GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → shelld3v → aquatone

shelld3v / aquatone

Licence: MIT License
A Tool for Domain Flyovers

Programming Languages

javascript
184084 projects - #8 most used programming language
go
31211 projects - #10 most used programming language
HTML
75241 projects

Labels

securityosinthackingpenetration-testingbug-bountyinfosecpentestingbugbountypentestappsechacking-toolsecurity-toolsreconnaissance

Projects that are alternatives of or similar to aquatone

tugarecon
Pentest: Subdomains enumeration tool for penetration testers.
Stars: ✭ 142 (+230.23%)
Mutual labels:  penetration-testing, bug-bounty, infosec, bugbounty, pentest, reconnaissance
flydns
Related subdomains finder
Stars: ✭ 29 (-32.56%)
Mutual labels:  osint, bug-bounty, infosec, bugbounty, pentest, reconnaissance
Dirsearch
Web path scanner
Stars: ✭ 7,246 (+16751.16%)
Mutual labels:  penetration-testing, bug-bounty, infosec, bugbounty, appsec, hacking-tool
Rengine
reNgine is an automated reconnaissance framework for web applications with a focus on highly configurable streamlined recon process via Engines, recon data correlation and organization, continuous monitoring, backed by a database, and simple yet intuitive User Interface. reNgine makes it easy for penetration testers to gather reconnaissance with…
Stars: ✭ 3,439 (+7897.67%)
Mutual labels:  osint, penetration-testing, bug-bounty, infosec, bugbounty, reconnaissance
Osmedeus
Fully automated offensive security framework for reconnaissance and vulnerability scanning
Stars: ✭ 3,391 (+7786.05%)
Mutual labels:  osint, penetration-testing, bugbounty, hacking-tool, reconnaissance
AttackSurfaceManagement
Discover the attack surface and prioritize risks with our continuous Attack Surface Management (ASM) platform - Sn1per Professional #pentest #redteam #bugbounty
Stars: ✭ 45 (+4.65%)
Mutual labels:  osint, penetration-testing, bugbounty, hacking-tool, reconnaissance
Hosthunter
HostHunter a recon tool for discovering hostnames using OSINT techniques.
Stars: ✭ 427 (+893.02%)
Mutual labels:  osint, penetration-testing, bugbounty, hacking-tool, reconnaissance
Awesome Bbht
A bash script that will automatically install a list of bug hunting tools that I find interesting for recon, exploitation, etc. (minus burp) For Ubuntu/Debain.
Stars: ✭ 190 (+341.86%)
Mutual labels:  penetration-testing, bug-bounty, bugbounty, hacking-tool, reconnaissance
Keye
Keye is a reconnaissance tool that was written in Python with SQLite3 integrated. After adding a single URL, or a list of URLs, it will make a request to these URLs and try to detect changes based on their response's body length.
Stars: ✭ 101 (+134.88%)
Mutual labels:  penetration-testing, bug-bounty, pentest, reconnaissance
31 Days Of Api Security Tips
This challenge is Inon Shkedy's 31 days API Security Tips.
Stars: ✭ 1,038 (+2313.95%)
Mutual labels:  bug-bounty, infosec, bugbounty, pentest
Pidrila
Python Interactive Deepweb-oriented Rapid Intelligent Link Analyzer
Stars: ✭ 125 (+190.7%)
Mutual labels:  penetration-testing, bug-bounty, pentest, appsec
Sublert
Sublert is a security and reconnaissance tool which leverages certificate transparency to automatically monitor new subdomains deployed by specific organizations and issued TLS/SSL certificate.
Stars: ✭ 699 (+1525.58%)
Mutual labels:  penetration-testing, bug-bounty, pentest, reconnaissance
Asnlookup
Leverage ASN to look up IP addresses (IPv4 & IPv6) owned by a specific organization for reconnaissance purposes, then run port scanning on it.
Stars: ✭ 163 (+279.07%)
Mutual labels:  infosec, bugbounty, pentest, reconnaissance
Crithit
Takes a single wordlist item and tests it one by one over a large collection of websites before moving onto the next. Create signatures to cross-check vulnerabilities over multiple hosts.
Stars: ✭ 182 (+323.26%)
Mutual labels:  penetration-testing, infosec, bugbounty, hacking-tool
lit-bb-hack-tools
Little Bug Bounty & Hacking Tools⚔️
Stars: ✭ 180 (+318.6%)
Mutual labels:  bug-bounty, infosec, bugbounty, hacking-tool
PyParser-CVE
Multi source CVE/exploit parser.
Stars: ✭ 25 (-41.86%)
Mutual labels:  osint, penetration-testing, infosec, pentest
Spiderfoot
SpiderFoot automates OSINT for threat intelligence and mapping your attack surface.
Stars: ✭ 6,882 (+15904.65%)
Mutual labels:  osint, infosec, pentest, reconnaissance
Ashok
Ashok is a OSINT Recon Tool , a.k.a 😍 Swiss Army knife .
Stars: ✭ 109 (+153.49%)
Mutual labels:  osint, penetration-testing, hacking-tool, reconnaissance
Reconky-Automated Bash Script
Reconky is an great Content Discovery bash script for bug bounty hunters which automate lot of task and organized in the well mannered form which help them to look forward.
Stars: ✭ 167 (+288.37%)
Mutual labels:  osint, penetration-testing, bugbounty, reconnaissance
KaliIntelligenceSuite
Kali Intelligence Suite (KIS) shall aid in the fast, autonomous, central, and comprehensive collection of intelligence by executing standard penetration testing tools. The collected data is internally stored in a structured manner to allow the fast identification and visualisation of the collected information.
Stars: ✭ 58 (+34.88%)
Mutual labels:  osint, penetration-testing, bugbounty
View All Similar Projects ➔

AQUATONE

Original: https://github.com/michenriksen/aquatone

This is an actively developing aquatone forked from michenriksen's project. I do this because the original project has been stopped updating

Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.

Installation

  1. Install Google Chrome or Chromium browser -- Note: Google Chrome is currently giving unreliable results when running in headless mode, so it is recommended to install Chromium for the best results.

You'll need a working installation of Go with go 1.11+ modules support.

go get github.com/shelld3v/aquatone

Usage

Command-line options:

Usage of aquatone:
  -chrome-path string
        Full path to the Chrome/Chromium executable to use. By default, aquatone will search for Chrome or Chromium
  -debug
        Print debugging information
  -filter-codes string
        Invalid HTTP status codes to do web scan (seperated by commas)
  -full-page
        Screenshot full web pages
  -http-timeout int
        Timeout in miliseconds for HTTP requests (default 15000)
  -input-file string
        Input file to parse hosts (Nmap or Raw) rather than STDIN
  -match-codes string
        Valid HTTP status codes to do web scan (seperated by commas)
  -nmap
        Parse input as Nmap/Masscan XML
  -no-redirect
        Do not follow HTTP redirects
  -offline
        Use offline js files to generate the default template report.
  -out string
        Directory to write files to (default ".")
  -ports string
        Ports to scan on hosts. Supported list aliases: small, medium, large, xlarge (default "80,443,8080,8443")
  -proxy string
        Proxy to use for HTTP requests
  -save-body
        Save response bodies to files
  -scan-timeout int
        Timeout in miliseconds for port scans (default 3000)
  -screenshot-delay int
        Delay in miliseconds before taking screenshots
  -screenshot-timeout int
        Timeout in miliseconds for screenshots (default 30000)
  -session string
        Load Aquatone session file and generate HTML report
  -silent
        Suppress all output except for errors
  -similarity float
        Cluster Similarity Float for Screenshots. Default 0.80 (default 0.8)
  -template-path string
        Path to HTML template to use for report
  -threads int
        Number of concurrent threads (default number of logical CPUs)
  -thumbnail-size string
        Screenshot thumbnail size (format: width,height)
  -timeout int
        Generic timeout for everithing. (specific timeouts will be ignored if set)
  -version
        Print current Aquatone version

Giving Aquatone data

Aquatone is designed to be as easy to use as possible and to integrate with your existing toolset with no or minimal glue. Aquatone is started by piping output of a command into the tool. It doesn't really care how the piped data looks as URLs, domains, and IP addresses will be extracted with regular expression pattern matching. This means that you can pretty much give it output of any tool you use for host discovery.

IPs, hostnames and domain names in the data will undergo scanning for ports that are typically used for web services and transformed to URLs with correct scheme. If the data contains URLs, they are assumed to be alive and do not undergo port scanning.

Example:

$ cat targets.txt | aquatone
$ aquatone -input-file targets.txt

Output

When Aquatone is done processing the target hosts, it has created a bunch of files and folders in the current directory:

  • aquatone_report.html: An HTML report to open in a browser that displays all the collected screenshots and response headers clustered by similarity.
  • aquatone_urls.txt: A file containing all responsive URLs. Useful for feeding into other tools.
  • aquatone_session.json: A file containing statistics and page data. Useful for automation.
  • aquatone_log.log: A file containing log information of the scan. Useful for debugging.
  • headers/: A folder with files containing raw response headers from processed targets.
  • html/: A folder with files containing the raw response bodies from processed targets. If you are processing a large amount of hosts, and don't need this for further analysis, you can disable this with the -save-body=false flag to save some disk space.
  • screenshots/: A folder with PNG screenshots of the processed targets.

The output can easily be zipped up and shared with others or archived.

Changing the output destination

If you don't want Aquatone to create files in the current working directory, you can specify a different location with the -out flag:

$ cat hosts.txt | aquatone -out ~/aquatone/example.com

It is also possible to set a permanent default output destination by defining an environment variable:

export AQUATONE_OUT_PATH="~/aquatone"

Specifying ports to scan

Be default, Aquatone will scan target hosts with a small list of commonly used HTTP ports: 80, 443, 8080 and 8443. You can change this to your own list of ports with the -ports flag:

$ cat hosts.txt | aquatone -ports 80,443,3000,3001

Aquatone also supports aliases of built-in port lists to make it easier for you:

  • small: 80, 443
  • medium: 80, 443, 8000, 8080, 8443
  • large: 80, 81, 443, 591, 2082, 2087, 2095, 2096, 3000, 8000, 8001, 8008, 8080, 8083, 8443, 8834, 8888
  • xlarge: 80, 81, 300, 443, 591, 593, 832, 981, 1010, 1311, 2082, 2087, 2095, 2096, 2480, 3000, 3128, 3333, 4243, 4567, 4711, 4712, 4993, 5000, 5104, 5108, 5800, 6543, 7000, 7396, 7474, 8000, 8001, 8008, 8014, 8042, 8069, 8080, 8081, 8088, 8090, 8091, 8118, 8123, 8172, 8222, 8243, 8280, 8281, 8333, 8443, 8500, 8834, 8880, 8888, 8983, 9000, 9043, 9060, 9080, 9090, 9091, 9200, 9443, 9800, 9981, 12443, 16080, 18091, 18092, 20720, 28017

Example:

$ cat hosts.txt | aquatone -ports large

Screenshot delay

For example delaying capture, could be useful for javascript rendered pages (sleeping a couple of ms). The system waits the specified number of virtual milliseconds before deeming the page to be ready.

Example:

$ cat hosts.txt | aquatone -screenshot-delay 10000

Usage examples

Aquatone is designed to play nicely with all kinds of tools. Here's some examples:

Amass DNS enumeration

Amass is currently my preferred tool for enumerating DNS. It uses a bunch of OSINT sources as well as active brute-forcing and clever permutations to quickly identify hundreds, if not thousands, of subdomains on a domain:

$ amass -active -brute -o hosts.txt -d yahoo.com
alerts.yahoo.com
ads.yahoo.com
am.yahoo.com
- - - SNIP - - -
prd-vipui-01.infra.corp.gq1.yahoo.com
cp103.mail.ir2.yahoo.com
prd-vipui-01.infra.corp.bf1.yahoo.com
$ cat hosts.txt | aquatone -out reports/yahoo.com

There are plenty of other DNS enumeration tools out there and Aquatone should work just as well with any other tool:

Nmap or Masscan

Aquatone can make a report on hosts scanned with the Nmap or Masscan portscanner. Simply feed Aquatone the XML output and give it the -nmap flag to tell it to parse the input as Nmap/Masscan XML:

$ cat scan.xml | aquatone -nmap

Credits

  • Thanks to EdOverflow for the can-i-take-over-xyz project which Aquatone's domain takeover capability is based on.
  • Thanks to Elbert Alias for the Wappalyzer project's technology fingerprints which Aquatone's technology fingerprinting capability is based on.
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].