knockpy
Perform subdomain enumeration
SYNOPSIS
python knockpy.py [OPTIONS] <TARGET_DOMAIN>
Example: python knockpy.py example.com -w custom_wordlist.txt --full -o results.txt
PARAMETERS
-h, --help
Show the help message and exit.
-v, --version
Show program's version number and exit.
-c, --config
Specify path to config file.
-w, --wordlist
Path to wordlist for DNS brute-force enumeration.
-r, --resolvers
Path to a file containing custom DNS resolvers.
-t, --threads
Number of threads to use for concurrent operations (default: 5).
-o, --output
Specify the output file name for results.
-j, --json
Output results in JSON format.
-x, --external
Use external/online services for enumeration (deprecated; use the per-source flags below or --full).
--dnsbrute
Perform DNS brute-force (default is on when a wordlist is provided).
--virustotal
Utilize VirusTotal for subdomain discovery.
--sublist3r
Utilize Sublist3r's techniques for subdomain discovery.
--crtsh
Query crt.sh for subdomain information from SSL certificates.
--hackertarget
Use HackerTarget's subdomain lookup service.
--netcraft
Query Netcraft for subdomain and hostname information.
--riskiq
Utilize RiskIQ PassiveTotal for subdomain discovery.
--exalead
Use Exalead search engine for subdomain enumeration.
--threatcrowd
Query ThreatCrowd for subdomain information.
--findsubdomains
Utilize FindSubdomains.com for discovery.
--dogpile
Use Dogpile search engine for subdomain enumeration.
--ipv4info
Query IPv4Info for related subdomain information.
--bufferover
Utilize BufferOver.run for subdomain discovery.
--securitytrails
Use SecurityTrails for comprehensive subdomain data (may require API key).
--full
Enable all available external sources for comprehensive subdomain enumeration.
DESCRIPTION
knockpy is a Python tool for fast subdomain enumeration. It combines classic DNS brute-forcing from a wordlist with passive discovery from online sources such as VirusTotal, crt.sh (certificate transparency), HackerTarget and Sublist3r-style search-engine scraping, so that a single run covers both names that appear in public records and names that are only guessable. Penetration testers, bug bounty hunters and security researchers use it during reconnaissance to map the attack surface of a target domain. Resolution is multithreaded, and results can be written as human-readable text or JSON for use in automated pipelines. Each data source is selectable individually, so users can restrict a run to the sources they trust or hold API keys for.
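The following is an added example, not code from the knockpy project, that models the workflow described above in a few dozen lines: candidate names are gathered from a wordlist and from a passive source (here a constructed crt.sh-style JSON response), resolved concurrently through a thread pool, and emitted as JSON. The resolver is injectable so the example runs offline against a constructed fake zone; a real run would plug in a DNS lookup. It also adds the check a practitioner wants when brute-forcing: a wildcard-DNS probe, so that a zone answering every name does not produce thousands of false positives. All hostnames, IPs and the helper names are assumptions made for this example.

```python
"""Added example: knockpy-style enumeration with passive-source merge,
threaded resolution and wildcard-DNS filtering. Not knockpy's own code."""
import concurrent.futures
import json
import secrets
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed crt.sh-style response. The real endpoint returns a JSON list
# of certificate records; name_value may contain several names separated
# by newlines and may include wildcard entries.
SAMPLE_CRTSH = json.dumps([
    {"name_value": "www.example.com\napi.example.com"},
    {"name_value": "*.staging.example.com"},
    {"name_value": "example.com"},
    {"name_value": "notexample.com"},  # must NOT match: different domain
])

# Constructed fake zone used by the offline resolver (assumption).
FAKE_ZONE: Dict[str, List[str]] = {
    "www.example.com": ["93.184.216.34"],
    "api.example.com": ["203.0.113.10"],
    "mail.example.com": ["203.0.113.25"],
    "staging.example.com": ["203.0.113.50"],
}

Resolver = Callable[[str], Optional[List[str]]]


def fake_resolve(name: str) -> Optional[List[str]]:
    """Offline stand-in for a DNS A-record lookup."""
    return FAKE_ZONE.get(name.lower())


def parse_crtsh(raw_json: str, domain: str) -> Set[str]:
    """Extract hostnames under `domain` from a crt.sh-style JSON body.
    A wildcard entry '*.x.domain' yields 'x.domain' so the base name is
    still resolved; names from unrelated domains are discarded."""
    found: Set[str] = set()
    suffix = "." + domain
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith(suffix):
                found.add(name)
    return found


def detect_wildcard(domain: str, resolver: Resolver) -> Set[str]:
    """Resolve a random label; if it answers, the zone is wildcarded and
    the returned IPs mark answers to ignore during brute-force."""
    probe = f"knock-{secrets.token_hex(6)}.{domain}"
    return set(resolver(probe) or [])


def enumerate_subdomains(domain: str, wordlist: Iterable[str],
                         resolver: Resolver = fake_resolve,
                         passive: Iterable[Set[str]] = (),
                         threads: int = 5) -> Dict[str, List[str]]:
    """Merge brute-force candidates with passive findings, resolve them
    concurrently and drop answers that merely echo the wildcard record."""
    candidates = {f"{w.strip().lower()}.{domain}" for w in wordlist if w.strip()}
    for source in passive:
        candidates |= source
    wildcard_ips = detect_wildcard(domain, resolver)
    ordered = sorted(candidates)
    results: Dict[str, List[str]] = {}
    with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as pool:
        for host, ips in zip(ordered, pool.map(resolver, ordered)):
            if not ips:
                continue
            if wildcard_ips and set(ips) == wildcard_ips:
                continue  # indistinguishable from the wildcard answer
            results[host] = sorted(ips)
    return results


def as_json(results: Dict[str, List[str]]) -> str:
    """JSON output in the spirit of knockpy's -j flag."""
    return json.dumps(results, indent=2, sort_keys=True)


if __name__ == "__main__":
    wordlist = ["www", "api", "mail", "ftp", "dev"]  # constructed wordlist
    passive = [parse_crtsh(SAMPLE_CRTSH, "example.com")]
    print(as_json(enumerate_subdomains("example.com", wordlist, passive=passive)))
```

The wildcard check is the part most brute-force scripts omit: without it, a zone with `*.example.com` answers every wordlist entry and the "results" are just the wordlist. Comparing the answer set to the probe's answer set (rather than discarding every hit) keeps names that resolve to a different address, which is usually the interesting case.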
CAVEATS
knockpy requires Python 3.x and a handful of Python libraries, which can be installed via pip. Some external data sources require API keys (e.g., SecurityTrails) or rate-limit requests, leading to incomplete results or longer execution times. Brute-force coverage depends on the quality of the wordlist, and passive results are only as current as the external sources; a zone with a wildcard DNS record will answer every brute-forced name, so verify that hits do not all resolve to the same address before treating them as real hosts. Ensure proper network connectivity and permissions for execution.
INSTALLATION
To install knockpy, ensure you have Python 3 and pip installed. Then, run: pip3 install knockpy
Alternatively, clone the repository and install dependencies:
git clone https://github.com/guelfoweb/knock.git
cd knock
pip3 install -r requirements.txt
USAGE EXAMPLES
- Basic scan with full external sources: python knockpy.py example.com --full
- Scan with custom wordlist and output to JSON: python knockpy.py target.com -w my_wordlist.txt -j -o results.json
- Use a custom resolvers file: python knockpy.py domain.com -r resolvers.txt
HISTORY
knockpy was developed as a Python-based alternative to earlier subdomain enumeration methods, focusing on speed and integrating multiple data sources. Its development aimed to provide a more comprehensive and efficient reconnaissance tool for security professionals, evolving to include a wide array of online services for broader coverage than traditional brute-force methods alone. It became a popular choice in the penetration testing and bug bounty communities due to its effectiveness and ease of use in discovery phases.