Assetfinder Command List
Assetfinder Command Guide
Assetfinder is a simple yet powerful Go tool by TomNomNom used to find domains and subdomains related to a given domain. It leverages sources like Facebook, builtwith, and crt.sh.
Top 10 Useful Commands
1. Basic Usage
assetfinder example.com
Explanation: Finds subdomains for example.com and prints them to stdout.
2. Only Subdomains
assetfinder --subs-only example.com
Explanation: Filters out results that aren't strict subdomains (e.g., removes example.com itself if not desired, or unrelated domains).
3. Save to File
assetfinder example.com > domains.txt
Explanation: Redirects the output to a file for later use.
4. Combo with Httprobe
assetfinder example.com | httprobe
Explanation: Pipes found domains into httprobe to see which ones actually have running web servers.
5. Combo with Subjack
assetfinder example.com | subjack -w fingerprints.json -t 100 -ssl
Explanation: Pipes domains to subjack to checking for subdomain takeover vulnerabilities.
6. Unique Sort
assetfinder example.com | sort -u
Explanation: Ensures no duplicate domains are listed.
7. Recursive Hunting
echo example.com | assetfinder | tee -a domains.txt
Explanation: Echo a domain into it (scripting friendly) and append to a file.
8. Find Related Domains
assetfinder example.com
Explanation: Sometimes finds related domains (not just subdomains) depending on the data source.
9. Silent Mode (Bash Scripting)
assetfinder example.com > /dev/null
Explanation: Assetfinder is silent by default (no banners), making it perfect for scripts.
10. API Keys (Environment)
export VIRUSTOTAL_API_KEY=xxx; assetfinder example.com
Explanation: Assetfinder automatically picks up API keys from environment variables for deeper searches.
The Most Powerful Command
assetfinder --subs-only example.com | sort -u | httprobe | tee alive_hosts.txt
Explanation: The "Recon Pipeline" starter: Finds unique subdomains, checks if they are alive (http/https), and saves the working list.