/knock

Knock Subdomain Scan

Primary LanguagePython

Knock Subdomain Scan v.4.0.0

Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist. It is designed to scan for DNS zone transfer and to try to bypass the wildcard DNS record automatically if it is enabled.

Very simply

$ knockpy domain.com
https://cloud.githubusercontent.com/assets/41558/21270690/f8854cb8-c3b7-11e6-933b-c47e358f4a70.png

Export full report in JSON

If you want to save full log like this one just type:

$ knockpy domain.com --json

Install

Prerequisites

  • Python 2.7.6

Dependencies

  • Dnspython
$ sudo apt-get install python-dnspython

Installing with pypi

$ sudo pip install https://github.com/guelfoweb/knock/archive/knock4.zip

Installing manually

Download zip and extract folder:

$ cd knock-knock4/

$ sudo python setup.py install

Installing from Debian repository (Stretch)

$ sudo apt-get update

$ sudo apt-ge install knockpy

Note that it's recommended to use Google DNS: 8.8.8.8 and 8.8.4.4

Knockpy arguments

$ knockpy -h
usage: knockpy [-h] [-v] [-w WORDLIST] [-r] [-c] [-j] domain

___________________________________________

knock subdomain scan
knockpy v.4.0beta
Author: Gianni 'guelfoweb' Amato
Github: https://github.com/guelfoweb/knock
___________________________________________

positional arguments:
  domain         target to scan, like domain.com

optional arguments:
  -h, --help     show this help message and exit
  -v, --version  show program's version number and exit
  -w WORDLIST    specific path to wordlist file
  -r, --resolve  resolve ip or domain name
  -c, --csv      save output in csv
  -j, --json     export full report in JSON

example:
  knockpy domain.com
  knockpy domain.com -w wordlist.txt
  knockpy -r domain.com or IP
  knockpy -c domain.com
  knockpy -j domain.com

Example

Subdomain scan with internal wordlist

$ knockpy domain.com

Subdomain scan with external wordlist

$ knockpy domain.com -w wordlist.txt

Resolve domain name and get response headers

$ knockpy -r domain.com [or IP]
+ checking for wildcard: NO
+ checking for zonetransfer: NO
+ resolving target: YES
{
    "zonetransfer": {
        "enabled": false,
        "list": []
    },
    "target": "google.com",
    "hostname": "google.com",
    "alias": [],
    "wildcard": {
        "detected": {},
        "test_target": "kfwpsxvdnt.google.com",
        "enabled": false,
        "http_response": {}
    },
    "ipaddress": [
        "216.58.205.142"
    ],
    "response_time": "0.0917398929596",
    "http_response": {
        "status": {
            "reason": "Found",
            "code": 302
        },
        "http_headers": {
            "date": "Thu, 22 Dec 2016 09:28:48 GMT",
            "content-length": "256",
            "content-type": "text/html; charset=UTF-8",
            "location": "http://www.google.it/?gfe_rd=cr&ei=0JxbWIGmLofCXruVhcgI",
            "cache-control": "private"
        }
    }
}

Save scan output in CSV

$ knockpy -c domain.com

Export full report in JSON

$ knockpy -j domain.com

Talk about

Ethical Hacking and Penetration Testing Guide Book by Rafay Baloch.

Knockpy comes pre-installed on the following security distributions for penetration test:

Other

This tool is currently maintained by Gianni 'guelfoweb' Amato, who can be contacted at guelfoweb@gmail.com or twitter @guelfoweb. Suggestions and criticism are welcome.

Sponsored by Security Side