May 18, 2024

OSINT Tools: Knockpy

3 min read

What is Knockpy?

Knockpy is a Python-based subdomain reconnaissance tool that utilizes various techniques and data sources to efficiently identify subdomains of a given domain. It is a handy tool for security professionals, penetration testers, and bug bounty hunters to expand their attack surface and uncover potential security vulnerabilities.


Knockpy is relatively straightforward to install, as it is a Python script. Here’s how to set it up:


Ensure that you have Python and pip installed on your system. Most Linux distributions come with Python preinstalled, but you can install pip if it’s not already available.

Installation Steps

  1. Open a Terminal: Launch a terminal window on your system.
  2. Install Knockpy Using pip:bash

pip install knockpy

This command will download and install the Knockpy package along with its dependencies.

Verify the Installation:

To ensure that Knockpy is successfully installed, run the following command:


  1. knockpy -h This command should display the help menu, confirming that Knockpy is correctly installed.

Using Knockpy

Knockpy is user-friendly and offers various options to customize your subdomain enumeration process. Here’s how to get started:

Basic Usage

To perform a basic subdomain enumeration, simply run Knockpy with the target domain as an argument:



Knockpy will initiate queries to different data sources and DNS records to discover subdomains associated with the target domain. The results will be displayed in your terminal.

Enumerate Subdomains with Output

You can save the enumeration results to a file using the -o or --output flag:


knockpy -o output.txt

This command will create a text file (output.txt) containing the discovered subdomains.

Specify a Custom Wordlist

You can use a custom wordlist to improve the accuracy of subdomain discovery. Use the -w or --wordlist flag to specify a wordlist file:


knockpy -w custom_wordlist.txt

Replace custom_wordlist.txt with the path to your custom wordlist file.

Output Format

Knockpy provides various output formats, including text, CSV, and JSON. Use the -f or --format flag followed by the desired output format:


knockpy -f json

This command will save the results in JSON format.

Verbose Mode

To get more detailed information about the enumeration process, you can enable verbose mode using the -v or --verbose flag:


knockpy -v

Verbose mode will display additional information during the enumeration process.


Knockpy is a valuable tool for subdomain enumeration, offering simplicity and flexibility in discovering subdomains associated with a target domain. Whether you’re a cybersecurity professional, penetration tester, or bug bounty hunter, integrating Knockpy into your toolkit can significantly enhance your reconnaissance capabilities.

Always use Knockpy responsibly and within the boundaries of applicable laws and regulations. With its ease of use and customization options, Knockpy is a valuable addition to your cybersecurity toolbox for information gathering and reconnaissance tasks.

For advanced features and options, you can refer to the official Knockpy GitHub repository: Knockpy GitHub Repository.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may have missed

Discover more from

Subscribe now to keep reading and get access to the full archive.

Continue reading