LinuxCommandLibrary

knockpy

Perform subdomain enumeration

SYNOPSIS

python knockpy.py [OPTIONS] <TARGET_DOMAIN>
Example: python knockpy.py example.com -w custom_wordlist.txt --full -o results.txt

PARAMETERS

-h, --help
    Show the help message and exit.

-v, --version
    Show program's version number and exit.

-c, --config
    Specify path to config file.

-w, --wordlist
    Path to wordlist for DNS brute-force enumeration.

-r, --resolvers
    Path to a file containing custom DNS resolvers.

-t, --threads
    Number of threads to use for concurrent operations (default: 5).

-o, --output
    Specify the output file name for results.

-j, --json
    Output results in JSON format.

-x, --external
    Use external/online services for enumeration (deprecated, use specific flags).

--dnsbrute
    Perform DNS brute-force (default is on when a wordlist is provided).

--virustotal
    Utilize VirusTotal for subdomain discovery.

--sublist3r
    Utilize Sublist3r's techniques for subdomain discovery.

--crtsh
    Query crt.sh for subdomain information from SSL certificates.

--hackertarget
    Use HackerTarget's subdomain lookup service.

--netcraft
    Query Netcraft for subdomain and hostname information.

--riskiq
    Utilize RiskIQ PassiveTotal for subdomain discovery.

--exalead
    Use Exalead search engine for subdomain enumeration.

--threatcrowd
    Query ThreatCrowd for subdomain information.

--findsubdomains
    Utilize FindSubdomains.com for discovery.

--dogpile
    Use Dogpile search engine for subdomain enumeration.

--ipv4info
    Query IPv4Info for related subdomain information.

--bufferover
    Utilize BufferOver.run for subdomain discovery.

--securitytrails
    Use SecurityTrails for comprehensive subdomain data (may require API key).

--full
    Enable all available external sources for comprehensive subdomain enumeration.

DESCRIPTION

knockpy is a Python tool for fast subdomain enumeration. It combines classic DNS brute-forcing from a wordlist with queries to online services and search engines such as VirusTotal, crt.sh, Sublist3r and HackerTarget, so that a single run covers more of a target domain's namespace than any one source would. Penetration testers, bug bounty hunters and security researchers use it during reconnaissance to map a domain's attack surface. The tool is multithreaded for speed and writes results as human-readable text or JSON, which makes it easy to feed into automated workflows. Its modular design lets the user choose which data sources to query, depending on their needs and on which API keys they hold.
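The DNS brute-force half of that approach, as an added illustration that is not knockpy's own code: resolve each wordlist entry under the target on a small thread pool, but first probe a random label so that a wildcard DNS zone (one that answers for every name) does not turn the whole wordlist into false positives. The wildcard check, the table_resolver stand-in and the sample hosts under example.com and wild.example are assumptions constructed here, not taken from the page.

```python
import random
import socket
import string
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, Optional

# A resolver maps a hostname to an IPv4 string, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]

def system_resolver(host: str) -> Optional[str]:
    """Live lookup through the operating-system resolver."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None

def table_resolver(table: Dict[str, str], wildcard_zone: Optional[str] = None,
                   wildcard_ip: str = "198.51.100.1") -> Resolver:
    """Offline stand-in for DNS built from a constructed table; any name under
    wildcard_zone answers with wildcard_ip, like a zone with a '*' record."""
    def resolve(host: str) -> Optional[str]:
        if host in table:
            return table[host]
        if wildcard_zone and host.endswith("." + wildcard_zone):
            return wildcard_ip
        return None
    return resolve

def wildcard_address(domain: str, resolve: Resolver) -> Optional[str]:
    """Resolve a random label that should not exist. An answer means the zone
    has a wildcard record, and that address is noise rather than a real host."""
    label = "".join(random.choices(string.ascii_lowercase, k=20))
    return resolve(f"{label}.{domain}")

def brute_force(domain: str, words: Iterable[str], resolve: Resolver = system_resolver,
                threads: int = 5) -> Dict[str, str]:
    """Resolve <word>.<domain> for each wordlist entry on a thread pool (5 workers,
    matching knockpy's -t default) and drop answers that match the wildcard address."""
    noise = wildcard_address(domain, resolve)
    candidates = sorted({f"{w.strip().lower()}.{domain}" for w in words if w.strip()})
    found: Dict[str, str] = {}
    with ThreadPoolExecutor(max_workers=threads) as pool:
        for host, ip in zip(candidates, pool.map(resolve, candidates)):
            if ip is not None and ip != noise:
                found[host] = ip
    return found

if __name__ == "__main__":  # constructed sample zone, no network needed
    dns = table_resolver({"www.example.com": "192.0.2.10"}, wildcard_zone="wild.example")
    print(brute_force("example.com", ["www", "mail"], resolve=dns))  # {'www.example.com': '192.0.2.10'}
```

Pass resolve=system_resolver (the default) to run it against live DNS for a domain you administer; a zone with a wildcard record then yields an empty result instead of every wordlist entry.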

CAVEATS

knockpy requires Python 3.x and a few Python libraries, which can be installed via pip. Some external data sources require API keys (e.g., SecurityTrails) or rate-limit requests, which can lead to incomplete results or longer run times. The accuracy of the results depends on the quality of the wordlist used for DNS brute-forcing and on how current the external data sources are. Ensure you have network connectivity and the permissions needed to run the tool.

INSTALLATION

To install knockpy, ensure you have Python 3 and pip installed. Then run:
pip3 install knockpy
Alternatively, clone the repository and install dependencies:
git clone https://github.com/guelfoweb/knock.git
cd knock
pip3 install -r requirements.txt

USAGE EXAMPLES

- Basic scan with full external sources: python knockpy.py example.com --full
- Scan with custom wordlist and output to JSON: python knockpy.py target.com -w my_wordlist.txt -j -o results.json
- Use a custom list of DNS resolvers: python knockpy.py domain.com -r resolvers.txt

HISTORY

knockpy was developed as a Python-based alternative to earlier subdomain enumeration methods, focusing on speed and integrating multiple data sources. Its development aimed to provide a more comprehensive and efficient reconnaissance tool for security professionals, evolving to include a wide array of online services for broader coverage than traditional brute-force methods alone. It became a popular choice in the penetration testing and bug bounty communities due to its effectiveness and ease of use in discovery phases.

SEE ALSO

subfinder(1), assetfinder(1), amass(1), dnsenum(1), dig(1), host(1), nslookup(1)