Attack surface management has become one of the most critical aspects of running any website on the public internet. Simply knowing your attack surface is no longer enough; effectively managing it with tools like Aquatone has become the norm. Combining Aquatone with popular tools like OWASP Amass streamlines website attack surface management even further.
What is Aquatone?
Aquatone is a free-to-use, open-source project aimed at making visual inspection of websites an easy task. This valuable tool also supports looking up websites in bulk, which can make the task of information gathering for your website's attack surface surprisingly easy.
Aquatone works with the help of a web browser like Chrome or Chromium to perform the visual inspection of any website being looked up. Aquatone can be further combined with tools like Nmap to gain even more insight about a website's attack surface.
To install Aquatone, grab the latest release of the project's GitHub page for the operating system you run on. Aquatone has released versions for Linux (amd64 and arm64), MacOS, and Windows, which makes it a very handy tool no matter what platform you're on.
In our example, we'll take a look at both the Linux and Windows options.
For Linux, grab the amd64 build or arm64 build. If in doubt, grab the amd64 build:
And then unzip the archive.
Now let's run the command for the first time:
The --help command will show a list of the command arguments, features and flags supported by Aquatone:
Next, for Aquatone to perform visual lookups of websites, you'll need Chromium or Google Chrome installed on your system. If you are running any Debian-based distro, you can install this package by just running the following command:
apt install -y chromium-browser
Similarly, for Windows, download the "windows_amd64.zip" build, and extract the archive.
This should result in the following files:
Fire up the command prompt with WIN + R and then enter CMD.
Navigate to the folder where you extracted the files and run the executable:
Which should then result in the following output:
As with Linux, you'll need either Google Chrome or Chromium installed on your system so that Aquatone can perform the website visual lookups.
Aquatone phases and usage examples
To begin using Aquatone, let's look at scanning websites with basic flags/options available.
First, create a text file called "websites.txt" inside the same folder as the Aquatone executable. And inside that, add the websites you wish to scan, ensuring you have only one website per line.
Run the command
cat websites.txt | ./aquatone
Which should net you the following output:
From the output above, we're able to gather a few important facts:
- Aquatone is FAST! Using this tool, we were able to gather information about two websites in only five seconds
- As for the output returned, Aquatone gives us an HTML report, an HTTP code and a screenshot of the website
- Aquatone targets ports 80, 443, 8000, 8080 and 8443 by default if no specific ports are passed on the command line
Scanning specific ports
At times you may need to scan only specific ports, or the most commonly used ports (such as 80 and 443). This can be done by using the -ports flag.
cat websites.txt | ./aquatone -ports 80,443
This should return the following output:
Using Aquatone with OWASP Amass
Another excellent feature of Aquatone is that it can be combined with other tools like OWASP Amass. This extends what Aquatone can achieve even further.
Amass is a great tool for DNS enumeration, as it helps find and list the subdomains belonging to a domain. With larger organizations having hundreds, if not thousands, of subdomains active at any time, Amass speeds up the process by gathering information from multiple third-party sources.
Amass carries builds for Linux, Windows and MacOS, as well as FreeBSD.
To begin, grab the latest release of Amass from its GitHub Releases page by executing:
And then unzip the archive.
Next, use the following command to make Amass look up subdomains belonging to netflix.com
amass -active -brute -o output.txt -d netflix.com
This makes Amass look up only active subdomains via the brute force method, and writes the output to the output.txt file.
Next, this very same output.txt file (which contains all the subdomains returned by Amass) can be used as input for the Aquatone tool to gather screenshots and HTTP header information as well as generate an HTML-based report containing all the information related to the hosts being looked up.
cat output.txt | ./aquatone
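Before piping Amass output into Aquatone, it is worth cleaning it up so that only hosts within your authorised scope reach the scanner. The script below is an added example (not part of the Aquatone or Amass projects) that normalises a constructed sample of Amass output, drops wildcard entries and noise, and keeps only hosts under the in-scope root domains; the file name prepare_targets.py is hypothetical.

```python
"""Prepare Amass output for Aquatone by keeping only in-scope hostnames.
Added example, not part of the Aquatone or Amass projects. It assumes Amass
wrote one hostname per line (as the -o output.txt command above does) and
that the in-scope root domains are known."""
import re
import sys

# Constructed sample of Amass-style output, including noise a real run can contain.
SAMPLE_AMASS_OUTPUT = """\
www.example.com
WWW.example.com.
dev.example.com
*.staging.example.com
api.example.com
cdn.example-static.net
  mail.example.com
example.com
Not a hostname!
"""

# Lowercase DNS hostname: dot-separated labels, final label at least two characters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")


def in_scope(host, roots):
    """True if host equals an in-scope root domain or is a subdomain of one."""
    return any(host == r or host.endswith("." + r) for r in roots)


def prepare_targets(amass_lines, roots):
    """Normalise Amass output and return a sorted list of unique in-scope hosts."""
    roots = {r.strip().lower().rstrip(".") for r in roots}
    keep = set()
    for line in amass_lines:
        host = line.strip().lower().rstrip(".")   # case and trailing dot do not matter in DNS
        if not host or host.startswith("*."):       # wildcard records are not scannable hosts
            continue
        if not HOSTNAME_RE.match(host):             # drop banners, blanks and other noise
            continue
        if in_scope(host, roots):                   # never feed out-of-scope hosts to a scanner
            keep.add(host)
    return sorted(keep)


if __name__ == "__main__":  # usage: python3 prepare_targets.py [output.txt] [root domain ...]
    lines = open(sys.argv[1]).readlines() if len(sys.argv) > 1 else SAMPLE_AMASS_OUTPUT.splitlines()
    print("\n".join(prepare_targets(lines, set(sys.argv[2:]) or {"example.com"})))
```

The printed hostnames can then be piped in exactly as the article does, for example `python3 prepare_targets.py output.txt example.com | ./aquatone -ports 80,443`.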
Accessing the HTML report generated by Aquatone
Setting Aquatone apart from other similar tools is the HTML report that it generates. When scanning for hundreds or thousands of websites, getting key facts, upfront, can help save a lot of time.
With its HTML report, Aquatone does exactly that. You can get screenshots and various HTTP header-related information from it.
Note: Aquatone writes out the HTML report file "aquatone_report.html" in the same directory as the Aquatone executable.
Open up the HTML "aquatone_report.html" file with your web browser of choice, and you're presented with an attractive user interface that lists the websites scanned, the HTTP code and the web server detected:
To view more information about a website that's been scanned via Aquatone, click on the "View Details" button:
This then returns response header information, including content type, cache control, last modified, content length, date and web server in use:
Next, Aquatone offers a Graph option, which allows you to view a visual representation of the relationship between the hosts being scanned:
The graph below allows users to map similar websites together and gain further understanding of how they're related.
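The response headers shown under "View Details" are also saved alongside the report, which makes it possible to audit them in bulk rather than clicking through hundreds of hosts. The script below is an added example, not part of the Aquatone project; it assumes that aquatone_session.json has a top-level "pages" object keyed by URL, each page carrying "hostname", "status" and a "headers" list of name/value entries (adjust the keys if your version differs), and it runs on a constructed sample session. It reports missing hardening headers, version strings in Server or X-Powered-By, and hostnames that look like dev or staging systems.

```python
"""Audit security-relevant response headers recorded in an Aquatone session.
Added example, not part of the Aquatone project. It assumes aquatone_session.json
has a top-level "pages" object keyed by URL, each page holding "hostname",
"status" and a "headers" list of {"name", "value"} entries."""
import json
import sys

# Hardening baseline a defender expects on every internet-facing host.
EXPECTED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options", "x-frame-options")
VERSION_HEADERS = ("server", "x-powered-by")          # commonly disclose product/version
NON_PROD_MARKERS = ("dev", "staging", "test", "uat")  # hostname labels that suggest non-production

# Constructed sample standing in for a real session file; not real scan output.
SAMPLE_SESSION = json.dumps({"version": "1.7.0", "pages": {
    "https://www.example.com/": {"hostname": "www.example.com", "status": "200 OK", "headers": [
        {"name": "Strict-Transport-Security", "value": "max-age=31536000"},
        {"name": "Content-Security-Policy", "value": "default-src 'self'"},
        {"name": "X-Content-Type-Options", "value": "nosniff"},
        {"name": "X-Frame-Options", "value": "DENY"}]},
    "https://dev.example.com/": {"hostname": "dev.example.com", "status": "200 OK", "headers": [
        {"name": "Server", "value": "Apache/2.4.29 (Ubuntu)"},
        {"name": "X-Powered-By", "value": "PHP/7.2.24"}]},
    "http://api.example.com:8080/": {"hostname": "api.example.com", "status": "401 Unauthorized",
        "headers": [{"name": "Server", "value": "gunicorn"},
                    {"name": "X-Frame-Options", "value": "SAMEORIGIN"}]}}})


def audit_session(session_json):
    """Return {url: [findings]} for every scanned page with at least one finding."""
    findings = {}
    for url, page in json.loads(session_json).get("pages", {}).items():
        present = {h["name"].lower(): h["value"] for h in page.get("headers", [])}
        issues = ["missing " + n for n in EXPECTED_HEADERS if n not in present]
        # A slash in Server/X-Powered-By usually means "product/version" is disclosed.
        issues += ["version disclosed in " + n + ": " + present[n]
                   for n in VERSION_HEADERS if "/" in present.get(n, "")]
        host = page.get("hostname", "")
        if any(label in NON_PROD_MARKERS for label in host.split(".")):
            issues.append("non-production hostname exposed: " + host)
        if issues:
            findings[url] = issues
    return findings


if __name__ == "__main__":  # usage: python3 audit_session.py [aquatone_session.json]
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SESSION
    for url, issues in sorted(audit_session(data).items()):
        print(url + "".join("\n  - " + issue for issue in issues))
```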
Aquatone offers itself as a good attack surface management tool, all while being free to use and open source, which makes adopting it a very easy choice.
Aquatone scans websites quickly, grabbing a screenshot of each site along with its HTTP header information, and gathers all of it into an HTML report. This makes it easy to share the results of a scan session with other team members or a group of security researchers.
Aquatone also offers extensibility. With its ability to be combined with other security research tools like Nmap, Amass, and others, this tool enhances most security researchers' toolsets quite extensively.
Something to keep in mind: while Aquatone is a good starting point for information discovery, it does lack some features that would allow it to be helpful in further tasks, such as risk detection, SSL analysis, and more advanced data correlation.