
SecurityTrails Blog · Oct 28 · by Esteban Borges

Aquatone: An HTTP-Based Attack Surface Visual Inspection Tool


Attack surface management has become one of the most critical aspects of any website on the public internet. Simply knowing your attack surface is no longer enough, and effectively managing it with tools like Aquatone has become the norm. Combining Aquatone with popular tools like OWASP Amass helps improve and streamline website attack surface management even further.

What is Aquatone?

Aquatone is a free-to-use, open-source project aimed at making visual inspection of websites an easy task. This valuable tool also supports looking up websites in bulk, which can make the task of information gathering for your website’s attack surface surprisingly easy.

Aquatone works with the help of a web browser like Chrome or Chromium to perform the visual inspection of any website being looked up. Aquatone can be further combined with tools like Nmap to gain even more insight about a website’s attack surface.


Installation

To install Aquatone, grab the latest release from the project’s GitHub page for the operating system you run. Aquatone has released versions for Linux (amd64 and arm64), macOS, and Windows, which makes it a very handy tool no matter what platform you’re on.

In our example, we’ll take a look at both the Linux and Windows options.

For Linux, grab the amd64 build or arm64 build. If in doubt, grab the amd64 build:

wget https://github.com/michenriksen/aquatone/releases/download/v1.7.0/aquatone_linux_amd64_1.7.0.zip

And then unzip the archive:

unzip aquatone_linux_amd64_1.7.0.zip

Now let’s run the command for the first time:

./aquatone --help

The --help flag will show a list of command arguments, features and flags supported by Aquatone:

[Image: Aquatone, list of command arguments]

Next, for Aquatone to perform visual lookups of websites, you’ll need Chromium or Google Chrome installed on your system. If you are running any Debian-based distro, you can install this package by just running the following command:

apt install -y chromium-browser

Similarly, for Windows, download the “windows_amd64.zip” build, and extract the archive.

This should result in the following files:

[Image: Aquatone, windows download]

Fire up the command prompt with WIN + R and then enter CMD.

Navigate to the folder where you extracted the files and run:

aquatone.exe --help

Which should then result in the following output:

[Image: Aquatone, help command]

As with Linux, you’ll need either Google Chrome or Chromium installed on your system so that Aquatone can perform the visual lookups of websites.

Aquatone phases and usage examples

Basic usage

To begin using Aquatone, let’s look at scanning websites with basic flags/options available.

First, create a text file called “websites.txt” inside the same folder as the Aquatone executable. Inside it, add the websites you wish to scan, ensuring you have only one website per line.

Run the command:

cat websites.txt | ./aquatone

Which should net you the following output:

[Image: Aquatone, basic usage]

From the output above, we’re able to gather a few important facts:

  1. Aquatone is FAST! Using this tool, we were able to gather information about two websites in only five seconds
  2. As for the output returned, Aquatone gives us an HTML report, an HTTP code and a screenshot of the website
  3. Aquatone targets ports 80, 443, 8000, 8080 and 8443 by default if no arguments or specific ports are passed into the command

Scanning specific ports

At times you may need to scan only specific ports, or the most commonly used ports (such as 80 and 443). This can be done by using the -ports flag.

For example:

cat websites.txt | ./aquatone -ports 80,443

This should return the following output:

[Image: Aquatone, scanning specific ports]

Using Aquatone with OWASP Amass

Another excellent feature of Aquatone is that it can be combined with other tools like OWASP Amass. This extends what Aquatone can achieve even further.

Amass is a great tool for DNS enumeration, as it helps find and list subdomains belonging to a domain. With larger organizations having hundreds, if not thousands, of subdomains active at any time, using Amass helps speed up the process, gathering information from multiple 3rd-party sources.

Amass carries builds for Linux, Windows and macOS, as well as FreeBSD.

To begin, grab the latest release of Amass from its GitHub Releases page by executing:

wget https://github.com/OWASP/Amass/releases/download/v3.13.4/amass_linux_amd64.zip

And then unzip the archive.

Next, use the following command to make Amass look up subdomains belonging to netflix.com:

amass enum -active -brute -o output.txt -d netflix.com

This runs the Amass enum subcommand with active enumeration techniques (-active) and brute-force subdomain guessing (-brute), and writes the output to the output.txt file.

Next, this very same output.txt file (which contains all the subdomains returned by Amass) can be used as input for the Aquatone tool to gather screenshots and HTTP header information as well as generate an HTML-based report containing all the information related to the hosts being looked up.

cat output.txt | ./aquatone
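Enumeration output often contains malformed lines or names outside the domains you are authorised to assess, so it is worth filtering the list before Aquatone starts requesting every host in it. The following is an added example, not part of the original article or of either project: the function name scope_filter and the file scope.txt are assumptions, and the sample hostnames are constructed.

```shell
#!/usr/bin/env bash
# scope_filter HOSTS_FILE SCOPE_FILE   (hypothetical helper, added example)
#   HOSTS_FILE: one hostname per line, e.g. the output.txt written by Amass
#   SCOPE_FILE: one authorised root domain per line, "#" comments allowed
# Prints lowercased, deduplicated, in-scope hostnames. An empty scope file
# yields no output, so the filter fails closed.
scope_filter() {
    awk '
        # First file: load the authorised root domains.
        NR == FNR {
            sub(/#.*/, ""); gsub(/[ \t\r]/, "")
            if ($0 != "") scope[tolower($0)] = 1
            next
        }
        {
            gsub(/[ \t\r]/, "")              # also strips CRLF line endings
            host = tolower($0)
            sub(/\.$/, "", host)             # drop a trailing root dot
            # Keep plain DNS hostnames only (no URLs, wildcards, odd bytes).
            if (host !~ /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/) next
            if (host ~ /\.\./) next
            for (root in scope) {
                suffix = "." root
                # Accept the root itself or a label-aligned subdomain, so
                # notexample.com never matches a scope of example.com.
                if (host == root ||
                    (length(host) > length(suffix) &&
                     substr(host, length(host) - length(suffix) + 1) == suffix)) {
                    print host
                    break
                }
            }
        }
    ' "$2" "$1" | sort -u
}

# Constructed sample input (not real scan data).
demo_dir=$(mktemp -d)
printf '%s\n' 'www.example.com' 'API.Example.com.' 'notexample.com' \
    'example.com.attacker.test' 'www.example.com' 'staging.example.org' \
    'bad host!.example.com' > "$demo_dir/output.txt"
printf '%s\n' '# authorised roots' 'example.com' > "$demo_dir/scope.txt"

scope_filter "$demo_dir/output.txt" "$demo_dir/scope.txt"
# With real data: scope_filter output.txt scope.txt | ./aquatone
```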

Accessing the HTML report generated by Aquatone

What sets Aquatone apart from other similar tools is the HTML report that it generates. When scanning hundreds or thousands of websites, getting key facts up front can save a lot of time.

With its HTML report, Aquatone does exactly that. You can get screenshots and various HTTP header-related information from it.

Note: Aquatone writes out the HTML report file “aquatone_report.html” in the same directory as the Aquatone executable.

Open up the HTML “aquatone_report.html” file with your web browser of choice, and you’re presented with an attractive user interface that lists the websites scanned, the HTTP code and the web server detected:

[Image: Aquatone, pages by similarity]

To view more information about a website that’s been scanned via Aquatone, click on the “View Details” button:

[Image: Aquatone, view details]

This then returns response header information, including content type, cache control, last modified, content length, date and web server in use:

[Image: Aquatone, response header]

Next, Aquatone offers a Graph option, which allows you to view a visual representation of the relationship between the hosts being scanned:

[Image: Aquatone, a graph option]

The graph below allows users to map similar websites together and gain further understanding of how they’re related.

[Image: Aquatone, map similar websites]

Summary

Aquatone offers itself as a good attack surface management tool, all while being free to use and open source, which makes using it a very easy choice.

With its impressive website scanning speed and capabilities, which include grabbing a screenshot of the website as well as HTTP header information, Aquatone also gathers all of this information together in an HTML format report. This convenience allows users to share scan session results with other team members, or a group of security researchers, easily.

Aquatone also offers extensibility. With its ability to be combined with other security research tools like Nmap, Amass, and others, this tool enhances most security researchers’ toolsets quite extensively.

Something to keep in mind: while Aquatone is a good starting point for information discovery, it does lack some features that would allow it to be helpful in further tasks, such as risk detection, SSL analysis, and more advanced data correlation.

ESTEBAN BORGES

Esteban is a seasoned security researcher and cybersecurity specialist with over 15 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.