assetfinder

Find subdomains and related assets

$ assetfinder [example.com]

$ assetfinder --subs-only [example.com]

assetfinder [--subs-only] domain

assetfinder discovers domains and subdomains related to a target organization. It queries various sources including certificate transparency logs, DNS databases, and web archives to find associated assets.
The tool is useful for reconnaissance in security assessments and for discovering an organization's external attack surface.

--subs-only

Only show subdomains

Target domain to investigate

Passive reconnaissance only; generates no traffic to target. Results depend on public data sources. May include old or inactive domains.

assetfinder was created by Tom Hudson (tomnomnom) as a fast, simple subdomain discovery tool for security reconnaissance.

amass(1), subfinder(1), findomain(1)