AssetFinder: A Handy Subdomain and Domain Discovery Tool

The process of discovering “what service is hosted where” can prevent many of the most common causes of security incidents. Outdated installs, abandoned installations and in-development software running on publicly accessible domains are a major source of such incidents.

Domain and especially subdomain discovery is a critical skill for hackers, security researchers and pentesters. Using a variety of recon strategies and tools is therefore essential, whether you are a beginner or an infosec veteran. Today we will introduce you to a handy tool we discovered recently, called AssetFinder.

What is AssetFinder?

AssetFinder is an open source project aimed at simplifying information gathering for subdomains and domains of an organization.

AssetFinder builds a list of subdomains related to a domain by querying many publicly available data sources, among them crt.sh, certspotter, HackerTarget, ThreatCrowd and the Wayback Machine, so a single run draws on several independent datasets.

AssetFinder installation

Installing AssetFinder is straightforward. The project provides pre-compiled binaries for multiple platforms, including Darwin (OSX), Windows, FreeBSD and Linux, and AssetFinder can also be compiled from source.

To grab the latest build binaries available, head over to https://github.com/tomnomnom/assetfinder/releases

At the time of this article, AssetFinder v0.1.1 is the latest available version, which is the version we’ll use in our guide below.

To begin with, download AssetFinder with the following command:

wget https://github.com/tomnomnom/assetfinder/releases/download/v0.1.1/assetfinder-linux-amd64-0.1.1.tgz

Next, extract the file:

tar -xf assetfinder-linux-amd64-0.1.1.tgz

To verify if AssetFinder runs fine on your system, run the command:

./assetfinder --help

This should then give you the following output:

Usage of ./assetfinder:
  -subs-only
        Only include subdomains of search domain

Testing and Results

Using AssetFinder is quite easy. It utilizes the following command syntax:

./assetfinder [--subs-only] <domain>

For example, to find both subdomains and domains associated with GE.com, use:

root@Ubuntu ~ # ./assetfinder ge.com
blizzard000.ge.com
blizzard00.ge.com
ns0.ge.com
milan1-1.ge.com
milan2-1.ge.com
na2001.ge.com
crpeomusanyca01.ge.com
corpuwb01.ge.com
consind01.ge.com
blizzard01.ge.com
....
...
..

If you wish to find only the subdomains associated with GE.com, use:

root@Ubuntu ~ # ./assetfinder --subs-only ge.com
blizzard00.ge.com
ns0.ge.com
na2001.ge.com
corpuwb01.ge.com
blizzard01.ge.com
lmindobedge1.ge.com
lmcnqhdedge1.ge.com
lmbrspiedge1.ge.com
namedge1.ge.com
lmdkjupedge1.ge.com
....
...
..

AssetFinder can certainly help during your reconnaissance process, but if you ever feel this tool comes up short for your domain and subdomain gathering needs, you can always rely on other DNS discovery apps and tools as well. Let’s now explore the leading AssetFinder alternatives.

DNSMap

DNSMap is a popular tool that’s frequently included in the Kali Linux operating system toolkit, relying on built-in wordlists to map and list subdomains belonging to a domain.

To install DNSMap execute the following commands:

apt install git gcc make
git clone https://gitlab.com/kalilinux/packages/dnsmap
cd dnsmap/
make

Using DNSMap:

dnsmap domain.com

Replace domain.com with the domain for which you’re seeking subdomains.

For example:

root@home ~/dnsmap # ./dnsmap ge.com
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] searching (sub)domains for ge.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests

helpdesk.ge.com
IP address #1: 52.234.209.94

ns.ge.com
IP address #1: 156.154.67.6

ns0.ge.com
IP address #1: 65.90.203.194

ns1.ge.com
IP address #1: 156.154.68.6

ns2.ge.com
IP address #1: 156.154.69.6

research.ge.com
IP address #1: 192.35.44.9

sc.ge.com
IP address #1: 12.183.116.205
IP address #2: 8.29.116.205
....
...

Subfinder

Subfinder is another popular AssetFinder alternative, which allows you to find and list subdomains associated with a domain.

Installing Subfinder is easy: download the latest release of Subfinder from GitHub (https://github.com/projectdiscovery/subfinder/releases/).

At the time of this writing, the latest version is 2.4.8:

wget https://github.com/projectdiscovery/subfinder/releases/download/v2.4.8/subfinder_2.4.8_linux_amd64.tar.gz

Extract the downloaded archive:

tar -xzvf subfinder_2.4.8_linux_amd64.tar.gz

The syntax to run Subfinder is as follows:

subfinder-linux-amd64 -d domain.com

For example:

root@home ~ # ./subfinder-linux-amd64 -d ge.com
[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] By using subfinder, you also agree to the terms of the APIs used.
[INF] Configuration file saved to /root/.config/subfinder/config.yaml
[INF] Enumerating subdomains for ge.com
blizzard00.ge.com
ns0.ge.com
na2001.ge.com
corpuwb01.ge.com
blizzard01.ge.com
lmindobedge1.ge.com
lmcnqhdedge1.ge.com
lmbrspiedge1.ge.com
namedge1.ge.com
lmdkjupedge1.ge.com
euredge1.ge.com
webfarm1.ge.com
milan1.ge.com
ns1.ge.com
supersearch.ge.com
....
...
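The three tools above emit their findings in slightly different shapes (plain hostname lists for AssetFinder and Subfinder, hostname-plus-IP blocks for DNSMap), and only AssetFinder's --subs-only flag separates true subdomains from merely related names. The following added example, which is not code from the AssetFinder, DNSMap or Subfinder projects, merges such outputs into one normalized inventory, applies a subdomain-of-target test (a naive suffix check would wrongly accept notge.com), and lists the in-scope hosts missing from a hypothetical known-asset list, which is where a defender starts looking for forgotten installs. The sample outputs and the KNOWN_INVENTORY set are constructed for this example.

```python
"""Merge subdomain lists from several discovery tools and flag unknown hosts.

Added example, not part of the AssetFinder, DNSMap or Subfinder projects.
The sample outputs below are constructed to mirror the shapes shown in the
article; KNOWN_INVENTORY is a hypothetical defender-maintained asset list.
"""
import ipaddress
import re

# Constructed sample: assetfinder without --subs-only may also return related names.
ASSETFINDER_OUT = """\
blizzard00.ge.com
NS0.ge.com.
*.milan1-1.ge.com
notge.com
gecapital.example
"""

# Constructed sample: subfinder prints log lines before the hostnames.
SUBFINDER_OUT = """\
[INF] Enumerating subdomains for ge.com
blizzard00.ge.com
webfarm1.ge.com
supersearch.ge.com
"""

# Constructed sample: dnsmap prints a banner, then hostname / IP blocks.
DNSMAP_OUT = """\
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] searching (sub)domains for ge.com using built-in wordlist

helpdesk.ge.com
IP address #1: 52.234.209.94

sc.ge.com
IP address #1: 12.183.116.205
IP address #2: 8.29.116.205
"""

# Hypothetical list of hosts the organization knows about and expects to exist.
KNOWN_INVENTORY = {"ns0.ge.com", "webfarm1.ge.com", "helpdesk.ge.com"}

# A hostname is two or more DNS labels of letters, digits and inner hyphens.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOST_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def normalize_host(line):
    """Return a canonical lower-case FQDN, or None if the line is not a hostname."""
    token = line.strip().lower()
    if token.startswith("*."):
        token = token[2:]  # a wildcard name still tells us its parent exists
    token = token.rstrip(".")  # drop a trailing root dot
    if not HOST_RE.match(token):
        return None  # banners, [INF]/[+] log lines and "IP address #n:" lines
    try:
        ipaddress.ip_address(token)
        return None  # a bare IP address is not a hostname
    except ValueError:
        return token


def extract_hosts(*tool_outputs):
    """Union of normalized hostnames found in any number of raw tool outputs."""
    hosts = set()
    for text in tool_outputs:
        for line in text.splitlines():
            host = normalize_host(line)
            if host:
                hosts.add(host)
    return hosts


def is_subdomain_of(host, apex):
    """True only for names below apex; host.endswith(apex) alone would accept notge.com."""
    return host.endswith("." + apex.lower())


def triage(apex, known, *tool_outputs):
    """Split merged results into in-scope subdomains, related external names,
    and in-scope names missing from the known inventory (the ones to review)."""
    hosts = extract_hosts(*tool_outputs)
    in_scope = {h for h in hosts if is_subdomain_of(h, apex)}
    known_lower = {k.lower() for k in known}
    return {
        "in_scope": sorted(in_scope),
        "related": sorted(hosts - in_scope),
        "unknown": sorted(in_scope - known_lower),
    }


if __name__ == "__main__":
    result = triage("ge.com", KNOWN_INVENTORY, ASSETFINDER_OUT, SUBFINDER_OUT, DNSMAP_OUT)
    for bucket, names in result.items():
        print(f"{bucket} ({len(names)}):")
        for name in names:
            print("  " + name)
```

In practice the three constants would be replaced by the files each tool wrote (for example `assetfinder ge.com > af.txt`), and the "unknown" bucket is the list worth chasing down: each entry is either a host the inventory forgot or a host nobody meant to leave reachable.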

SecurityTrails™ API

The SecurityTrails™ API allows you to perform information gathering and asset discovery tasks with ease.

Most of the tools detailed above rely on third-party datasets and built-in wordlists. While they may cover most of your attack surface, a single undetected asset can have serious security implications: one undetected and vulnerable domain or subdomain in your organization can lead to further intrusions.

Another notable advantage of the SecurityTrails™ API is its ability to filter out inactive subdomains. Larger organizations frequently create many subdomains while developing, testing and deploying web applications, and filtering out the inactive ones during the initial information gathering step reduces both the time spent and the number of subdomains left to check.

Let’s take a look at the SecurityTrails™ API to list the subdomains of the domain “ge.com”:

curl --request GET \
  --url 'https://api.securitytrails.com/v1/domain/ge.com/subdomains?children_only=true&include_inactive=false' \
  --header 'APIKEY: YOUR-API-KEY-HERE' \
  --header 'Accept: application/json'

(Replace YOUR-API-KEY-HERE with your actual SecurityTrails™ API key.)

The above API query calls the SecurityTrails™ API to fetch subdomains of the domain “ge.com” and only lists the active subdomains.

Listing only the active subdomains saves a lot of time when filtering for live subdomains. This is especially true when dealing with larger organizations where hundreds, if not thousands, of subdomains are seen.

If you wish to view inactive subdomains as well, include_inactive can be set to true as shown here:

curl --request GET \
  --url 'https://api.securitytrails.com/v1/domain/ge.com/subdomains?children_only=true&include_inactive=true' \
  --header 'APIKEY: YOUR-API-KEY-HERE' \
  --header 'Accept: application/json'
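To run the same two queries from a script and compare their results, here is an added example in Python; it is not SecurityTrails' own client code. It builds the URL for either include_inactive setting, sends the APIKEY and Accept headers the curl calls use, joins the returned labels to the apex domain, and reports which names appear only when inactive records are included. The environment variable name SECURITYTRAILS_API_KEY is chosen for this example, and SAMPLE_ACTIVE and SAMPLE_ALL are constructed bodies following the response shape as understood here (subdomain labels returned without the apex), so the parsing step runs offline.

```python
"""Query the SecurityTrails subdomains endpoint and turn the result into FQDNs.

Added example, not SecurityTrails' own client code. The API key is read from
SECURITYTRAILS_API_KEY (an environment variable name chosen for this example).
The SAMPLE_* bodies are constructed to mirror the response shape as understood
here: a "subdomains" list of labels without the apex, plus a count.
"""
import json
import os
import urllib.parse
import urllib.request

API_BASE = "https://api.securitytrails.com/v1"

# Constructed sample bodies: one for include_inactive=false, one for =true.
SAMPLE_ACTIVE = json.dumps({
    "subdomain_count": 3,
    "subdomains": ["blizzard00", "ns0", "webfarm1"],
})
SAMPLE_ALL = json.dumps({
    "subdomain_count": 5,
    "subdomains": ["blizzard00", "ns0", "webfarm1", "old-staging", "demo2017"],
})


def build_url(apex, include_inactive=False, children_only=True):
    """Build the URL used by the two curl calls; booleans become 'true'/'false'."""
    query = urllib.parse.urlencode({
        "children_only": str(children_only).lower(),
        "include_inactive": str(include_inactive).lower(),
    })
    return f"{API_BASE}/domain/{urllib.parse.quote(apex)}/subdomains?{query}"


def to_fqdns(apex, body):
    """Join each returned label to the apex domain; sorted for stable diffs."""
    data = json.loads(body)
    return sorted(f"{label}.{apex}" for label in data.get("subdomains", []))


def inactive_only(active_fqdns, all_fqdns):
    """Names present only when include_inactive=true: candidates for DNS cleanup."""
    return sorted(set(all_fqdns) - set(active_fqdns))


def fetch_subdomains(apex, include_inactive=False, timeout=30):
    """Live call (needs network and a key); returns FQDNs for the chosen toggle."""
    key = os.environ.get("SECURITYTRAILS_API_KEY")
    if not key:
        raise SystemExit("set SECURITYTRAILS_API_KEY before running a live query")
    req = urllib.request.Request(
        build_url(apex, include_inactive),
        headers={"APIKEY": key, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return to_fqdns(apex, resp.read().decode())


if __name__ == "__main__":
    # Offline demonstration on the constructed bodies.
    active = to_fqdns("ge.com", SAMPLE_ACTIVE)
    everything = to_fqdns("ge.com", SAMPLE_ALL)
    print("active:", active)
    print("inactive only:", inactive_only(active, everything))
```

The inactive-only list is the practical payoff of the toggle: those are records still published in DNS that no longer answer, and pruning them is the "shutting off unwanted subdomains" step the summary below describes.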

Summary

Discovering and mapping domains and subdomains that belong to your organization is an essential part of your organization’s information gathering and security recon process.

In modern organizations, subdomains are frequently used during development and testing processes to emulate live/public environments. Combined with CI/CD software, this can leave teams with hundreds if not thousands of subdomains during a product’s testing lifecycle. And products being tested can have vulnerabilities that, if left publicly accessible via subdomains, can lead to security issues within your organization—allowing attackers to inject malicious code into your application.

While AssetFinder is a good start, if you need to enhance your recon process, using the SecurityTrails™ API will allow you to take your subdomain and domain discovery to the next level, as it allows you to filter and find your organization’s live subdomains. It’s an effective way to reduce your organization’s attack surface, by locating and shutting off unwanted subdomains left open to the public.

Using this powerful API also allows further integration with existing security processes and scripts, making detection and action on your organization’s unwanted subdomains a nearly automatic process.

Esteban Borges, Blog Author

Esteban is a seasoned security researcher and cybersecurity specialist with over 15 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.
