Knockpy - A Subdomain Scanner

Knockpy Subdomain Scanner

Knockpy is a Python script written by security researcher Gianni 'guelfoweb' Amato, that can enumerate subdomains on a target domain through a wordlist. In other words, it is a subdomain scanner that allows you to use your own wordlist.

It is designed to scan for DNS zone transfer and to bypass the wildcard DNS record automatically if it is enabled.

Note: Knockpy requires Python 2.7.6

How To Use Knockpy (Windows Tutorial)

First, download Knock onto your computer (download link is at the end of this article), extract the zip file, open the folder, then right-click on the empty part of the window while holding the Shift key down. Then select "Open command window here". You will see a window as shown below.

Command Line Screenshot

Now, type " install" ( without quotes), and then hit the Enter key. Then wait for few seconds... 

Installing Knockpy Screenshot

Now, go to the "Scripts" folder which is located in the Python directory ( C:\Python27\Scripts). 

Then run the "knockpy.exe" using the command-line (right-click while holding the "Shift" key down and select "Open command window here").


knockpy [-h] [-v] [-w WORDLIST] [-r] [-c] [-j] domain

Positional arguments:
domain         target to scan, like

Optional arguments:
-h, --help     show this help message and exit
-v, --version  show program's version number and exit
-w WORDLIST    specific path to wordlist file
-r, --resolve  resolve IP or domain name
-c, --csv      save output in CSV
-j, --json     export full report in JSON


  • Subdomain scan with internal wordlist

  • Subdomain scan with external wordlist
knockpy -w wordlist.txt

  • Resolve domain name and get response headers
knockpy -r or IP

  • Save scan output in CSV
knockpy -c

  • Export full report in JSON
knockpy -j

Knockpy Running Screenshot

That's all. I hope you liked this article. If you did, please share...

Knockpy - A Subdomain Scanner Knockpy - A Subdomain Scanner Reviewed by Anonymous on 11:39 PM Rating: 5