Knockpy : How to scan Subdomains of a website

Knockpy : How to scan Subdomains of a website
Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist. It is designed to scan for DNS zone transfer and to try to bypass the wildcard DNS record automatically if it is enabled. Now knockpy supports queries to VirusTotal subdomains, you can setting the API_KEY within the config.json file.

So its main features are it can search for sub domains using virustotal API, scan for zone transfer vulnerabilities and look for to bypass wildcard DNS records.

Well inorder to search for subdomains I use dnsdumpster. But today i gave Knockpy a shot and I must say it is really nice tool written in python and work in a very efficient way, It scans subdomains via virustotal API. So in order to use it you need to get a virustotal API by signing up of the virustotal website.

  • You need a linux environment installed on your system(Ubuntu/Kali).
  • Dependencis : Dnspython

    sudo apt-get install python-dnspython
  • Knockpy.

How to Install Knockpy to scan Subdomains:

You need to download Knockpy first. You can easily download it from the github or clone it using the following command:

git clone  

Once cloned, edit the config.json file and add your VIRUSTOTAL API.

nano  /knock/knockpy/config.json

now go back to /knock directory and type following to install

python install

How to scan Subdomains of a Website using Knockpy


In order to use it simply enter
knockpy <your_URL>
example: knockpy
There are other options also available simple hit the following on the terminal.
knockpy -h  
knockpy [-h] [-v] [-w WORDLIST] [-r] [-c] [-j] domain

Positional arguments:
domain         target to scan, like

Optional arguments:
-h, --help     show this help message and exit
-v, --version  show program's version number and exit
-w WORDLIST    specific path to wordlist file
-r, --resolve  resolve IP or domain name
-c, --csv      save output in CSV
-j, --json     export full report in JSON


  knockpy -w wordlist.txt
  knockpy -r or IP
  knockpy -c
  knockpy -j

And this will scan all the subdomains of the url you have provided  and will give the list of IP address,type, and server etc.

No comments:

Powered by Blogger.