This is a recon tool that discovers the subdomains used by a target web application on both the client and server side, then runs dirsearch on the resulting text file. It can also scan for open ports with Nmap and find hidden parameters on every live host.
Hello everyone, in this post we are going to talk about a script we created for recon. It finds most of the discoverable subdomains using tools such as Subfinder, Sublist3r, amass and so on, then runs httprobe on the resulting text file to find live subdomains and passes that list of URLs to dirsearch to find directories. Optionally, we have added a few more tools to make the recon process easier: nmap, arjun, knockpy, and photon.
gem and golang are required for this tool to work. To install them, follow these steps:
Debian/Ubuntu:
sudo apt-get install gem
sudo apt-get install golang
macOS:
brew install gem
Download the Go .pkg file from this link. After running the pkg installer, Go will be installed on your system.
Now follow these steps:
- Clone the repository:
git clone https://github.com/hackerspider1/echopwn.git
- Download the required pre-compiled binaries into the same folder.
Note: the Darwin files are for macOS.
If you already have any of these tools installed, skip downloading them and edit EchoPwn.sh to point to the correct binary (for example, remove the leading ./ from the tool name if its path is properly configured).
Creating a Slack webhook URL:
1. If you have owner/admin permission on a Slack workspace, skip to step 3.
2. Create a Slack account and workspace.
3. Locate the Add apps option.
4. Search for Incoming Webhooks and add it to the channel.
5. Choose the channel for this integration (the channel where you want to receive the notification).
After the webhook integration, you will get access to your webhook URL.
Place this URL in
Apart from the tokens required by the individual tools, this script requires 5 additional values:
- Facebook token
- GitHub token
- Spyse token
- VirusTotal token
- Slack webhook URL
Place these values in tokens.txt before running install.sh, which sets up the environment to run EchoPwn.sh. EchoPwn.sh creates a directory EchoPwn/domain_name in the current working directory.
- Subdomain enumeration: subdomain enumeration is an essential part of the reconnaissance phase.
- Custom bruteforcer with subdomains.txt as the input file.
- Optional: knockpy
- Sorts and removes duplicates.
- Checks for live subdomains.
- Screenshots of all subdomains.
- Directory bruteforce.
- -nmap: probe open ports to determine service/version info.
- -arjun: scan for hidden parameters on live hosts.
- -photon: crawl all live hosts [takes time and creates lots of files].
- -knock: bruteforce subdomains with knockpy [takes time and saves output in the current working directory (in JSON format)].
- Save result in
- Slack notification: the webhook URL placed in tokens.txt will be used to notify the user once the script has finished running.
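The sort-and-deduplicate step is where the lists produced by several enumeration tools get merged before the live-host check. The following added shell example (not part of EchoPwn) shows a normalization function that also keeps only hosts inside the target domain, so that noise from third-party sources never reaches the later probes. It assumes each tool prints one host per line; the sample input is constructed.

```shell
#!/bin/sh
# Added example, not part of EchoPwn: merge raw subdomain lists from several
# tools into one clean, in-scope, deduplicated list for the live-host check.
# Assumption: each tool prints one host per line; some prefix a scheme or
# path, some print mixed case or a trailing dot.

# normalize_subdomains DOMAIN  (reads raw names on stdin, writes clean list)
normalize_subdomains() {
    domain="$1"
    # Escape dots so the domain is matched literally inside the regex.
    domain_re=$(printf '%s' "$domain" | sed 's/\./\\./g')
    tr 'A-Z' 'a-z' \
      | sed -e 's#^https\{0,1\}://##' -e 's#/.*$##' -e 's/\.$//' \
      | grep -E "^([a-z0-9_-]+\.)*${domain_re}$" \
      | sort -u
}

# Constructed sample: what a concatenation of several tools' output may
# look like, including entries that must not reach the live-host probe
# (a lookalike domain and a provider host that merely contains the name).
sample_raw_output() {
    cat <<'EOF'
WWW.example.com
https://api.example.com/v1
api.example.com.
dev.example.com

dev.example.com
notexample.com
example.com.cdn-provider.net
EOF
}

# Number of distinct in-scope hosts left after normalization.
merged_count() {
    sample_raw_output | normalize_subdomains example.com | grep -c .
}

# Typical use in a recon script: concatenate tool outputs, then normalize:
#   cat subfinder.txt sublist3r.txt amass.txt | normalize_subdomains "$1" > subdomains.txt
sample_raw_output | normalize_subdomains example.com
```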
./EchoPwn.sh domain.com                            # Default scan
./EchoPwn.sh domain.com -nmap                      # Run nmap on your results
./EchoPwn.sh domain.com -arjun                     # Run arjun on your results
./EchoPwn.sh domain.com -photon                    # Run photon on each subdomain
./EchoPwn.sh domain.com -knock                     # Bruteforce subdomains using knockpy
./EchoPwn.sh domain.com -nmap -arjun -photon -knock  # Full scan
Output will be saved in the EchoPwn/domain.com/ directory.
Script in action:
EchoPwn.sh v1.1 is now available on GitHub; the installation steps are unchanged.
Stay Tuned 🙂