Assetfinder – Find domains and subdomains related to a given domain

Approaching our target is very important while testing a web-based application. Suppose the scope of the target is large, then rather than testing the main domain every researcher should go with associated subdomains, as sometimes these subdomains can be vulnerable to many new vulnerabilities like XSS, SQL, CSRF, etc. So to get more number of related subdomains of your target, we need to have a strong and potential script that will automate our work and return a list of subdomains. So assetfinder is the tool that will help to get subdomains of our target. Assetfinder is a Golang language-based tool used to get potential subdomains of our target domain.

Note: As Assetfinder is a Golang language-based tool, so you need to have a Golang environment on your system. So check this link to install Golang in your system – How to Install Go Programming Language in Linux

Installation of Assetfinder Tool in Kali Linux

Step 1: If you have downloaded Golang in your system, verify the installation by checking the version of Golang, use the following command.

go version

Step 2: Get the Assetfinder repository or clone the Assetfinder tool from Github, use the following command.

sudo  go get -u github.com/tomnomnom/assetfinder

Step 3: Copy the Assetfinder tool in the bin directory so we can easily use the tool without running the tool manually by golang, use the following command.

sudo cp /root/go/bin/assetfinder /usr/local/go/bin/

Step 4: Check the help menu page to get a better understanding of the Assetfinder tool, use the following command.

assetfinder -h

Working with Assetfinder Tool

Example 1 :

assetfinder geeksforgeeks.org

In the below screenshot our target domain is geeksforgeeks.org we are trying to find the possible subdomains which are associated with the parent domain geeksforgeeks.org. No extra flags or tags are provided while scanning. So assetfinder will find all the domains + subdomains. 

Example 2: Only subdomains –subs-only

assetfinder --subs-only geeksforgeeks.org

In this example, the –subs-only tag is provided which has the meaning of finding only the subdomains of the inputted domain. In the below screenshot, we have passed the –subs-only with the geeksforgeeks.org domain, so assetfinder will only fetch the subdomains of geeksforgeeks.org. No associated domains will be retrieved.

Example 3: Only subdomains –subs-only on uber.com

assetfinder --subs-only uber.com

In this example, our target domain is uber.com and the –subs-only tag is provided which has the meaning of finding only the subdomains of the inputted domain. In the below screenshot, we have passed the –subs-only with the uber.com domain, so assetfinder will only fetch the subdomains of uber.com. No associated domains will be retrieved.

Example 4: Only subdomains –subs-only on tesla.com

assetfinder --subs-only tesla.com

In this example, our target domain is tesla.com and the –subs-only tag is provided which has the meaning of finding only the subdomains of the inputted domain. In the below screenshot, we have passed the –subs-only with the tesla.com domain, so assetfinder will only fetch the subdomains of tesla.com  No associated domains will be retrieved.

Assetfinder tool is the fastest tool to return the subdomains of the target domain. You can add this tool to your Web App Penetration Testing Toolkit.