---
title: "Reconnaissance active — Enum sous-domaines & infra"
domain: security
subdomain: pentest
phase: 01-recon
type: snippet
tags: [recon, subfinder, amass, theHarvester, active, pentest]
difficulty: beginner
status: stable
updated: "2025-05-10"
---
## Subdomain enumeration

### Subfinder

```bash
# Simple enumeration
subfinder -d {{TARGET_DOMAIN}} -o subdomains.txt

# With DNS resolution (keep only names that resolve; -r expects a resolver list, not a switch)
subfinder -d {{TARGET_DOMAIN}} -nW -o subdomains-resolved.txt

# With all sources
subfinder -d {{TARGET_DOMAIN}} -all -o subdomains-all.txt
```

### Amass

```bash
# Passive mode (no brute force)
amass enum -passive -d {{TARGET_DOMAIN}} -o amass-passive.txt

# Active mode
amass enum -active -d {{TARGET_DOMAIN}} -o amass-active.txt

# Intelligence (WHOIS, ASN, etc.)
amass intel -d {{TARGET_DOMAIN}} -whois
```

### Assetfinder

```bash
assetfinder --subs-only {{TARGET_DOMAIN}} | tee assetfinder.txt
```

### Combined + deduplication

```bash
cat subdomains.txt amass-passive.txt assetfinder.txt | sort -u > all-subs.txt
wc -l all-subs.txt
```

### Mass resolution

```bash
# massdns (simple output format, A records)
massdns -r /opt/massdns/lists/resolvers.txt -t A -o S all-subs.txt > resolved.txt

# dnsx
cat all-subs.txt | dnsx -silent -o live-subs.txt
```

## Email and contact collection

### theHarvester

```bash
# Search for emails, subdomains, IPs
theHarvester -d {{TARGET_DOMAIN}} -b all -l 500 -f results.html

# Specific sources
theHarvester -d {{TARGET_DOMAIN}} -b google,linkedin,dnsdumpster
```

### Hunter.io (manual)

```bash
# Via API
curl "https://api.hunter.io/v2/domain-search?domain={{TARGET_DOMAIN}}&api_key={{HUNTER_API_KEY}}" | jq '.data.emails[].value'
```

## Infrastructure mapping

### Shodan

```bash
# Via CLI
shodan search "org:{{TARGET_ORG}}" --fields ip_str,port,org

# Hostnames for an IP
shodan host {{TARGET_IP}}

# Useful filters
shodan search "hostname:{{TARGET_DOMAIN}} port:22"
shodan search "ssl.cert.subject.CN:{{TARGET_DOMAIN}}"
```

### Censys

```bash
# Host search by domain (the CLI flag is --index-type, not --index)
censys search "{{TARGET_DOMAIN}}" --index-type hosts

# ASN
censys search "autonomous_system.name: {{TARGET_ORG}}" --index-type hosts
```

### Certificate Transparency (crt.sh)

```bash
# %25 is a URL-encoded '%', the crt.sh wildcard; drop wildcard certificate names (*.domain)
curl -s "https://crt.sh/?q=%25.{{TARGET_DOMAIN}}&output=json" | \
  jq -r '.[].name_value' | sort -u | grep -v '^\*\.'
```
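A plain `sort -u` over the merged tool outputs (see "Combined + deduplication" above) still keeps duplicates that differ only by case, trailing dot or a `*.` wildcard prefix, and keeps out-of-scope names that merely end in the same letters (e.g. `notexample.com`). The following added example, not part of the original cheat sheet, normalizes and scope-filters such a list with only `tr`, `sed`, `awk` and `sort`; the sample input is constructed and the function name `normalize_subs` is this example's own.

```bash
#!/usr/bin/env bash
# normalize_subs <apex-domain>
# Reads hostnames on stdin (one per line, as emitted by subfinder, amass,
# assetfinder or the crt.sh jq pipeline) and prints a sorted, deduplicated
# list of in-scope names: lower-cased, trimmed, trailing dot and leading
# "*." removed, and restricted to the apex itself or "<something>.<apex>".
normalize_subs() {
  local apex
  apex=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  tr 'A-Z' 'a-z' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e 's/\.$//' -e 's/^\*\.//' \
    | awk -v apex="$apex" '
        NF == 0 { next }
        # keep the apex and anything whose suffix is ".<apex>" (not "notexample.com")
        $0 == apex || substr($0, length($0) - length(apex)) == "." apex
      ' \
    | sort -u
}

# Constructed sample input mimicking mixed tool output. Real usage:
#   cat subdomains.txt amass-passive.txt assetfinder.txt crtsh.txt \
#     | normalize_subs example.com > all-subs.txt
sample_merge() {
  printf '%s\n' \
    'WWW.Example.com' \
    'www.example.com.' \
    '*.api.example.com' \
    'api.example.com' \
    'example.com' \
    'notexample.com' \
    'mail.example.com ' \
    '' \
    | normalize_subs example.com
}

sample_merge
```

Feed the resulting list to massdns or dnsx as in the "Mass resolution" section; wildcard entries are dropped because they are certificate names, not resolvable hosts.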

## Technologies and stack

### WhatWeb

```bash
whatweb http://{{TARGET}} -a 3 -v
```

### Wappalyzer CLI

```bash
wappalyzer http://{{TARGET}}
```

### Wafw00f (WAF detection)

```bash
wafw00f http://{{TARGET}}
```

### HTTP headers

```bash
# Fingerprint headers only (-I sends a HEAD request)
curl -sI http://{{TARGET}} | grep -iE 'server|x-powered-by|x-aspnet'
```

## ASN & IP ranges

```bash
# Routes announced by an ASN (RADb); look the ASN up first, e.g. on bgp.he.net
whois -h whois.radb.net -- '-i origin AS{{ASN}}' | grep "^route:" | awk '{print $2}'

# Via amass
amass intel -asn {{ASN}}

# List the prefixes of an ASN with nmap (prerule script, no target needed)
nmap --script targets-asn --script-args targets-asn.asn={{ASN}}
```

<Tip>
Start with passive reconnaissance (no interaction with the target). Move to active reconnaissance only after the scope has been validated and written authorization obtained.
</Tip>
