Knock Subdomain Scan



Knock Subdomain Scan v5.3.0

Knockpy is a python3 tool designed to quickly enumerate subdomains on a target domain through dictionary attack.

Very simply



You need python3, pip3, git.

git clone
cd knock
pip3 install -r requirements.txt
python3 <DOMAIN>


Knockpy image hosted at DockerHub Page and automatically updated with RAUDI

docker run -it --rm secsi/knockpy <domain>

Knockpy -h

usage: knockpy [-h] [-v] [--no-local] [--no-remote] [--no-http] [--no-http-code CODE [CODE ...]] 
               [-w WORDLIST] [-o FOLDER] [-t SEC] [-th NUM] domain

full scan:    knockpy
ignore code:  knockpy --no-http-code 404 500 530
threads:      knockpy -th 50
timeout:      knockpy -t 2

show report:  knockpy --report knockpy_report/domain.com_yyyy_mm_dd_hh_mm_ss.json
plot report:  knockpy --plot knockpy_report/domain.com_yyyy_mm_dd_hh_mm_ss.json
csv report:   knockpy --csv knockpy_report/domain.com_yyyy_mm_dd_hh_mm_ss.json

set apikey:   knockpy --set apikey-virustotal=APIKEY
set timeout:  knockpy --set timeout=sec
set threads:  knockpy --set threads=num

positional arguments:
  domain                target to scan

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit
  --no-local            local wordlist ignore
  --no-remote           remote wordlist ignore
  --no-http             http requests ignore
  --no-http-code CODE [CODE ...]
                        http code list to ignore

  --dns DNS             use custom DNS ex.                        

  -w WORDLIST           wordlist file to import
  -o FOLDER             report folder to store json results
  -t SEC                timeout in seconds
  -th NUM               threads num


Full scan

$ knockpy

  • Attack type: dns + http(s) requests
  • Knockpy uses internal file wordlist.txt. If you want to use an external dictionary you can use the -w option and specify the path to your dictionary text file.
  • Knockpy also tries to get subdomains from googleduckduckgo, and virustotal. The results will be added to the general dictionary.
  • It is highly recommended to use a virustotal API_KEY which you can get for free. The best results always come from virustotal.
  • But, if you only want to work with local word lists, without search engines queries, you can add --no-remote to bypass remote recon.
  • If you want to ignore http(s) responses with specific code, you can use the --no-http-code option followed by the code list 404 500 530

Fast scan

$ knockpy --no-http

  • Attack type: dns
  • DNS requests only, no http(s) requests will be made. This way the response will be much faster and you will get the IP address and the Subdomain.
  • The subdomain will be cyan in color if it is an alias and in that case the real host name will also be provided.

Custom DNS

$ knockpy --dns

  • by default it uses the pre-configured DNS on your system (ex. /etc/resolv.conf).

Set threads

$ knockpy -th 50

  • default threads = 30

Set timeout

$ knockpy -t 5

  • default timeout = 3 seconds.

Virustotal APIKEY

$ knockpy --set apikey-virustotal=APIKEY

Show report

$ knockpy --report knockpy_report/domain.com_yyyy_mm_dd_hh_mm_ss.json

  • Show the report in the terminal.

Csv report

$ knockpy --csv knockpy_report/domain.com_yyyy_mm_dd_hh_mm_ss.json

  • Save report as csv file.

Plot report

$ knockpy --plot knockpy_report/domain.com_yyyy_mm_dd_hh_mm_ss.json

  • Plot relationships.

Output folder

$ knockpy -o /path/to/new/folder

  • All scans are saved in the default folder knockpy_report that you can edit in the config.json file.
  • Alternatively, you can use the -o option to define the new folder path.


  • At each scan the report will be automatically saved in json format inside the file with the name domain.com_yyyy_mm_dd_hh_mm_ss.json.
  • If you don’t like autosave you can disable it from the config.json file by changing the value to "save": false.
  • To read the report in a human format you can do as described in Show report.

Report example domain.com_yyyy_mm_dd_hh_mm_ss.json:

    "": {
        "domain": "host.domain.ext",
        "alias": [""],
        "ipaddr": [
        "code": 200,
        "server": "Microsoft-IIS/8.5"
               -- cut --
        "domain": "",
        "alias": [],
        "ipaddr": [
        "code": 500,
        "server": "nginx/1.15.6 "
    "_meta": {
        "name": "knockpy",
        "version": "5.1.0",
        "time_start": 1616353591.2510355,
        "time_end": 1616353930.6632543,
        "domain": "",
        "wordlist": 2120

_meta is a reserved key that contains the basic information of the scan.

The knock is a github repository by Gianni Amato