Assetfinder Cheat Sheet

Find domains and subdomains related to a given domain using passive sources (Tom Hudson).

Reconnaissance & OSINTosintpassivesubdomainUpdated 2026-06-02

Overview

Assetfinder returns hostnames related to a target domain by querying passive sources (crt.sh, various APIs when configured). Lightweight and ideal for chaining in shell one-liners with other enum tools.

Authorized testing only. Queries passive intelligence sources; ensure target domain is in scope for the engagement or bug bounty program.

Install

go install github.com/tomnomnom/assetfinder@latest

assetfinder --help

Essential commands

Subdomains for domain

assetfinder target.example.com

Include parent domain in output

assetfinder --subs-only target.example.com

Multiple domains

cat domains.txt | assetfinder --subs-only

Common workflows

Merge with subfinder / amass —

subfinder -d target.example.com -silent

assetfinder --subs-only target.example.com

amass enum -passive -d target.example.com

} | sort -u | httpx -silent -o live.txt

Scope filter (manual) —

assetfinder target.example.com | grep '\.target\.example\.com$' | tee subs.txt

Flags reference

`--subs-only`	Subdomains only (exclude parent)
`(stdin)`	Pass domains one per line

Tips

Set API-related env vars if using extended sources (see project README).
Very fast—use as first pass before heavier amass enum.
Always dedupe and verify ownership before scanning (httpx, nuclei).
Does not replace active DNS brute force for hidden names.