Reviewing Automated HTTP Screenshot Tools
Another blog, another screenshot tool for our Screenshot Tool blog series! This White Oak Security series reviews a few of the top HTTP screenshot tools that are currently available for penetration testers or bug bounty hunters. Each part has covered the available features within the selected tool, how easy the tool is to use, and any problems that may occur while using it. At the end of the Screenshot Tool series (part 6 – stay tuned!), we will put all the tools to the test to compare their effectiveness against a set of metrics, to find the most useful tool.
If you’ve read part 1, part 2, part 3, or part 4 – then feel free to jump over the criteria section below down to the featured tool section, Aquatone.
Screenshot Tools
We, at White Oak Security, use HTTP screenshotting tools on internal, external, and red team engagements to quickly analyze the footprint of web servers and services exposed across the target environment.
Below are the items that represent the criteria for how I define ‘usefulness’ for a given HTTP screenshot tool. These criteria are skewed towards attack surfacing reconnaissance and penetration testing techniques.
Note: this series was written in early 2022.
SOURCES & CUSTOMIZATION
- Are common network scanner output formats supported as input sources by the tool? (Nmap/Masscan/Nessus)
- Can we append a second scan to the results of the first scan within the Database?
- Can you set a custom User-Agent?
- Can you set custom request headers and/or cookies?
PERFORMANCE
- How accurate is the tool? How many errors does it generate? Does it successfully capture screenshots (no white or blank screenshots)?
- How quickly does the tool perform the task? Can we speed the scan up without degrading the accuracy of the scan?
- Can we easily proxy the network traffic to http and socks proxies?
- Can we provide a navigation timeout against slow assets?
REPORTING
- Does the tool group or categorize similar hosts based on their screenshots?
- Does the tool provide useful output? Can it export to PDF/HTML/JSON/CSV?
- Is the UI/UX functional and enjoyable to use?
GENERAL
- Is the tool actively maintained with updates?
- Any Cross-Platform compatibility?
- How easy is it to build and install the project?
Aquatone
The last major HTTP Screenshot tool that will be reviewed in this blog series is also a golang project, aquatone. The project’s description is as follows: “Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.”
Aquatone Notable Features
Aquatone was one of the more popular HTTP Screenshot tools in previous years, originally created in Ruby and then ported over to golang several years ago. Similar to gowitness, Aquatone’s most notable feature is the ability to categorize similar assets based on their image differential using context differentials. Aquatone also attempts to fingerprint hosts with their technology stack using Wappalyzer.
A snapshot of the CLI arguments can be seen below which provides a window into the tool’s feature set.
Aquatone Sources & Customization
Aquatone supports nmap and flat files as the source of input and Aquatone can additionally scan a range of hosts to capture. Aquatone has the ability to proxy traffic and supports both navigation timeouts and navigation delays. There is no built-in support for a custom-user agent or custom headers.
Aquatone Reporting
One of the nice features of Aquatone is its HTML report, where it categorizes similar screenshots into a single row within the HTML template. This allows the HTML report to be much more condensed and having all of the similar items in one single row is a very helpful feature to quickly recognize the similar assets.
However, a lack of pagination within the report means that using Aquatone in the real world with hundreds of assets becomes very tedious. At the bottom of the page is a “show more” button which then reveals another small amount of screenshots. If you want to go back and revisit the hosts near the end of the report, you will have to manually navigate or edit the HTML to show all the hosts. Additionally, like Snapback, since all the images are on one page, the browser speed degrades as each image is loaded into memory.
Aquatone General Setup
Aquatone’s setup should be fairly easy, with makefiles and build scripts provided for the repository. However, since Aquatone has not been updated since 2019, the build process is now full of errors and I could not generate a working Linux binary with the current project state. Either the base build or some of the dependencies no longer support the latest version of golang. Even the differential library is no longer maintained as a package. Therefore, I was not able to tweak the current build of Aquatone in order to add some potential performance improvements.
Aquatone Out-Of-The-Box Tests
Now that we’ve covered some of the high-level features of aquatone, it’s time to actually try the utility out. As previously discussed, I was unable to build my own binary so I was forced to use the latest release binary on the GitHub page.
I was able to successfully pipe my URL list into Aquatone for processing. However, even though it successfully opened a HTTP connection to 957 hosts (grabbing their HTML source), Aquatone failed to capture over half of the screenshots for various issues.
Aquatone also did not successfully clean up after itself, even after the Aquatone process was terminated leaving stuck chrome processes open eating memory.
At least the report did successfully generate and I was able to view the captured screenshots inline.
Part 5 – Aquatone Conclusion
Overall, I think aquatone once was one of the best tools to use for HTTP screenshot capturing, but has been surpassed by most of the other tools within this blog post series. It no longer provides any unique features, and the author of the project no longer maintains the code. The GitHub page is full of open pull requests and issues, which might solve some of the problems that I had with using the tool. I would not recommend anyone use Aquatone at this point when even EyeWitness executes a test in a much more effective manner and performs similar screenshot categorizing. For a modern golang project, gowitness provides all the same features as aquatone and actually works.
If you use Aquatone, please support and contribute to these Open-Source projects.
Authors Note: This blog series is my personal take on the state of screenshot tools. My network environment and physical setup may differ from yours when using these tools and you may notice your tool is more or less successful. I’ve done the best I can to be platform agnostic to provide the best environment for success. If you run into any errors, remember to check the individual project’s issues page for support.
Our Screenshot Tool Series
Here is Part 1 – EyeWitness blog post.
Check out Part 2 – WitnessMe blog post.
Read the Part 3 – Snapback blog post here.
Discover more with the Part 4 – Gowitness blog post.
The final comprehensive post is next! Stay tuned for part 6 to see how these tools fare against one another.
MORE FROM WHITE OAK SECURITY
White Oak Security is a highly skilled and knowledgeable cyber security testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion.