This is a recon tool which allows you to discover the subdomains used by a target web application on both the client and server side. Afterwards, it runs dirsearch on the resulting text file. It can also scan for open ports using Nmap and find hidden parameters on every live host.
Summary:
Hello everyone, in this post we are going to talk about a script which we created for recon. This script finds most of the discoverable subdomains by using tools like Subfinder, Sublist3r, amass and so on. Then it runs httprobe on the resulting text file to find out which subdomains are alive and passes the list of URLs to dirsearch to find directories. Optionally, we've added some more tools to make your recon process easier: nmap, arjun, knockpy, and photon.
Installation Process:
Installing prerequisites:
gem and golang are required for this tool to work. To install these, follow these steps:
For Linux:
sudo apt-get install gem
sudo apt-get install golang
For MacOS:
brew install gem
Download the Go .pkg file from this link.
After running the pkg installer, Go will be installed on your system.
Now follow these steps:
- Clone the repository:
git clone https://github.com/hackerspider1/echopwn.git
cd EchoPwn
- Download the required pre-compiled binaries into the same folder:
  - Subfinder
  - Assetfinder
  - Aquatone
Note: Darwin files are for MacOS.
If you have any of these installed, skip downloading them and edit EchoPwn.sh to point to the correct binary (for example, remove the ./ from the start of the tool name if its path is properly configured).
- Run:
./install.sh

Creating Slack Web-hook URL:
1. If you have owner/admin permission on a Slack workspace, skip to step 3.
2. Create a Slack account and workspace.
3. Locate the add apps option.
4. Search for Incoming webhooks and add it to the channel.
5. Choose the channel for this integration (the channel where you want to get the notification).
After Web-hook integration, you'll get access to your Web-hook URL. Place this URL in tokens.txt.

Set Tokens
Apart from the tokens required by the individual tools, this script requires 5 additional values:
- Facebook Token
- GitHub Token
- Spyse Token
- VirusTotal Token
- Slack WebHook URL
Place these values in tokens.txt before running EchoPwn.sh.
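The post does not show how tokens.txt is laid out, so the helper below (an added example, not EchoPwn's own code) assumes one KEY=value per line with the key names FACEBOOK_TOKEN, GITHUB_TOKEN, SPYSE_TOKEN, VIRUSTOTAL_TOKEN and SLACK_WEBHOOK_URL, all of which are assumed names. It checks that every required value is present before a long scan starts, and shows how the end-of-run Slack notification can be sent with a correctly escaped JSON body so that tool output cannot break the message:

```bash
#!/usr/bin/env bash
# Added example, not EchoPwn's own code. Assumes tokens.txt holds one
# KEY=value per line; the key names below are assumed, not EchoPwn's.
set -euo pipefail

# get_token FILE KEY: print the value for KEY (first match), tolerating CRLF files.
get_token() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1" | tr -d '\r'
}

# check_tokens FILE: fail fast (before a multi-hour scan) if any required
# value is missing or empty; lists the missing keys on stderr.
check_tokens() {
    local file="$1" missing=0 key
    for key in FACEBOOK_TOKEN GITHUB_TOKEN SPYSE_TOKEN VIRUSTOTAL_TOKEN SLACK_WEBHOOK_URL; do
        if [ -z "$(get_token "$file" "$key")" ]; then
            echo "tokens.txt: missing $key" >&2
            missing=1
        fi
    done
    return "$missing"
}

# slack_payload TEXT: build the {"text": "..."} body that Slack Incoming
# Webhooks accept, escaping backslashes, double quotes and newlines so
# arbitrary scan output cannot break the JSON.
slack_payload() {
    local text="$1"
    text=${text//\\/\\\\}
    text=${text//\"/\\\"}
    text=${text//$'\n'/\\n}
    printf '{"text":"%s"}' "$text"
}

# notify_slack FILE TEXT: POST the notification. The webhook URL is a secret,
# so it is read from the file at call time and never echoed or logged.
notify_slack() {
    local file="$1" text="$2" url
    url="$(get_token "$file" SLACK_WEBHOOK_URL)"
    [ -n "$url" ] || { echo "tokens.txt: no SLACK_WEBHOOK_URL" >&2; return 1; }
    slack_payload "$text" |
        curl -sS -X POST -H 'Content-type: application/json' --data-binary @- "$url"
}

# Usage (assumed wrapper around the script, domain is a placeholder):
#   check_tokens tokens.txt && ./EchoPwn.sh example.com && \
#       notify_slack tokens.txt "EchoPwn finished: example.com"
```

Running check_tokens first means a missing VirusTotal or GitHub token is reported immediately instead of surfacing as a cryptic error from one of the enumeration tools halfway through the run.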
Workflow:
install.sh sets up the environment to run EchoPwn.sh. EchoPwn.sh creates a directory EchoPwn/domain_name in the current working directory.
- Subdomain Enumeration: subdomain enumeration is an essential part of the reconnaissance phase.
  - Sublist3r
  - crt.sh
  - amass
  - subfinder
  - assetfinder
  - aquatone-discover
  - findomain
  - github-subdomains
  - custom bruteforcer with subdomains.txt as input file
  - Optional: knockpy
- Sorts and removes duplicates.
- Checks for live subdomains
  - httprobe
- Screenshot of all subdomains
  - aquatone
- Directory Bruteforce
  - Dirsearch
- Optional
  - -nmap: Probe open ports to determine service/version info
  - -arjun: Scans for hidden parameters on live hosts
  - -photon: Crawls all live hosts [takes time and creates lots of files]
  - -knock: Bruteforce subdomains [takes time and saves output in current working directory (in json format)]
- Save result in domain.com folder
- Slack Notification
  - WebHook URL placed in tokens.txt will be used to notify the user once the script has finished running.
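As an added example (not EchoPwn's own code), here is the "sorts and removes duplicates" step done carefully. Tools such as crt.sh and search-engine scrapers return wildcard entries, mixed case, URLs instead of hostnames, and hosts that are not in scope at all; the helper normalises each per-tool output file, keeps only names under the target domain, de-duplicates, and emits the one-host-per-line form that httprobe reads. The file names and target domain in the usage line are assumptions:

```bash
#!/usr/bin/env bash
# Added example, not EchoPwn's own code. Merges the per-tool subdomain lists
# into one clean, in-scope, de-duplicated list to feed httprobe.
set -euo pipefail

# normalize_host NAME: lowercase, strip scheme/path/port, the "*." wildcard
# prefix that crt.sh emits, and any trailing dot.
normalize_host() {
    local h="$1"
    h="${h,,}"            # lowercase
    h="${h#*://}"         # drop scheme (https://)
    h="${h%%/*}"          # drop path
    h="${h%%:*}"          # drop port
    h="${h#\*.}"          # drop wildcard prefix
    h="${h%.}"            # drop trailing dot
    printf '%s\n' "$h"
}

# in_scope HOST DOMAIN: true only for DOMAIN itself or names ending in ".DOMAIN".
# Keeps lookalikes such as evil-example.com or notexample.com out of the list.
in_scope() {
    local h="$1" domain="$2"
    [ "$h" = "$domain" ] || [ "${h%.$domain}" != "$h" ]
}

# merge_subdomains DOMAIN FILE...: prints sorted, unique, in-scope hostnames.
merge_subdomains() {
    local domain="$1"; shift
    local line h
    cat "$@" | tr -d '\r' | while IFS= read -r line; do
        [ -n "$line" ] || continue
        h="$(normalize_host "$line")"
        # skip anything that is not a plausible DNS name (spaces, underscores, HTML)
        [[ "$h" =~ ^[a-z0-9.-]+$ ]] || continue
        if in_scope "$h" "$domain"; then
            printf '%s\n' "$h"
        fi
    done | LC_ALL=C sort -u
}

# Usage (file names and domain are placeholders):
#   merge_subdomains example.com sublist3r.txt amass.txt crtsh.txt | httprobe > alive.txt
if [ "$#" -ge 2 ]; then
    merge_subdomains "$@"
fi
```

The scope filter is the part worth keeping even if you replace the rest: without it, a single out-of-scope host returned by a CT log search ends up in the dirsearch and nmap stages, which is both wasted time and an authorisation problem.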
Usage:
./EchoPwn.sh domain.com                            // For default scan
./EchoPwn.sh domain.com -nmap                      // To run nmap on your results
./EchoPwn.sh domain.com -arjun                     // To run arjun on your results
./EchoPwn.sh domain.com -photon                    // To run photon on each subdomain
./EchoPwn.sh domain.com -knock                     // To bruteforce subdomains using knockpy
./EchoPwn.sh domain.com -nmap -arjun -photon -knock  // For full scan
Output will be saved in the EchoPwn/domain.com/ directory.
Script in action:

EchoPwn.sh v1.1 is now updated on GitHub; however, the installation steps are still the same.
Stay Tuned 🙂
I am having trouble installing EchoPwn on my Kali Linux. I followed the instructions but I'm pretty sure there are some missing steps that I need to take to make it work properly. Any help would definitely be appreciated!
Please send a mail to admin@echopwn.com explaining the issue you are facing.
The tool was not working, throwing a lot of errors.
Hey, we would like to follow up with you on this issue. Please leave a mail at admin@echopwn.com
HTTPSConnectionPool(host='searchdns.netcraft.com', port=443): Max retries exceeded with url: /?restriction=site+ends+with&host=example.com (Caused by NewConnectionError(': Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
Process NetcraftEnum-7:
Traceback (most recent call last):
File "/usr/lib/python3.8/multiprocessing/process.py", line 315, in _bootstrap
self.run()
File "Sublist3r/sublist3r.py", line 269, in run
domain_list = self.enumerate()
File "Sublist3r/sublist3r.py", line 570, in enumerate
cookies = self.get_cookies(resp.headers)
AttributeError: 'NoneType' object has no attribute 'headers'
^CTraceback (most recent call last):
File "Sublist3r/sublist3r.py", line 1013, in
Process BaiduEnum-2:
interactive()
File "Sublist3r/sublist3r.py", line 1010, in interactive
res = main(domain, threads, savefile, ports, silent=False, verbose=verbose, enable_bruteforce=enable_bruteforce, engines=engines)
File "Sublist3r/sublist3r.py", line 954, in main
enum.join()
Traceback (most recent call last):
File "/usr/lib/python3.8/multiprocessing/process.py", line 149, in join
File "/usr/lib/python3.8/multiprocessing/process.py", line 315, in _bootstrap
self.run()
File "Sublist3r/sublist3r.py", line 269, in run
domain_list = self.enumerate()
File "Sublist3r/sublist3r.py", line 254, in enumerate
self.should_sleep()
File "Sublist3r/sublist3r.py", line 511, in should_sleep
time.sleep(random.randint(2, 5))
KeyboardInterrupt
res = self._popen.wait(timeout)
File "/usr/lib/python3.8/multiprocessing/popen_fork.py", line 47, in wait
return self.poll(os.WNOHANG if timeout == 0.0 else 0)
File "/usr/lib/python3.8/multiprocessing/popen_fork.py", line 27, in poll
pid, sts = os.waitpid(self.pid, flag)
KeyboardInterrupt
Process ThreatCrowd-10:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 156, in _new_conn
conn = connection.create_connection(
File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 61, in create_connection
for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
File "/usr/lib/python3.8/socket.py", line 918, in getaddrinfo
for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Temporary failure in name resolution
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.8/multiprocessing/process.py", line 315, in _bootstrap
self.run()
File "Sublist3r/sublist3r.py", line 269, in run
domain_list = self.enumerate()
File "Sublist3r/sublist3r.py", line 750, in enumerate
resp = self.req(url)
File "Sublist3r/sublist3r.py", line 742, in req
resp = self.session.get(url, headers=self.headers, timeout=self.timeout)
File "/usr/local/lib/python3.8/dist-packages/requests/sessions.py", line 546, in get
return self.request('GET', url, **kwargs)
File "/usr/local/lib/python3.8/dist-packages/requests/sessions.py", line 533, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.8/dist-packages/requests/sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.8/dist-packages/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 665, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 376, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 996, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 300, in connect
conn = self._new_conn()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 156, in _new_conn
conn = connection.create_connection(
It shows this whenever I run the script.
It's giving this error, and only gathering subdomains, nothing further.
"Starting subfinder...
./EchoPwn.sh: line 40: ./subfinder: No such file or directory"
Check whether subfinder is installed or not. If it is installed, follow step 1; if not, install it first and then follow step 1 😂
1. Edit EchoPwn.sh line 40: change ./subfinder to subfinder and save (without the ./).
Like!! Thank you for publishing this awesome article.