Kn0ck is an automated scanner that can be used during a penetration test to enumerate targets and scan them for vulnerabilities.
- Automatically collects basic recon
- Automatically launches Google hacking queries against a target domain
- Automatically enumerates open ports via NMap port scanning
- Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
- Automatically checks for sub-domain hijacking
- Automatically runs targeted NMap scripts against open ports
- Automatically runs targeted Metasploit scan and exploit modules
- Automatically scans all web applications for common vulnerabilities
- Automatically brute forces ALL open services
- Automatically tests for anonymous FTP access
- Automatically runs WPScan, Arachni and Nikto for all web services
- Automatically enumerates NFS shares
- Automatically tests for anonymous LDAP access
- Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities
- Automatically enumerates SNMP community strings, services and users
- Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067
- Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers
- Automatically tests for open X11 servers
- Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
- Performs high level enumeration of multiple hosts and subnets
- Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
- Automatically gathers screenshots of all web sites
- Creates individual workspaces to store all scan output
- Apache Struts CVE-2018-11776 RCE exploit
- Android Insecure ADB RCE auto exploit
- Apache Tomcat CVE-2017-12617 RCE exploit
- Oracle WebLogic WLS-WSAT Component Deserialisation RCE CVE-2017-10271 exploit
- Drupal Drupalgedon2 RCE CVE-2018-7600
- GPON Router RCE CVE-2018-10561
- Apache Struts 2 RCE CVE-2017-5638
- Apache Struts 2 RCE CVE-2017-9805
- Apache Jakarta RCE CVE-2017-5638
- Shellshock GNU Bash RCE CVE-2014-6271
- HeartBleed OpenSSL Detection CVE-2014-0160
- Default Apache Tomcat Creds CVE-2009-3843
- MS Windows SMB RCE MS08-067
- Webmin File Disclosure CVE-2006-3392
- Anonymous FTP Access
- PHPMyAdmin Backdoor RCE
- PHPMyAdmin Auth Bypass
- JBoss Java De-Serialization RCEs
-> knock.conf
CENSYS_APP_ID="REDACTED"
CENSYS_API_SECRET="REDACTED"
chmod +x install.sh
./install.sh
chmod +x install_for_debian_ubuntu.sh
./install_for_debian_ubuntu.sh
[*] NORMAL MODE
knock -t <TARGET>
[*] NORMAL MODE + OSINT + RECON
knock -t <TARGET> | -o (Osint) | -re (Recon)
[*] STEALTH MODE + OSINT + RECON
knock -t <TARGET> | -m stealth | -o (Osint) | -re (Recon)
[*] DISCOVER MODE
knock -t <TARGET> | -m discover | -w <WORKSPACE_ALIAS>
[*] SCAN ONLY SPECIFIC PORT
knock -t <TARGET> | -m port | -p <portnum>
[*] FULLPORTONLY SCAN MODE
knock -t <TARGET> | -fp (Fullportonly)
[*] PORT SCAN MODE
knock -t <TARGET> | -m port -p <PORT_NUM>
[*] WEB MODE - PORT 80 + 443 ONLY!
knock -t <TARGET> | -m web
[*] HTTP WEB PORT MODE
knock -t <TARGET> | -m webporthttp | -p <port>
[*] HTTPS WEB PORT MODE
knock -t <TARGET> | -m webporthttps | -p <port>
[*] ENABLE BRUTEFORCE
knock -t <TARGET> | -b (Bruteforce)
[*] LIST WORKSPACES
knock --list
[*] DELETE WORKSPACE
knock -w <WORKSPACE_ALIAS> -d
[*] DELETE HOST FROM WORKSPACE
knock -w <WORKSPACE_ALIAS> -t <TARGET> -dh
[*] GET knock SCAN STATUS
knock --status
[*] LOOT REIMPORT FUNCTION
knock -w <WORKSPACE_ALIAS> --reimport
- NORMAL: Performs basic scan of targets and open ports using both active and passive checks for optimal performance.
- STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
- DISCOVER: Parses all hosts on a subnet/CIDR (i.e. 192.168.0.0/16) and initiates a knock scan against each host. Useful for internal network scans.
- PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
- FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
- WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
- WEBPORTHTTP: Launches a full HTTP web application scan against a specific host and port.
- WEBPORTHTTPS: Launches a full HTTPS web application scan against a specific host and port.
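Because DISCOVER mode expands a whole CIDR and the other modes take a single target, a wrapper that checks every target against the engagement's authorized scope before assembling the command line is a useful guard. The example below is added here and is not part of Kn0ck; the `AUTHORIZED_SCOPE` list and the function names are assumptions, while the flags mirror the usage lines above.

```python
import ipaddress

# Constructed allow-list standing in for an engagement's rules of engagement (assumption).
AUTHORIZED_SCOPE = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.168.50.0/24")]

# Modes from the README that need an extra argument to be meaningful.
MODES_NEEDING_PORT = {"port", "webporthttp", "webporthttps"}


def in_scope(target, scope=AUTHORIZED_SCOPE):
    """True only if every address in `target` (single host or CIDR) lies inside the scope."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False  # hostnames are not resolved here, so they are treated as out of scope
    return any(net.subnet_of(auth) for auth in scope if auth.version == net.version)


def build_knock_command(target, mode=None, workspace=None, port=None,
                        bruteforce=False, scope=AUTHORIZED_SCOPE):
    """Assemble the knock argument list, refusing targets outside `scope`.

    Mirrors the README usage: -t target, -m mode, -w workspace alias, -p port, -b bruteforce.
    """
    if not in_scope(target, scope):
        raise ValueError(f"target {target!r} is outside the authorized scope")
    if mode == "discover" and not workspace:
        raise ValueError("discover mode expects a workspace alias (-w) to store per-host output")
    if mode in MODES_NEEDING_PORT and port is None:
        raise ValueError(f"{mode} mode requires -p <port>")
    if port is not None and not 0 < int(port) < 65536:
        raise ValueError(f"invalid port {port!r}")

    argv = ["knock", "-t", target]
    if mode:
        argv += ["-m", mode]
    if workspace:
        argv += ["-w", workspace]
    if port is not None:
        argv += ["-p", str(port)]
    if bruteforce:
        argv.append("-b")
    return argv


if __name__ == "__main__":
    print(" ".join(build_knock_command("10.10.0.0/24", mode="discover", workspace="lab")))
```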