- Kali Linux: An Ethical Hacker's Cookbook (Second Edition)
- Himanshu Sharma
- 367 words
- 2021-06-24 15:59:14
Aquatone
Aquatone is a tool for visually inspecting websites across a large number of hosts and is convenient for quickly gaining an overview of an HTTP-based attack surface. Aquatone has four major modules: discover, scanner, gather, and takeover. Each of these can be used to perform in-depth enumeration of a target:
- We will use a simple command to install aquatone:
gem install aquatone
The following screenshot shows the output of the preceding command:

- Next, we create a directory in the /root folder using the following command:
mkdir /root/aquatone/
- As aquatone uses different modules to hunt for subdomains, we will have to configure aquatone's discovery module before running it.
- For example, to configure the Shodan key, we can use the following command:
aquatone-discover --set-key shodan XXXXXXXXXXX
The following screenshot shows the output of the preceding command:

- Similarly, we can set keys for other services too, such as Censys and PassiveTotal.
- Once it is all set, we can start our subdomain hunting. We can do this using the following command:
aquatone-discover -d domain.com
The following screenshot shows the output of the preceding command:

- Aquatone also allows us to set a custom wordlist by using the -w flag, and we can also set the number of threads by using the -t flag.
- By default, aquatone stores the output in TXT as well as JSON format in the /root/aquatone/ directory.
- After we find the subdomains, we can use the aquatone scanner to scan for open ports on the discovered hosts. Let's look at an example:
aquatone-scan --ports 80 -d packtpub.com
The following screenshot shows the output of the preceding command:

- This will look for the domain's hosts.json file in the aquatone directory.
Aquatone by default has four built-in port-scanning flags (small, medium, large, and huge). These flags decide the number of ports scanned on the hosts; alternatively, we can define custom ports by using the --ports flag.
- aquatone-gather: This tool makes a connection to the web services found using the discover and scanner modules of aquatone and takes screenshots of discovered web pages for later analysis.
- aquatone-takeover: This module is used to find subdomains that are vulnerable to the subdomain takeover vulnerability.
Let's refer to the following screenshot:
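
The following is an added example, not code from the book or from the aquatone project. It reviews the discover output from the defender's side by comparing discovered hosts with an asset inventory and flagging names that resolve to internal address space. It assumes hosts.json is a JSON object mapping each hostname to an IP address; the sample data and the INVENTORY set are constructed.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample in the ASSUMED hosts.json layout: {"hostname": "ip"}.
SAMPLE_HOSTS_JSON = """
{
  "www.example.com": "192.0.2.10",
  "shop.example.com": "192.0.2.10",
  "intranet.example.com": "10.20.30.40",
  "old-staging.example.com": "203.0.113.77",
  "mail.example.com": "198.51.100.25"
}
"""

# Hypothetical asset inventory: the hosts the organisation knows it runs.
INVENTORY = {"www.example.com", "shop.example.com", "mail.example.com"}

# RFC 1918, loopback and link-local ranges that should not appear in public DNS.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def review_hosts(hosts_json, inventory):
    """Classify discovered hosts for an attack-surface review."""
    report = {"unknown": [], "internal": [], "invalid": [], "shared_ips": {}}
    by_ip = defaultdict(list)
    for name, ip in sorted(json.loads(hosts_json).items()):
        name = name.lower().rstrip(".")
        if name not in inventory:
            report["unknown"].append(name)       # not in the asset inventory
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            report["invalid"].append(name)       # malformed address field
            continue
        if any(addr in net for net in INTERNAL_NETS):
            report["internal"].append(name)      # leaks internal addressing
        by_ip[str(addr)].append(name)
    # Several names on one address usually means shared or virtual hosting.
    report["shared_ips"] = {ip: n for ip, n in by_ip.items() if len(n) > 1}
    return report


if __name__ == "__main__":
    print(json.dumps(review_hosts(SAMPLE_HOSTS_JSON, INVENTORY), indent=2))
```

Hosts listed under "unknown" are candidates for decommissioning or for adding to the inventory, and are the records to check first for stale DNS entries.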
