Skip to main content

Assetfinder

What is the purpose of Assetfinder?

Assetfinder is a open source tool. In order to obtain a larger number of relevant subdomains of your target, we need to have a powerful and potential script that will automate our work and return a list of subdomains. That's why assetfinder is a tool to help us obtain subdomains of our target. Assetfinder is a Golang language based tool used to get potential subdomains of our target domain.

Here are the primary uses of Assetfinder:

  • Subdomain Enumeration: Assetfinder assists its users in searching for subdomains of a target domain, which is very useful during the preliminary analysis phase of the target system when conducting a penetration test or vulnerability assessment.

  • Asset Discovery: Assetfinder helps find various assets associated with a domain name to be able to have an overview of the attack surface that a target has. For example, associated services and IP address resolution.

  • Data Analysis Assetfinder provides options for analyzing discovered data, allowing users to filter, sort and visualize information. These features make it a user-friendly and efficient tool for providing preliminary information prior to vulnerability detection in the target system.

  • Integration with Other Tools: Assetfinder can be integrated with other tools and scripts in a security toolkit, enhancing overall capabilities for information gathering and vulnerability identification.

Core Features

  • Subdomain Discovery
  • IP Address Resolution
  • Domain Search
  • Customizable Output Formats
  • Filtering Options
  • Integration Capabilities

Data sources:

  • Assetfinder uses multiple data sources to perform its research, including:
  • crt.sh
  • certspotter
  • hackertarget
  • threatcrowd
  • Wayback Machine
  • dns.bufferover.run
  • Facebook Graph API
  • Virustotal
  • findsubdomains This expands coverage and increases the accuracy of results.

Common Assetfinder Commands

1. Basic Usage

  • This command discovers subdomains for the specified target domain.
assetfinder <target_domain>

2. File Input

  • This command reads a list of domains from a file and discovers subdomains for each one.
assetfinder -subs-only -f <file>

3. Output to File

  • This command saves the discovered subdomains to a specified output file.
assetfinder <target_domain> -o <output_file>

4. Include or Exclude Specific Domains

  • This command allows users to include or exclude specific domains during the discovery process.
assetfinder --include <domain> <target_domain>
assetfinder --exclude <domain> <target_domain>

5. Custom User-Agent

  • This command sets a custom User-Agent string for the requests made by Assetfinder.
assetfinder -user-agent "<User-Agent>"

6. Verbose Output

  • This command enables verbose output for detailed information about the discovery process.
assetfinder -v <target_domain>

7. Help and Usage Information

  • Displays help information, including available commands and options for using Assetfinder.
assetfinder -h

Alternative usage:

assetfinder --help

Output Examples of Assetfinder Commands

CommandExample UsageFunctionOutput Example
Basic Usageassetfinder example.comDiscovers subdomains for the specified target domain.Subdomains found: sub1.example.com, sub2.example.com
Subdomain Onlyassetfinder -subs-only example.comRetrieves only subdomains without resolving to IP addresses.Subdomains found: sub1.example.com, sub2.example.com
File Inputassetfinder -subs-only -f domains.txtReads a list of domains from a file and discovers subdomains for each one.Testing domains from domains.txt...
Output to Fileassetfinder example.com -o results.txtSaves the discovered subdomains to a specified output file.Results saved to results.txt
Include Specific Domainassetfinder --include sub.example.com example.comIncludes specific domains during the discovery process.Including sub.example.com in the results
Exclude Specific Domainassetfinder --exclude sub.example.com example.comExcludes specific domains from the discovery process.Excluding sub.example.com from the results
Custom User-Agentassetfinder -user-agent "Mozilla/5.0" example.comSets a custom User-Agent string for the requests.Request sent with custom User-Agent
Verbose Outputassetfinder -v example.comEnables verbose output for detailed information about the discovery process.Verbose mode enabled: ...
Help and Usage Informationassetfinder -hDisplays help information, including available commands and options.Usage: assetfinder [options] <target>
JSON Outputassetfinder example.com -o results.json -jsonSaves the discovered subdomains in JSON format for easier integration.Results saved in JSON format to results.json
Rate Limitassetfinder --rate-limit 100 example.comLimits the number of requests per second during discovery.Rate limit set to 100 requests per second
DNS Resolutionassetfinder -resolve example.comResolves the discovered subdomains to their corresponding IP addresses.Resolved: sub1.example.com -> 192.0.2.1
Check for Live Hostsassetfinder -live example.comChecks if the discovered subdomains are live.Live hosts found: sub1.example.com
Output Formatassetfinder example.com -o results.csv -format csvSpecifies the output format when saving results.Results saved to results.csv
Timeout Configurationassetfinder --timeout 10 example.comSets a timeout for requests to avoid hanging.Timeout set to 10 seconds