Enumeration, Footprinting

Enumerate subdomains through a wordlist

Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist.


knockpy [-h] [-v] [-w WORDLIST] [-r] [-z] domain
positional arguments:
domain         specific target domain, like domain.com
optional arguments:
-h, --help     show this help message and exit
-v, --version  show program's version number and exit
-w WORDLIST    specific path to wordlist file
-r, --resolve  resolve ip or domain name
-z, --zone     check for zone transfer

Download from Github.

git clone https://github.com/guelfoweb/knock


pip install https://github.com/guelfoweb/knock/archive/v3.0.0.zip
python setup.py install

note: tested with python 2.7.6 | is recommended to use google dns ( |

subdomain scan with internal wordlist

knockpy domain.com

subdomain scan with external wordlist

knockpy domain.com -w wordlist.txt

resolve domain name and get response headers

knockpy -r domain.com

check zone transfer for domain name

knockpy -z domain.com