LinuxCommandLibrary

assetfinder

Enumerate subdomains of a domain

SYNOPSIS

assetfinder [OPTIONS] <TARGET>
or
cat domains.txt | assetfinder [OPTIONS]

PARAMETERS

--burp
    Outputs the discovered assets in a format compatible with Burp Suite.

--help, -h
    Displays the help message, detailing available options and usage.

--json
    Outputs the results in JSON format, useful for programmatic parsing.

--output <file>, -o <file>
    Writes the discovered assets to the specified output file.

--relations
    Includes not only subdomains but also other related domains that assetfinder discovers for the target.

--subs-only
    A frequently used option; it restricts the output to only the discovered subdomains, excluding other related assets.

--version, -v
    Displays the version number of assetfinder.

--wafs
    Attempts to detect if the discovered domains are protected by Web Application Firewalls (WAFs).

--wapps
    Outputs information about the web technologies (e.g., web servers, frameworks) running on the discovered domains.

DESCRIPTION

assetfinder is a command-line utility designed for rapidly discovering domains and subdomains associated with a given target organization or domain. Developed by TomNomNom and written in Go, it's a popular open-source tool primarily utilized by penetration testers, bug bounty hunters, and security researchers during the reconnaissance phase of security assessments.

It functions by querying various public data sources, including Certificate Transparency logs (like crt.sh), VirusTotal, and other publicly available information, to identify assets that might be overlooked by traditional DNS enumeration methods. Its strength lies in its ability to quickly gather a broad list of potential targets, which can then be fed into other tools for further analysis, such as port scanning, HTTP probing, or vulnerability scanning. assetfinder is highly valued for its speed and simplicity, making it an essential first step in many attack surface discovery workflows.

CAVEATS

assetfinder relies on publicly available data sources, meaning it might not discover all internal or private assets of a target. It can generate a large volume of results, which often requires further filtering and processing using other command-line tools. An active internet connection is mandatory for its operation as it queries external services. The `--wafs` and `--wapps` options may increase the execution time.
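The filtering step mentioned above can be done with a small shell function. This is an added example, not part of assetfinder or of the original page: it normalises a hostname list and keeps only names under one apex domain. The names filter_in_scope and sample_hosts are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: normalise and scope-filter hostname lists such as assetfinder
# output. filter_in_scope and sample_hosts are hypothetical helper names.

# filter_in_scope APEX: read one hostname per line on stdin and print the
# unique, cleaned names that are APEX itself or a subdomain of it.
filter_in_scope() {
    awk -v apex="$1" '
    BEGIN { apex = tolower(apex); m = length(apex) }
    {
        host = tolower($1)
        sub(/\r$/, "", host)      # tolerate CRLF input
        sub(/^\*\./, "", host)    # wildcard certificate names (*.dev.example.com)
        sub(/\.$/, "", host)      # trailing root dot
        if (host == "") next
        # drop anything that is not built from valid hostname labels
        if (host !~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)*$/) next
        # compare on a label boundary so notexample.com is not treated as in scope
        n = length(host)
        if (host != apex && (n <= m + 1 || substr(host, n - m) != ("." apex))) next
        if (!seen[host]++) print host
    }' | LC_ALL=C sort
}

# Constructed sample input: duplicates, mixed case, a wildcard entry, a trailing
# dot, look-alike and related domains, and one malformed line.
sample_hosts() {
    cat <<'EOF'
www.example.com
WWW.Example.com
*.dev.example.com
api.example.com.
example.com
notexample.com
example.com.cdn.example.net
ex%ample.example.com

mail.example.com
EOF
}

# Real use: assetfinder --subs-only example.com | filter_in_scope example.com
sample_hosts | filter_in_scope example.com
```

The suffix comparison is the part a plain grep for the domain gets wrong: it would also keep notexample.com and example.com.cdn.example.net.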

PIPING WITH OTHER TOOLS

One of assetfinder's most powerful features is its ability to integrate with other command-line tools through piping. For example, to find all subdomains and then check their HTTP/S status, you can use:

    assetfinder example.com | httpx -silent

INPUT FROM STANDARD INPUT

assetfinder can also read a list of domains from standard input, allowing you to process multiple targets efficiently. This is useful when you have a file containing a list of domains:

    cat domains.txt | assetfinder --subs-only

HISTORY

assetfinder was created by TomNomNom (Tom Hudson), a well-known figure in the cybersecurity community recognized for developing efficient and straightforward command-line tools for penetration testing and bug bounty hunting. Written in Go, its development was motivated by the need for a fast, reliable, and passive subdomain discovery tool that aggregates data from various public sources. It quickly gained significant popularity within the bug bounty and red teaming communities due to its effectiveness and its seamless integration into automated reconnaissance workflows, often piped with other tools like httpx or nuclei.

SEE ALSO

subfinder(1), amass(1), findomain(1), dnsenum(1), httpx(1), nuclei(1)
