Aquatone Versions Save

Added

• New session:start and session:end events have been introduced in the event bus to allow agents to perform bootstrap and cleanup tasks if needed
• A temporary user directory is now created for the Chrome/Chromium process and additional command line flags have been added to increase compartmentalization

Changed

• Production versions of Vue.js and Vue Router are now used in the HTML report for increased performance
• List of user agents have been updated to current list of most common user agents

Fixed

• The pagination logic in the new HTML report would skip the page or cluster at index 0 as the v-for function on an integer value in Vue.js starts from 1 and not 0

NOTE: This is a pre-release! The HTML report has been completely changed and is now powered by the Vue.js Javascript framework and has lots of great new features. Please try it out and report any bugs or issues. Thanks! Are you a vis.js wizard? If so, I would love to hear if you have any recommendations for improving the network graph!

Added

• Session data will now be written to output directory as aquatone_session.json
• New url_hostname_resolver agent that resolves page's hostnames to IP addresses
• New url_page_title_extractor that extracts HTML page titles from responsive pages
• New command line flag -template-path to specify a custom template to use for the HTML report
• New command line flag -session to load a previous Aquatone session file and generate a report on its data
• Aquatone is now compiled for ARM64 in build.sh

Changed

• Bigger refactoring of session and pages
• New Vue.js powered HTML report with lots of new cool stuff:
  • New look and feel
  • Pages can now be viewed in different modes:
    • By Similarity: Pages are displayed in clusters by their HTML structure similarity
    • By Hostname: Pages are displayed in clusters by their hostname
    • Single Pages: Pages are shown one-by-one with bigger screenshots and response headers (oldschool Aquatone style)
  • Vis.js powered network graph view to see relations between pages, IP addresses and technologies
  • Page clusters are now rendered in a paginated carousel view instead of horizontally scrollable lanes
  • Clusters and pages are paginated to improve performance on large reports
  • Page titles are now shown for pages

Removed

• url_logger agent (no longer needed)

NOTE: This release changes the base file names for screenshots, headers and HTML files to include a partial hash of the URL path and fragment in order to support multiple URLs on the same host. Beware of this if you do any automation with files generated by Aquatone!

Fixed

• The Nmap/Masscan XML report parser did not ignore closed/filtered ports. It now only works on ports with state open.

Added

• Support for processing of multiple URLs on the same host by appending hash of URL path and fragment to file names
• Support for defining default output directory in AQUATONE_OUT_PATH environment variable

Added

• Automatic SSL/TLS detection on non-standard ports
• URL Screenshotter agent now takes extra steps to ensure that the browser process is killed after use
• Version flag to output current version (woah!!!)

Changed

• Packages and other dependencies have been updated to latest versions
• User-Agent list has been updated to current most common agents
• Wappalyzer technology fingerprints have been updated

The Sub Resource Integrity check on the external CSS resource caused it to not load as the file had unexpectedly changed. This broke the HTML report generated by Aquatone. This version removes the SRI attribute to make sure the resource is always loaded.

Added

• Responsive URLs are now written to aquatone_urls.txt. Thanks eur0pa!
• A warning is printed when older versions of Chromium is detected which has known problems with screenshotting HTTPS URLs

Fixed

• Aquatone had trouble processing a single or very few targets. A small delay has been added to give agents time to emit all their events

Fixes a bug where the random User-Agent and other spoofing request headers where not properly set when requesting URLs.

Web technology in use on websites are now detected and displayed in reports. Detection of domain takeover vulnerabilities is now also detected across 20 different services. 💣

Aquatone has been simplified and rewritten in Golang. Read about it here.