aquatone: A Tool for Domain Flyovers – Penetration Testing

AQUATONE is a set of tools for performing reconnaissance on domain names. It can discover subdomains on a given domain by using open sources as well as the more common subdomain dictionary brute force approach. After subdomain discovery, AQUATONE can then scan the hosts for common web ports and HTTP headers, HTML bodies and screenshots can be gathered and consolidated into a report for easy analysis of the attack surface.



The first stage of an AQUATONE assessment is the discovery stage where subdomains are discovered on the target domain using open sources, services and the more common dictionary brute force approach:

$ aquatone-discover –domain

aquatone-discover will find the target’s nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domain’s nameservers, aquatone-discover will fall back to using Google’s public DNS servers to maximize discovery. The fallback DNS servers can be changed with the –fallback-nameservers option:

$ aquatone-discover –domain –fallback-nameservers,


aquatone-discover will use 5 threads as default for concurrently performing DNS lookups. This provides reasonable performance but can be tuned to be more or less aggressive with the –threads option:

$ aquatone-discover –domain –threads 25

Hammering a DNS server with failing lookups can potentially be picked up by intrusion detection systems, so if that is a concern for you, you can make aquatone-discover a bit more stealthy with the –sleep and –jitter options. –sleep accepts a number of seconds to sleep between each DNS lookup while –jitter accepts a percentage of the –sleep value to randomly add or subtract to or from the sleep interval in order to break the sleep pattern and make it less predictable.

$ aquatone-discover –domain –sleep 5 –jitter 30

Please note that setting the –sleep option will force the thread count to one. The –jitter option will only be considered if the –sleep option has also been set.


The scanning stage is where AQUATONE will enumerate the discovered hosts for open TCP ports that are commonly used for web services:

$ aquatone-scan –domain

The –domain option will look for hosts.json in the domain’s AQUATONE assessment directory, so in the example above it would look for ~/aquatone/ This file should be present if aquatone-discover –domain has been run previously.


By default, aquatone-scan will scan the following TCP ports: 80, 443, 8000, 8080 and 8443. These are very common ports for web services and will provide a reasonable coverage. Should you want to specifiy your own list of ports, you can use the –ports option:

$ aquatone-scan –domain –ports 80,443,3000,8080

Download & Tutorial

The post aquatone: A Tool for Domain Flyovers appeared first on Penetration Testing.


Deixe um comentário

Preencha os seus dados abaixo ou clique em um ícone para log in:

Logotipo do

Você está comentando utilizando sua conta Sair / Alterar )

Imagem do Twitter

Você está comentando utilizando sua conta Twitter. Sair / Alterar )

Foto do Facebook

Você está comentando utilizando sua conta Facebook. Sair / Alterar )

Foto do Google+

Você está comentando utilizando sua conta Google+. Sair / Alterar )

Conectando a %s