pax_global_header00006660000000000000000000000064126320320230014503gustar00rootroot0000000000000052 comment=64cacf883f4e8401e77ce78a3273ded2ab6d9e63 knock-3.0.0/000077500000000000000000000000001263203202300126105ustar00rootroot00000000000000knock-3.0.0/CHANGELOG.rst000066400000000000000000000004361263203202300146340ustar00rootroot000000000000003.0 rc1 - 2014-02-21 ==================== - release v.3.0 rc1 2.0 - 2014-02-20 ================ - rewrite code and options - detect ALIAS name - automatic wildcard bypass - resolve single domain 1.x - 2011 ========== - old version on Google Code -> http://code.google.com/p/knock/ knock-3.0.0/README.rst000066400000000000000000000042221263203202300142770ustar00rootroot00000000000000========================== Knock Subdomain Scan v.3.0 ========================== Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist. .. figure:: https://cloud.githubusercontent.com/assets/41558/6314173/d22644d6-b9d3-11e4-9e95-e3a72a946bcb.jpg :align: center :width: 90% :figwidth: 85% Usage ----- .. code-block:: bash knockpy [-h] [-v] [-w WORDLIST] [-r] [-z] domain positional arguments: .. code-block:: bash domain specific target domain, like domain.com optional arguments: .. code-block:: bash -h, --help show this help message and exit -v, --version show program's version number and exit -w WORDLIST specific path to wordlist file -r, --resolve resolve ip or domain name -z, --zone check for zone transfer note: the ALIAS name is marked in yellow. Example ------- subdomain scan with internal wordlist .. code-block:: bash knockpy domain.com subdomain scan with external wordlist .. code-block:: bash knockpy domain.com -w wordlist.txt resolve domain name and get response headers .. code-block:: bash knockpy -r domain.com check zone transfer for domain name .. code-block:: bash knockpy -z domain.com ======= Install ======= from pypi (as root) .. code-block:: bash pip install https://github.com/guelfoweb/knock/archive/knock3.zip or manually, `download zip `_ and extract folder .. code-block:: bash cd knock-knock3/ (as root) .. code-block:: bash python setup.py install note: tested with python 2.7.6 | is recommended to use `google dns `_ (8.8.8.8 | 8.8.4.4) ========== Talk about ========== `Ethical Hacking and Penetration Testing Guide `_ Book by Rafay Baloch ===== Other ===== This tool is currently maintained by Gianni 'guelfoweb' Amato, who can be contacted at guelfoweb@gmail.com or twitter `@guelfoweb `_. Suggestions and criticism are welcome. Sponsored by `Security Side `_ knock-3.0.0/knockpy/000077500000000000000000000000001263203202300142665ustar00rootroot00000000000000knock-3.0.0/knockpy/__init__.py000066400000000000000000000001771263203202300164040ustar00rootroot00000000000000import os _ROOT = os.path.abspath(os.path.dirname(__file__)) def get_data(path): return os.path.join(_ROOT, 'wordlist', path) knock-3.0.0/knockpy/knockpy.py000066400000000000000000000067101263203202300163220ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- # Knock subdomain scan (aka knockpy) # # Knock is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Knock is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Knock. If not, see . from modules import core import argparse __version__='3.0' __description__='''\ ___________________________________________ knock subdomain scan (aka knockpy) | v.'''+__version__+''' Author: Gianni 'guelfoweb' Amato Github: https://github.com/guelfoweb/knock ___________________________________________ ''' def getinfo(domain, resolve): # Resolve domain core.header_target(domain) # if [knockpy domain.com] -> resolve is False # if [knockpy -r domain.com] -> resolve is True core.show_resolved(domain,resolve) # Status code core.header_response_code() core.get_banner(domain) core.show_banner('code') # Headers core.header_response_head() core.show_banner('head') # Wildcard core.show_wildcard(domain) def get_wordlist_targetlist(domain, path_to_worlist=False): # Wordlist, targetlist core.get_wordlist(domain, path_to_worlist) core.get_targetlist(domain) def start(domain): # Start core.header_start_scan(domain) core.subdomain_scan() def statistics(): # Statistics core.header_stats_summary() core.report() def savescan(domain): # Save result core.save_in_csv(domain) def getzone(domain): core.getzone(domain) def main(): parser = argparse.ArgumentParser( version=__version__, formatter_class=argparse.RawTextHelpFormatter, prog='knockpy', description=__description__, epilog = '''\ EXAMPLE: subdomain scan with internal wordlist knockpy domain.com resolve domain name and get response headers knockpy -r domain.com check zone transfer for domain name knockpy -z domain.com The ALIAS name is marked in yellow''') parser.add_argument('domain', help='specific target domain, like domain.com') parser.add_argument('-w', help='specific path to wordlist file', nargs=1, dest='wordlist', required=False) parser.add_argument('-r', '--resolve', help='resolve ip or domain name', action='store_true', required=False) parser.add_argument('-z', '--zone', help='check for zone transfer', action='store_true', required=False) args = parser.parse_args() # args strings domain = args.domain wlist = args.wordlist if wlist: wlist = wlist[0] # args True or False resolve = args.resolve zone = args.zone # [knockpy -r domain.com] if domain and resolve and not zone: # resolve = True getinfo(domain, resolve) # [knockpy -z domain.com] elif domain and zone and not resolve: getzone(domain) # [knockpy domain.com] elif domain and not resolve and not zone: # resolve = False getinfo(domain, resolve) if wlist: get_wordlist_targetlist(domain, wlist) else: # get_wordlist_targetlist(domain,path_to_worlist=False) # no wlist get_wordlist_targetlist(domain) start(domain) statistics() savescan(domain) else: exit('error arguments: use knockpy -h to help') if __name__ == '__main__': main() knock-3.0.0/knockpy/modules/000077500000000000000000000000001263203202300157365ustar00rootroot00000000000000knock-3.0.0/knockpy/modules/__init__.py000066400000000000000000000000021263203202300200370ustar00rootroot00000000000000 knock-3.0.0/knockpy/modules/core.py000066400000000000000000000143461263203202300172500ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- # ---------------------------------------------------------------------- # This file is part of Knock subdomain scan (aka knockpy) # # Knock is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Knock is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Knock. If not, see . # ---------------------------------------------------------------------- import getheader import headers import stats import target import utilipy import wildcard import wordlist import subscan import zonetransfer import font def get_header(url, path, method): return getheader.req(url, path, method) def subscan_start(target): return subscan.start(target) def get_info_wordlist(path_to_worlist=False): return wordlist.check_status(path_to_worlist) def prepare_targetlist(domain, wordlist): targets = [] for sub in wordlist: targets.append(sub+'.'+domain) return targets def get_target(_target, verbose, test): # call from bypass_wildcard(target, wcode) return target.get(_target, verbose, test) def stats_general_summary(targetlist): return stats.start(found, targetlist) def bypass_wildcard(target, wcode): # call from subdomain_scan() if wildcard.bypass(target, wcode): return get_target(target, True, False) def test_wildcard(target): return wildcard.test(target) host_not_found = False wildcard_detected = False # Resolve domain def header_target(domain): print headers.target(domain) def show_resolved(domain, resolve): # if [knockpy domain.com] -> resolve is False # resolve is True only if use -r option # return alias and host test_host = subscan.start(domain) # HOST NOT FOUND for: # [knockpy domain.com] or [knockpy -r domain.com] if not test_host: print font.color('red')+'\n: unknown '+domain+font.color('end') # if [knockpy -r domain.com] # bye bye if resolve: exit() # if [knockpy domain.com] # prepare query [c] -> continue, [enter] -> exit query = 'press '+font.color('bold')+'[c]'\ +font.color('end')+' to continue to scan or '\ +font.color('bold')+'[enter]'+font.color('end')\ +' to exit: ' # prompt res = raw_input(query) if res != 'c': exit() # set values host_not_found = True # I don't test wildcard, so: wildcard_detected = False return # HOST NOT FOUND for: # [knockpy domain.com] or [knockpy -r domain.com] # get alias and host list (alias, host) = test_host[0], test_host[1] output = '' # if alias exist if alias: for name in alias: (ipaddr, aliasn) = str(name[1]), str(name[0]) output += font.color('yellow')+ipaddr.ljust(18)+aliasn+'\n'+font.color('end') # host always exists len_host = len(host) for i in xrange(0, len_host): # get hostname by ip (ipaddr, hostname) = host[i][1], host[i][0] if ipaddr == hostname: hostname = subscan.hostbyip(domain) output += ipaddr.ljust(18)+hostname+'\n' print output # Code and headers def get_banner(domain): # host_not_found is False by default # or set to True by show_resolved(domain, resolve) if host_not_found: return # return [headers] # status, reason, headers # len = 3 getinfo_header = getheader.req(domain,'/','HEAD') # set to global for show_banner(domain) global code, reason, header if not getinfo_header: (code, header) = False, False return (code, reason, header) = str(getinfo_header[0]), str(getinfo_header[1]), getinfo_header[2] def header_response_code(): # host_not_found is False by default # or set to True by show_resolved(domain, resolve) if host_not_found: return print headers.response_code() def header_response_head(): # host_not_found is False by default # or set to True by show_resolved(domain, resolve) if host_not_found: return print headers.response_head() def show_banner(typo): # host_not_found is False by default # or set to True by show_resolved(domain, resolve) if host_not_found: return # code is global variable from get_banner(domain) # return code, reason, header # print code, reason if typo == 'code' and code: print code.ljust(18)+reason+'\n' # print headers if typo == 'head' and header: for head in header: # output first chars: 17 fields | 61 values print str(head[0])[0:17].ljust(18)+str(head[1])[0:61] # Wildcard, wordlist, targetlist def show_wildcard(domain): # host_not_found is False by default # or set to True by show_resolved(domain, resolve) if host_not_found: return # test wildcard global wildcard_detected wildcard_detected = False wildcard_test = wildcard.test(domain) if wildcard_test[0]: wildcard_detected = True # set a new value for code # from random subdomain response headers global wcode wcode = str(wildcard_test[0][0]) print font.color('red')+'\n: wildcard detected: '+wcode+font.color('end') def get_wordlist(domain, path_to_worlist=False): # import wordlist getinfo_wordlist = get_info_wordlist(path_to_worlist) global wordlist (location, wordlist) = getinfo_wordlist[0], getinfo_wordlist[1] print headers.status_wordlist(location, wordlist) def get_targetlist(domain): # prepare subdomain.domain.com global targetlist targetlist = prepare_targetlist(domain, wordlist) # Start def header_start_scan(domain): print headers.start_scan(domain) def subdomain_scan(): for target in targetlist: if wildcard_detected: result = bypass_wildcard(target, wcode) else: result = get_target(target, False, False) if result: print result # Statistics def header_stats_summary(): return headers.stats_summary() def report(): print target.get_report(targetlist) # Save result in csv def save_in_csv(domain): print target.save_csv(domain) # Zone transfer def getzone(domain): detected = zonetransfer.check(domain) if not detected: exit('zone transfer not found') print headers.start_scan_zt(domain) for item in detected: (ip, subdomain) = str(item[0]), str(item[1]) print ip.ljust(18)+subdomain knock-3.0.0/knockpy/modules/font.py000066400000000000000000000020771263203202300172640ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- # ---------------------------------------------------------------------- # This file is part of Knock subdomain scan (aka knockpy) # # Knock is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Knock is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Knock. If not, see . # ---------------------------------------------------------------------- def color(style): if style == 'yellow': return '\033[93m' if style == 'red': return '\033[91m' if style == 'ciano': return '\033[36m' if style == 'bold': return '\033[1m' if style == 'end': return '\033[0m' knock-3.0.0/knockpy/modules/getheader.py000066400000000000000000000027311263203202300202430ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- # ---------------------------------------------------------------------- # This file is part of Knock subdomain scan (aka knockpy) # # Knock is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Knock is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Knock. If not, see . # ---------------------------------------------------------------------- import httplib agent = "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:35.0) Gecko/20100101 Firefox/35.0" def req(url, path, method): try: conn = httplib.HTTPConnection(url) conn.putrequest(method, path) conn.putheader("User-Agent", agent) ''' #conn.putheader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8") #conn.putheader("Connection", "keep-alive") # Test for XST conn.putheader('Via', '') conn.request(method, path) ''' conn.endheaders() res = conn.getresponse() conn.close() return res.status, res.reason, res.getheaders() except: return False knock-3.0.0/knockpy/modules/headers.py000066400000000000000000000041461263203202300177300ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- # ---------------------------------------------------------------------- # This file is part of Knock subdomain scan (aka knockpy) # # Knock is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Knock is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Knock. If not, see . # ---------------------------------------------------------------------- import font def status_wordlist(location, wlist): return font.color('ciano')+'\nLoaded '+font.color('bold')+location+font.color('end')\ +font.color('ciano')+' wordlist with '+font.color('bold')+str(len(wlist))+font.color('end')\ +font.color('ciano')+' item(s)\n'+font.color('end') def start_scan(domain): text = font.color('bold') + 'Getting subdomain for ' + domain + font.color('end') + '\n\n' text += 'Ip Address'.ljust(18) + 'Domain Name\n' text += '----------'.ljust(18) + '-----------' return text def target(domain): text = font.color('bold')+'Target information '+domain+font.color('end')+'\n\n' text += 'Ip Address'.ljust(18) + 'Target Name\n' text += '----------'.ljust(18) + '-----------' return text def response_code(): text = 'Code'.ljust(18) + 'Reason\n' text += '----------'.ljust(18) + '-----------' return text def response_head(): text = 'Field'.ljust(18) + 'Value\n' text += '----------'.ljust(18) + '-----------' return text def stats_summary(): return font.color('bold')+'\nSummary\n'+font.color('end') def start_scan_zt(domain): text = font.color('bold') + 'Getting zone transfer for ' + domain + font.color('end') + '\n\n' text += 'Ip Address'.ljust(18) + 'Domain Name\n' text += '----------'.ljust(18) + '-----------' return text knock-3.0.0/knockpy/modules/stats.py000066400000000000000000000034361263203202300174540ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- # ---------------------------------------------------------------------- # This file is part of Knock subdomain scan (aka knockpy) # # Knock is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Knock is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Knock. If not, see . # ---------------------------------------------------------------------- import socket import font def cogito(found, targetlist): # print found # enable for debug ipaddr = [] subdomain = [] subdomain_in_wlist = [] subdomain_for_ip = [] len_found = len(found) # ip address discovered for i in xrange(0, len_found): ipaddr.append(found[i][1]) uniq_ipaddr = set(ipaddr) # subdomain discovered for i in xrange(0, len_found): subdomain.append(found[i][2]) uniq_subdomain = set(subdomain) # subdomain in wordlist for subdomain in uniq_subdomain: if subdomain in targetlist: subdomain_in_wlist.append(subdomain) uniq_wlist = set(subdomain_in_wlist) report = '\nFound '+font.color('bold')+str(len(uniq_subdomain))\ +font.color('end')+' subdomain(s) in '+font.color('bold')+str(len(uniq_ipaddr))+font.color('end')+' host(s).\n'\ +font.color('bold')+str(len(uniq_wlist))+font.color('end')+'/'+font.color('bold')+str(len(uniq_subdomain))+font.color('end')\ +' subdomain(s) are in wordlist.' return report knock-3.0.0/knockpy/modules/subscan.py000066400000000000000000000032101263203202300177420ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- # ---------------------------------------------------------------------- # This file is part of Knock subdomain scan (aka knockpy) # # Knock is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Knock is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Knock. If not, see . # ---------------------------------------------------------------------- import socket # set the default timeout on sockets to 5 seconds if hasattr(socket, 'setdefaulttimeout'): socket.setdefaulttimeout(5) # <- here def start(target): found_alias = [] found_host = [] try: ipv4 = socket.gethostbyname(target) # Ip Address format if ipv4: soc = socket.gethostbyname_ex(target) # print soc, target # enable for debug for alias in soc[1]: try: # alias -> ip ipaddr = socket.gethostbyname(alias) found_alias.append([alias, ipaddr]) except: pass hostname = soc[0] for ipaddr in soc[2]: found_host.append([hostname, ipaddr]) soc.close() except: pass if found_alias or found_host: return found_alias, found_host else: return False def hostbyip(ip): try: return socket.gethostbyaddr(ip)[0] except: return False knock-3.0.0/knockpy/modules/target.py000066400000000000000000000045061263203202300176030ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- # ---------------------------------------------------------------------- # This file is part of Knock subdomain scan (aka knockpy) # # Knock is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Knock is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Knock. If not, see . # ---------------------------------------------------------------------- import font import subscan import utilipy import stats global found found = [] def get(target, verbose, test): text = '' result = subscan.start(target) if result: (alias, host) = result[0], result[1] else: return # Detect alias for item in alias: found.append([target, item[1], item[0], 'alias']) text += font.color('yellow') + str(item[1]).ljust(18) + str(item[0]) + font.color('end') + '\n' # Test wildcard to detect host if verbose and not test: for item in host: found.append([target, item[1], item[0], 'host']) text += str(item[1]).ljust(18) + str(item[0]) + '\n' # Test subdomain to detect host if not verbose and not test: for item in host: found.append([target, item[1], item[0], 'host']) text += str(item[1]).ljust(18) + str(item[0]) + '\n' # Test root domain to detect host if test: for item in host: found.append([target, item[1], item[0], 'host']) text += str(item[1]).ljust(18) + str(item[0]) + '\n' return text.rstrip() def save_csv(domain): if not found: exit() timestamp = utilipy.timestamp() filename = domain.replace('.', '_')+'_'+str(timestamp)+'.csv' try: utilipy.touch(filename) with open(filename, 'a') as f: f.write('target,ip address,domain name,type\n') for row in found: f.write(row[0]+','+row[1]+','+row[2]+','+row[3]+'\n') f.close() return '\nOutput saved in CSV format: '+filename except: return '\nCannot write csv file: '+filename def get_report(targetlist): return stats.cogito(found, targetlist) knock-3.0.0/knockpy/modules/utilipy.py000066400000000000000000000044431263203202300200140ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- # ---------------------------------------------------------------------- # This file is part of Knock subdomain scan (aka knockpy) # # Knock is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Knock is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Knock. If not, see . # ---------------------------------------------------------------------- import re import os.path import urllib2 import string import time ''' v.0.1 This module contains the following functions: . replace_url_to_link(text) . loadfile_wordlist(filename) . isfile(filename) . touch(filename) . downloadfile(fileurl) . timestamp() . uniqlist(lista) ''' def replace_url_to_link(text): # Replace url text to link. # Credit: https://gist.github.com/guillaumepiot/4539986 urls = re.compile(r"((https?):((//)|(\\\\))+[\w\d:#@%/;$()~_?\+-=\\\.&]*)", re.MULTILINE|re.UNICODE) text = urls.sub(r'\1', text) ''' Replace email to mailto ''' urls = re.compile(r"([\w\-\.]+@(\w[\w\-]+\.)+[\w\-]+)", re.MULTILINE|re.UNICODE) text = urls.sub(r'\1', text) return text def loadfile_wordlist(filename): # Load wordlist from file (rows read per fetched row) and return list. filename = open(filename,'r') wlist = filename.read().split('\n') filename.close return filter(None, wlist) def isfile(filename): # Verify if file exist. return os.path.isfile(filename) def touch(filename): # Create empty file. fname = filename file = open(fname, 'w') file.close() def downloadfile(fileurl): # Get content remote file via http(s) and return contenet. try: response = urllib2.urlopen(fileurl) return response.read() except: pass def timestamp(): return time.time() def uniqlist(lista): ulist = [] [ulist.append(x) for x in lista if x not in ulist] return ulist knock-3.0.0/knockpy/modules/wildcard.py000066400000000000000000000032531263203202300201040ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- # ---------------------------------------------------------------------- # This file is part of Knock subdomain scan (aka knockpy) # # Knock is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Knock is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Knock. If not, see . # ---------------------------------------------------------------------- import getheader import random import socket def bypass(target, wcode): # beta feature text = '' header = getheader.req(target,'/','HEAD') # bypass status code -> header[0] = 301 or 302 if header and str(header[0]) != wcode: return True else: return False def test(target): # call from show_wildcard(domain) rndString = rnd('abcdefghijklmnopqrstuvwxyz') rndSubdomain = str(rndString)+'.'+target try: host = socket.gethostbyname(rndSubdomain) if host: httpreq = getheader.req(rndSubdomain,'/','HEAD') return httpreq, True except: return False, False def rnd(alphabet): # random string # alphabet = 'abcdefghijklmnopqrstuvwxyz' min = 5 max = 15 total = 2 rndstring = '' for count in xrange(1,total): for x in random.sample(alphabet,random.randint(min,max)): rndstring+=x return rndstring knock-3.0.0/knockpy/modules/wordlist.py000066400000000000000000000041371263203202300201640ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- # ---------------------------------------------------------------------- # This file is part of Knock subdomain scan (aka knockpy) # # Knock is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Knock is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Knock. If not, see . # ---------------------------------------------------------------------- import utilipy import font import os _ROOT = os.path.abspath(os.path.dirname(__file__)) def get_data(path): return os.path.join(_ROOT, 'wordlist', path) internal_wlist = get_data('wordlist.txt').replace('modules/', '') remote_wlist = 'https://raw.github.com/guelfoweb/knock/master/wordlist.txt' def check_status(path_to_wordlist=False): if path_to_wordlist: local_wlist=path_to_wordlist else: local_wlist=internal_wlist if utilipy.isfile(local_wlist): # local wordlist wlist = utilipy.loadfile_wordlist(local_wlist) location = 'local' else: # remote wordlist print font.color('red')+'\nwarning: wordlist not found '+local_wlist+font.color('end') res = raw_input('\npress [c] to download remote wordlist or [enter] to exit: ') if res != 'c': exit() wlist = utilipy.downloadfile(remote_wlist) if wlist: wlist = wlist.split('\n') location = 'remote' if wlist and location: return location, filter(None, wlist) else: exit('Local wordlist not found\n'+local_wlist+'\n\nRemote wordlist not found or connection error\n'+remote_wlist) def prepare(domain): wordlist = [] get_info_wordlist = check_status() location = get_info_wordlist[0] wlist = get_info_wordlist[1] for sub in wlist: wordlist.append(sub+'.'+domain) return worlist knock-3.0.0/knockpy/modules/zonetransfer.py000066400000000000000000000040621263203202300210320ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- # ---------------------------------------------------------------------- # This file is part of Knock subdomain scan (aka knockpy) # # Knock is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Knock is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Knock. If not, see . # ---------------------------------------------------------------------- import socket # set the default timeout on sockets to 5 seconds if hasattr(socket, 'setdefaulttimeout'): socket.setdefaulttimeout(5) # <- here try: import dns.resolver, dns.query, dns.zone except: exit('ImportError: No module named dnspython\ninstall python-dnspython') def zonetransfer(domain): # Zone Transfer ns = [] try: answers = dns.resolver.query(domain,'NS') except: exit('zone transfer not found') for rdata in answers: rdata = str(rdata).rstrip('.') ns.append(hostbyname(rdata)) for n in ns: zt = [] try: zone = dns.zone.from_xfr(dns.query.xfr(n, domain)) except: exit('zone transfer not found') if zone: for name, node in zone.nodes.items(): rdataset = node.rdatasets for record in rdataset: name = str(name) if name != '@' and name != '*': zt.append(name+'.'+domain) return zt def hostbyname(domain): try: # translate a host name to IPv4 address format return socket.gethostbyname(domain) except: return False def check(domain): found_list = [] if hostbyname(domain): detected = zonetransfer(domain) for subdomain in detected: ip = hostbyname(subdomain) if ip: found_list.append([ip, subdomain]) return found_list else: return False knock-3.0.0/knockpy/wordlist/000077500000000000000000000000001263203202300161355ustar00rootroot00000000000000knock-3.0.0/knockpy/wordlist/wordlist.txt000066400000000000000000000272361263203202300205570ustar00rootroot0000000000000001 02 03 1 10 11 12 13 14 15 16 17 18 19 2 20 3 3com 4 5 6 7 8 9 a a.auth-ns a01 a02 a1 a2 abc about ac academico acceso access accounting accounts acid activestat ad adam adkit admin administracion administrador administrator administrators admins ads adsense adserver adsl ae af affiliate affiliates affiliati afiliados ag agenda agent ai aix ajax ak akamai al alabama alaska albuquerque alerts alpha alterwind am amarillo americas an anaheim analyzer announce announcements antivirus ao ap apache apollo app app01 app1 apple application applications apps appserver aq ar archie arcsight argentina arizona arkansas arlington as as400 asia asterix at athena atlanta atlas att au auction austin auth auto av aw ayuda az b b.auth-ns b01 b02 b1 b2 b2b b2c ba back backend backup baker bakersfield balance balancer baltimore banking bayarea bb bbdd bbs bd bdc be bea beta bf bg bh bi billing biz biztalk bj black blackberry blog blogs blue bm bn bnc bo bob bof boise bolsa border boston boulder boy br bravo brazil britian broadcast broker bronze brown bs bsd bsd0 bsd01 bsd02 bsd1 bsd2 bt bug buggalo bugs bugzilla build bulletins burn burner buscador buy bv bw by bz c c.auth-ns ca cache cafe calendar california call calvin canada canal canon careers catalog cc cd cdburner cdn cert certificates certify certserv certsrv cf cg cgi ch channel channels charlie charlotte chat chats chatserver check checkpoint chi chicago ci cims cincinnati cisco citrix ck cl class classes classifieds classroom cleveland clicktrack client clientes clients club clubs cluster clusters cm cmail cms cn co cocoa code coldfusion colombus colorado columbus com comunicare comunicati comunicazione commerce commerceserver communigate community compaq compras con concentrator conf conference conferencing confidential connect connecticut consola console consult consultant consultants consulting consumer contact content contracts core core0 core01 corp corpmail corporate correo correoweb cortafuegos counterstrike courses cr cricket crm crs cs cso css ct cu cust1 cust10 cust100 cust101 cust102 cust103 cust104 cust105 cust106 cust107 cust108 cust109 cust11 cust110 cust111 cust112 cust113 cust114 cust115 cust116 cust117 cust118 cust119 cust12 cust120 cust121 cust122 cust123 cust124 cust125 cust126 cust13 cust14 cust15 cust16 cust17 cust18 cust19 cust2 cust20 cust21 cust22 cust23 cust24 cust25 cust26 cust27 cust28 cust29 cust3 cust30 cust31 cust32 cust33 cust34 cust35 cust36 cust37 cust38 cust39 cust4 cust40 cust41 cust42 cust43 cust44 cust45 cust46 cust47 cust48 cust49 cust5 cust50 cust51 cust52 cust53 cust54 cust55 cust56 cust57 cust58 cust59 cust6 cust60 cust61 cust62 cust63 cust64 cust65 cust66 cust67 cust68 cust69 cust7 cust70 cust71 cust72 cust73 cust74 cust75 cust76 cust77 cust78 cust79 cust8 cust80 cust81 cust82 cust83 cust84 cust85 cust86 cust87 cust88 cust89 cust9 cust90 cust91 cust92 cust93 cust94 cust95 cust96 cust97 cust98 cust99 customer customers cv cvs cx cy cz d dallas data database database01 database02 database1 database2 databases datastore datos david db db0 db01 db02 db1 db2 dc de dealers dec def default defiant delaware dell delta delta1 demo demonstration demos denver depot des desarrollo descargas design designer detroit dev dev0 dev01 dev1 devel develop developer developers development device devserver devsql dhcp dial dialup digital dilbert dir direct directory disc discovery discuss discussion discussions disk disney distributer distributers dj dk dm dmail dmz dnews dns dns-2 dns0 dns1 dns2 dns3 do docs documentacion documentos domain domains dominio domino dominoweb doom download downloads downtown dragon drupal dsl dyn dynamic dynip dz e e-com e-commerce e0 eagle earth east ec echo ecom ecommerce edi edu education edward ee eg eh ejemplo elpaso email employees empresa empresas en enable eng eng01 eng1 engine engineer engineering enterprise epsilon er erp es esd esm espanol estadisticas esx et eta europe events domain exchange exec extern external extranet f f5 falcon farm faststats fax feedback feeds fi field file files fileserv fileserver filestore filter find finger firewall fix fixes fj fk fl flash florida flow fm fo foobar formacion foro foros fortworth forum forums foto fotos foundry fox foxtrot fr france frank fred freebsd freebsd0 freebsd01 freebsd02 freebsd1 freebsd2 freeware fresno front frontdesk fs fsp ftp ftp- ftp0 ftp2 ftp_ ftpserver fw fw-1 fw1 fwsm fwsm0 fwsm01 fwsm1 g ga galeria galerias galleries gallery games gamma gandalf gate gatekeeper gateway gauss gd ge gemini general george georgia germany gf gg gh gi gl glendale gm gmail gn go gold goldmine golf gopher gp gq gr green group groups groupwise gs gsx gt gu guest gw gw1 gy h hal halflife hawaii hello help helpdesk helponline henry hermes hi hidden hk hm hn hobbes hollywood home homebase homer honeypot honolulu host host1 host3 host4 host5 hotel hotjobs houstin houston howto hp hpov hr ht http https hu hub humanresources i ia ias ibm ibmdb id ida idaho ids ie iis il illinois im image images imail imap imap4 img img0 img01 img02 in inbound inc include incoming india indiana indianapolis info informix inside install int intern internal international internet intl intranet invalid investor investors invia invio io iota iowa iplanet ipmonitor ipsec ipsec-gw iq ir irc ircd ircserver ireland iris irvine irving is isa isaserv isaserver ism israel isync it italy ix j japan java je jedi jm jo jobs john jp jrun juegos juliet juliette juniper k kansas kansascity kappa kb ke kentucky kerberos keynote kg kh ki kilo king km kn knowledgebase knoxville koe korea kp kr ks kw ky kz l la lab laboratory labs lambda lan laptop laserjet lasvegas launch lb lc ldap legal leo li lib library lima lincoln link linux linux0 linux01 linux02 linux1 linux2 lista lists listserv listserver live lk load loadbalancer local localhost log log0 log01 log02 log1 log2 logfile logfiles logger logging loghost login logs london longbeach losangeles lotus louisiana lr ls lt lu luke lv ly lyris m ma mac mac1 mac10 mac11 mac2 mac3 mac4 mac5 mach macintosh madrid mail mail2 mailer mailgate mailhost mailing maillist maillists mailroom mailserv mailsite mailsrv main maine maint mall manage management manager manufacturing map mapas maps marketing marketplace mars marvin mary maryland massachusetts master max mc mci md mdaemon me media member members memphis mercury merlin messages messenger mg mgmt mh mi miami michigan mickey midwest mike milwaukee minneapolis minnesota mirror mis mississippi missouri mk ml mm mn mngt mo mobile mom monitor monitoring montana moon moscow movies mozart mp mp3 mpeg mpg mq mr mrtg ms ms-exchange ms-sql msexchange mssql mssql0 mssql01 mssql1 mt mta mtu mu multimedia music mv mw mx my mysql mysql0 mysql01 mysql1 mz n na name names nameserv nameserver nas nashville nat nc nd nds ne nebraska neptune net netapp netdata netgear netmeeting netscaler netscreen netstats network nevada new newhampshire newjersey newmexico neworleans news newsfeed newsfeeds newsgroups newton newyork newzealand nf ng nh ni nigeria nj nl nm nms nntp no node nokia nombres nora north northcarolina northdakota northeast northwest noticias novell november np nr ns ns- ns0 ns01 ns02 ns1 ns2 ns3 ns4 ns5 ns_ nt nt4 nt40 ntmail ntp ntserver nu null nv ny nz o oakland ocean odin office offices oh ohio ok oklahoma oklahomacity old om omaha omega omicron online ontario open openbsd openview operations ops ops0 ops01 ops02 ops1 ops2 opsware or oracle orange order orders oregon orion orlando oscar out outbound outgoing outlook outside ov owa owa01 owa02 owa1 owa2 ows oxnard p pa page pager pages paginas papa paris parners partner partners patch patches paul payroll pbx pc pc01 pc1 pc10 pc101 pc11 pc12 pc13 pc14 pc15 pc16 pc17 pc18 pc19 pc2 pc20 pc21 pc22 pc23 pc24 pc25 pc26 pc27 pc28 pc29 pc3 pc30 pc31 pc32 pc33 pc34 pc35 pc36 pc37 pc38 pc39 pc4 pc40 pc41 pc42 pc43 pc44 pc45 pc46 pc47 pc48 pc49 pc5 pc50 pc51 pc52 pc53 pc54 pc55 pc56 pc57 pc58 pc59 pc6 pc60 pc7 pc8 pc9 pcmail pda pdc pe pegasus pennsylvania peoplesoft personal pf pg pgp ph phi philadelphia phoenix phoeniz phone phones photos pi pics picture pictures pink pipex-gw pittsburgh pix pk pki pl plano platinum pluto pm pm1 pn po policy polls pop pop3 portal portals portfolio portland post posta posta01 posta02 posta03 postales postoffice ppp1 ppp10 ppp11 ppp12 ppp13 ppp14 ppp15 ppp16 ppp17 ppp18 ppp19 ppp2 ppp20 ppp21 ppp3 ppp4 ppp5 ppp6 ppp7 ppp8 ppp9 pptp pr prensa press priv privacy private problemtracker products profiles project projects promo proxy prueba pruebas ps psi pss pt pub public pubs purple pw py q qa qmail qotd quake quebec queen quotes r r01 r02 r1 r2 ra radio radius rapidsite raptor ras rc rcs rd re read realserver recruiting red redhat ref reference reg register registro registry regs relay rem remote remstats reports research reseller reserved resumenes rho rhodeisland ri ris rmi ro robert romeo root rose route router router1 rs rss rtelnet rtr rtr01 rtr1 ru rune rw rwhois s s1 s2 sa sac sacramento sadmin safe sales saltlake sam san sanantonio sandiego sanfrancisco sanjose saskatchewan saturn sb sbs sc scanner schedules scotland scotty sd se search seattle sec secret secure secured securid security sendmail seri serv serv2 server server1 servers service services servicio servidor setup sg sh shared sharepoint shareware shipping shop shoppers shopping si siebel sierra sigma signin signup silver sim sirius site sj sk skywalker sl slackware slmail sm smc sms smtp smtphost sn sniffer snmp snmpd snoopy snort so social software sol solaris solutions soporte source sourcecode sourcesafe south southcarolina southdakota southeast southwest spain spam spider spiderman splunk spock spokane springfield sqa sql sql0 sql01 sql1 sql7 sqlserver squid sr ss ssh ssl ssl0 ssl01 ssl1 st staff stage staging start stat static statistics stats stlouis stock storage store storefront streaming stronghold strongmail studio submit subversion sun sun0 sun01 sun02 sun1 sun2 superman supplier suppliers support sv sw sw0 sw01 sw1 sweden switch switzerland sy sybase sydney sysadmin sysback syslog syslogs system sz t tacoma taiwan talk tampa tango tau tc tcl td team tech technology techsupport telephone telephony telnet temp tennessee terminal terminalserver termserv test test2k testbed testing testlab testlinux testo testserver testsite testsql testxp texas tf tftp tg th thailand theta thor tienda tiger time titan tivoli tj tk tm tn to tokyo toledo tom tool tools toplayer toronto tour tp tr tracker train training transfers trinidad trinity ts ts1 tt tucson tulsa tumb tumblr tunnel tv tw tx tz u ua uddi ug uk um uniform union unitedkingdom unitedstates unix unixware update updates upload ups upsilon uranus urchin us usa usenet user users ut utah utilities uy uz v va vader vantive vault vc ve vega vegas vend vendors venus vermont vg vi victor video videos viking violet vip virginia vista vm vmserver vmware vn vnc voice voicemail voip voyager vpn vpn0 vpn01 vpn02 vpn1 vpn2 vt vu w w1 w2 w3 wa wais wallet wam wan wap warehouse washington wc3 web webaccess webadmin webalizer webboard webcache webcam webcast webdev webdocs webfarm webhelp weblib weblogic webmail webmaster webproxy webring webs webserv webserver webservices website websites websphere websrv websrvr webstats webstore websvr webtrends welcome west westvirginia wf whiskey white whois wi wichita wiki wililiam win win01 win02 win1 win2 win2000 win2003 win2k win2k3 windows windows01 windows02 windows1 windows2 windows2000 windows2003 windowsxp wingate winnt winproxy wins winserve winxp wire wireless wisconsin wlan wordpress work world write ws ws1 ws10 ws11 ws12 ws13 ws2 ws3 ws4 ws5 ws6 ws7 ws8 ws9 wusage wv ww www www- www-01 www-02 www-1 www-2 www-int www0 www01 www02 www1 www2 www3 www_ wwwchat wwwdev wwwmail wy wyoming x x-ray xi xlogan xmail xml xp y yankee ye yellow young yt yu z z-log za zebra zera zeus zlog zm zulu zw knock-3.0.0/setup.py000066400000000000000000000051771263203202300143340ustar00rootroot00000000000000#!/usr/bin/env python # -*- coding: utf-8 -*- # ---------------------------------------------------------------------- # This file is part of Knock subdomain scan (aka knockpy) # # Knock is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Knock is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Knock. If not, see . # ---------------------------------------------------------------------- from setuptools import setup from codecs import open # To use a consistent encoding from os import path here = path.abspath(path.dirname(__file__)) # Get the long description from the relevant file with open(path.join(here, 'CHANGELOG.rst'), encoding='utf-8') as f: long_description = f.read() setup( name='knockpy', version='3.0', description='Knock is a python tool designed to enumerate subdomains on a target domain through a wordlist.', long_description=long_description, url='https://github.com/guelfoweb/knock', author='Gianni \'guelfoweb\' Amato', author_email='guelfoweb@gmail.com', license='GNU', # See https://pypi.python.org/pypi?%3Aaction=list_classifiers classifiers=[ # How mature is this project? Common values are # 3 - Alpha # 4 - Beta # 5 - Production/Stable 'Development Status :: 3 - Production/Stable', # Indicate who your project is intended for 'Intended Audience :: Developers', 'Topic :: Software Development :: Build Tools', # Pick your license as you wish (should match "license" above) 'License :: OSI Approved :: GNU General Public License (GPL)', # Specify the Python versions you support here. In particular, ensure # that you indicate whether you support Python 2, Python 3 or both. 'Programming Language :: Python :: 2', 'Programming Language :: Python :: 2.6', 'Programming Language :: Python :: 2.7', ], keywords='knock sudbomain scan', packages=["knockpy", "knockpy.modules"], package_data={'knockpy': ['wordlist/wordlist.txt']}, install_requires = ['dnspython>=1.3.5'], entry_points={ 'console_scripts': [ 'knockpy=knockpy.knockpy:main', ], }, )