Knock v7.0 releases: Subdomain Scan
Knock is a Python tool designed to enumerate subdomains on a target domain through a wordlist. It is designed to scan for DNS zone transfer and to try to bypass the wildcard DNS record automatically if it is enabled. Now knockpy supports queries to VirusTotal subdomains, you can set the API_KEY within the config.json file. Knockpy is a Python tool designed to enumerate subdomains on a target domain through a wordlist. It is designed to scan for DNS zone transfer and to try to bypass the wildcard DNS record automatically if it is enabled.
Changelog v7.0
- rewritten code
Install
$ git clone https://github.com/guelfoweb/knock.git
edit knockpy/config.json add your virustotal API_KEY
"api": { "virustotal": "YOUR VIRUSTOTAL API_KEY HERE" },
save.
$ sudo python setup.py install
Usage
Full scan
$ knockpy domain.com
- Attack type: dns + http(s) requests
- Knockpy uses the internal file wordlist.txt. If you want to use an external dictionary you can use the -w option and specify the path to your dictionary text file.
- Knockpy also tries to get subdomains from google, duckduckgo, and virustotal. The results will be added to the general dictionary.
- It is highly recommended to use a virustotal API_KEY which you can get for free. The best results always come fromvirustotal.
- But, if you only want to work with local word lists, without search engine queries, you can add –no-remote to bypass remote recon.
- If you want to ignore http(s) responses with specific code, you can use the –no-http-code option followed by the code list 404 500 530
Fast scan
$ knockpy domain.com –no-http
- Attack type: dns
- DNS requests only, no http(s) requests will be made. This way the response will be much faster and you will get the IP address and the Subdomain.
- The subdomain will be cyan in color if it is an alias and in that case, the real hostname will also be provided.
Set timeout
$ knockpy domain.com -t 5
- default timeout = 3 seconds.
Show report
$ knockpy domain.com_yyyy_mm_dd_hh_mm_ss.json
- Show the report in the terminal.
Output folder
$ knockpy domain.com -o /path/to/new/folder
- All scans are saved in the default folder knock_report that you can edit in the config.json file.
- Alternatively, you can use the o option to define the new folder path.
Report
- At each scan, the report will be automatically saved in json format inside the file with the name domain.com_yyyy_mm_dd_hh_mm_ss.json.
- If you don’t like autosave you can disable it from the config.json file by changing the value to “save”: false.
- To read the report in a human format you can do as described in the Show report.
Copyright (C) 2021 @guelfoweb
Source: https://github.com/guelfoweb/