Convert Figma logo to code with AI

michenriksen logoaquatone

A Tool for Domain Flyovers

5,618
875
5,618
106
View on GitHub

Top Related Projects

projectdiscovery's avatar

nuclei

20,301

Fast and customizable vulnerability scanner based on simple YAML based DSL.

tomnomnom's avatar

httprobe

2,849

Take a list of domains and probe for working HTTP and HTTPS servers

owasp-amass's avatar

amass

11,936

In-depth attack surface mapping and asset discovery

ffuf's avatar

ffuf

12,459

Fast web fuzzer written in Go

OJ's avatar

gobuster

9,725

Directory/File, DNS and VHost busting tool written in Go

nmap's avatar

nmap

10,048

Nmap - the Network Mapper. Github mirror of official SVN repository.

Quick Overview

Aquatone is a tool for visual inspection of websites across a large number of hosts. It's designed to quickly gather and organize screenshots, HTML, and other information from a list of domains or IP addresses. Aquatone is particularly useful for bug bounty hunters, penetration testers, and red teamers.

Pros

  • Automates the process of capturing screenshots and gathering information from multiple web hosts
  • Generates an attractive HTML report for easy visual inspection
  • Integrates well with other reconnaissance tools and workflows
  • Supports various input formats, including plain text and JSON

Cons

  • Requires Chrome or Chromium browser to be installed for screenshot capture
  • May trigger security alerts on target systems due to its scanning nature
  • Limited customization options for the generated report
  • Performance can be slow when dealing with a large number of targets

Getting Started

  1. Install Aquatone:

    go get github.com/michenriksen/aquatone

  2. Prepare a list of domains or IP addresses in a text file (e.g., targets.txt).

  3. Run Aquatone:

    cat targets.txt | aquatone

  4. Open the generated aquatone_report.html file in your browser to view the results.

For more advanced usage, refer to the project's documentation on GitHub.

Competitor Comparisons

projectdiscovery logo

nuclei

20,301

Fast and customizable vulnerability scanner based on simple YAML based DSL.

Pros of Nuclei

  • More versatile and customizable with a large library of templates
  • Supports a wider range of security checks and vulnerability scanning
  • Actively maintained with frequent updates and community contributions

Cons of Nuclei

  • Steeper learning curve due to its extensive features and template system
  • May require more setup and configuration for specific use cases

Code Comparison

Aquatone (Ruby):

def screenshot_url(url, output_file)
  begin
    browser.navigate.to(url)
    browser.save_screenshot(output_file)
  rescue => e
    @logger.error("Screenshot failed for #{url}: #{e}")
  end
end

Nuclei (Go):

func (r *Runner) runTemplate(template *templates.Template, target string) {
    for _, request := range template.RequestsHTTP {
        err := r.executeHTTPRequest(request, target)
        if err != nil {
            gologger.Warning().Msgf("Could not execute request for %s: %s\n", target, err)
        }
    }
}

Summary

Nuclei offers more advanced features and flexibility for security scanning, while Aquatone focuses primarily on domain enumeration and screenshot capture. Nuclei's template-based approach allows for more comprehensive vulnerability checks, but it may require more initial setup. Aquatone provides a simpler interface for quick reconnaissance tasks. The choice between the two depends on the specific requirements of the security assessment and the user's familiarity with each tool's ecosystem.

tomnomnom logo

httprobe

2,849

Take a list of domains and probe for working HTTP and HTTPS servers

Pros of httprobe

  • Lightweight and focused on a single task (probing for live hosts)
  • Faster execution for large-scale scans
  • Easy to integrate into custom scripts and pipelines

Cons of httprobe

  • Limited functionality compared to Aquatone's comprehensive feature set
  • Lacks visual output and reporting capabilities
  • No built-in screenshot functionality

Code Comparison

Aquatone (Ruby):

def process_url(url)
  @hosts << url.host
  @ports << url.port
  @schemes << url.scheme
end

httprobe (Go):

func probeHttp(domain string, timeout time.Duration) (string, error) {
    url := fmt.Sprintf("http://%s", domain)
    return probeHttps(url, timeout)
}

Summary

httprobe is a lightweight, focused tool for probing live hosts, making it ideal for quick scans and integration into custom workflows. It excels in speed and simplicity but lacks the comprehensive features of Aquatone.

Aquatone offers a more robust set of features, including visual output, reporting, and screenshot capabilities. However, it may be slower for large-scale scans and has a more complex setup due to its broader functionality.

Choose httprobe for rapid, targeted probing or Aquatone for a more comprehensive web-based reconnaissance toolkit.

owasp-amass logo

amass

11,936

In-depth attack surface mapping and asset discovery

Pros of Amass

  • More comprehensive subdomain enumeration with multiple data sources
  • Advanced features like DNS brute-forcing and permutation scanning
  • Active community and frequent updates

Cons of Amass

  • Steeper learning curve due to more complex configuration options
  • Can be slower for quick scans due to its thoroughness
  • Requires more system resources for large-scale scans

Code Comparison

Aquatone (simple usage):

cat domains.txt | aquatone

Amass (basic enumeration):

amass enum -d example.com

Both tools can be used for subdomain discovery, but Amass offers more advanced options for in-depth enumeration:

amass enum -d example.com -active -brute -w /path/to/wordlist.txt -dir ./output

This command demonstrates Amass's ability to perform active scanning, DNS brute-forcing, and use custom wordlists, showcasing its more comprehensive approach compared to Aquatone's simpler functionality.

ffuf logo

ffuf

12,459

Fast web fuzzer written in Go

Pros of ffuf

  • Faster performance for large-scale fuzzing tasks
  • More flexible and customizable with advanced filtering options
  • Supports multiple protocols beyond HTTP (e.g., HTTPS, HTTP/2)

Cons of ffuf

  • Steeper learning curve due to more complex configuration options
  • Less focus on visual output and reporting compared to Aquatone
  • Primarily command-line based, lacking a graphical interface

Code Comparison

Aquatone example:

aquatone-discover -d example.com
aquatone-scan --ports 80,443 -d example.com
aquatone-gather -d example.com

ffuf example:

ffuf -w wordlist.txt -u https://example.com/FUZZ -mc 200,301,302 -o output.json
ffuf -w subdomains.txt -u https://FUZZ.example.com -v

While Aquatone focuses on domain discovery and visual reporting, ffuf is more versatile for various fuzzing tasks. Aquatone provides a streamlined workflow for subdomain enumeration and screenshot capture, whereas ffuf offers greater flexibility in crafting custom fuzzing patterns and handling different protocols. The code examples demonstrate Aquatone's domain-centric approach versus ffuf's more general-purpose fuzzing capabilities.

OJ logo

gobuster

9,725

Directory/File, DNS and VHost busting tool written in Go

Pros of Gobuster

  • Faster performance for directory and file brute-forcing
  • More versatile with multiple modes (DNS, vhost, S3 buckets)
  • Lightweight and easy to integrate into automated workflows

Cons of Gobuster

  • Limited web screenshot capabilities
  • Lacks built-in reporting and visualization features
  • No automatic JavaScript parsing for discovering additional endpoints

Code Comparison

Aquatone (Ruby):

def run_command(command)
  IO.popen(command) do |io|
    io.each_line do |line|
      yield line.chomp if block_given?
    end
  end
end

Gobuster (Go):

func RunGobuster(s *State) error {
	if s.Opts.Threads < 0 {
		return fmt.Errorf("threads cannot be negative")
	}
	wg := new(sync.WaitGroup)
	wg.Add(s.Opts.Threads)
	for i := 0; i < s.Opts.Threads; i++ {
		go func() {
			defer wg.Done()
			for {
				// ... (worker logic)
			}
		}()
	}
	wg.Wait()
	return nil
}

Both tools serve different purposes within the web security testing ecosystem. Aquatone focuses on visual reconnaissance and reporting, while Gobuster excels in fast, targeted brute-forcing across various domains. The choice between them depends on the specific requirements of your security assessment workflow.

nmap logo

nmap

10,048

Nmap - the Network Mapper. Github mirror of official SVN repository.

Pros of Nmap

  • More comprehensive network scanning and discovery capabilities
  • Extensive scripting engine for custom scans and vulnerability checks
  • Widely recognized and supported in the cybersecurity community

Cons of Nmap

  • Steeper learning curve for beginners
  • Can be slower for large-scale web asset discovery
  • Less focus on visual representation of results

Code Comparison

Nmap (typical usage):

nmap -sV -sC -p- 192.168.1.0/24

Aquatone (typical usage):

cat domains.txt | aquatone

Key Differences

Nmap is a powerful network scanner and security auditing tool, while Aquatone focuses on web-based asset discovery and visualization. Nmap offers more in-depth network analysis, while Aquatone excels at quickly identifying and screenshotting web applications across multiple domains.

Nmap is better suited for comprehensive network security assessments, while Aquatone is ideal for rapid web asset discovery and visual reconnaissance during bug bounty hunting or web application security testing.

Nmap requires more technical expertise to use effectively, whereas Aquatone is designed for ease of use and quick results. Nmap's output is typically text-based, while Aquatone provides visual reports with screenshots and clustering of similar web applications.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

AQUATONE

Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.

Installation

  1. Install Google Chrome or Chromium browser -- Note: Google Chrome is currently giving unreliable results when running in headless mode, so it is recommended to install Chromium for the best results.
  2. Download the latest release of Aquatone for your operating system.
  3. Uncompress the zip file and move the aquatone binary to your desired location. You probably want to move it to a location in your $PATH for easier use.

Compiling the source code

If you for some reason don't trust the pre-compiled binaries, you can also compile the code yourself. You are on your own if you want to do this. I do not support compiling problems. Good luck with it!

Usage

Command-line options:

  -chrome-path string
    	Full path to the Chrome/Chromium executable to use. By default, aquatone will search for Chrome or Chromium
  -debug
    	Print debugging information
  -http-timeout int
    	Timeout in miliseconds for HTTP requests (default 3000)
  -nmap
    	Parse input as Nmap/Masscan XML
  -out string
    	Directory to write files to (default ".")
  -ports string
    	Ports to scan on hosts. Supported list aliases: small, medium, large, xlarge (default "80,443,8000,8080,8443")
  -proxy string
    	Proxy to use for HTTP requests
  -resolution string
    	screenshot resolution (default "1440,900")
  -save-body
    	Save response bodies to files (default true)
  -scan-timeout int
    	Timeout in miliseconds for port scans (default 100)
  -screenshot-timeout int
    	Timeout in miliseconds for screenshots (default 30000)
  -session string
    	Load Aquatone session file and generate HTML report
  -silent
    	Suppress all output except for errors
  -template-path string
    	Path to HTML template to use for report
  -threads int
    	Number of concurrent threads (default number of logical CPUs)
  -version
    	Print current Aquatone version

Giving Aquatone data

Aquatone is designed to be as easy to use as possible and to integrate with your existing toolset with no or minimal glue. Aquatone is started by piping output of a command into the tool. It doesn't really care how the piped data looks as URLs, domains, and IP addresses will be extracted with regular expression pattern matching. This means that you can pretty much give it output of any tool you use for host discovery.

IPs, hostnames and domain names in the data will undergo scanning for ports that are typically used for web services and transformed to URLs with correct scheme. If the data contains URLs, they are assumed to be alive and do not undergo port scanning.

Example:

$ cat targets.txt | aquatone

Output

When Aquatone is done processing the target hosts, it has created a bunch of files and folders in the current directory:

  • aquatone_report.html: An HTML report to open in a browser that displays all the collected screenshots and response headers clustered by similarity.
  • aquatone_urls.txt: A file containing all responsive URLs. Useful for feeding into other tools.
  • aquatone_session.json: A file containing statistics and page data. Useful for automation.
  • headers/: A folder with files containing raw response headers from processed targets
  • html/: A folder with files containing the raw response bodies from processed targets. If you are processing a large amount of hosts, and don't need this for further analysis, you can disable this with the -save-body=false flag to save some disk space.
  • screenshots/: A folder with PNG screenshots of the processed targets

The output can easily be zipped up and shared with others or archived.

Changing the output destination

If you don't want Aquatone to create files in the current working directory, you can specify a different location with the -out flag:

$ cat hosts.txt | aquatone -out ~/aquatone/example.com

It is also possible to set a permanent default output destination by defining an environment variable:

export AQUATONE_OUT_PATH="~/aquatone"

Specifying ports to scan

Be default, Aquatone will scan target hosts with a small list of commonly used HTTP ports: 80, 443, 8000, 8080 and 8443. You can change this to your own list of ports with the -ports flag:

$ cat hosts.txt | aquatone -ports 80,443,3000,3001

Aquatone also supports aliases of built-in port lists to make it easier for you:

  • small: 80, 443
  • medium: 80, 443, 8000, 8080, 8443 (same as default)
  • large: 80, 81, 443, 591, 2082, 2087, 2095, 2096, 3000, 8000, 8001, 8008, 8080, 8083, 8443, 8834, 8888
  • xlarge: 80, 81, 300, 443, 591, 593, 832, 981, 1010, 1311, 2082, 2087, 2095, 2096, 2480, 3000, 3128, 3333, 4243, 4567, 4711, 4712, 4993, 5000, 5104, 5108, 5800, 6543, 7000, 7396, 7474, 8000, 8001, 8008, 8014, 8042, 8069, 8080, 8081, 8088, 8090, 8091, 8118, 8123, 8172, 8222, 8243, 8280, 8281, 8333, 8443, 8500, 8834, 8880, 8888, 8983, 9000, 9043, 9060, 9080, 9090, 9091, 9200, 9443, 9800, 9981, 12443, 16080, 18091, 18092, 20720, 28017

Example:

$ cat hosts.txt | aquatone -ports large

Usage examples

Aquatone is designed to play nicely with all kinds of tools. Here's some examples:

Amass DNS enumeration

Amass is currently my preferred tool for enumerating DNS. It uses a bunch of OSINT sources as well as active brute-forcing and clever permutations to quickly identify hundreds, if not thousands, of subdomains on a domain:

$ amass -active -brute -o hosts.txt -d yahoo.com
alerts.yahoo.com
ads.yahoo.com
am.yahoo.com
- - - SNIP - - -
prd-vipui-01.infra.corp.gq1.yahoo.com
cp103.mail.ir2.yahoo.com
prd-vipui-01.infra.corp.bf1.yahoo.com
$ cat hosts.txt | aquatone

There are plenty of other DNS enumeration tools out there and Aquatone should work just as well with any other tool:

Nmap or Masscan

Aquatone can make a report on hosts scanned with the Nmap or Masscan portscanner. Simply feed Aquatone the XML output and give it the -nmap flag to tell it to parse the input as Nmap/Masscan XML:

$ cat scan.xml | aquatone -nmap

Credits

  • Thanks to EdOverflow for the can-i-take-over-xyz project which Aquatone's domain takeover capability is based on.
  • Thanks to Elbert Alias for the Wappalyzer project's technology fingerprints which Aquatone's technology fingerprinting capability is based on.