Road to Recon with EchoPwn.sh

This is a recon tool that discovers the subdomains used by a target web application on both the client and server side. Afterwards, it runs dirsearch on the resulting text file. It can also scan for open ports using Nmap and find hidden parameters on every live host.

Summary:

Hello everyone, in this post we are going to talk about a script we created for recon. This script finds most of the discoverable subdomains by using tools like Subfinder, Sublist3r, amass and so on. Then it runs httprobe on the resulting text file to find the alive subdomains and passes the list of URLs to dirsearch to find directories. Optionally, we've added some more tools to make your recon process easier: nmap, arjun, knockpy, and photon.

Installation Process:

Installing prerequisites.
gem and golang are required for this tool to work. To install them, follow these steps:

For Linux
sudo apt-get install gem
sudo apt-get install golang

For MacOS
brew install gem
Download the go .pkg file from this link.
After running the pkg installer, Go will be installed on your system.

Now Follow these Steps:

  • Clone the repository
    git clone https://github.com/hackerspider1/echopwn.git
    cd EchoPwn
  • Download the required pre-compiled binaries into the same folder:
    Subfinder
    Assetfinder
    Aquatone
    Note: Darwin files are for MacOS.
    If you already have any of these installed, skip downloading them and edit EchoPwn.sh to point to the correct binary (for example, remove the leading ./ from the tool name if its path is properly configured).
  • Run ./install.sh

Creating Slack Web-hook URL:

1. If you already have owner/admin permission on a Slack workspace, skip to step 3.
2. Create a slack account and workspace.

3. Locate the add apps option.

4. Search for Incoming webhooks and add it to the channel.

5. Choose the channel for this integration. (Channel where you want to get the notification)

After Web-hook Integration, you’ll get access to your Web-hook URL.
Place this URL in tokens.txt.

Set Tokens
Apart from the tokens required by individual tools, this script requires 5 additional values:

  • FaceBook Token
  • Github Token
  • Spyse Token
  • VirusTotal Token
  • Slack WebHook URL

Place these values in tokens.txt before running EchoPwn.sh.

Workflow:

install.sh sets up the environment required to run EchoPwn.sh.

EchoPwn.sh creates a directory EchoPwn/domain_name in current working directory.

  1. Subdomain Enumeration:
    Subdomain enumeration is an essential part of the reconnaissance phase.
    • Sublist3r
    • crt.sh
    • amass
    • subfinder
    • assetfinder
    • aquatone-discover
    • findomain
    • github-subdomains
    • custom bruteforcer with subdomains.txt as input file.
    • Optional: knockpy
  2. Sorts and removes duplicates.
  3. Checks for live subdomains
    • httprobe
  4. Screenshot of all subdomains
    • aquatone
  5. Directory Bruteforce
    • Dirsearch
  6. Optional
    • -nmap     Probe open ports to determine service/version info
    • -arjun      Scans for hidden parameters on live hosts
    • -photon    Crawls all live hosts [takes time and creates lots of files]
    • -knock     Bruteforce subdomains [takes time and saves output in current working directory (in json format)]
  7. Saves results in the domain.com folder
  8. Slack Notification
    • WebHook URL placed in tokens.txt will be used to notify the user once the script has finished running.
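The merge/dedupe/scope step and the Slack webhook notification described above, as an added example in bash (not EchoPwn's own code). It assumes tokens.txt holds a line of the form SLACK_WEBHOOK=... (a hypothetical key name; the page only says the URL goes in tokens.txt), and the input subdomain lists are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of EchoPwn: merge several tools' subdomain output
# into one in-scope list, guard the secrets file, and notify Slack.

# Normalize raw subdomain output: lowercase, strip "*." wildcard prefixes,
# trailing dots and stray whitespace, keep only the target domain and its
# subdomains (so out-of-scope hosts never reach the nmap/dirsearch stages),
# then sort and dedupe.
merge_subdomains() {            # usage: merge_subdomains example.com file1 file2 ...
    domain="$1"; shift
    esc=$(printf '%s' "$domain" | sed 's/\./\\./g')
    cat "$@" \
      | tr 'A-Z' 'a-z' \
      | sed -e 's/^\*\.//' -e 's/\.$//' -e 's/[[:space:]]//g' \
      | grep -E "(^|\.)${esc}\$" \
      | sort -u
}

# Refuse to run if the secrets file is group/world readable, so the API
# tokens and webhook URL do not leak to other local users.
check_tokens_file() {           # returns 0 when the file is mode 600 or 400
    f="$1"
    [ -f "$f" ] || return 1
    perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$perms" in
        600|400) return 0 ;;
        *) echo "refusing: $f is mode $perms, expected 600" >&2; return 1 ;;
    esac
}

# JSON body expected by a Slack Incoming Webhook: {"text": "..."}.
slack_payload() {               # usage: slack_payload domain live_count
    printf '{"text":"EchoPwn finished for %s: %s live subdomains"}' "$1" "$2"
}

# POST the payload to the webhook URL read from tokens.txt (hypothetical
# SLACK_WEBHOOK=... line). The URL is a bearer secret: never echo or log it.
notify_slack() {                # usage: notify_slack tokens.txt domain live_count
    url=$(sed -n 's/^SLACK_WEBHOOK=//p' "$1")
    [ -n "$url" ] || { echo "no SLACK_WEBHOOK in $1" >&2; return 1; }
    curl -fsS -X POST -H 'Content-type: application/json' \
         --data "$(slack_payload "$2" "$3")" "$url" >/dev/null
}
```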

Usage:

./EchoPwn.sh domain.com                               //For Default Scan.
./EchoPwn.sh domain.com -nmap                         //To run nmap on your results
./EchoPwn.sh domain.com -arjun                        //To run arjun on your results
./EchoPwn.sh domain.com -photon                       //To run photon on each subdomain
./EchoPwn.sh domain.com -knock                        //To bruteforce subdomains using knockpy
./EchoPwn.sh domain.com -nmap -arjun -photon -knock   //For Full Scan

Output will be saved in the EchoPwn/domain.com/ directory.

Script in action:

EchoPwn.sh v1.1 is now updated on GitHub; however, the installation steps are still the same.
Stay Tuned 🙂

8 Replies to “Road to Recon with EchoPwn.sh”

  1. I am having trouble installing EchoPwn on my Kali Linux. I followed the instructions but I'm pretty sure there are some missing steps that I need to take to make it work properly. Any help would definitely be appreciated!

    1. Please send a mail to admin@echopwn.com explaining the issue you are facing.

  2. The tool was not working, throwing a lot of errors.

    1. Hey, we would like to follow up with you on this issue. Please leave a mail at admin@echopwn.com

  3. HTTPSConnectionPool(host='searchdns.netcraft.com', port=443): Max retries exceeded with url: /?restriction=site+ends+with&host=example.com (Caused by NewConnectionError(': Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
    Process NetcraftEnum-7:
    Traceback (most recent call last):
    File "/usr/lib/python3.8/multiprocessing/process.py", line 315, in _bootstrap
    self.run()
    File "Sublist3r/sublist3r.py", line 269, in run
    domain_list = self.enumerate()
    File "Sublist3r/sublist3r.py", line 570, in enumerate
    cookies = self.get_cookies(resp.headers)
    AttributeError: 'NoneType' object has no attribute 'headers'
    ^CTraceback (most recent call last):
    File "Sublist3r/sublist3r.py", line 1013, in
    Process BaiduEnum-2:
    interactive()
    File "Sublist3r/sublist3r.py", line 1010, in interactive
    res = main(domain, threads, savefile, ports, silent=False, verbose=verbose, enable_bruteforce=enable_bruteforce, engines=engines)
    File "Sublist3r/sublist3r.py", line 954, in main
    enum.join()
    Traceback (most recent call last):
    File "/usr/lib/python3.8/multiprocessing/process.py", line 149, in join
    File "/usr/lib/python3.8/multiprocessing/process.py", line 315, in _bootstrap
    self.run()
    File "Sublist3r/sublist3r.py", line 269, in run
    domain_list = self.enumerate()
    File "Sublist3r/sublist3r.py", line 254, in enumerate
    self.should_sleep()
    File "Sublist3r/sublist3r.py", line 511, in should_sleep
    time.sleep(random.randint(2, 5))
    KeyboardInterrupt
    res = self._popen.wait(timeout)
    File "/usr/lib/python3.8/multiprocessing/popen_fork.py", line 47, in wait
    return self.poll(os.WNOHANG if timeout == 0.0 else 0)
    File "/usr/lib/python3.8/multiprocessing/popen_fork.py", line 27, in poll
    pid, sts = os.waitpid(self.pid, flag)
    KeyboardInterrupt
    Process ThreatCrowd-10:
    Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 156, in _new_conn
    conn = connection.create_connection(
    File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 61, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
    File "/usr/lib/python3.8/socket.py", line 918, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
    socket.gaierror: [Errno -3] Temporary failure in name resolution

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
    File "/usr/lib/python3.8/multiprocessing/process.py", line 315, in _bootstrap
    self.run()
    File "Sublist3r/sublist3r.py", line 269, in run
    domain_list = self.enumerate()
    File "Sublist3r/sublist3r.py", line 750, in enumerate
    resp = self.req(url)
    File "Sublist3r/sublist3r.py", line 742, in req
    resp = self.session.get(url, headers=self.headers, timeout=self.timeout)
    File "/usr/local/lib/python3.8/dist-packages/requests/sessions.py", line 546, in get
    return self.request('GET', url, **kwargs)
    File "/usr/local/lib/python3.8/dist-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
    File "/usr/local/lib/python3.8/dist-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
    File "/usr/local/lib/python3.8/dist-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
    File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 665, in urlopen
    httplib_response = self._make_request(
    File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)
    File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 996, in _validate_conn
    conn.connect()
    File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 300, in connect
    conn = self._new_conn()
    File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 156, in _new_conn
    conn = connection.create_connection(

    It shows this whenever I run the script.

  4. It gives this error, and only gathers subdomains, nothing further.
    "Starting subfinder...
    ./EchoPwn.sh: line 40: ./subfinder: No such file or directory"

    1. Check whether subfinder is installed or not. If it is installed, follow step 1; if not, install it first and then follow step 1 😂
      1. Edit EchoPwn.sh line 40: change ./subfinder to subfinder and save, without the ./

  5. Like!! Thank you for publishing this awesome article.
