Subdomain Enumeration – Recon part 2

Inspired by part two of


  • Set up your VPS server.
  • Subdomain enumeration

Set up your VPS server

To enumerate the subdomains of a target, the easiest way is programmatic automation.

First of all, we need a Linux-based operating system, such as the Kali Linux distribution, which can be run as a virtual machine with VMware on Windows.

My recommendation, however, is to buy a cheap VPS; the provider doesn't matter. In my case, I chose a VPS running Ubuntu 20.04.

Once we have SSH access to the VPS, we must install Go. We must go to the page and locate the download of the "tar.gz" file for Linux. In my case, I downloaded version 1.18.3; a newer version may be available by the time you read this entry.

The commands to download and install Go are as follows:

wget
tar -xvf go1.18.3.linux-amd64.tar.gz
sudo mv go /usr/local
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
source ~/.profile

To check that Go is installed correctly, run the command "go version" in the terminal. You will get something like the following:

go version go1.18.3 linux/amd64

Passive subdomain enumeration

The tools to be used would be the following:


To install the Go version, run the following command.

go install -v

If you have problems with the installation due to the version of Go, I recommend using version 1.18.3 as it is compatible with Amass.

You can also install Amass via Docker or by downloading the binary from releases. For more information, see its official GitHub repository.

To passively enumerate subdomains with Amass use the following command.

amass enum --passive -d


Since this tool has not been updated since 2020, it is likely to have installation problems.

You need to download the Go files and install directly from these files.

wget
unzip -d assetfinder
cd assetfinder/
cd assetfinder-0.1.1/
go env -w GO111MODULE=auto

Now run the tool with the following command to perform subdomain enumeration.

assetfinder --subs-only



go install -v


subfinder -d

The next two tools are optional, but they're pretty cool too.


This tool is very interesting because it uses different services for enumeration of subdomains, and it is compatible with Windows and Linux.

As the name implies, it allows you to get subdomains of projects hosted in public GitHub repositories. You just need to set the token.
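
Amass, assetfinder and subfinder each print one hostname per line, so their results have to be merged before they are useful. The following is an added example, not part of the original post: a shell function that combines saved output files, normalises the names and keeps only hosts at or under the target domain. The file names and the example.com hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example: merge hostname lists (one name per line) from several tools,
# normalise them, and keep only names inside the target domain.
# Usage: merge_subdomains DOMAIN FILE...
merge_subdomains() {
    domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    shift
    awk -v d="$domain" '
    {
        line = tolower($0)
        gsub(/[ \t\r]+$/, "", line)      # trailing blanks and CR from CRLF files
        sub(/^[ \t]+/, "", line)         # leading blanks
        sub(/^\*\./, "", line)           # "*.dev.example.com" -> "dev.example.com"
        sub(/\.$/, "", line)             # trailing dot of a fully qualified name
        # Skip empty lines and anything that is not a plain hostname.
        if (line !~ /^[a-z0-9_]([a-z0-9_.-]*[a-z0-9])?$/) next
        # Scope check: the domain itself, or a name ending in "." + domain.
        # A bare suffix match would wrongly accept "notexample.com".
        suffix = "." d
        n = length(line); m = length(suffix)
        if (line == d || (n > m && substr(line, n - m + 1) == suffix)) print line
    }' "$@" | LC_ALL=C sort -u
}

# Demo on constructed sample data (file names and hosts are made up).
demo() {
    tmp=$(mktemp -d)
    printf 'www.example.com\napi.example.com\nAPI.Example.com.\n' > "$tmp/amass.txt"
    printf 'example.com\nnotexample.com\ncdn.example.com.evil.net\n*.dev.example.com\n' > "$tmp/assetfinder.txt"
    printf 'api.example.com\r\nmail.example.com\n' > "$tmp/subfinder.txt"
    merge_subdomains example.com "$tmp"/*.txt
    rm -rf "$tmp"
}
demo
```

The dot-anchored suffix check is what keeps look-alike hosts such as notexample.com or cdn.example.com.evil.net out of the list, so later steps only touch names that belong to the domain you are authorised to assess.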
