hyw8pv59vSVjrZU3Qaz6ZQqgM91ihQ
All keys will be saved in
When aquatone-discover is finished, it will create a
hosts.txt file in the
~/aquatone/<domain> folder, so for a scan of example.com it would be located at
~/aquatone/example.com/hosts.txt. The format will be a comma-separated list of hostnames and their IP, for example:
example.com,126.96.36.199 www.example.com,188.8.131.52 secret.example.com,184.108.40.206 cdn.example.com,192.0.2.42 ...
In addition to the
hosts.txt file, it will also generate a
hosts.json which includes the same information but in JSON format. This format might be preferable if you want to use the information in custom scripts and tools.
hosts.json will also be used by the aquatone-scan and aquatone-gather tools.
aquatone-discover --help for more options.
The scanning stage is where AQUATONE will enumerate the discovered hosts for open TCP ports that are commonly used for web services:
$ aquatone-scan --domain example.com
--domain option will look for
hosts.json in the domain’s AQUATONE assessment directory, so in the example above it would look for
~/aquatone/example.com/hosts.json. This file should be present if
aquatone-discover --domain example.com has been run previously.
When aquatone-scan is finished, it will create a
urls.txt file in the
~/aquatone/<domain> directory, so for a scan of example.com it would be located at
~/aquatone/example.com/urls.txt. The format will be a list of URLs, for example:
http://example.com/ https://example.com/ http://www.example.com/ https://www.example.com/ http://secret.example.com:8001/ https://secret.example.com:8443/ http://cdn.example.com/ https://cdn.example.com/ ...
This file can be loaded into other tools such as EyeWitness.
aquatone-scan will also generate a
open_ports.txt file, which is a comma-separated list of hosts and their open ports, for example:
220.127.116.11,80,443 18.104.22.168,80 22.214.171.124,80,443,8443 192.0.2.42,80,8080 ...
aquatone-scan --help for more options.
The final stage is the gathering part where the results of the discovery and scanning stages are used to query the discovered web services in order to retrieve and save HTTP response headers and HTML bodies, as well as taking screenshots of how the web pages look like in a web browser to make analysis easier. The screenshotting is done with the Nightmare.js Node.js library. This library will be installed automatically if it’s not present in the system.
$ aquatone-gather --domain example.com
aquatone-gather will look for
open_ports.txt in the given domain’s AQUATONE assessment directory and request and screenshot every IP address for each domain name for maximum coverage.
When aquatone-gather is finished, it will have created several directories in the domain’s AQUATONE assessment directory:
headers/: Contains text files with HTTP response headers from each web page
html/: Contains text files with HTML response bodies from each web page
screenshots/: Contains PNG images of how each web page looks like in a browser
report/Contains report files in HTML displaying the gathered information for easy analysis