Knock Subdomain Scan
๐ Knockpy Subdomain Scan v9.0
โ Fast & Async โข ๐ Recon + Brute โข ๐ง Easy to Extend
KnockPy is a modular Python 3 tool to enumerate subdomains via passive reconnaissance and bruteforce, now with async/await support, enhanced performance, and modern HTTP/TLS handling.
๐ Features (v9)
- โ
Async scanning with
httpxand DNS resolution - โ Modular: plug new passive sources easily
- ๐ Supports passive recon, bruteforce, or both
- ๐จ Formatted terminal output with Rich (tables, progress, panels)
- ๐ Validates HTTP/HTTPS status, TLS cert, and IP
- โ ๏ธ Detects legacy TLS support (TLS 1.0/1.1) as warning in CLI/verbose/HTML report
- ๐งพ Checks AXFR (zone transfer) on root domain during domain-mode scans
- ๐
--verbosesingle-domain diagnostics (DNS/TCP/TLS/redirect chains/request errors + security checks) - ๐ก Supports wildcard DNS detection
- ๐งช SQLite reports with interactive catalog (
show/delete/export/search) - ๐ Supports VirusTotal and Shodan API
- ๐ Optimized bruteforce runtime with TLS-probe endpoint caching (no timeout changes required)
๐ฆ Installation
From GitHub source (recommended)
git clone https://github.com/guelfoweb/knockpy.git
cd knockpy
recommended: install in a virtual environment
python3 -m venv .venv
. .venv/bin/activate
python3 -m pip install -U pip
pip install .
alternative: install for the current user (no venv)
python3 -m pip install --user .
โ ๏ธ Recommended Python version: 3.9+
๐งฑ Project Structure
The codebase is organized by responsibility, with stable facades for backward compatibility:
knockpy/
cli.py # CLI entrypoint (facade/orchestration)
cli_parts/
status.py # runtime/status panel rendering
setup.py # interactive setup and persisted runtime defaults
report.py # interactive report mode
scan_flow.py # exclude rules, recon-test, wildcard helpers
core.py # public core facade (compatibility)
engine/
runtime.py # scanning engine implementation
storage.py # public storage facade (compatibility)
storage_parts/
db.py # SQLite persistence/settings
export.py # report export orchestration
html_report.py # HTML report rendering
output.py # terminal output rendering
server_versions.py # web-server versions catalog
knockpy.py # compatibility module exports
Compatibility note:
- Preferred external imports:
import knockpyorfrom knockpy import KNOCKPY. - Internal modules are split into
engine/,cliparts/, andstorageparts/.
Using pip
Only after the stable version is released on GitHub
pip install knock-subdomains
๐งช Usage
knockpy -d domain.com [options]
Options
| Flag | Description | | ----------------- | ---------------------------------- | | -d, --domain | Target domain (or stdin if used without value) | | -f, --file | File with list of domains | | --recon | Enable passive reconnaissance | | --bruteforce, --brute | Enable bruteforce using wordlist | | --exclude TYPE VALUE | Exclude matches (status, length/lenght, body) | | --verbose | Deep diagnostics for single-domain scans only | | --wildcard | Test wildcard DNS and exit | | --test | With --recon, test each recon source (failed/empty/data) | | --setup | Interactive setup (runtime defaults + API keys in DB) | | --update-versions | Update local latest web-server versions catalog | | --report [ID\|latest\|list] | Report mode (interactive show/delete/export/search/reset db, export HTML) | | --check-update | Check online if a newer Knockpy release is available on PyPI | | --wordlist | Runtime override for wordlist | | --dns | Runtime override for DNS resolver | | --useragent | Runtime override for HTTP user-agent | | --timeout | Runtime override for timeout (seconds) | | --threads | Runtime override for concurrent workers | | --silent | Hide progress bar | | --json | JSON-only output (forces --silent) | | --status | Print runtime status and continue | | -h, --help | Show help message |
Performance Tuning: --threads and --timeout
These two options have the biggest impact on runtime for large scans.
--threadscontrols concurrency (how many targets are processed in parallel)--timeoutcontrols how long each network step waits before giving up
- higher
threads= faster scans, but more load on CPU/network/DNS and higher risk of remote rate-limits - lower
timeout= faster scans, but higher risk of missing slow yet valid targets (false negatives)
- small/accurate scan (few domains):
--threads 50 --timeout 5 - balanced scan:
--threads 150 --timeout 4 - large scan (10k+ domains): start with
--threads 250 --timeout 3
- fast pass:
--threads 250 --timeout 3 - retry pass only on missing/uncertain targets:
--threads 80 --timeout 5(or higher)
- CLI values always override saved setup values
- saved setup values (
--setup) override built-in defaults - current built-in defaults are
threads=250,timeout=3
๐ Examples
๐ Recon + Brute
knockpy -d example.com --recon --bruteforce
๐งช Recon services test
knockpy -d example.com --recon --test
๐ Update web-server latest versions catalog
knockpy --update-versions
๐ Check for Knockpy updates
knockpy --check-update
โ๏ธ Recon sources config (editable)
At first run, KnockPy creates:
~/.knockpy/recon_services.json
You can add/disable sources by editing the services array. You can also point to a custom file path without changing code:
export KNOCKRECONSERVICES=/path/to/recon_services.json
Each service supports:
nameenabled(true/false)parserurltemplate(supports{domain},{virustotalkey},{shodan_key})requires_api(virustotalorshodan, optional)
csvfirstcolumnrapiddnshtmltdjson_listvirustotal_subdomainsshodan_subdomains
๐ฅ Domain from stdin
echo "example.com" | knockpy -d
๐ง API Keys (optional)
export APIKEYVIRUSTOTAL=your-virustotal-api-key
export APIKEYSHODAN=your-shodan-api-key
You can use .env file:
APIKEYVIRUSTOTAL=your-virustotal-api-key
APIKEYSHODAN=your-shodan-api-key
๐พ Reports (SQLite + Interactive HTML export)
knockpy -d example.com --recon --bruteforce
knockpy --report list
knockpy --report latest
knockpy --report
Interactive report menu:
1 show2 delete3 export4 search0 reset db(asks explicit confirmation)
- press
Enteron empty action prompt - or press
CTRL+C
๐ Single-domain diagnostics
knockpy -d forum.example.com --verbose
๐งช Wildcard test only
knockpy -d example.com --wildcard
๐งฌ Python API Usage
KnockPy can be used as a Python module:
import knockpy
result = knockpy.KNOCKPY("example.com", timeout=5.0, threads=20) print(result["domain"], result["ip"])
or:
from knockpy import KNOCKPY
domain = 'example.com'
results = KNOCKPY( domain, dns="8.8.8.8", useragent="Mozilla/5.0", timeout=5, threads=10, recon=True, bruteforce=True, wordlist=None, silent=False )
for entry in results: print(entry['domain'], entry['ip'], entry['http'], entry['cert'])
๐ Wordlist
A default wordlist is included in knockpy/wordlist/wordlist.txt. You can supply your own with --wordlist.
Test
python3 -m pytest
(optional) smoke-run example script
python3 examples/poc.py
๐ License
Licensed under the GPLv3 license.
Gianni Amato (@guelfoweb)