Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface. If you for some reason don't trust the pre-compiled binaries, you can also compile the code yourself. You are on your own if you want to do this. I do not support compiling problems. Good luck with it! Aquatone is designed to be as easy to use as possible and to integrate with your existing toolset with no or minimal glue. Aquatone is started by piping output of a command into the tool. It doesn't really care how the piped data looks as URLs, domains, and IP addresses will be extracted with regular expression pattern matching. This means that you can pretty much give it output of any tool you use for host discovery. IPs, hostnames and domain names in the data will undergo scanning for ports that are typically used for web services and transformed to URLs with correct scheme. If the data contains URLs, they are assumed to be alive and do not undergo port scanning. Example: When Aquatone is done processing the target hosts, it has created a bunch of files and folders in the current directory: The output can easily be zipped up and shared with others or archived. If you don't want Aquatone to create files in the current working directory, you can specify a different location with the It is also possible to set a permanent default output destination by defining an environment variable: Be default, Aquatone will scan target hosts with a small list of commonly used HTTP ports: 80, 443, 8000, 8080 and 8443. You can change this to your own list of ports with the Aquatone also supports aliases of built-in port lists to make it easier for you: Example: Aquatone is designed to play nicely with all kinds of tools. Here's some examples: Amass is currently my preferred tool for enumerating DNS. It uses a bunch of OSINT sources as well as active brute-forcing and clever permutations to quickly identify hundreds, if not thousands, of subdomains on a domain: There are plenty of other DNS enumeration tools out there and Aquatone should work just as well with any other tool: Aquatone can make a report on hosts scanned with the Nmap or Masscan portscanner. Simply feed Aquatone the XML output and give it the aquatone
binary to your desired location. You probably want to move it to a location in your $PATH
for easier use. -chrome-path string
Full path to the Chrome/Chromium executable to use. By default, aquatone will search for Chrome or Chromium
-debug
Print debugging information
-http-timeout int
Timeout in miliseconds for HTTP requests (default 3000)
-nmap
Parse input as Nmap/Masscan XML
-out string
Directory to write files to (default ".")
-ports string
Ports to scan on hosts. Supported list aliases: small, medium, large, xlarge (default "80,443,8000,8080,8443")
-proxy string
Proxy to use for HTTP requests
-resolution string
screenshot resolution (default "1440,900")
-save-body
Save response bodies to files (default true)
-scan-timeout int
Timeout in miliseconds for port scans (default 100)
-screenshot-timeout int
Timeout in miliseconds for screenshots (default 30000)
-session string
Load Aquatone session file and generate HTML report
-silent
Suppress all output except for errors
-template-path string
Path to HTML template to use for report
-threads int
Number of concurrent threads (default number of logical CPUs)
-version
Print current Aquatone version
$ cat targets.txt | aquatone
-save-body=false
flag to save some disk space.-out
flag:$ cat hosts.txt | aquatone -out ~/aquatone/example.com
export AQUATONE_OUT_PATH="~/aquatone"
-ports
flag:$ cat hosts.txt | aquatone -ports 80,443,3000,3001
$ cat hosts.txt | aquatone -ports large
$ amass -active -brute -o hosts.txt -d yahoo.com
alerts.yahoo.com
ads.yahoo.com
am.yahoo.com
- - - SNIP - - -
prd-vipui-01.infra.corp.gq1.yahoo.com
cp103.mail.ir2.yahoo.com
prd-vipui-01.infra.corp.bf1.yahoo.com
$ cat hosts.txt | aquatone
-nmap
flag to tell it to parse the input as Nmap/Masscan XML:$ cat scan.xml | aquatone -nmap