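# Aquatone is a complete tool, split into three commands, that together
# perform a full recon of a domain.
#
# Collector modules:
#   - Dictionary brute force
#   - DNSDB.org
#   - Google Transparency Report
#   - HackerTarget
#   - Netcraft
#   - Shodan (API key needed)
#   - ThreatCrowd
#   - VirusTotal (API key needed)
#
# PHASE 1 : Discovery
# aquatone-discover is the first step.
# It uses name servers and performs some tests to see if a wildcard is
# configured, then it asks each subdomain collector for potential subdomains,
# then it tries to resolve them to see which ones are up and creates the
# hosts.txt file.
# (domain.com is a placeholder — replace it with the domain being assessed.)
aquatone-discover -d domain.com

# PHASE 2 : Scanning
# aquatone-scan will try to find which subdomains serve web content.
# By default it will scan 80, 443, 8000, 8080 and 8443 but you can specify
# ports with --ports or pre-configured aliases (small, medium, large, huge).
# It creates open_ports.txt and urls.txt.

# PHASE 3 : Gathering
# aquatone-gather can collect HTTP responses and screenshots.
# It uses the Nightmare tool to do that.
# It creates the headers, html, report and screenshots folders.

# ---------------------------------------------------------------------------
# CLI Tricks
# Each one-liner below is meant to be run from inside the aquatone output
# folder named in its comment. `--` ends option parsing so a file whose name
# starts with '-' cannot be taken as a grep flag; `-h` drops the "filename:"
# prefix that `cat * |` used to avoid, so identical lines still collapse.
# ---------------------------------------------------------------------------

# Get server technology stats (run inside the headers folder).
grep -h 'Server:' -- * | sort | uniq -c | sort -nr

# Find more subdomains (run inside the html folder).
# corp.yahoo.com is an example — substitute the target domain, keeping the
# dots escaped because this is a regex. The bracket expression lists the
# literal characters only (a backslash inside [...] is itself a literal in
# POSIX ERE, so the old `[a-z0-9\-\_\.]` also matched backslashes).
grep -E -o -h '[a-z0-9._-]+\.corp\.yahoo\.com' -- * | sort -u

# Find HTML comments (run inside the html folder).
# Single-line comments only: -o prints the match and `.` never spans lines.
grep -E -o -h '<!--.*-->' -- *

# Find pages with a password field (run inside the html folder).
# Prints "file:line"; add -l to list only the file names.
grep 'type="password"' -- *

# Get hosts listening on port 443.
# Assumes open_ports.txt lines look like "host,443" (field 1 is the host;
# verify against your output). The leading comma keeps 8443 from matching,
# but 4430 would still match — anchor with `,443$` if the port is the last
# field in your file.
grep ',443' open_ports.txt | cut -d ',' -f 1

# Check HTTPS hosts for Heartbleed.
# The host list goes to a private mktemp file instead of a fixed, predictable
# /tmp/targets.lst that another local user could pre-create or symlink; it is
# removed when the shell exits. Only lines that really start with https://
# are taken (a bare `grep https` also matched e.g. http://https.example.com),
# and field 3 of the URL is host[:port], which sslscan accepts as a target.
targets=$(mktemp) || exit 1
trap 'rm -f -- "$targets"' EXIT
grep '^https://' urls.txt | cut -d '/' -f 3 > "$targets"
sslscan --targets="$targets" --no-ciphersuites --no-fallback --no-renegotiation --no-compression --no-check-certificate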