Identify vulnerable Subdomain using knock

Subdomain take over is a security issue where attacker takes over subdomain name that points to expired hosting space.

Knock is a python tool that scans the target domain to enumerate its subdomains. I personally recommend this tool as it performs much more accurate level of subdomain enumeration compared to other tools. Knock provides also with HTTP Status Codes to identify chances of taking over subdomains.

You can download Knock from GitHub/knock

Prerequisites Installation:

All our discussion in this article refers to Kali Linux platform.

Knock requires python 2.7 version, use $python –version command to verify the running python version.

If 2.7 version is not already installed, follow the commands to install.

$ sudo apt-get update

$ sudo apt-get install python2.7

Knock requires dnspython, so install it.

$ sudo apt-get install python-dnspython

Knock Installation:

Now you are ready to install knock

$ git clone

$ cd knock

$ sudo python install

Type $knockpy on the terminal to ensure proper installation.

Use knock to enumerate subdomains:

You can start using knock by simply typing the target domain name as


This command produces results of list of subdomain, IP address, HTTP status code, DNS record type and server info.

In the results, here are some points that you need to note to quickly identify subdomains that can be taken over.

  • Ignore these HTTP status codes – 200 (Ok), 301 (Permanently Moved), 302 (Temporary URI), 308 ( Permanently Redirect), 403 (Forbidden)
  • Consider these HTTP status codes – 404 (Not Found) and empty HTTP status codes.

In case you need to save scan output in CSV, use

$knockpy -c

In the continuation article, we will see about how to further analyze the results and take over vulnerable subdomains.

You may also like...