The first stage of an AQUATONE assessment is the discovery stage where subdomains are discovered on the target domain using open sources, services and the more common dictionary brute force approach:
$ aquatone-discover –domain example.com
aquatone-discover will find the target’s nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domain’s nameservers, aquatone-discover will fall back to using Google’s public DNS servers to maximize discovery. The fallback DNS servers can be changed with the –fallback-nameservers option:
$ aquatone-discover –domain example.com –fallback-nameservers 18.104.22.168,22.214.171.124
aquatone-discover will use 5 threads as default for concurrently performing DNS lookups. This provides reasonable performance but can be tuned to be more or less aggressive with the –threads option:
$ aquatone-discover –domain example.com –threads 25
Hammering a DNS server with failing lookups can potentially be picked up by intrusion detection systems, so if that is a concern for you, you can make aquatone-discover a bit more stealthy with the –sleep and –jitter options. –sleep accepts a number of seconds to sleep between each DNS lookup while –jitter accepts a percentage of the –sleep value to randomly add or subtract to or from the sleep interval in order to break the sleep pattern and make it less predictable.
$ aquatone-discover –domain example.com –sleep 5 –jitter 30
Please note that setting the –sleep option will force the thread count to one. The –jitter option will only be considered if the –sleep option has also been set.
The scanning stage is where AQUATONE will enumerate the discovered hosts for open TCP ports that are commonly used for web services:
$ aquatone-scan –domain example.com
The –domain option will look for hosts.json in the domain’s AQUATONE assessment directory, so in the example above it would look for ~/aquatone/http://ift.tt/2srkMwn. This file should be present if aquatone-discover –domain example.com has been run previously.
By default, aquatone-scan will scan the following TCP ports: 80, 443, 8000, 8080 and 8443. These are very common ports for web services and will provide a reasonable coverage. Should you want to specifiy your own list of ports, you can use the –ports option:
$ aquatone-scan –domain example.com –ports 80,443,3000,8080
Download & Tutorial
The post aquatone: A Tool for Domain Flyovers appeared first on Penetration Testing.