{"id":13415339,"url":"https://github.com/michenriksen/aquatone","last_synced_at":"2025-10-05T17:31:48.066Z","repository":{"id":37580359,"uuid":"46488106","full_name":"michenriksen/aquatone","owner":"michenriksen","description":"A Tool for Domain Flyovers","archived":true,"fork":false,"pushed_at":"2022-05-22T19:49:32.000Z","size":587,"stargazers_count":5696,"open_issues_count":106,"forks_count":883,"subscribers_count":136,"default_branch":"master","last_synced_at":"2025-01-20T23:55:53.010Z","etag":null,"topics":["chrome-headless","chromium","golang","osint","reconnaissance","security"],"latest_commit_sha":null,"homepage":"https://michenriksen.com/blog/aquatone-now-in-go/","language":"Go","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/michenriksen.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-11-19T11:30:12.000Z","updated_at":"2025-01-20T02:46:54.000Z","dependencies_parsed_at":"2022-07-12T16:24:48.814Z","dependency_job_id":null,"html_url":"https://github.com/michenriksen/aquatone","commit_stats":null,"previous_names":[],"tags_count":17,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/michenriksen%2Faquatone","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/michenriksen%2Faquatone/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/michenriksen%2Faquatone/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/michenriksen%2Faquatone/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/michenriksen","download_url":"https://codeload.github.com/michenriksen/aquatone/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":235425001,"owners_count":18988327,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["chrome-headless","chromium","golang","osint","reconnaissance","security"],"created_at":"2024-07-30T21:00:47.330Z","updated_at":"2025-10-05T17:31:42.728Z","avatar_url":"https://github.com/michenriksen.png","language":"Go","funding_links":[],"categories":["Go","Popular","Subdomain-enum","Tools","\u003ca id=\"a76463feb91d09b3d024fae798b92be6\"\u003e\u003c/a\u003e侦察\u0026\u0026信息收集\u0026\u0026子域名发现与枚举\u0026\u0026OSINT","Recon","Weapons","Go (531)","其他_安全与渗透","Network Tools","\u003ca id=\"170048b7d8668c50681c0ab1e92c679a\"\u003e\u003c/a\u003e工具","Tools by Category","Domain and Network Recon","Network","OSINT Tools"],"sub_categories":["Reconnaissance","\u003ca id=\"e945721056c78a53003e01c3d2f3b8fe\"\u003e\u003c/a\u003e子域名枚举\u0026\u0026爆破","Screenshots","Tools","网络服务_其他","Network Reconnaissance Tools","🌐 Website Monitoring \u0026 Analysis","Programs and Web Applications","OSINT Tools","Web Vulnerability Scanners"],"readme":"# AQUATONE\n\nAquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.\n\n## Installation\n\n1. Install [Google Chrome](https://www.google.com/chrome/) or [Chromium](https://www.chromium.org/getting-involved/download-chromium) browser -- **Note:** Google Chrome is currently giving unreliable results when running in *headless* mode, so it is recommended to install Chromium for the best results.\n2. Download the [latest release](https://github.com/michenriksen/aquatone/releases/latest) of Aquatone for your operating system.\n3. Uncompress the zip file and move the `aquatone` binary to your desired location. You probably want to move it to a location in your `$PATH` for easier use.\n\n### Compiling the source code\n\nIf you for some reason don't trust the pre-compiled binaries, you can also compile the code yourself. **You are on your own if you want to do this. I do not support compiling problems. Good luck with it!**\n\n## Usage\n\n### Command-line options:\n\n```\n  -chrome-path string\n    \tFull path to the Chrome/Chromium executable to use. By default, aquatone will search for Chrome or Chromium\n  -debug\n    \tPrint debugging information\n  -http-timeout int\n    \tTimeout in miliseconds for HTTP requests (default 3000)\n  -nmap\n    \tParse input as Nmap/Masscan XML\n  -out string\n    \tDirectory to write files to (default \".\")\n  -ports string\n    \tPorts to scan on hosts. Supported list aliases: small, medium, large, xlarge (default \"80,443,8000,8080,8443\")\n  -proxy string\n    \tProxy to use for HTTP requests\n  -resolution string\n    \tscreenshot resolution (default \"1440,900\")\n  -save-body\n    \tSave response bodies to files (default true)\n  -scan-timeout int\n    \tTimeout in miliseconds for port scans (default 100)\n  -screenshot-timeout int\n    \tTimeout in miliseconds for screenshots (default 30000)\n  -session string\n    \tLoad Aquatone session file and generate HTML report\n  -silent\n    \tSuppress all output except for errors\n  -template-path string\n    \tPath to HTML template to use for report\n  -threads int\n    \tNumber of concurrent threads (default number of logical CPUs)\n  -version\n    \tPrint current Aquatone version\n```\n\n### Giving Aquatone data\n\nAquatone is designed to be as easy to use as possible and to integrate with your existing toolset with no or minimal glue. Aquatone is started by piping output of a command into the tool. It doesn't really care how the piped data looks as URLs, domains, and IP addresses will be extracted with regular expression pattern matching. This means that you can pretty much give it output of any tool you use for host discovery.\n\nIPs, hostnames and domain names in the data will undergo scanning for ports that are typically used for web services and transformed to URLs with correct scheme.  If the data contains URLs, they are assumed to be alive and do not undergo port scanning.\n\n**Example:**\n\n    $ cat targets.txt | aquatone\n\n### Output\n\nWhen Aquatone is done processing the target hosts, it has created a bunch of files and folders in the current directory:\n\n - **aquatone_report.html**: An HTML report to open in a browser that displays all the collected screenshots and response headers clustered by similarity.\n - **aquatone_urls.txt**: A file containing all responsive URLs. Useful for feeding into other tools.\n - **aquatone_session.json**: A file containing statistics and page data. Useful for automation.\n - **headers/**: A folder with files containing raw response headers from processed targets\n - **html/**: A folder with files containing the raw response bodies from processed targets. If you are processing a large amount of hosts, and don't need this for further analysis, you can disable this with the `-save-body=false` flag to save some disk space.\n - **screenshots/**: A folder with PNG screenshots of the processed targets\n\nThe output can easily be zipped up and shared with others or archived.\n\n#### Changing the output destination\n\nIf you don't want Aquatone to create files in the current working directory, you can specify a different location with the `-out` flag:\n\n    $ cat hosts.txt | aquatone -out ~/aquatone/example.com\n\nIt is also possible to set a permanent default output destination by defining an environment variable:\n\n    export AQUATONE_OUT_PATH=\"~/aquatone\"\n\n\n### Specifying ports to scan\n\nBe default, Aquatone will scan target hosts with a small list of commonly used HTTP ports: 80, 443, 8000, 8080 and 8443. You can change this to your own list of ports with the `-ports` flag:\n\n    $ cat hosts.txt | aquatone -ports 80,443,3000,3001\n\nAquatone also supports aliases of built-in port lists to make it easier for you:\n\n - **small**: 80, 443\n - **medium**: 80, 443, 8000, 8080, 8443 (same as default)\n - **large**: 80, 81, 443, 591, 2082, 2087, 2095, 2096, 3000, 8000, 8001, 8008, 8080, 8083, 8443, 8834, 8888\n - **xlarge**: 80, 81, 300, 443, 591, 593, 832, 981, 1010, 1311, 2082, 2087, 2095, 2096, 2480, 3000, 3128, 3333, 4243, 4567, 4711, 4712, 4993, 5000, 5104, 5108, 5800, 6543, 7000, 7396, 7474, 8000, 8001, 8008, 8014, 8042, 8069, 8080, 8081, 8088, 8090, 8091, 8118, 8123, 8172, 8222, 8243, 8280, 8281, 8333, 8443, 8500, 8834, 8880, 8888, 8983, 9000, 9043, 9060, 9080, 9090, 9091, 9200, 9443, 9800, 9981, 12443, 16080, 18091, 18092, 20720, 28017\n\n**Example:**\n\n    $ cat hosts.txt | aquatone -ports large\n\n\n### Usage examples\n\nAquatone is designed to play nicely with all kinds of tools. Here's some examples:\n\n#### Amass DNS enumeration\n\n[Amass](https://github.com/OWASP/Amass) is currently my preferred tool for enumerating DNS. It uses a bunch of OSINT sources as well as active brute-forcing and clever permutations to quickly identify hundreds, if not thousands, of subdomains on a  domain:\n\n```bash\n$ amass -active -brute -o hosts.txt -d yahoo.com\nalerts.yahoo.com\nads.yahoo.com\nam.yahoo.com\n- - - SNIP - - -\nprd-vipui-01.infra.corp.gq1.yahoo.com\ncp103.mail.ir2.yahoo.com\nprd-vipui-01.infra.corp.bf1.yahoo.com\n$ cat hosts.txt | aquatone\n```\n\nThere are plenty of other DNS enumeration tools out there and Aquatone should work just as well with any other tool:\n\n- [Sublist3r](https://github.com/aboul3la/Sublist3r)\n- [Subfinder](https://github.com/subfinder/subfinder)\n- [Knock](https://github.com/guelfoweb/knock)\n- [Fierce](https://www.aldeid.com/wiki/Fierce)\n- [Gobuster](https://github.com/OJ/gobuster)\n\n#### Nmap or Masscan\n\nAquatone can make a report on hosts scanned with the [Nmap](https://nmap.org/) or [Masscan](https://github.com/robertdavidgraham/masscan) portscanner. Simply feed Aquatone the XML output and give it the `-nmap` flag to tell it to parse the input as Nmap/Masscan XML:\n\n    $ cat scan.xml | aquatone -nmap\n\n### Credits\n\n- Thanks to [EdOverflow](https://twitter.com/EdOverflow) for the [can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz/) project which Aquatone's domain takeover capability is based on.\n- Thanks to [Elbert Alias](https://github.com/AliasIO) for the [Wappalyzer](https://github.com/AliasIO/Wappalyzer) project's technology fingerprints which Aquatone's technology fingerprinting capability is based on.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmichenriksen%2Faquatone","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmichenriksen%2Faquatone","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmichenriksen%2Faquatone/lists"}