Assetfinder
What is the purpose of Assetfinder?
Assetfinder is a open source tool. In order to obtain a larger number of relevant subdomains of your target, we need to have a powerful and potential script that will automate our work and return a list of subdomains. That's why assetfinder is a tool to help us obtain subdomains of our target. Assetfinder is a Golang language based tool used to get potential subdomains of our target domain.
Here are the primary uses of Assetfinder:
-
Subdomain Enumeration: Assetfinder assists its users in searching for subdomains of a target domain, which is very useful during the preliminary analysis phase of the target system when conducting a penetration test or vulnerability assessment.
-
Asset Discovery: Assetfinder helps find various assets associated with a domain name to be able to have an overview of the attack surface that a target has. For example, associated services and IP address resolution.
-
Data Analysis Assetfinder provides options for analyzing discovered data, allowing users to filter, sort and visualize information. These features make it a user-friendly and efficient tool for providing preliminary information prior to vulnerability detection in the target system.
-
Integration with Other Tools: Assetfinder can be integrated with other tools and scripts in a security toolkit, enhancing overall capabilities for information gathering and vulnerability identification.
Core Features
- Subdomain Discovery
- IP Address Resolution
- Domain Search
- Customizable Output Formats
- Filtering Options
- Integration Capabilities
Data sources:
- Assetfinder uses multiple data sources to perform its research, including:
- crt.sh
- certspotter
- hackertarget
- threatcrowd
- Wayback Machine
- dns.bufferover.run
- Facebook Graph API
- Virustotal
- findsubdomains This expands coverage and increases the accuracy of results.
Common Assetfinder Commands
1. Basic Usage
- This command discovers subdomains for the specified target domain.
assetfinder <target_domain>
2. File Input
- This command reads a list of domains from a file and discovers subdomains for each one.
assetfinder -subs-only -f <file>
3. Output to File
- This command saves the discovered subdomains to a specified output file.
assetfinder <target_domain> -o <output_file>
4. Include or Exclude Specific Domains
- This command allows users to include or exclude specific domains during the discovery process.
assetfinder --include <domain> <target_domain>
assetfinder --exclude <domain> <target_domain>
5. Custom User-Agent
- This command sets a custom User-Agent string for the requests made by Assetfinder.
assetfinder -user-agent "<User-Agent>"
6. Verbose Output
- This command enables verbose output for detailed information about the discovery process.
assetfinder -v <target_domain>
7. Help and Usage Information
- Displays help information, including available commands and options for using Assetfinder.
assetfinder -h
Alternative usage:
assetfinder --help
Output Examples of Assetfinder Commands
Command | Example Usage | Function | Output Example |
---|---|---|---|
Basic Usage | assetfinder example.com | Discovers subdomains for the specified target domain. | Subdomains found: sub1.example.com, sub2.example.com |
Subdomain Only | assetfinder -subs-only example.com | Retrieves only subdomains without resolving to IP addresses. | Subdomains found: sub1.example.com, sub2.example.com |
File Input | assetfinder -subs-only -f domains.txt | Reads a list of domains from a file and discovers subdomains for each one. | Testing domains from domains.txt... |
Output to File | assetfinder example.com -o results.txt | Saves the discovered subdomains to a specified output file. | Results saved to results.txt |
Include Specific Domain | assetfinder --include sub.example.com example.com | Includes specific domains during the discovery process. | Including sub.example.com in the results |
Exclude Specific Domain | assetfinder --exclude sub.example.com example.com | Excludes specific domains from the discovery process. | Excluding sub.example.com from the results |
Custom User-Agent | assetfinder -user-agent "Mozilla/5.0" example.com | Sets a custom User-Agent string for the requests. | Request sent with custom User-Agent |
Verbose Output | assetfinder -v example.com | Enables verbose output for detailed information about the discovery process. | Verbose mode enabled: ... |
Help and Usage Information | assetfinder -h | Displays help information, including available commands and options. | Usage: assetfinder [options] <target> |
JSON Output | assetfinder example.com -o results.json -json | Saves the discovered subdomains in JSON format for easier integration. | Results saved in JSON format to results.json |
Rate Limit | assetfinder --rate-limit 100 example.com | Limits the number of requests per second during discovery. | Rate limit set to 100 requests per second |
DNS Resolution | assetfinder -resolve example.com | Resolves the discovered subdomains to their corresponding IP addresses. | Resolved: sub1.example.com -> 192.0.2.1 |
Check for Live Hosts | assetfinder -live example.com | Checks if the discovered subdomains are live. | Live hosts found: sub1.example.com |
Output Format | assetfinder example.com -o results.csv -format csv | Specifies the output format when saving results. | Results saved to results.csv |
Timeout Configuration | assetfinder --timeout 10 example.com | Sets a timeout for requests to avoid hanging. | Timeout set to 10 seconds |