Knockpy is a Python-based subdomain enumeration tool. It brute-forces the subdomains of a target domain using its built-in wordlist or a custom wordlist you supply. In addition, Knockpy checks for DNS zone transfers and attempts to automatically bypass wildcard DNS records (if any are enabled). Knockpy currently supports VirusTotal subdomain queries; set your API_KEY in the config.json file.
Simply type the following command:
$ knockpy domain.com
To get the full report in JSON:
$ knockpy domain.com --json
Installation
Dependencies
$ sudo apt-get install python-dnspython
Install
$ git clone https://github.com/guelfoweb/knock.git
$ cd knock
$ nano knockpy/config.json <- set your virustotal API_KEY
$ sudo python setup.py install
Note: here I recommend using Google DNS: 8.8.8.8 and 8.8.4.4
$ knockpy -h
usage: knockpy [-h] [-v] [-w WORDLIST] [-r] [-c] [-j] domain
___________________________________________
knock subdomain scan
knockpy v.4.1
Author: Gianni 'guelfoweb' Amato
Github: https://github.com/guelfoweb/knock
___________________________________________
positional arguments:
  domain               target domain to scan, e.g. domain.com
optional arguments:
  -h, --help           show this help message and exit
  -v, --version        show the program's version number and exit
  -w WORDLIST          path to the wordlist file
  -r, --resolve        resolve IP or domain name
  -c, --csv            save output in CSV format
  -j, --json           export the full report in JSON format
example:
knockpy domain.com
knockpy domain.com -w wordlist.txt
knockpy -r domain.com or IP
knockpy -c domain.com
knockpy -j domain.com
VirusTotal subdomain query: set your API_KEY in the config.json file.
Scan subdomains with the built-in wordlist
$ knockpy domain.com
Scan subdomains with a specified wordlist
$ knockpy domain.com -w wordlist.txt
Resolve the domain name and get the HTTP response headers
$ knockpy -r domain.com [or IP]
+ checking for virustotal subdomains: YES
  [
    "partnerissuetracker.corp.google.com",
    "issuetracker.google.com",
    "r5---sn-ogueln7k.c.pack.google.com",
    "cse.google.com",
    .......too long.......
    "612.talkgadget.google.com",
    "765.talkgadget.google.com",
    "973.talkgadget.google.com"
  ]
+ checking for wildcard: NO
+ checking for zonetransfer: NO
+ resolving target: YES
{
  "zonetransfer": {
    "enabled": false,
    "list": []
  },
  "target": "google.com",
  "hostname": "google.com",
  "virustotal": [
    "partnerissuetracker.corp.google.com",
    "issuetracker.google.com",
    "r5---sn-ogueln7k.c.pack.google.com",
    "cse.google.com",
    "mt0.google.com",
    "earth.google.com",
    "clients1.google.com",
    "pki.google.com",
    "www.sites.google.com",
    "appengine.google.com",
    "fcmatch.google.com",
    "dl.google.com",
    "translate.google.com",
    "feedproxy.google.com",
    "hangouts.google.com",
    "news.google.com",
    .......too long.......
    "100.talkgadget.google.com",
    "services.google.com",
    "301.talkgadget.google.com",
    "857.talkgadget.google.com",
    "600.talkgadget.google.com",
    "992.talkgadget.google.com",
    "93.talkgadget.google.com",
    "storage.cloud.google.com",
    "863.talkgadget.google.com",
    "maps.google.com",
    "661.talkgadget.google.com",
    "325.talkgadget.google.com",
    "sites.google.com",
    "feedburner.google.com",
    "support.google.com",
    "code.google.com",
    "562.talkgadget.google.com",
    "190.talkgadget.google.com",
    "58.talkgadget.google.com",
    "612.talkgadget.google.com",
    "765.talkgadget.google.com",
    "973.talkgadget.google.com"
  ],
  "alias": [],
  "wildcard": {
    "detected": {},
    "test_target": "eqskochdzapjbt.google.com",
    "enabled": false,
    "http_response": {}
  },
  "ipaddress": [
    "216.58.205.142"
  ],
  "response_time": "0.0351989269257",
  "http_response": {
    "status": {
      "reason": "Found",
      "code": 302
    },
    "http_headers": {
      "content-length": "256",
      "location": "http://www.google.it/?gfe_rd=cr&ei=60WIWdmnDILCXoKbgfgK",
      "cache-control": "private",
      "date": "Mon, 07 Aug 2017 10:50:19 GMT",
      "referrer-policy": "no-referrer",
      "content-type": "text/html; charset=UTF-8"
    }
  }
}
Save the scan output in CSV format
$ knockpy -c domain.com
Export the full report in JSON format
$ knockpy -j domain.com
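How the wildcard bypass described at the top of this page works, as an added example that is not Knockpy's own code: it probes random labels under the zone (compare the `test_target` in the report's `wildcard` block above), records the IPs a wildcard record answers with, and drops brute-force hits that return nothing but those IPs. `constructed_resolver` and the example.com records are constructed stand-ins for real DNS so the script runs offline; with dnspython installed you would pass a real resolver function instead.

```python
import random
import string
from typing import Callable, Dict, List

# A resolver maps a hostname to the list of IPs it resolves to ([] if it does not exist).
Resolver = Callable[[str], List[str]]


def random_label(length: int = 14) -> str:
    """Random lowercase label, like the 'test_target' in Knockpy's wildcard block."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Dict[str, object]:
    """Probe random subdomains that should not exist. If they resolve, the zone has a
    wildcard record; remember the IPs it answers with so real hosts can be told apart."""
    detected: Dict[str, List[str]] = {}
    for _ in range(probes):
        target = f"{random_label()}.{domain}"
        ips = resolve(target)
        if ips:
            detected[target] = ips
    wildcard_ips = {ip for ips in detected.values() for ip in ips}
    return {"enabled": bool(detected), "detected": detected, "wildcard_ips": wildcard_ips}


def bruteforce(domain: str, wordlist: List[str], resolve: Resolver) -> Dict[str, List[str]]:
    """Try each word as a subdomain, dropping hits that are only the wildcard answer."""
    wildcard_ips = detect_wildcard(domain, resolve)["wildcard_ips"]
    found: Dict[str, List[str]] = {}
    for word in wordlist:
        host = f"{word}.{domain}"
        ips = resolve(host)
        # A host whose every IP is a wildcard IP cannot be told apart from a non-existent one,
        # so it is skipped (a real host that shares the wildcard IP is the known blind spot).
        if ips and not set(ips) <= wildcard_ips:
            found[host] = ips
    return found


def constructed_resolver(records: Dict[str, List[str]], wildcard: Dict[str, List[str]]) -> Resolver:
    """Offline stand-in for DNS (constructed for this example): exact records win,
    otherwise any name under a wildcard zone gets that zone's wildcard answer."""
    def resolve(host: str) -> List[str]:
        if host in records:
            return records[host]
        for zone, ips in wildcard.items():
            if host.endswith("." + zone):
                return ips
        return []
    return resolve
```

Calling `bruteforce("example.com", ["www", "mail", "ghost"], resolve)` with a resolver built from `{"www.example.com": ["192.0.2.1"], "mail.example.com": ["192.0.2.2"]}` and wildcard `{"example.com": ["192.0.2.10"]}` returns only the two real hosts, because `ghost` resolves to the wildcard IP alone.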
Knockpy comes pre-installed in the following environments:
- BackBox Linux
- PentestBox for Windows
- Buscador