Knock: enumerate subdomains on a target domain

Knock

Knock (knockpy) is a Python tool that enumerates subdomains of a target domain from a wordlist. It also checks for DNS zone transfer and tries to bypass a wildcard DNS record automatically when one is enabled. Knockpy now also queries VirusTotal for subdomains; set your API_KEY in the config.json file.
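The wildcard handling mentioned above works by resolving random labels that cannot exist: if they all answer with the same address set, the zone has a wildcard, and wordlist hits that resolve to exactly that set are discarded as noise. The following is an added illustration of that logic written for this page, not knockpy's own code; the resolver is injectable, and the sample zone, hostnames and TEST-NET addresses are constructed so it runs offline.

```python
import random
import socket
import string
from typing import Callable, Dict, List, Set

# A resolver maps a hostname to its IPv4 address set; empty set means NXDOMAIN.
Resolver = Callable[[str], Set[str]]

def system_resolver(hostname: str) -> Set[str]:
    """Resolve via the OS stub resolver; an unresolvable name yields an empty set."""
    try:
        return set(socket.gethostbyname_ex(hostname)[2])
    except socket.gaierror:
        return set()

def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve a few random 16-character labels under `domain`. If every probe
    answers with the same non-empty address set, return it (wildcard present);
    otherwise return an empty set (no wildcard)."""
    seen: List[Set[str]] = []
    alphabet = string.ascii_lowercase + string.digits
    for _ in range(probes):
        label = "".join(random.choice(alphabet) for _ in range(16))
        seen.append(resolve(f"{label}.{domain}"))
    if all(seen) and all(s == seen[0] for s in seen):
        return seen[0]
    return set()

def enumerate_subdomains(domain: str, wordlist: List[str], resolve: Resolver) -> Dict[str, Set[str]]:
    """Try each wordlist entry; keep names that resolve to something other than
    the wildcard answer, so a wildcard zone does not make every word a 'hit'."""
    wildcard = detect_wildcard(domain, resolve)
    found: Dict[str, Set[str]] = {}
    for word in wordlist:
        host = f"{word}.{domain}"
        addrs = resolve(host)
        if addrs and addrs != wildcard:
            found[host] = addrs
    return found

# Constructed sample zone (reserved .test TLD, TEST-NET-3 addresses): any name
# not listed answers with the wildcard address, as a wildcard-enabled zone does.
SAMPLE_ZONE = {"www.example.test": {"203.0.113.10"}, "mail.example.test": {"203.0.113.20"}}
WILDCARD_ADDR = {"203.0.113.99"}

def sample_resolver(hostname: str) -> Set[str]:
    return set(SAMPLE_ZONE.get(hostname, WILDCARD_ADDR))

def strict_resolver(hostname: str) -> Set[str]:
    """Same zone without a wildcard: unknown names return NXDOMAIN (empty set)."""
    return set(SAMPLE_ZONE.get(hostname, set()))
```

Swap in `system_resolver` to run the same check against a zone you administer and see which names an enumerator would actually report.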

DNS zone transfer 

Install

$ git clone https://github.com/guelfoweb/knock.git

Edit knockpy/config.json and add your VirusTotal API_KEY:

"api": {
    "virustotal": "YOUR VIRUSTOTAL API_KEY HERE"
},

save.

$ sudo python setup.py install

Usage

$ knockpy -h
usage: knockpy [-h] [-v] [--no-local] [--no-remote] [--no-http] [-w WORDLIST] [-o FOLDER] [-t SEC] domain

positional arguments:
domain target to scan

optional arguments:
-h, --help show this help message and exit
-v, --version show program's version number and exit
--no-local local wordlist ignore
--no-remote remote wordlist ignore
--no-http http requests ignore
--no-http-code CODE [CODE ...]
http code list to ignore
-w WORDLIST wordlist file to import
-o FOLDER report folder to store json results
-t SEC timeout in seconds

Full scan

$ knockpy domain.com

  • Attack type: dns + http(s) requests
  • Knockpy uses the internal file wordlist.txt. If you want to use an external dictionary you can use the -w option and specify the path to your dictionary text file.
  • Knockpy also tries to get subdomains from google, duckduckgo, and virustotal. The results will be added to the general dictionary.
  • It is highly recommended to use a virustotal API_KEY, which you can get for free. The best results always come from virustotal.
  • But if you only want to work with local word lists, without search engine queries, you can add --no-remote to bypass remote recon.
  • If you want to ignore http(s) responses with specific codes, you can use the --no-http-code option followed by the code list, e.g. 404 500 530.

Fast scan

$ knockpy domain.com --no-http

  • Attack type: dns
  • DNS requests only, no http(s) requests will be made. This way the response will be much faster and you will get the IP address and the Subdomain.
  • The subdomain will be cyan in color if it is an alias and in that case, the real hostname will also be provided.

Set timeout

$ knockpy domain.com -t 5

  • default timeout = 3 seconds.

Show report

$ knockpy domain.com_yyyy_mm_dd_hh_mm_ss.json

  • Show the report in the terminal.

Output folder

$ knockpy domain.com -o /path/to/new/folder

  • All scans are saved in the default folder knock_report that you can edit in the config.json file.
  • Alternatively, you can use the -o option to define a new folder path.

Report

  • At each scan, the report will be automatically saved in json format inside the file with the name domain.com_yyyy_mm_dd_hh_mm_ss.json.
  • If you don't like autosave you can disable it from the config.json file by changing the value to "save": false.
  • To read the report in a human format you can do as described in the Show report.

Copyright (C) 2021 @guelfoweb

Source: https://github.com/guelfoweb/