AssetFinder: A Handy Subdomain and Domain Discovery Tool

SecurityTrails Blog - A podcast by SecurityTrails


Note: The audio version doesn't include code or commands. Those parts of the post can be seen in the text version.

IP and DNS intelligence gathering has become a critical part of any organization's cybersecurity outlook. The process of discovering "what service is hosted where" can prevent most common causes of security-related incidents. Things like outdated installs, abandoned installations and in-development software running on publicly accessible domains are a major source of such incidents.

Domain and especially subdomain discovery is a critical skill for hackers, security researchers and pentesters. Therefore, using different recon strategies and software is essential, no matter if you are a beginner or an infosec veteran.

Today we will introduce you to a handy tool we discovered recently, called Asset Finder.

What is Asset Finder?

Asset Finder is an open source project aimed at simplifying information gathering for subdomains and domains of an organization. Asset Finder leverages many publicly available data sources to help you during your asset discovery process.

It does so by building a list of subdomains related to a domain, sourced from popular data sources such as crt.sh, certspotter, HackerTarget, Threat Crowd, Wayback Machine and more, all of which give Asset Finder multiple data sources to fetch data from.

Asset Finder installation

Installing Asset Finder is pretty straightforward. This solid tool provides pre-compiled binaries for multiple operating system platforms including Darwin (OSX), Windows, FreeBSD and Linux, along with the ability to also compile a build of Asset Finder straight from source.

To grab the latest build binaries available, head over to. At the time of this article, Asset Finder v0.1.1 is the latest available version, which is the version we'll use in our guide below.
To begin with, download Asset Finder with the following command:

Next, extract the file:

To verify if Asset Finder runs fine on your system, run the command:

This should then give you the following output:

Testing and Results

Using Asset Finder is quite easy. It utilizes the following command syntax:

For example, to find both subdomains and domains associated with GE.com, use:

If you wish to find only the subdomains associated with GE.com, use:

Popular Asset Finder alternatives

Asset Finder can certainly help during your reconnaissance process, but if you ever feel this tool comes up short for your domain and subdomain gathering needs, you can always rely on other DNS discovery apps and tools. Let's now explore the leading Asset Finder alternatives.

DNS Map

DNS Map is a popular tool that's frequently included in the Kali Linux operating system toolkit, relying on built-in word lists to map and list subdomains belonging to a domain.

To install DNS Map, execute the following commands:

Using DNS Map:

Replace domain.com with the domain for which you're seeking subdomains. For example:

Subfinder

Subfinder is another popular Asset Finder alternative, which allows you to find and list subdomains associated with a domain.

Installing Subfinder is easy: you just need to download the latest release of Subfinder from GitHub:

At the time of this writing, the latest version is 2.4.8:

Extract the downloaded archive:

The syntax to run Subfinder is as follows:

For example:

SecurityTrails API

The SecurityTrails API allows you to perform information gathering and asset discovery tasks with ease. As seen with the tools detailed above, most rely on 3rd-party datasets and inbuilt wordlists. And while these tools may cover most of your attack surface, a single undetected asset can lead to serious security implications. One single undetected and vulnerable domain or subdomain in your organization can lead to further intrusions.
Another notable advantage of the SecurityTrails API is its ability to filter out inactive subdomains, since larger organizations frequently create multiple subdomains while deploying web applications that are still being tested. F...
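
The merge step described under "What is Asset Finder?" (one list built from several data sources) and the subdomains-only mode from "Testing and Results" can be sketched in Go, the language Asset Finder is written in. This is an added example, not code from the original post or from the Asset Finder project; the source names, the sample records and the `Merge`, `normalize` and `inScope` functions are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// normalize lowercases a raw name and strips wildcard and trailing-dot forms.
func normalize(raw string) string {
	n := strings.TrimPrefix(strings.ToLower(strings.TrimSpace(raw)), "*.")
	return strings.TrimSuffix(n, ".")
}

// inScope accepts the apex (unless subsOnly) or a name ending in "."+apex; the dot rejects "notexample.com".
func inScope(name, apex string, subsOnly bool) bool {
	return (name == apex && !subsOnly) || strings.HasSuffix(name, "."+apex)
}

// Merge de-duplicates raw per-source records into a sorted list of names.
func Merge(apex string, subsOnly bool, results map[string][]string) []string {
	apex = normalize(apex)
	seen := map[string]bool{}
	for _, records := range results {
		for _, rec := range records {
			for _, raw := range strings.Fields(rec) { // a record may hold several names
				if n := normalize(raw); inScope(n, apex, subsOnly) {
					seen[n] = true
				}
			}
		}
	}
	out := make([]string, 0, len(seen))
	for n := range seen {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

// Constructed sample data with hypothetical source names, not real service output.
var sample = map[string][]string{
	"source-a": {"*.example.com", "www.example.com\nmail.example.com", "notexample.com"},
	"source-b": {"WWW.Example.com.", "dev.example.com", "example.com.attacker.test"},
}

func main() {
	fmt.Println(Merge("example.com", false, sample)) // apex plus subdomains
	fmt.Println(Merge("example.com", true, sample))  // subdomains only
}
```

The scope check is the part that keeps an inventory honest: a plain suffix match on the apex would pull look-alike domains owned by someone else into the list.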
