assetfinder
Enumerate subdomains of a domain
SYNOPSIS
assetfinder [-all|-subs-only] [-hc hides] [-o output] [-r] [-timeout duration] [-t threads] [-wordlist list] [domains...]
PARAMETERS
-all
Query all available sources (crt.sh, fdns, rpzdns, hackertarget, threatcrowd, alienvault, virustotal, passivetotal, urlscan, censys, chaos)
-subs-only
Return only subdomains (no wildcards or root domain)
-hc string
Hide the listed results from the output (comma-separated list, e.g., '*.example.com,example.com')
-o string
Output file name
-r
Recursive subdomain enumeration
-timeout int
HTTP request timeout in seconds (default 10)
-t int
Number of concurrent threads (default 20)
-wordlist string
Path to custom wordlist for permutation
-afapi-key string
AlienVault API key (defaults to $AF_API_KEY env var)
DESCRIPTION
Assetfinder is a fast, lightweight command-line tool designed for passive subdomain enumeration during reconnaissance phases of security assessments and bug bounty hunting. Developed in Go by Tom NomNom, it queries multiple public sources without sending traffic to the target domain, making it stealthy and efficient.
It aggregates subdomains from certificate transparency logs (crt.sh), passive DNS datasets like Rapid7's (fdns, rpzdns), and threat intelligence feeds including AlienVault OTX, VirusTotal, PassiveTotal, URLScan, Censys, and Chaos. By default, it uses a focused set of high-yield sources for speed, but the -all flag enables exhaustive querying.
Assetfinder supports threading for concurrency, recursion for wildcard expansion, custom wordlists for permutation, and output filtering to hide common or irrelevant results. It is particularly valued for its speed (scans often complete in seconds) and reliability, outputting unique subdomains ready for further tools like httpx or nuclei. Ideal for OSINT and initial attack surface mapping, it avoids active DNS queries to minimize footprint, so results are not verified as live (see CAVEATS).
CAVEATS
Not installed by default; requires Go 1.16+. Some sources may rate-limit or require API keys. Recursive mode (-r) can generate high output volume. Results may include stale or parked domains.
INSTALLATION
Run go install github.com/tomnomnom/assetfinder@latest
Requires Go toolchain.
EXAMPLE USAGE
assetfinder -all -o subs.txt example.com
Queries all sources and saves the results to subs.txt.
cat subs.txt | httpx -silent
Pipe to httpx for live host probing.
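Added example (not part of assetfinder or of the original page): a shell sketch for an asset owner that cleans saved output such as subs.txt (wildcard entries, mixed case, trailing dots, out-of-scope names) and lists the names missing from an asset inventory. The function names, the inventory file and the sample lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: clean enumeration output and diff it against an inventory.

# normalize_subs ROOT: hostnames on stdin -> unique, lowercased, in-scope names
# (ROOT itself or names ending in ".ROOT"); wildcard prefix and trailing dot removed.
normalize_subs() {
    root=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr 'A-Z' 'a-z' | tr -d '\r' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/^\*\.//' -e 's/\.$//' |
    awk -v root="$root" '
        # drop blanks and anything that is not a plausible hostname
        $0 !~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)*$/ { next }
        # match on a label boundary so "notexample.com" is rejected
        $0 == root || substr($0, length($0) - length(root)) == "." root { print }
    ' | LC_ALL=C sort -u
}

# unknown_assets ROOT INVENTORY_FILE: enumerated names (stdin) that the
# inventory file (one hostname per line, hypothetical format) does not list.
unknown_assets() {
    _inv=$(mktemp)
    normalize_subs "$1" < "$2" > "$_inv"
    normalize_subs "$1" | LC_ALL=C comm -23 - "$_inv"
    rm -f "$_inv"
}

# Constructed sample of saved enumeration output (not real results).
sample_subs() {
    cat <<'EOF'
www.example.com
WWW.Example.com
*.dev.example.com
example.com
api.example.com.
notexample.com
example.com.other.test
mail.example.com
EOF
}

# Demo: print the cleaned, in-scope set for the constructed sample.
sample_subs | normalize_subs example.com
```

Names reported by unknown_assets are candidates for inventory review; as the CAVEATS note, some may be stale or parked.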
HISTORY
Created by Tom NomNom (Twitter: @tomnomnom) in 2018 as a Go binary for rapid recon. Gained popularity in bug bounty communities via HackerOne/TwitchCon talks. Actively maintained on GitHub with source additions like Chaos dataset integration. Version 0.1.2+ introduced threading and recursion.


