Aquatone - A Tool for Domain Flyovers 09-01-2017, 08:23 PM
AQUATONE is a set of tools for performing reconnaissance on domain names. It can discover subdomains on a given domain by using open sources as well as the more common subdomain dictionary brute force approach. After subdomain discovery, AQUATONE can then scan the hosts for common web ports, and HTTP headers, HTML bodies and screenshots can be gathered and consolidated into a report for easy analysis of the attack surface.
Usage
Discovery:
The first stage of an AQUATONE assessment is the discovery stage, where subdomains are discovered on the target domain using open sources, services and the more common dictionary brute force approach:
Code:
$ aquatone-discover --domain example.com
aquatone-discover will find the target's nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domain's nameservers, aquatone-discover will fall back to using Google's public DNS servers to maximize discovery. The fallback DNS servers can be changed with the --fallback-nameservers option:
Code:
$ aquatone-discover --domain example.com --fallback-nameservers 87.98.175.85,5.9.49.12
Tuning
aquatone-discover will use 5 threads by default for concurrently performing DNS lookups. This provides reasonable performance but can be tuned to be more or less aggressive with the --threads option:
Code:
$ aquatone-discover --domain example.com --threads 25
Hammering a DNS server with failing lookups can potentially be picked up by intrusion detection systems, so if that is a concern for you, you can make aquatone-discover a bit more stealthy with the --sleep and --jitter options. --sleep accepts a number of seconds to sleep between each DNS lookup, while --jitter accepts a percentage of the --sleep value to randomly add to or subtract from the sleep interval in order to break the sleep pattern and make it less predictable.
Code:
$ aquatone-discover --domain example.com --sleep 5 --jitter 30
![[Image: d7372f1ce310468bae9fec771919741b.png]](https://i.gyazo.com/d7372f1ce310468bae9fec771919741b.png)
![[Image: Vs4P58c.png]](https://i.imgur.com/Vs4P58c.png)
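The post notes that a burst of failing lookups against a nameserver is what an intrusion detection system tends to notice. The following is an added example of that detection from the resolver operator's side; it is not part of the post or of the AQUATONE project. It keeps a per-client sliding window of NXDOMAIN answers and reports clients whose failure count inside the window crosses a threshold, which is exactly the pattern a 25-thread wordlist run produces. The log line format, the hostnames and the client addresses are constructed for the example and correspond to no real resolver's log syntax.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed resolver log, one query per line:
#   "<UTC timestamp> <client address> <queried name> <response code>"
# Format, names and addresses are invented for this example.
SAMPLE_LOG_LINES = [
    # ordinary client: successful lookups plus one typo, not a scan
    "2017-09-01T20:23:00Z 203.0.113.5 www.example.com NOERROR",
    "2017-09-01T20:23:02Z 203.0.113.5 wwww.example.com NXDOMAIN",
    "2017-09-01T20:23:05Z 203.0.113.5 mail.example.com NOERROR",
    # one real hit for the scanning client, mixed in with its failures
    "2017-09-01T20:23:02Z 198.51.100.7 dev.example.com NOERROR",
] + [
    # burst: twelve wordlist names that do not exist, four per second
    f"2017-09-01T20:23:0{1 + i // 4}Z 198.51.100.7 word{i}.example.com NXDOMAIN"
    for i in range(12)
] + [
    # slow client: one failure per minute, well under a per-minute threshold
    f"2017-09-01T20:{24 + i}:00Z 192.0.2.9 slow{i}.example.com NXDOMAIN"
    for i in range(5)
]


def parse_line(line):
    """Split one constructed log line into (timestamp, client, name, rcode)."""
    ts, client, name, rcode = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, name, rcode


def find_bursty_clients(lines, window_seconds=60, threshold=10):
    """Return {client: time the threshold was first crossed} for every client
    that produced at least `threshold` NXDOMAIN answers within any span of
    `window_seconds`. Successful lookups are ignored, so a client that
    resolves many real names is not penalised; only failures count."""
    records = sorted(parse_line(line) for line in lines if line.strip())
    windows = defaultdict(deque)   # client -> timestamps of recent failures
    flagged = {}
    for ts, client, _name, rcode in records:
        if rcode != "NXDOMAIN":
            continue
        recent = windows[client]
        recent.append(ts)
        # drop failures that have aged out of the window
        cutoff = ts - timedelta(seconds=window_seconds)
        while recent and recent[0] < cutoff:
            recent.popleft()
        if len(recent) >= threshold and client not in flagged:
            flagged[client] = ts
    return flagged


if __name__ == "__main__":
    for client, when in find_bursty_clients(SAMPLE_LOG_LINES).items():
        print(f"{client}: NXDOMAIN burst, threshold crossed at {when:%H:%M:%S}")
```

With the defaults (ten failures in sixty seconds) only the scanning client is reported, at the second in which its tenth missing name was asked for; the typo from the ordinary client and the once-a-minute failures from the slow client never accumulate. Widening the window or lowering the threshold trades false positives for sensitivity to slower, jittered runs, which is the tuning decision the --sleep and --jitter options are aimed at.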