Assetfinder

Assetfinder finds related domains and subdomains by querying certificate transparency logs. It’s fast, accurate, and relies on publicly available certificate data.

Installation

From Binary

# Linux/macOS
wget https://github.com/tomnomnom/assetfinder/releases/latest/download/assetfinder-linux-amd64
mv assetfinder-linux-amd64 assetfinder
chmod +x assetfinder
sudo mv assetfinder /usr/local/bin/

# macOS with Homebrew
brew install assetfinder

# Go install
go install github.com/tomnomnom/assetfinder@latest

Verify Installation

assetfinder --version
assetfinder -h

Basic Usage

Command	Description
assetfinder example.com	Find domains/subdomains
assetfinder -subs-only example.com	Only subdomains
assetfinder example.com | wc -l	Count results
assetfinder example.com | sort -u	Unique only
assetfinder example.com > domains.txt	Save to file

Asset Discovery

Basic Domain Enumeration

# Find all related domains and subdomains
assetfinder example.com

# Only subdomains (exclude root domain)
assetfinder -subs-only example.com

# Save results
assetfinder -subs-only example.com > subdomains.txt

# Get unique results
assetfinder example.com | sort -u

# Count findings
assetfinder example.com | wc -l

# Show verbose progress
assetfinder -v example.com

Multiple Targets

# Process list of domains
cat domains.txt | while read domain; do
  assetfinder $domain
done

# Combine and deduplicate
for domain in example.com test.com sample.org; do
  assetfinder $domain
done | sort -u > all_domains.txt

# Process in parallel
cat domains.txt | parallel assetfinder | sort -u

Advanced Techniques

OSINT Reconnaissance

#!/bin/bash
# Complete asset discovery for target

TARGET="example.com"
OUTPUT_DIR="assets"
mkdir -p "$OUTPUT_DIR"

# Step 1: Find all related domains
echo "[*] Discovering related domains..."
assetfinder $TARGET | sort -u > "$OUTPUT_DIR/all_domains.txt"

# Step 2: Separate root domain from subdomains
grep "^$TARGET$" "$OUTPUT_DIR/all_domains.txt" > "$OUTPUT_DIR/root_domain.txt"
assetfinder -subs-only $TARGET | sort -u > "$OUTPUT_DIR/subdomains.txt"

# Step 3: Find parent domains
echo "[*] Identifying parent domains..."
grep -v "\.$TARGET$" "$OUTPUT_DIR/all_domains.txt" > "$OUTPUT_DIR/parent_domains.txt"

# Step 4: Find third-level domains
echo "[*] Identifying third-level domains..."
grep "^[^.]*\.[^.]*\.$TARGET$" "$OUTPUT_DIR/all_domains.txt" > "$OUTPUT_DIR/third_level.txt"

# Step 5: Summary
echo ""
echo "=== Asset Discovery Summary ==="
echo "Total assets: $(wc -l < $OUTPUT_DIR/all_domains.txt)"
echo "Subdomains: $(wc -l < $OUTPUT_DIR/subdomains.txt)"
echo "Root domain: $(wc -l < $OUTPUT_DIR/root_domain.txt)"
echo "Parent domains: $(wc -l < $OUTPUT_DIR/parent_domains.txt)"
echo "Third-level domains: $(wc -l < $OUTPUT_DIR/third_level.txt)"

Subdomain Pattern Analysis

#!/bin/bash
# Analyze subdomain patterns

SUBDOMAINS="subdomains.txt"

# Common prefixes
echo "=== Common Subdomain Prefixes ==="
cut -d. -f1 $SUBDOMAINS | sort | uniq -c | sort -rn | head -20

# API/Backend indicators
echo ""
echo "=== API/Backend Subdomains ==="
grep -E "(api|gateway|backend|service|rest|graphql)" $SUBDOMAINS

# Development indicators
echo ""
echo "=== Development/Testing ==="
grep -E "(dev|test|staging|qa|sandbox|internal)" $SUBDOMAINS

# Infrastructure indicators
echo ""
echo "=== Infrastructure ==="
grep -E "(cdn|lb|proxy|cache|static|media|assets)" $SUBDOMAINS

# Geographic indicators
echo ""
echo "=== Geographic/Regional ==="
grep -E "(us|eu|asia|uk|jp|cn|au)" $SUBDOMAINS

Integration with Other Tools

Chain with Assetfinder + Dig

#!/bin/bash
# Discover assets and resolve IPs

DOMAIN="example.com"

echo "Discovering assets..."
assetfinder -subs-only $DOMAIN > subdomains.txt

echo "Resolving to IP addresses..."
while IFS= read -r subdomain; do
  ip=$(dig +short $subdomain @8.8.8.8 | head -1)
  [ ! -z "$ip" ] && echo "$subdomain -> $ip"
done < subdomains.txt | tee assets_with_ips.txt

echo "Total resolved: $(grep -c ' -> ' assets_with_ips.txt)"

Chain with Assetfinder + HTTP Probing

#!/bin/bash
# Discover assets and probe for web servers

DOMAIN="example.com"

assetfinder -subs-only $DOMAIN | while read sub; do
  # Try HTTP
  status=$(timeout 2 curl -s -o /dev/null -w "%{http_code}" http://$sub 2>/dev/null)
  if [ ! -z "$status" ] && [ "$status" != "000" ]; then
    echo "$sub: HTTP-$status"
  fi

  # Try HTTPS
  status=$(timeout 2 curl -s -o /dev/null -w "%{http_code}" https://$sub 2>/dev/null)
  if [ ! -z "$status" ] && [ "$status" != "000" ]; then
    echo "$sub: HTTPS-$status"
  fi
done | tee live_assets.txt

Chain with Assetfinder + Screenshot

#!/bin/bash
# Discover assets and take screenshots (requires aquatone/similar)

DOMAIN="example.com"

assetfinder -subs-only $DOMAIN > subdomains.txt

# Filter for web servers
while IFS= read -r sub; do
  curl -s -o /dev/null -w "%{http_code}" http://$sub 2>/dev/null | grep -q "200\|301\|302" && echo $sub
done < subdomains.txt > web_domains.txt

# Take screenshots (if aquatone installed)
cat web_domains.txt | aquatone

Large-Scale Enumeration

#!/bin/bash
# Enumerate multiple organizations

DOMAINS=(
  "google.com"
  "microsoft.com"
  "apple.com"
  "amazon.com"
)

RESULTS_DIR="enumeration_results"
mkdir -p "$RESULTS_DIR"

for domain in "${DOMAINS[@]}"; do
  echo "[*] Processing $domain..."

  # Discover assets
  assetfinder $domain | sort -u > "$RESULTS_DIR/$domain.txt"

  # Count results
  count=$(wc -l < "$RESULTS_DIR/$domain.txt")
  echo "  Found: $count assets"

  # Get unique subdomains
  assetfinder -subs-only $domain | sort -u > "$RESULTS_DIR/${domain}_subs.txt"
done

# Create summary
echo "=== Enumeration Summary ===" > "$RESULTS_DIR/SUMMARY.txt"
for file in "$RESULTS_DIR"/*.txt; do
  filename=$(basename "$file")
  count=$(wc -l < "$file")
  echo "$filename: $count" >> "$RESULTS_DIR/SUMMARY.txt"
done

echo "[+] Results saved to $RESULTS_DIR/"

Filtering & Analysis

Filter by Domain Type

#!/bin/bash
# Classify discovered assets

DOMAINS="domains.txt"

# Company/organization
echo "=== Primary Domains ==="
grep -E "^[a-z0-9-]+\.[a-z]{2,}$" $DOMAINS

# Subdomains only
echo ""
echo "=== Subdomains ==="
grep "\." $DOMAINS | grep -v "^[a-z0-9-]*\.[a-z]{2,}$"

# Multi-level subdomains
echo ""
echo "=== Multi-level Subdomains ==="
awk -F. '{print NF-1}' $DOMAINS | awk '$1 > 1' RS=" " | sort -u

# Count by TLD
echo ""
echo "=== By TLD ==="
sed 's/.*\.\([a-z]*\)$/\1/' $DOMAINS | sort | uniq -c | sort -rn

Find Interesting Patterns

#!/bin/bash
# Identify potentially valuable subdomains

DOMAINS="domains.txt"

# Administrative interfaces
echo "=== Admin/Control Panel Indicators ==="
grep -iE "(admin|dashboard|control|panel|manage)" $DOMAINS

# Development/Testing environments
echo ""
echo "=== Development Environments ==="
grep -iE "(dev|test|staging|qa|sandbox|beta)" $DOMAINS

# API endpoints
echo ""
echo "=== API Indicators ==="
grep -iE "(api|gateway|rest|graphql|service)" $DOMAINS

# Backup/Archive
echo ""
echo "=== Backup/Archive Indicators ==="
grep -iE "(backup|archive|old|legacy|archive)" $DOMAINS

# Network infrastructure
echo ""
echo "=== Infrastructure Indicators ==="
grep -iE "(vpn|proxy|lb|cache|cdn|mail)" $DOMAINS

Deduplication & Data Cleaning

Remove Duplicates

# Simple deduplication
sort -u domains.txt > unique_domains.txt

# With count
sort | uniq -c | sort -rn

# Find duplicates
sort domains.txt | uniq -d

# Case-insensitive deduplication
tr '[:upper:]' '[:lower:]' < domains.txt | sort -u

Filter Out Known Domains

#!/bin/bash
# Remove common/well-known domains

DOMAINS="all_domains.txt"
COMMON="common_domains.txt"

# Create list of common domains to exclude
cat > common.txt << 'EOF'
google.com
cloudflare.com
amazon.com
microsoft.com
facebook.com
twitter.com
github.com
EOF

# Remove common from results
grep -vFf common.txt $DOMAINS > filtered_domains.txt

echo "Original: $(wc -l < $DOMAINS)"
echo "Filtered: $(wc -l < filtered_domains.txt)"

Export & Reporting

Generate Report

#!/bin/bash
# Create formatted report

DOMAIN="example.com"
TIMESTAMP=$(date +%Y-%m-%d)
REPORT="assetfinder_report_${DOMAIN}_${TIMESTAMP}.txt"

cat > $REPORT << EOF
=== ASSETFINDER ENUMERATION REPORT ===
Domain: $DOMAIN
Date: $TIMESTAMP
Tool: assetfinder (github.com/tomnomnom/assetfinder)

=== SUMMARY ===
EOF

TOTAL=$(assetfinder $DOMAIN | wc -l)
SUBS=$(assetfinder -subs-only $DOMAIN | wc -l)

cat >> $REPORT << EOF
Total Assets Found: $TOTAL
Subdomains: $SUBS
Root Domain: 1

=== ASSETS ===
EOF

assetfinder $DOMAIN | sort -u >> $REPORT

echo "[+] Report saved to $REPORT"
cat $REPORT

CSV Export

#!/bin/bash
# Export findings as CSV

DOMAIN="example.com"
OUTPUT="assets.csv"

echo "domain,type,discovered_at" > $OUTPUT

assetfinder $DOMAIN | while read asset; do
  if [ "$asset" = "$DOMAIN" ]; then
    type="root"
  else
    type="subdomain"
  fi
  echo "$asset,$type,$(date -I)" >> $OUTPUT
done

echo "[+] Exported to $OUTPUT"

Performance Tips

• Assetfinder is fast (typically <5 seconds per domain)
• No rate limiting issues as it uses public certificate logs
• Can safely run many queries in parallel:

# Parallel processing
cat domains.txt | parallel assetfinder | sort -u > all_assets.txt

# Or with xargs
cat domains.txt | xargs -P 5 -I {} assetfinder {} | sort -u

Common Patterns

Organization Asset Discovery

# For all common TLDs
for tld in com org net io dev; do
  assetfinder example.$tld
done | sort -u

Related Company Discovery

# Find parent company assets
assetfinder company.com | grep -v "^company\.com$" | grep -oE "^[^.]+\.[^.]+$" | sort -u

Resources

• Assetfinder GitHub
• Certificate Transparency Logs
• OSINT Recon Tools

---

Last updated: 2026-03-30