Knock Subdomain Scan
Latest commit 7f25478 Dec 18, 2016 @guelfoweb committed on GitHub Update README.rst
Failed to load latest commit information.
knockpy ⬆️ Increase wordlist Nov 8, 2016
CHANGELOG.rst Use headers properly Jul 13, 2015
README.rst Update README.rst Dec 17, 2016 Update version number Apr 17, 2015


Knock Subdomain Scan v.3.0

Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist.

NEW: TRY KNOCKPY v.4.0beta


knockpy [-h] [-v] [-w WORDLIST] [-r] [-z] domain

positional arguments:

domain         specific target domain, like

optional arguments:

-h, --help     show this help message and exit
-v, --version  show program's version number and exit
-w WORDLIST    specific path to wordlist file
-r, --resolve  resolve ip or domain name
-z, --zone     check for zone transfer

note: the ALIAS name is marked in yellow.


subdomain scan with internal wordlist


subdomain scan with external wordlist

knockpy -w wordlist.txt

resolve domain name and get response headers

knockpy -r

check zone transfer for domain name

knockpy -z


from pypi (as root)

pip install

or manually, download zip and extract folder

cd knock-knock3/

(as root)

python install

note: tested with python 2.7.6 | is recommended to use google dns ( |

Talk about

Ethical Hacking and Penetration Testing Guide Book by Rafay Baloch


This tool is currently maintained by Gianni 'guelfoweb' Amato, who can be contacted at or twitter @guelfoweb. Suggestions and criticism are welcome.

Sponsored by Security Side