Aquatone

# Aquatone is a complete recon tool split into three commands, one per phase (discover, scan, gather)

# Collector modules:
# Dictionary brute force
# DNSDB.org
# Google Transparency Report
# HackerTarget
# Netcraft
# Shodan (API key needed)
# ThreatCrowd
# VirusTotal (API key needed)

# PHASE 1 : Discovery
# aquatone-discover is the first step
# It looks up the domain's name servers and performs some tests to see if a wildcard record is configured
# Then it asks each subdomain collector for potential subdomains
# Then it tries to resolve them to see which ones are up and creates the hosts.txt file
aquatone-discover -d domain.com

# PHASE 2 : Scanning
# aquatone-scan will try to find which subdomains serve web content
# By default it scans ports 80, 443, 8000, 8080 and 8443, but you can specify ports with --ports or use a pre-configured alias (small, medium, large, huge)
# It creates open_ports.txt and urls.txt

# PHASE 3 : Gathering
# aquatone-gather collects HTTP responses and takes screenshots
# It uses the Nightmare browser automation tool to do that
# It creates the headers, html, report and screenshots folders

CLI Tricks

# Get server technology stats (headers folder)
cat * | grep 'Server:' | sort | uniq -c | sort -nr

# Find more subdomains (html folder); replace corp.yahoo.com with the domain you are working on
cat * | egrep -o '[a-z0-9\-\_\.]+\.corp\.yahoo\.com' | sort -u

# Find HTML comments (html folder)
cat * | egrep -o '<!--.*-->'

# Find pages with password field (html folder)
grep 'type="password"' *

# Get hosts listening on port 443
cat open_ports.txt | grep ',443' | cut -d "," -f 1

# Check HTTPS hosts for Heartbleed
grep https urls.txt | cut -d '/' -f 3 > /tmp/targets.lst
sslscan --targets=/tmp/targets.lst --no-ciphersuites --no-fallback --no-renegotiation --no-compression --no-check-certificate
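The three one-liners above (Server header stats, hosts on port 443, HTTPS target list) as reusable shell functions, with two edge cases handled that the one-liners miss: a bare grep ',443' also matches ',4433' and ',8443', and header files end lines with CR, so Server values would otherwise carry a trailing '\r'. This is an added example, not code from the Aquatone project; it assumes open_ports.txt lines look like "host,port,port,..." (as the cut command above implies) and uses constructed sample data instead of real scan output.

```shell
#!/bin/sh
# Helpers for post-processing aquatone-scan / aquatone-gather output (added example).
# Every function reads its input file from stdin, e.g.:  hosts_on_port 443 < open_ports.txt

# Print hosts whose open-port list contains exactly port $1.
# The port is matched as a whole comma-separated field, so 443 does not match 4433 or 8443.
hosts_on_port() {
    port="$1"
    grep -E ",${port}"'(,|$)' | cut -d ',' -f 1
}

# Count Server header values across concatenated header dumps (cat headers/*).
# CR is stripped first so "nginx\r" and "nginx" are counted as the same value.
server_stats() {
    tr -d '\r' | grep -i '^Server:' | cut -d ':' -f 2- | sed 's/^[[:space:]]*//' \
        | sort | uniq -c | sort -nr
}

# Extract host[:port] from HTTPS URLs in urls.txt (anchored, so "http://x/?q=https" is ignored).
https_hosts() {
    grep '^https://' | cut -d '/' -f 3 | sort -u
}

# Constructed sample of open_ports.txt (not real scan output)
sample_ports() {
    printf 'www.domain.com,80,443\napi.domain.com,8443\nmail.domain.com,443,4433\nold.domain.com,80,8080\n'
}

# Constructed sample of three header dumps, CRLF-terminated like real HTTP headers
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\nHTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n'
    printf 'HTTP/1.1 302 Found\r\nServer: nginx\r\n\r\n'
}

# Constructed sample of urls.txt
sample_urls() {
    printf 'http://www.domain.com/\nhttps://www.domain.com/\nhttps://api.domain.com:8443/\nhttp://old.domain.com:8080/?next=https\n'
}

echo "== hosts with 443 open =="; sample_ports | hosts_on_port 443
echo "== server stats ==";        sample_headers | server_stats
echo "== https targets ==";       sample_urls | https_hosts
```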