assetfinder is a Go-based tool to find related domains and subdomains that are potentially related to a given domain from a variety of sources including Facebook, ThreatCrowd, Virustotal and more.
assetfinder uses a variety of sources including those in the infosec space and social networks which can give relevant info:
- crt.sh
- certspotter
- hackertarget
- threatcrowd
- wayback machine
- dns.bufferover.run
- facebook – Needs FB_APP_ID and FB_APP_SECRET environment variables set (https://developers.facebook.com/) and you need to be careful with your app’s rate limits
- virustotal – Needs VT_API_KEY environment variable set (https://developers.virustotal.com/reference)
- findsubdomains – Needs SPYSE_API_TOKEN environment variable set (the free version always gives the first response page, and you also get “25 unlimited requests”) — (https://spyse.com/apidocs)
Sources to be implemented:
- http://api.passivetotal.org/api/docs/
- https://community.riskiq.com/ (?)
- https://riddler.io/
- http://www.dnsdb.org/
- https://certdb.com/api-documentation
Usage of assetfinder to Find Related Domains and Subdomains
The usage is very simple with only one option basically, to limit the search to subdomains only – by default it will scan for all associated domains and subdomains.
1 |
assetfinder [--subs-only] <domain> |
Installing assetfinder to Find Related Domains and Subdomains
If you have Go installed and configured (i.e. with $GOPATH/bin
in your $PATH
):
1 |
go get -u github.com/tomnomnom/assetfinder |
Another similar and recent tool that uses many of these sources and more and is also worth checking out is The OWASP Amass Project- DNS Enumeration, Attack Surface Mapping & External Asset Discovery.
You can download assetfinder here:
Source: assetfinder-master.zip
Linux: assetfinder-linux-386-0.1.1.tgz
Windows: assetfinder-windows-386-0.1.1.zip
Or read more here.