The process of discovering “what service is hosted where” can prevent most common causes of security-related incidents. Things like outdated installs, abandoned installations and in-development software running on publicly accessible domains are a major source of such attacks.
Domain and specially subdomain discovery is a critical skill for hackers, security researchers and pentesters. Therefore, using different recon strategies and software is essential, no matter if you are a beginner or an infosec veteran. Today we will introduce you to a handy tool we discovered recently, called AssetFinder.
What is AssetFinder?
AssetFinder is an open source project aimed at simplifying information gathering for subdomains and domains of an organization.
AssetFinder leverages many publicly available data sources to help you during your asset discovery process. It does so by building a list of subdomains related to a domain, sourced from popular data sources such as crt.sh, certspotter, HackerTarget, ThreatCrowd, Wayback Machine and more, all of which give AssetFinder multiple data sources to fetch data from.
Installing AssetFinder is pretty straightforward. This solid tool provides pre-compiled binaries for multiple operating system platforms including Darwin (OSX), Windows, FreeBSD and Linux, along with the ability to also compile a build of AssetFinder straight from source.
To grab the latest build binaries available, head over to https://github.com/tomnomnom/assetfinder/releases
At the time of this article, AssetFinder v0.1.1 is the latest available version, which is the version we’ll use in our guide below.
To begin with, download AssetFinder with the following command:
Next, extract the file:
tar -xf assetfinder-linux-amd64-0.1.1.tgz
To verify if AssetFinder runs fine on your system, run the command:
This should then give you the following output:
Usage of ./assetfinder: -subs-only Only include subdomains of search domain
Testing and Results
Using AssetFinder is quite easy. It utilizes the following command syntax:
./assetfinder [--subs-only] <domain>
For example, to find both subdomains and domains associated with GE.com, use:
root@Ubuntu ~ # ./assetfinder ge.com blizzard000.ge.com blizzard00.ge.com ns0.ge.com milan1-1.ge.com milan2-1.ge.com na2001.ge.com crpeomusanyca01.ge.com corpuwb01.ge.com consind01.ge.com blizzard01.ge.com .... ... ..
If you wish to find only the subdomains associated with GE.com, use:
root@Ubuntu ~ # ./assetfinder --subs-only ge.com blizzard00.ge.com ns0.ge.com na2001.ge.com corpuwb01.ge.com blizzard01.ge.com lmindobedge1.ge.com lmcnqhdedge1.ge.com lmbrspiedge1.ge.com namedge1.ge.com lmdkjupedge1.ge.com .... ... ..
Popular AssetFinder alternatives
AssetFinder can certainly help during your reconnaissance process, but if you ever feel this tool comes up short for your domain and subdomain gathering needs, you can always rely on other DNS discovery apps and tools as well. Let’s now explore the leading AssetFinder alternatives.
DNSMap is a popular tool that’s frequently included in the Kali Linux operating system toolkit, relying on built-in wordlists to map and list subdomains belonging to a domain.
To install DNSMap execute the following commands:
apt install git gcc make git clone https://gitlab.com/kalilinux/packages/dnsmap cd dnsmap/ make
Replace domain.com with the domain for which you’re seeking subdomains.
root@home ~/dnsmap # ./dnsmap ge.com dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org) [+] searching (sub)domains for ge.com using built-in wordlist [+] using maximum random delay of 10 millisecond(s) between requests helpdesk.ge.com IP address #1: 188.8.131.52 ns.ge.com IP address #1: 184.108.40.206 ns0.ge.com IP address #1: 220.127.116.11 ns1.ge.com IP address #1: 18.104.22.168 ns2.ge.com IP address #1: 22.214.171.124 research.ge.com IP address #1: 126.96.36.199 sc.ge.com IP address #1: 188.8.131.52 IP address #2: 184.108.40.206 .... ...
Subfinder is another popular AssetFinder alternative, which allows you to find and list subdomains associated with a domain.
Installing Subfinder is easy, you just need to download the latest release of Subfinder from GitHub (https://github.com/projectdiscovery/subfinder/releases/)
At the time of this writing, the latest version is 2.4.8:
Extract the downloaded archive:
tar -xzvf subfinder_2.4.8_linux_amd64.tar.gz
The syntax to run Subfinder is as follows:
subfinder-linux-amd64 -d domain.com
root@home ~ # ./subfinder-linux-amd64 -d ge.com [WRN] Use with caution. You are responsible for your actions [WRN] Developers assume no liability and are not responsible for any misuse or damage. [WRN] By using subfinder, you also agree to the terms of the APIs used. [INF] Configuration file saved to /root/.config/subfinder/config.yaml [INF] Enumerating subdomains for ge.com blizzard00.ge.com ns0.ge.com na2001.ge.com corpuwb01.ge.com blizzard01.ge.com lmindobedge1.ge.com lmcnqhdedge1.ge.com lmbrspiedge1.ge.com namedge1.ge.com lmdkjupedge1.ge.com euredge1.ge.com webfarm1.ge.com milan1.ge.com ns1.ge.com supersearch.ge.com .... ...
The SecurityTrails™ API allows you to perform information gathering and asset discovery tasks with ease.
As seen with the tools detailed above, most rely on 3rd-party datasets and inbuilt wordlists. And while these tools may cover most of your attack surface, a single undetected asset can lead to serious security implications. One single undetected and vulnerable domain or subdomain in your organization can lead to further intrusions.
Another notable advantage of the SecurityTrails™ API is its ability to filter out inactive subdomains, as larger organizations frequently create multiple subdomains when working on/deploying web applications being tested. Filtering out inactive subdomains during the initial subdomain information gathering process can help reduce the time spent and the number of subdomains to check for.
Let’s take a look at the SecurityTrails™ API to list the subdomains of the domain “ge.com”:
curl --request GET \ --url 'https://api.securitytrails.com/v1/domain/ge.com/subdomains?children_only=true&include_inactive=false' \ --header 'APIKEY: YOUR-API-KEY-HERE' \ --header 'Accept: application/json'
(Replace, YOUR-API-KEY-HERE with your actual SecurityTrails™ API key)
The above API query calls the SecurityTrails™ API to fetch subdomains of the domain “ge.com” and only lists the active subdomains.
Listing only the active subdomains saves a lot of time when filtering for live subdomains. This is especially true when dealing with larger organizations where hundreds, if not thousands, of subdomains are seen.
If you wish to view inactive subdomains as well, include_inactive can be set to true as shown here:
curl --request GET \ --url 'https://api.securitytrails.com/v1/domain/ge.com/subdomains?children_only=true&include_inactive=true' \ --header 'APIKEY: YOUR-API-KEY-HERE' \ --header 'Accept: application/json'
Discovering and mapping domains and subdomains that belong to your organization is an essential part of your organization’s information gathering and security recon process.
In modern organizations, subdomains are frequently used during development and testing processes to emulate live/public environments. Combined with CI/CD software, this can leave teams with hundreds if not thousands of subdomains during a product’s testing lifecycle. And products being tested can have vulnerabilities that, if left publicly accessible via subdomains, can lead to security issues within your organization—allowing attackers to inject malicious code into your application.
While AssetFinder is a good start, if you need to enhance your recon process, using the SecurityTrails™ API will allow you to take your subdomain and domain discovery to the next level, as it allows you to filter and find your organization’s live subdomains. It’s an effective way to reduce your organization’s attack surface, by locating and shutting off unwanted subdomains left open to the public.
Using this powerful API also allows further integration with existing security processes and scripts, making detection and action on your organization’s unwanted subdomains a nearly automatic process.