Fingerprinting with Aquatone

I recently read about Aquatone on Twitter from this tweet:

"HTML reports generated by Aquatone have been broken due to Subresource Integrity failure on a CSS resource. Version 1.4.3 fixes this problem: https://t.co/eb9Z1LTIZw" — Michael Henriksen (@michenriksen), January 5, 2019

Aquatone is a little tool that I have been playing around with for the past couple of weeks. It lets you pipe in the output of network scans or DNS enumeration and quickly grab screenshots of every web service it finds. Now that is definitely useful for attackers, but could it also be useful for defenders? I believe so.

Inventory and Control of Hardware and Software Assets

SANS and CIS Top 20 Critical Security Controls, Control 1 & 2

Understanding what is in your network is pretty important to defending it. The old adage “You can’t defend what you don’t know about” is still very relevant. Now, all defenders know and trust everyone in their organization to not spin up/turn on/program/activate any type of web server or application without approval. (There should be a little /sarcasm there).

That isn’t true. It happens all the time in SMBs (small to medium businesses) and large enterprises. Your developers, your engineers, your systems admins, even your marketing team are constantly moving forward. To do that they may need new systems, or need to test new systems. What does that mean for defenders though?

We have to be able to identify, defend, and support these new systems to deliver the best possible assessments to our teams. Even in an environment that has a strong change control culture, unapproved changes can happen. Now if, as a defender, you have a solid vulnerability management tool you may already be doing automatic network discovery scans. Even so, Aquatone may find a spot in your repertoire anyway.

If not though, maybe you need something a little different. I envision two different methods for incorporating Aquatone into a network discovery audit:

  • External Discovery: Performing automated scans against your external IP range and domains to discover any new subdomains, websites, etc.
  • Internal Discovery: Quickly identify what is running without having to investigate manually during your network scans. This helps identify unwanted services, and new equipment/applications that you were unaware of.

Using the tool

Aquatone can take nearly any format of input for discovery, as long as that input contains domain names or IP addresses. In fact, it uses regular expressions to pull acceptable inputs out of whatever you give it. I have piped in output from basic lists, Nmap scans, and vulnerability discovery reports with no issue.

It doesn’t really care how the piped data looks as URLs, domains, and IP addresses will be extracted with regular expression pattern matching. This means that you can pretty much give it output of any tool you use for host discovery.

https://github.com/michenriksen/aquatone

I foresee Aquatone and Shodan.io being two extremely pairable tools for external network audits. With a little automation you could even create and deliver monthly external landscape reports to your blue team to verify the integrity of your environment.
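To show what "extract hosts by regex from whatever you pipe in" looks like in practice, and how a defender would turn that into the inventory check described under the discovery methods above, here is an added example. It is not Aquatone's own code: it is a small Python script that mimics the extraction step on a constructed sample (a few lines of Nmap grepable output plus a pasted DNS list), diffs the result against a constructed asset register, and hands only the unexplained hosts to Aquatone on stdin. The `-out` flag is a real Aquatone flag; the hostnames, IPs and inventory contents are made up for the example.

```python
"""Extract host candidates from arbitrary scan output, diff them against an
asset inventory, and feed the unexplained ones to Aquatone for screenshots.
Added example; the extraction regexes are this script's own, not Aquatone's."""
import re
import shutil
import subprocess

# Constructed sample input: Nmap grepable (-oG) lines plus a pasted host list.
SAMPLE_INPUT = """\
# Nmap 7.70 scan initiated as: nmap -sn -oG - 192.0.2.0/28
Host: 192.0.2.10 (web01.example.test)\tStatus: Up
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.12 (printer-lobby.example.test)\tStatus: Up
# plain list pasted from a DNS enumeration run
shop.example.test
https://staging.example.test:8443/login
192.0.2.10
"""

# Constructed inventory: what the asset register says should be on this range.
KNOWN_ASSETS = {"192.0.2.10", "web01.example.test", "shop.example.test"}

# Dotted-quad IPv4 with each octet limited to 0-255.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
# Hostname: one or more DNS labels followed by an alphabetic top-level label,
# so URLs and ports around it are ignored and bare IPs are not double-counted.
HOSTNAME_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I
)


def extract_hosts(text):
    """Return the sorted, de-duplicated IPs and hostnames found in text.

    Lines starting with '#' (Nmap banners, pasted comments) are skipped so the
    scan's own target range is not reported as a discovered host."""
    found = set()
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        found.update(IPV4_RE.findall(line))
        found.update(h.lower() for h in HOSTNAME_RE.findall(line))
    return sorted(found)


def find_unknown_assets(hosts, known=KNOWN_ASSETS):
    """Hosts seen by discovery but absent from the inventory (the CIS Control 1/2 gap)."""
    return sorted(h for h in hosts if h not in known)


def aquatone_command(outdir):
    """Command line that reads hosts on stdin and writes the report to outdir."""
    return ["aquatone", "-out", outdir]


if __name__ == "__main__":
    discovered = extract_hosts(SAMPLE_INPUT)
    unknown = find_unknown_assets(discovered)
    print("discovered:", discovered)
    print("not in inventory:", unknown)
    cmd = aquatone_command("aquatone_unknown")
    if shutil.which("aquatone") and unknown:
        # Screenshot and fingerprint only the hosts nobody has accounted for.
        subprocess.run(cmd, input="\n".join(unknown) + "\n", text=True, check=False)
    else:
        print("aquatone not on PATH (or nothing to check); would run:", " ".join(cmd))
```

Running this on the sample prints four hosts that the register does not explain (two bare IPs, a printer and a staging site); those are the lines worth opening in the Aquatone report first, and a monthly diff of this output against the previous run is the "external landscape report" mentioned above.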

Running the tool is as simple as:

Running Aquatone

Results are stored in several different formats. I found the basic Aquatone report extremely helpful. It provides a report of each scanned input, along with that input’s screenshot. Clicking into the report brings up an easy to understand dashboard of your scan:

Aquatone Report/Dashboard

There are two things I love about this report. One, it has zoom capabilities! I think that is pretty slick given how low impact the scanner is. Two, you can easily scroll through your entire scan and find what in the world you are scanning.

Installing the Tool

Aquatone does come with a caveat, though: headless Chrome is not the most reliable for screenshots. I found this very true. Chromium is the preferred browser, and Linux also appears to be the preferred OS.

The tool is ridiculously easy to get set up and going. Literally, you just download the zip file from the GitHub page, unpack it, and run the executable from a command line.

In fact, I could not get the tool to work on Windows 10 at all, whether using Chrome or Chromium. However, when launching from an Ubuntu 18.06 VM, the tool ran flawlessly. This appears to be a common problem, as the GitHub page has multiple issues referencing this. The author actively says that he doesn’t use Windows, and the tool works fine on a Linux machine.

Conclusion

Aquatone is such a small and easy to use tool, it’s hard to imagine why you wouldn’t stick this in your tool belt. It’s fast, and makes identifying unknown assets extremely easy. Kudos to its creator michenriksen!