assetfinder Cheatsheet
Type: Simple, lightweight subdomain finder using multiple passive data sources — ideal for quick recon
Installation
go install github.com/tomnomnom/assetfinder@latest
# Binary ends up in ~/go/bin/assetfinder
# Or download pre-built binary
wget https://github.com/tomnomnom/assetfinder/releases/latest/download/assetfinder-linux-amd64.tgz
tar xf assetfinder-linux-amd64.tgz
mv assetfinder /usr/local/bin/
Basic Usage
assetfinder <domain>
assetfinder example.com
Flags
| Flag | Description |
|---|---|
| --subs-only | Show only subdomains (filter out related domains / TLD variants) |
Common Commands
# All results (subdomains + related domains)
assetfinder example.com
# Subdomains only (most common usage)
assetfinder --subs-only example.com
# Save to file
assetfinder --subs-only example.com > subdomains.txt
# Multiple domains from stdin
cat domains.txt | xargs -I{} assetfinder --subs-only {}
# Pipe into other tools
assetfinder --subs-only example.com | httprobe # Check live hosts
assetfinder --subs-only example.com | sort -u # Deduplicate
Data Sources Used
crt.sh (Certificate transparency logs)
certspotter (SSL cert monitoring)
hackertarget (Passive DNS)
threatcrowd (Threat intelligence)
wayback (Wayback Machine / archive.org)
dnsdumpster (DNS recon service)
facebook CT (Facebook certificate transparency)
virustotal (Passive DNS)
findsubdomains.com
Pipeline Examples
# Find subdomains → probe for live web servers → save
assetfinder --subs-only example.com | httprobe | tee live_hosts.txt
# Find subdomains → resolve to IPs
assetfinder --subs-only example.com | \
xargs -I{} dig +short {} | grep -v "^$" | sort -u
# Find subdomains → run nmap on live ones
# (httprobe prints one URL per responding scheme, so deduplicate hosts first)
assetfinder --subs-only example.com | \
httprobe | sed 's/https\?:\/\///' | sort -u | \
xargs -I{} nmap -p 80,443 {}
# Combine with other tools for coverage
(assetfinder --subs-only example.com; \
subfinder -d example.com -silent; \
amass enum -passive -d example.com) | sort -u > all_subs.txt
Notes
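- Passive only — assetfinder itself does not brute force DNS or make queries to the target; the httprobe, dig and nmap stages in the pipelines above do generate traffic to the target's hosts or DNS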
- Fast and lightweight — great first pass before heavier tools
- No API keys needed for most sources (some may be rate-limited)
- Output may contain duplicates — always pipe through sort -u
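An added example, not part of assetfinder or the original cheatsheet: plain sort -u treats WWW.example.com, www.example.com and api.example.com. as three different names and keeps out-of-scope hosts, so this shell snippet normalises merged output before deduplicating and then diffs it against a previous inventory. The function names normalize_subs, new_subs and sample_merged, and the sample hostnames, are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of assetfinder. All function names are hypothetical.

# normalize_subs ROOT: read hostnames on stdin, print the unique in-scope set.
# Lowercases, strips CRs, surrounding whitespace, a leading "*." (wildcard
# certificate entries) and a trailing dot, then keeps only ROOT and names
# that end in ".ROOT".
normalize_subs() {
    root=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr 'A-Z' 'a-z' | tr -d '\r' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/^\*\.//' -e 's/\.$//' |
    awk -v root="$root" '
        $0 == root { print; next }
        length($0) > length(root) + 1 &&
        substr($0, length($0) - length(root)) == "." root &&
        $0 ~ /^[a-z0-9._-]+$/ { print }
    ' | LC_ALL=C sort -u
}

# new_subs BASELINE CURRENT: names in CURRENT that are missing from BASELINE.
# Both files must already be normalize_subs output (sorted, unique).
new_subs() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Constructed sample of merged tool output (not real data).
sample_merged() {
    cat <<'EOF'
WWW.example.com
www.example.com
*.dev.example.com
api.example.com.
notexample.com
example.com.evil.test
mail.example.com
EOF
}

# Demo: seven raw lines collapse to four in-scope hostnames.
sample_merged | normalize_subs example.com
```

In the merge pipeline above, replace the final sort -u with normalize_subs example.com, and run new_subs against yesterday's file to see which names appeared since the last inventory.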