
Knock - Sub-domain bruteforce [TUT]
Started by Dox




2 posts in this topic
Dox Offline
Cyber Security Student
***


Contributor
Posts: 414
Threads: 125
Joined: Mon Oct 2017
Reputation: 6

CZPoints: 136 CZP
OnFireContributor
11-03-2017, 12:01 PM -
#1
What is Knock?

This is a small sub-domain bruteforce tool that uses Python. It uses a word list to find them. It is designed to scan DNS zone transfer and tries to bypass Wildcard DNS records automatically if it's enabled. It's now supporting queries to VirusTotal sub-domains, which you can edit in API_KEY in the config.json file.

Requirements


Dnspython: 
Code:
$ sudo apt-get install python-dnspython
Python2.7.6: https://www.python.org/download/releases/2.7.6/


Installation

Code:
$ git clone https://github.com/guelfoweb/knock.git
$ cd knock
$ nano knockpy/config.json <- set your virustotal API_KEY (This step is not required, but can be used if wanted to.)
$ sudo python setup.py install

(Note that it's recommended to use Google DNS: 8.8.8.8 and 8.8.4.4)


Usage/Commands

Export the log file to a json file:
Code:
$ knockpy domain.com --json

Usage for all the commands & its output:
Code:
$ knockpy -h
usage: knockpy [-h] [-v] [-w WORDLIST] [-r] [-c] [-j] domain

___________________________________________

knock subdomain scan
knockpy v.4.1
Author: Gianni 'guelfoweb' Amato
Github: https://github.com/guelfoweb/knock
___________________________________________

positional arguments:
 domain         target to scan, like domain.com

optional arguments:
 -h, --help      show this help message and exit
 -v, --version   show program's version number and exit
 -w WORDLIST     specific path to wordlist file
 -r, --resolve   resolve ip or domain name
 -c, --csv       save output in csv
 -f, --csvfields add fields name to the first row of csv output file
 -j, --json      export full report in JSON

example:
 knockpy domain.com
 knockpy domain.com -w wordlist.txt
 knockpy -r domain.com or IP
 knockpy -c domain.com
 knockpy -j domain.com

Subdomain scan with internal wordlist: (Wordlist provided by the Github source. You can edit the sub-domains in the file)
Code:
$ knockpy domain.com

Sub-domain scan with external wordlist:

Code:
$ knockpy domain.com -w wordlist.txt

Resolve domain name and get response headers:

Code:
$ knockpy -r domain.com [or IP]
+ checking for virustotal subdomains: YES
[
       "partnerissuetracker.corp.google.com",
       "issuetracker.google.com",
       "r5---sn-ogueln7k.c.pack.google.com",
       "cse.google.com",

       .......too long.......

       "612.talkgadget.google.com",
       "765.talkgadget.google.com",
       "973.talkgadget.google.com"
]
+ checking for wildcard: NO
+ checking for zonetransfer: NO
+ resolving target: YES
{
       "zonetransfer": {
           "enabled": false,
           "list": []
       },
       "target": "google.com",
       "hostname": "google.com",
       "virustotal": [
           "partnerissuetracker.corp.google.com",
           "issuetracker.google.com",
           "r5---sn-ogueln7k.c.pack.google.com",
           "cse.google.com",
           "mt0.google.com",
           "earth.google.com",
           "clients1.google.com",
           "pki.google.com",
           "www.sites.google.com",
           "appengine.google.com",
           "fcmatch.google.com",
           "dl.google.com",
           "translate.google.com",
           "feedproxy.google.com",
           "hangouts.google.com",
           "news.google.com",

           .......too long.......

           "100.talkgadget.google.com",
           "services.google.com",
           "301.talkgadget.google.com",
           "857.talkgadget.google.com",
           "600.talkgadget.google.com",
           "992.talkgadget.google.com",
           "93.talkgadget.google.com",
           "storage.cloud.google.com",
           "863.talkgadget.google.com",
           "maps.google.com",
           "661.talkgadget.google.com",
           "325.talkgadget.google.com",
           "sites.google.com",
           "feedburner.google.com",
           "support.google.com",
           "code.google.com",
           "562.talkgadget.google.com",
           "190.talkgadget.google.com",
           "58.talkgadget.google.com",
           "612.talkgadget.google.com",
           "765.talkgadget.google.com",
           "973.talkgadget.google.com"
       ],
       "alias": [],
       "wildcard": {
           "detected": {},
           "test_target": "eqskochdzapjbt.google.com",
           "enabled": false,
           "http_response": {}
       },
       "ipaddress": [
           "216.58.205.142"
       ],
       "response_time": "0.0351989269257",
       "http_response": {
           "status": {
               "reason": "Found",
               "code": 302
           },
           "http_headers": {
               "content-length": "256",
               "location": "http://www.google.it/?gfe_rd=cr&ei=60WIWdmnDILCXoKbgfgK",
               "cache-control": "private",
               "date": "Mon, 07 Aug 2017 10:50:19 GMT",
               "referrer-policy": "no-referrer",
               "content-type": "text/html; charset=UTF-8"
           }
       }
}

Save scan output as CSV: 

Code:
$ knockpy -c domain.com


Credits:

Creator's Github: https://github.com/guelfoweb

Hope you found this useful. And I beat you to it. You know who you are and I'm not going to say names. <3
My tut now!
This post was last modified: 11-03-2017, 12:03 PM by Dox. Edit Reason: Python2.7.6 URL was in an e-mail format :/
Contact E-Mail: [email protected]
BTC Address: 1JmJrbmQn4Bg24r68bSyZ7TxNZGad3iPWM
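The post says knockpy "tries to bypass Wildcard DNS records automatically", and the sample report shows how: a random label (`"test_target": "eqskochdzapjbt.google.com"`) is resolved first, and if it answers, the zone has a wildcard and every brute-forced name that only resolves to the same address is noise. The following is an added example written for this thread, not knockpy's own code, that implements that check and the wordlist loop around it. The resolver is injected as a function: `table_resolver` is a constructed in-memory stand-in (RFC 5737 documentation addresses, not real hosts) so the block runs offline, and `make_dnspython_resolver` is an assumed adapter for the dnspython 2.x `dns.resolver.resolve` API that the post's requirements install.

```python
import random
import string
from typing import Callable, Dict, List, Optional, Set

# A resolver maps a hostname to the set of IPv4 addresses it resolves to,
# or an empty set when the name does not exist (NXDOMAIN). Injecting it as a
# function keeps the enumeration logic testable offline; see
# make_dnspython_resolver() for a live one.
Resolver = Callable[[str], Set[str]]


def random_label(length: int = 14) -> str:
    """A random lowercase label that should not exist as a real host; knockpy's
    report shows the same idea as "test_target" (e.g. eqskochdzapjbt.google.com)."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 2) -> Set[str]:
    """Return the addresses that non-existent names under `domain` resolve to.

    Empty set: no wildcard, unknown labels get NXDOMAIN as expected.
    Non-empty set: *.domain is wildcarded, so a brute-forced name that resolves
    only to these addresses is not evidence that the host really exists.
    Two probes are used so one odd answer does not decide the result.
    """
    seen: Set[str] = set()
    for _ in range(probes):
        seen |= resolve(f"{random_label()}.{domain}")
    return seen


def enumerate_subdomains(domain: str, wordlist: List[str],
                         resolve: Resolver) -> Dict[str, Set[str]]:
    """Try every wordlist entry as <word>.<domain>; keep only real answers."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found: Dict[str, Set[str]] = {}
    for word in wordlist:
        word = word.strip().lower()
        if not word:
            continue
        name = f"{word}.{domain}"
        ips = resolve(name)
        if not ips:
            continue                       # NXDOMAIN: nothing there
        if wildcard_ips and ips <= wildcard_ips:
            # Answered only by the wildcard. Known limitation of address-based
            # filtering: a real host parked on the wildcard address is hidden
            # too, which is why a second signal (knockpy's report also records
            # the wildcard probe's http_response) is useful.
            continue
        found[name] = ips
    return found


def table_resolver(records: Dict[str, Set[str]],
                   wildcards: Optional[Dict[str, Set[str]]] = None) -> Resolver:
    """Constructed offline resolver for this example: exact names come from
    `records`; any other name under a zone listed in `wildcards` resolves to
    that zone's wildcard addresses, mimicking a *.zone A record."""
    wildcards = wildcards or {}

    def resolve(name: str) -> Set[str]:
        if name in records:
            return set(records[name])
        for zone, ips in wildcards.items():
            if name.endswith("." + zone):
                return set(ips)
        return set()

    return resolve


def make_dnspython_resolver() -> Resolver:
    """Live resolver built on dnspython (assumed 2.x API: dns.resolver.resolve);
    the post installs python-dnspython, so this is the natural backend."""
    import dns.exception
    import dns.resolver

    def resolve(name: str) -> Set[str]:
        try:
            return {rdata.address for rdata in dns.resolver.resolve(name, "A")}
        except dns.exception.DNSException:   # NXDOMAIN, NoAnswer, Timeout, ...
            return set()

    return resolve


# Constructed sample zones (RFC 5737 documentation addresses, not real hosts).
SAMPLE_RECORDS = {
    "www.example.com": {"203.0.113.20"},
    "mail.example.com": {"203.0.113.30"},
    "dev.example.com": {"203.0.113.10"},   # real host parked on the wildcard IP
    "www.example.net": {"198.51.100.5"},
}
SAMPLE_WILDCARDS = {"example.com": {"203.0.113.10"}}   # *.example.com
SAMPLE_WORDLIST = ["www", "mail", "dev", "ftp", "staging", ""]
RESOLVER = table_resolver(SAMPLE_RECORDS, SAMPLE_WILDCARDS)

if __name__ == "__main__":
    for zone in ("example.com", "example.net"):
        print(f"{zone}: wildcard -> {detect_wildcard(zone, RESOLVER) or 'NO'}")
        for host, ips in enumerate_subdomains(zone, SAMPLE_WORDLIST, RESOLVER).items():
            print(f"  {host} {sorted(ips)}")
```

Running it shows the difference the wildcard check makes: under `example.com`, `ftp` and `staging` resolve (to the wildcard address) but are dropped, while `www` and `mail` are kept; under `example.net`, which has no wildcard, only `www` answers at all. Swap `RESOLVER` for `make_dnspython_resolver()` to run the same loop against live DNS.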
[NS]D1G174L Offline
Pentester
***


NulledSystems
Posts: 95
Threads: 19
Joined: Fri Mar 2017
Reputation: 8

CZPoints: 14 CZP
ContributorDiamondBomb ContentDonator
11-03-2017, 08:54 PM -
#2
I see you like the red text ;3
Send me BTC 1HQCPvWN1Be2UDWCBfZtsGatvQumTdYsVk
Dox Offline
Cyber Security Student
***


Contributor
Posts: 414
Threads: 125
Joined: Mon Oct 2017
Reputation: 6

CZPoints: 136 CZP
OnFireContributor
11-04-2017, 01:01 PM -
#3
(11-03-2017, 08:54 PM)D1G174L Wrote: I see you like the red text ;3
Yeah lul. I stole it from the best.
Cringe.
Contact E-Mail: [email protected]
BTC Address: 1JmJrbmQn4Bg24r68bSyZ7TxNZGad3iPWM



