Subdomain takeover and prevention using Knockpy

Subdomain takeover and phishing attack

What is a subdomain?

A subdomain is basically your second website with its own unique name. There is no new domain created instead, you use your existing domain name but points the www to another name.


What is a phishing attack?

Phishing is a form of social engineering attack that attempts to steal sensitive information. They do so by sending emails or creating web pages that are designed to collect information about individuals.

How do the hackers takeover subdomains?

There are a lot of ways the hackers take control over one’s subdomain. Given below is a basic example.


  • Consider you use a service as “assert” in your website
  • The service is hosted in bitbucket in the URL
  • Bitbucket has stopped this service and you are still using it
  • Now hacker can claim the service
  • Now, when you visit you are actually visiting the hackers site
  • Hackers now can post a defacement or put an HTML Form and asks users to login (Perform phishing attack)

Attackers generally can claim subdomains with the external services. In this case, you cannot trace back on the attack and it affects a lot. We can find it out with the tools available(Like Knockpy) or go through all of your DNS entries and remove the ones which are active and unused or the ones pointing to the external services which are not in use anymore.

What is Knockpy
Knockpy is a python tool designed to bruteforce and find the list of Subdomains for a particular Domain. It internally uses a wordlist file which comes with the tool to bruteforce. But, we can also have our own wordlist to bruteforce the domain.

Python 2.7.6 or later

Git Link

Installing Knockpy
Note: I am using Kali linux
kali> git clone

Run Knockpy
kali> python [Domain name] or [IP]

Run Knockpy with different wordlist
kali>python [Domain name]or[IP] wordlist.txt

Knock results

From the above image, you can see that there is a domain which points to heroku services. >>>

You should visit the subdomain to check whether it is vulnerable or not. your subdomain is vulnerable if you find errors like ‘No such app’.