✅ Fast & Async • 🔐 Recon + Brute • 🔧 Easy to Extend
KnockPy is a modular Python 3 tool to enumerate subdomains via passive reconnaissance and bruteforce, now with async/await support, enhanced performance, and modern HTTP/TLS handling.
- httpx and DNS resolution
- --verbose single-domain diagnostics (DNS/TCP/TLS/redirect chains/request errors + security checks)
- show/delete/export/search)

git clone https://github.com/guelfoweb/knockpy.git
cd knockpy
# recommended: install in a virtual environment
python3 -m venv .venv
. .venv/bin/activate
python3 -m pip install -U pip
pip install .
# alternative: install for the current user (no venv)
# python3 -m pip install --user .
⚠️ Recommended Python version: 3.9+
The codebase is organized by responsibility, with stable facades for backward compatibility:
knockpy/
cli.py # CLI entrypoint (facade/orchestration)
cli_parts/
status.py # runtime/status panel rendering
setup.py # interactive setup and persisted runtime defaults
report.py # interactive report mode
scan_flow.py # exclude rules, recon-test, wildcard helpers
core.py # public core facade (compatibility)
engine/
runtime.py # scanning engine implementation
storage.py # public storage facade (compatibility)
storage_parts/
db.py # SQLite persistence/settings
export.py # report export orchestration
html_report.py # HTML report rendering
output.py # terminal output rendering
server_versions.py # web-server versions catalog
knockpy.py # compatibility module exports
Compatibility note:
- Preferred external imports: import knockpy or from knockpy import KNOCKPY.
- Internal modules are split into engine/, cli_parts/, and storage_parts/.
Only after the stable version is released on GitHub
pip install knock-subdomains
knockpy -d domain.com [options]
| Flag | Description |
|---|---|
| -d, --domain | Target domain (or stdin if used without value) |
| -f, --file | File with list of domains |
| --recon | Enable passive reconnaissance |
| --bruteforce, --brute | Enable bruteforce using wordlist |
| --exclude TYPE VALUE | Exclude matches (status, length/lenght, body) |
| --verbose | Deep diagnostics for single-domain scans only |
| --wildcard | Test wildcard DNS and exit |
| --test | With --recon, test each recon source (failed/empty/data) |
| --setup | Interactive setup (runtime defaults + API keys in DB) |
| --update-versions | Update local latest web-server versions catalog |
| --report [ID\|latest\|list] | Report mode (interactive show/delete/export/search/reset db, export HTML) |
| --check-update | Check online if a newer Knockpy release is available on PyPI |
| --wordlist | Runtime override for wordlist |
| --dns | Runtime override for DNS resolver |
| --useragent | Runtime override for HTTP user-agent |
| --timeout | Runtime override for timeout (seconds) |
| --threads | Runtime override for concurrent workers |
| --silent | Hide progress bar |
| --json | JSON-only output (forces --silent) |
| --status | Print runtime status and continue |
| -h, --help | Show help message |
--threads and --timeout
These two options have the biggest impact on runtime for large scans.
- --threads controls concurrency (how many targets are processed in parallel)
- --timeout controls how long each network step waits before giving up

Trade-off:
- threads = faster scans, but more load on CPU/network/DNS and higher risk of remote rate-limits
- timeout = faster scans, but higher risk of missing slow yet valid targets (false negatives)

Recommended profiles:
- --threads 50 --timeout 5
- --threads 150 --timeout 4
- --threads 250 --timeout 3

If you need both speed and completeness on very large lists, use a 2-pass strategy:
- --threads 250 --timeout 3
- --threads 80 --timeout 5 (or higher)

Notes:
- --setup) override built-in defaults
- threads=250, timeout=3

knockpy -d example.com --recon --bruteforce
knockpy -d example.com --recon --test
knockpy --update-versions
knockpy --check-update
At first run, KnockPy creates:
~/.knockpy/recon_services.json
You can add/disable sources by editing the services array.
You can also point to a custom file path without changing code:
export KNOCK_RECON_SERVICES=/path/to/recon_services.json
Each service supports:
- name
- enabled (true/false)
- parser
- url_template (supports {domain}, {virustotal_key}, {shodan_key})
- requires_api (virustotal or shodan, optional)

Supported parsers:
- csv_first_column
- rapiddns_html_td
- json_list
- virustotal_subdomains
- shodan_subdomains

echo "example.com" | knockpy -d
export API_KEY_VIRUSTOTAL=your-virustotal-api-key
export API_KEY_SHODAN=your-shodan-api-key
You can use .env file:
API_KEY_VIRUSTOTAL=your-virustotal-api-key
API_KEY_SHODAN=your-shodan-api-key
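A pre-flight check for the recon_services.json fields, parsers and API-key variables described above, as an added example that is not part of KnockPy. The function name `validate_services`, the top-level `services` key layout, the sample hosts and the https check are assumptions of this example.

```python
import string

# Parsers, placeholders and variable names are the ones listed on this page.
PARSERS = {"csv_first_column", "rapiddns_html_td", "json_list",
           "virustotal_subdomains", "shodan_subdomains"}
API_ENV = {"virustotal": "API_KEY_VIRUSTOTAL", "shodan": "API_KEY_SHODAN"}
PLACEHOLDERS = {"domain"} | {f"{api}_key" for api in API_ENV}

def validate_services(config, env):
    """Return sorted (service, problem) pairs for a parsed recon_services.json."""
    problems = []
    for i, svc in enumerate(config.get("services", [])):
        name = svc.get("name") or f"services[{i}]"
        api, url = svc.get("requires_api"), svc.get("url_template", "")
        if not isinstance(svc.get("enabled"), bool):
            problems.append((name, "enabled is not true/false"))
        if svc.get("parser") not in PARSERS:
            problems.append((name, "unsupported parser"))
        try:  # Formatter.parse raises ValueError on unbalanced braces
            fields = {f for _, f, _, _ in string.Formatter().parse(url) if f}
        except ValueError:
            problems.append((name, "malformed url_template"))
            continue
        if "domain" not in fields:
            problems.append((name, "url_template lacks {domain}"))
        if fields - PLACEHOLDERS:
            problems.append((name, "unknown placeholder"))
        if any(f"{a}_key" in fields and a != api for a in API_ENV):
            problems.append((name, "key placeholder without matching requires_api"))
        # Added hardening check, not a KnockPy rule: a key in the URL needs TLS.
        if fields & (PLACEHOLDERS - {"domain"}) and not url.startswith("https://"):
            problems.append((name, "API key sent over a non-https URL"))
        # Assumes keys come from the environment rather than from --setup.
        if svc.get("enabled") and api in API_ENV and not env.get(API_ENV[api]):
            problems.append((name, f"{API_ENV[api]} is not set"))
    return sorted(problems)

# Constructed sample; hosts are placeholders, not real recon sources.
SAMPLE = {"services": [
    {"name": "ok", "enabled": True, "parser": "json_list",
     "url_template": "https://recon.example/api?d={domain}"},
    {"name": "vt", "enabled": True, "parser": "virustotal_subdomains",
     "requires_api": "virustotal",
     "url_template": "http://vt.example/{domain}?k={virustotal_key}"},
    {"name": "typo", "enabled": "yes", "parser": "json",
     "url_template": "https://recon.example/{host}"},
]}

if __name__ == "__main__":
    print(*validate_services(SAMPLE, env={}), sep="\n")
```

To check a real file, pass `json.load()` of it together with `os.environ` instead of the sample.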
knockpy -d example.com --recon --bruteforce
knockpy --report list
knockpy --report latest
knockpy --report
Interactive report menu:
- 1 show
- 2 delete
- 3 export
- 4 search
- 0 reset db (asks explicit confirmation)

Exit report mode:
- Enter on empty action prompt
- CTRL+C

knockpy -d forum.example.com --verbose
knockpy -d example.com --wildcard
KnockPy can be used as a Python module:
import knockpy
result = knockpy.KNOCKPY("example.com", timeout=5.0, threads=20)
print(result["domain"], result["ip"])
or:
from knockpy import KNOCKPY
domain = 'example.com'
results = KNOCKPY(
    domain,
    dns="8.8.8.8",
    useragent="Mozilla/5.0",
    timeout=5,
    threads=10,
    recon=True,
    bruteforce=True,
    wordlist=None,
    silent=False
)
# each entry describes one discovered subdomain
for entry in results:
    print(entry['domain'], entry['ip'], entry['http'], entry['cert'])
A default wordlist is included in knockpy/wordlist/wordlist.txt.
You can supply your own with --wordlist.
python3 -m pytest
# (optional) smoke-run example script
python3 examples/poc.py
Licensed under the GPLv3 license.
Gianni Amato (@guelfoweb)