This Bash script uses assetfinder to gather subdomains for a given domain and then filters the results to only include subdomains belonging to the target domain. It is a useful tool for initial reconnaissance during penetration testing or OSINT activities.
- Automatically creates necessary directories to organize results
- Gathers subdomains related to a given domain using
assetfinder - Filters out-of-scope results to keep only the subdomains that belong to the target domain
- Provides a final count of found subdomains
Make sure you have Go installed and have assetfinder installed via Go. You can install it using the following command:
go install github.com/tomnomnom/assetfinder@latest- Clone the repository or download the script
git clone https://github.com/CloudyKhan/subdomain-finder.git- Navigate to the folder with the script
cd subdomain-finder- Make it executable
chmod +x subdomain-finder.shRun the script by providing the domain you want to enumerate subdomains for:
./subdomain-finder.sh <domain>The script will do the following:
Create a directory for the domain.
Use assetfinder to gather subdomains related to the domain.
Filter the results to ensure only in-scope subdomains (those directly under the target domain) are included.
Output the total number of subdomains found and save the results in a file called final.txt.
The filtered list of subdomains will be saved in:
<domain>/recon/final.txt