Aquatone
Aquatone is a reconnaissance tool split into three commands that together cover a complete recon workflow: discovery, scanning and gathering.
Collector modules:
Dictionary brute force DNSDB.org
Google Transparency Report
HackerTarget
Netcraft
Shodan (API key needed)
ThreatCrowd
VirusTotal (API key needed)
PHASE 1 : Discovery
aquatone-discover is the first step. It looks up the domain's name servers and runs a few tests to check whether a wildcard record is configured (a wildcard would make every guessed name resolve). It then asks each subdomain collector for potential subdomains, tries to resolve them to see which ones are up, and writes the hosts.txt file.
    aquatone-discover -d domain.com
PHASE 2 : Scanning
aquatone-scan tries to find which discovered hosts serve web content. By default it scans ports 80, 443, 8000, 8080 and 8443, but you can specify ports with --ports or use one of the pre-configured aliases (small, medium, large, huge). It creates open_ports.txt and urls.txt.
PHASE 3 : Gathering
aquatone-gather collects HTTP responses and screenshots from the URLs found in phase 2. It uses the Nightmare headless browser to do that, and creates the headers, html, report and screenshots folders.
CLI Tricks
Get server technology stats (headers folder)
    cat * | grep 'Server:' | sort | uniq -c | sort -nr
Find more subdomains (html folder)
    cat * | egrep -o '[a-z0-9-_.]+.corp.yahoo.com' | sort -u
Find HTML comments (html folder)
    cat * | egrep -o '<!--.*-->'
Find pages with password field (html folder)
    grep 'type="password"' *
Get hosts listening on port 443 (open_ports.txt has one "host,port,port,..." line per host)
    cat open_ports.txt | grep ',443' | cut -d "," -f 1
Check HTTPS hosts for Heartbleed
    grep https urls.txt | cut -d '/' -f 3 > /tmp/targets.lst
    sslscan --targets=/tmp/targets.lst --no-ciphersuites --no-fallback --no-renegotiation --no-compression --no-check-certificate
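The one-liners above work on the open_ports.txt and urls.txt files that aquatone-scan writes. The following shell helpers are an added example, not code from the page or from the Aquatone project: they wrap two of those tricks as reusable functions and run them over constructed sample files. The file formats are assumed to match what the one-liners imply (open_ports.txt as "host,port,port,...", urls.txt as one "scheme://host[:port]/" URL per line). The port helper compares the port field exactly, because a plain grep for ',443' also matches ',4433'.

```shell
#!/bin/sh
# Added example (not part of the Aquatone page or project): helpers that parse
# aquatone-scan output. Assumed formats: open_ports.txt = "host,port,port,...",
# urls.txt = one "scheme://host[:port]/" per line.

# hosts_on_port FILE PORT
# Print hosts whose port list contains PORT exactly (',443' would also match ',4433').
hosts_on_port() {
    awk -F, -v p="$2" '
        { for (i = 2; i <= NF; i++) if ($i == p) { print $1; break } }
    ' "$1"
}

# https_hosts FILE
# Print the unique host[:port] part of every https URL, one per line, sorted.
https_hosts() {
    grep '^https://' "$1" | cut -d '/' -f 3 | sort -u
}

# Constructed sample data standing in for a real aquatone-scan run.
demo_dir=$(mktemp -d)
cat > "$demo_dir/open_ports.txt" <<'EOF'
www.example.com,80,443
mail.example.com,443
dev.example.com,8080,4433
EOF
cat > "$demo_dir/urls.txt" <<'EOF'
http://www.example.com/
https://www.example.com/
https://mail.example.com/
http://dev.example.com:8080/
https://dev.example.com:4433/
EOF

echo "Hosts with port 443 open:"
hosts_on_port "$demo_dir/open_ports.txt" 443
echo "HTTPS hosts:"
https_hosts "$demo_dir/urls.txt"
```

The https_hosts output can be redirected to a targets file and handed to sslscan --targets exactly as in the Heartbleed check above.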