✅ Fast & Async • 🔐 Recon + Brute • 🔧 Easy to Extend

KnockPy is a modular Python 3 tool to enumerate subdomains via passive reconnaissance and bruteforce, now with async/await support, enhanced performance, and modern HTTP/TLS handling.

• ✅ Async scanning with httpx and DNS resolution
• ✅ Modular: plug new passive sources easily
• 🔍 Supports passive recon, bruteforce, or both
• 🎨 Formatted terminal output with Rich (tables, progress, panels)
• 📜 Validates HTTP/HTTPS status, TLS cert, and IP
• ⚠️ Detects legacy TLS support (TLS 1.0/1.1) as warning in CLI/verbose/HTML report
• 🧾 Checks AXFR (zone transfer) on root domain during domain-mode scans
• 🔎 --verbose single-domain diagnostics (DNS/TCP/TLS/redirect chains/request errors + security checks)
• 💡 Supports wildcard DNS detection
• 🧪 SQLite reports with interactive catalog (show/delete/export/search)
• 🔐 Supports VirusTotal and Shodan API
• 🚀 Optimized bruteforce runtime with TLS-probe endpoint caching (no timeout changes required)

git clone https://github.com/guelfoweb/knockpy.git
cd knockpy
# recommended: install in a virtual environment
python3 -m venv .venv
. .venv/bin/activate
python3 -m pip install -U pip
pip install .

# alternative: install for the current user (no venv)
# python3 -m pip install --user .

⚠️ Recommended Python version: 3.9+

The codebase is organized by responsibility, with stable facades for backward compatibility:

knockpy/
  cli.py                   # CLI entrypoint (facade/orchestration)
  cli_parts/
    status.py              # runtime/status panel rendering
    setup.py               # interactive setup and persisted runtime defaults
    report.py              # interactive report mode
    scan_flow.py           # exclude rules, recon-test, wildcard helpers
  core.py                  # public core facade (compatibility)
  engine/
    runtime.py             # scanning engine implementation
  storage.py               # public storage facade (compatibility)
  storage_parts/
    db.py                  # SQLite persistence/settings
    export.py              # report export orchestration
    html_report.py         # HTML report rendering
  output.py                # terminal output rendering
  server_versions.py       # web-server versions catalog
  knockpy.py               # compatibility module exports

Compatibility note:

• Preferred external imports: import knockpy or from knockpy import KNOCKPY.
• Internal modules are split into engine/, cli_parts/, and storage_parts/.

Only after the stable version is released on GitHub

pip install knock-subdomains

knockpy -d domain.com [options]

These two options have the biggest impact on runtime for large scans.

• --threads controls concurrency (how many targets are processed in parallel)
• --timeout controls how long each network step waits before giving up

Trade-off:

• higher threads = faster scans, but more load on CPU/network/DNS and higher risk of remote rate-limits
• lower timeout = faster scans, but higher risk of missing slow yet valid targets (false negatives)

Recommended profiles:

• small/accurate scan (few domains): --threads 50 --timeout 5
• balanced scan: --threads 150 --timeout 4
• large scan (10k+ domains): start with --threads 250 --timeout 3

If you need both speed and completeness on very large lists, use 2-pass strategy:

1. fast pass: --threads 250 --timeout 3
2. retry pass only on missing/uncertain targets: --threads 80 --timeout 5 (or higher)

Notes:

• CLI values always override saved setup values
• saved setup values (--setup) override built-in defaults
• current built-in defaults are threads=250, timeout=3

knockpy -d example.com --recon --bruteforce

knockpy -d example.com --recon --test

knockpy --update-versions

knockpy --check-update

At first run, KnockPy creates:

~/.knockpy/recon_services.json

You can add/disable sources by editing the services array. You can also point to a custom file path without changing code:

export KNOCK_RECON_SERVICES=/path/to/recon_services.json

Each service supports:

• name
• enabled (true/false)
• parser
• url_template (supports {domain}, {virustotal_key}, {shodan_key})
• requires_api (virustotal or shodan, optional)

Supported parsers:

• csv_first_column
• rapiddns_html_td
• json_list
• virustotal_subdomains
• shodan_subdomains

echo "example.com" | knockpy -d

export API_KEY_VIRUSTOTAL=your-virustotal-api-key
export API_KEY_SHODAN=your-shodan-api-key

You can use .env file:

API_KEY_VIRUSTOTAL=your-virustotal-api-key
API_KEY_SHODAN=your-shodan-api-key

knockpy -d example.com --recon --bruteforce
knockpy --report list
knockpy --report latest
knockpy --report

Interactive report menu:

• 1 show
• 2 delete
• 3 export
• 4 search
• 0 reset db (asks explicit confirmation)

Exit report mode:

• press Enter on empty action prompt
• or press CTRL+C

knockpy -d forum.example.com --verbose

knockpy -d example.com --wildcard

KnockPy can be used as a Python module:

import knockpy

result = knockpy.KNOCKPY("example.com", timeout=5.0, threads=20)
print(result["domain"], result["ip"])

or:

from knockpy import KNOCKPY

domain = 'example.com'

results = KNOCKPY(
    domain,
    dns="8.8.8.8",
    useragent="Mozilla/5.0",
    timeout=5,
    threads=10,
    recon=True,
    bruteforce=True,
    wordlist=None,
    silent=False
)

for entry in results:
    print(entry['domain'], entry['ip'], entry['http'], entry['cert'])

A default wordlist is included in knockpy/wordlist/wordlist.txt. You can supply your own with --wordlist.

python3 -m pytest

# (optional) smoke-run example script
python3 examples/poc.py

Licensed under the GPLv3 license.

Gianni Amato (@guelfoweb)