LinuxCommandLibrary

knockpy

Perform subdomain enumeration

SYNOPSIS

knockpy [-w WORDLIST] [-r RATE] [-t THREADS] [-s SUFFIXES] [-p PREFIXES] [--csv] [--extended] domain

PARAMETERS

-w WORDLIST, --wordlist WORDLIST
    Path to custom wordlist file.
    Default: built-in optimized list.

-r RATE, --rate RATE
    DNS requests per second (throttling).
    Default: 100.

-t THREADS, --threads THREADS
    Number of concurrent threads.
    Default: 30.

-s SUFFIXES, --suffix SUFFIXES
    Comma-separated suffixes to append (e.g., "-s .dev,.staging").

-p PREFIXES, --prefix PREFIXES
    Comma-separated prefixes to prepend (e.g., "-p api,www").

--csv
    Output results in CSV format.

--extended
    Perform extended subdomain scan with additional permutations.

-h, --help
    Show help message and exit.

DESCRIPTION

Knockpy is a Python-based reconnaissance tool for discovering subdomains of a target domain by dictionary brute-forcing. It issues DNS queries for candidate names built from a wordlist and reports the ones that resolve.

Key features include a configurable request rate so DNS servers are not overwhelmed, multi-threading for speed, and prefix/suffix support to widen the search space (e.g., dev., api., .com). Output lists each discovered subdomain with its IP address; CSV export (--csv) and extended permutation scans (--extended) are optional.

Suited to penetration testing and OSINT, it helps map attack surfaces by revealing subdomains that are not advertised. The default wordlist is tuned for common names, but a custom list can be supplied with -w. Rate limiting keeps the query volume from being mistaken for a DoS or tripping detection, so it is quieter than unthrottled tools.
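An added Python sketch (not knockpy's own code) of the two mechanisms the description covers: prefix/suffix expansion of the wordlist and per-second throttling. It lets you see how many names a given -w/-p/-s combination produces and how long they take at a given -r before an authorized scan, or when sizing a query-volume threshold on a resolver you defend. Plain string concatenation for -p/-s and the sleep-based throttle are assumptions, not knockpy's implementation; the resolver is injectable so the example runs offline, and the sample words and example.com are constructed input.

```python
import socket
import time
from typing import Callable, Dict, Iterable, List, Optional, Sequence, Tuple

# Constructed sample input (not a real wordlist); example.com is a reserved name.
SAMPLE_WORDS = ["www", "api", "mail", "", "API"]
SAMPLE_DOMAIN = "example.com"

def candidates(words: Iterable[str], domain: str,
               prefixes: Sequence[str] = (), suffixes: Sequence[str] = ()) -> List[str]:
    """Expand a wordlist into FQDNs the way -p/-s widen the search space.
    Plain concatenation is assumed here (knockpy's exact rules may differ);
    blank lines are skipped and duplicates dropped case-insensitively."""
    seen, out = set(), []
    for word in words:
        word = word.strip().lower()
        if not word:
            continue
        for label in [word] + [p + word for p in prefixes] + [word + s for s in suffixes]:
            fqdn = f"{label}.{domain}"
            if fqdn not in seen:
                seen.add(fqdn)
                out.append(fqdn)
    return out

def dns_lookup(name: str) -> Optional[str]:
    """Real resolver (first A record or None); not used by the offline test."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def resolve_throttled(names: Iterable[str], rate: float,
                      resolve: Callable[[str], Optional[str]] = dns_lookup
                      ) -> Tuple[Dict[str, str], float]:
    """Resolve names one at a time, never exceeding `rate` queries per second.
    A sleep-until-next-slot throttle stands in for knockpy's -r logic (assumed).
    Returns {fqdn: ip} for the names that resolved, plus elapsed seconds."""
    interval, found = 1.0 / rate, {}
    start = next_slot = time.monotonic()
    for name in names:
        wait = next_slot - time.monotonic()
        if wait > 0:
            time.sleep(wait)
        next_slot = time.monotonic() + interval
        ip = resolve(name)
        if ip:
            found[name] = ip
    return found, time.monotonic() - start
```

With the sample words, prefix dev- and suffix .staging give 9 candidate names; at -r 50 that is at least 0.16 s of DNS traffic, and scaling the same arithmetic to a real wordlist is how you size a scan window or a resolver alert threshold.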

CAVEATS

High rates/threads may trigger rate-limiting or appear as DoS; use responsibly on authorized targets only. Not for production DNS; requires Python 3 and dnspython library.

INSTALLATION

pip3 install knockpy

Or from source:

git clone https://github.com/guelfoweb/knock && cd knock && python3 setup.py install

EXAMPLE USAGE

knockpy -w /usr/share/wordlists/subdomains.txt -r 50 -t 20 example.com
Discovers subdomains like api.example.com, mail.example.com.

HISTORY

Developed by Gianni 'guelfoweb' Amato in 2016 as an open-source Python tool on GitHub. It evolved toward efficient DNS recon, with updates adding threading and rate control, and is widely used in pentesting distributions such as Kali Linux.

SEE ALSO

dnsenum(1), dnsrecon(1), fierce(1)
