---
title: "Passive reconnaissance — OSINT"
domain: security
subdomain: pentest
phase: 01-recon
type: snippet
tags: [osint, reconnaissance, passive, pentest, google-dorks, shodan, whois]
difficulty: beginner
status: stable
updated: "2025-05-10"
---
## Objectives

Collect as much public information as possible about the target **without generating traffic to its systems**.

<Tip>Legal and risk-free phase. The more you collect here, the less you fumble in the active phases.</Tip>

## DNS & WHOIS

```bash vars=TARGET_DOMAIN,OUTPUT_DIR
# WHOIS
whois {{TARGET_DOMAIN}} | tee {{OUTPUT_DIR}}/whois.txt

# DNS records (ANY is often refused by modern resolvers, so ask for each type explicitly)
dig {{TARGET_DOMAIN}} ANY
dig {{TARGET_DOMAIN}} A
dig {{TARGET_DOMAIN}} MX
dig {{TARGET_DOMAIN}} NS
dig {{TARGET_DOMAIN}} TXT

# Zone transfer attempt against each authoritative NS (only works if misconfigured).
# This talks directly to the target's nameservers, so it is no longer strictly passive.
for ns in $(dig +short NS {{TARGET_DOMAIN}}); do
  dig AXFR {{TARGET_DOMAIN}} @"$ns"
done

# Alternative lookups (host / nslookup); for DNS *history* use SecurityTrails, see resources below
host {{TARGET_DOMAIN}}
nslookup -type=any {{TARGET_DOMAIN}}
```

## Subdomains

```bash vars=TARGET_DOMAIN,OUTPUT_DIR
# Subfinder (passive sources only)
subfinder -d {{TARGET_DOMAIN}} -o {{OUTPUT_DIR}}/subdomains.txt -silent

# Amass (passive mode)
amass enum -passive -d {{TARGET_DOMAIN}} -o {{OUTPUT_DIR}}/amass-subs.txt

# theHarvester (the shodan source needs an API key in its api-keys.yaml)
theHarvester -d {{TARGET_DOMAIN}} -b google,bing,crtsh,shodan -f {{OUTPUT_DIR}}/harvester

# Certificate Transparency (crt.sh): name_value can hold several names separated by
# newlines and "*." wildcards, so strip the wildcard prefix before deduplicating
curl -s "https://crt.sh/?q=%25.{{TARGET_DOMAIN}}&output=json" \
  | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u > {{OUTPUT_DIR}}/crt-subs.txt
```
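Added example (not from the original snippet): the three sources above overlap, and crt.sh entries carry wildcards, trailing dots and mixed case, so what you actually want in the output directory is one normalized, in-scope list. The script assumes raw names arrive one per line on stdin and that the apex domain is passed as the first argument; both sample lists are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original snippet): merge the raw output of several
# passive sources (subfinder, amass, crt.sh) into one normalized, in-scope inventory.
# Assumptions: one name per line on stdin; crt.sh name_value entries may carry "*."
# wildcards and trailing dots; the apex domain is given as the first argument.
# The sample lists below are constructed for the demo.

normalize_subdomains() {
  # Usage: normalize_subdomains <apex-domain>   (raw names on stdin)
  # Lowercase, trim whitespace, strip "*." wildcard prefixes and trailing dots,
  # keep only names inside the apex domain, then deduplicate.
  apex_re=$(printf '%s' "$1" | sed 's/\./\\./g')
  tr 'A-Z' 'a-z' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^\*\.//' -e 's/\.$//' \
    | grep -E "^([a-z0-9-]+\.)*${apex_re}\$" \
    | sort -u
}

# Constructed sample: what crt.sh's name_value column can look like
CRTSH_SAMPLE='*.example.com
www.example.com
mail.example.com
*.dev.example.com'

# Constructed sample: what a subfinder run can return (mixed case, trailing dot,
# an unrelated domain, and an out-of-scope lookalike that must be dropped)
SUBFINDER_SAMPLE='WWW.example.com
vpn.example.com.
api.example.com
notexample.com
api.example.com.evil.test'

build_inventory() {
  # Merge both samples for the apex example.com
  # (real use: cat subdomains.txt amass-subs.txt crt-subs.txt | normalize_subdomains <apex>)
  printf '%s\n%s\n' "$CRTSH_SAMPLE" "$SUBFINDER_SAMPLE" | normalize_subdomains example.com
}

inventory_count() {
  build_inventory | wc -l | tr -d ' '
}

build_inventory
```

The in-scope filter is the important part: passive sources happily return lookalike domains and names from other registrants, and carrying those into the active phases means touching systems outside the engagement's scope.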

## Google Dorks

```bash vars=TARGET_DOMAIN
# Search-engine queries, not shell commands: paste them into the search box.
# Parenthesise OR groups so the site: filter applies to every alternative.

# Full index of the domain
site:{{TARGET_DOMAIN}}

# Subdomains
site:*.{{TARGET_DOMAIN}}

# Exposed sensitive files
site:{{TARGET_DOMAIN}} (ext:pdf OR ext:xlsx OR ext:docx OR ext:sql)
site:{{TARGET_DOMAIN}} (ext:env OR ext:bak OR ext:config OR ext:ini)

# Login pages
site:{{TARGET_DOMAIN}} (intitle:"login" OR intitle:"admin" OR inurl:"/admin")

# Errors and information disclosure
site:{{TARGET_DOMAIN}} (intext:"error" OR intext:"warning" OR intext:"stack trace")

# Leaked credentials
site:{{TARGET_DOMAIN}} (intext:"password" OR intext:"passwd" OR intext:"credential")

# Cameras / IoT
intitle:"webcam" site:{{TARGET_DOMAIN}}
```

## Shodan

```bash vars=TARGET_DOMAIN,TARGET
# One-time CLI setup (every query below goes to Shodan's API, never to the target)
shodan init YOUR_API_KEY

# Search by hostname
shodan search "hostname:{{TARGET_DOMAIN}}"
shodan domain {{TARGET_DOMAIN}}

# Search by IP / organisation (org: expects the organisation name as Shodan records it, not the domain)
shodan host {{TARGET}}
shodan search "org:{{TARGET_DOMAIN}}"

# Specific services
shodan search "hostname:{{TARGET_DOMAIN}} port:22"
shodan search "hostname:{{TARGET_DOMAIN}} http.title:admin"
```

## Emails & People

```bash vars=TARGET_DOMAIN,OUTPUT_DIR
# theHarvester for email addresses (the hunter source needs an API key in api-keys.yaml)
theHarvester -d {{TARGET_DOMAIN}} -b google,linkedin,hunter -f {{OUTPUT_DIR}}/emails

# Hunter.io (API)
curl -s "https://api.hunter.io/v2/domain-search?domain={{TARGET_DOMAIN}}&api_key=YOUR_KEY" | jq .

# Manual LinkedIn search (search-engine queries, not shell commands)
# site:linkedin.com "{{TARGET_DOMAIN}}"
# site:linkedin.com/in "{{TARGET_DOMAIN}}" ("IT" OR "security" OR "admin" OR "network")
```

## Technologies

```bash vars=TARGET_DOMAIN
# WhatWeb and Wappalyzer send HTTP requests to the target: run them only once active
# interaction is in scope, or stick to the web services below to stay passive
whatweb {{TARGET_DOMAIN}} -v

# Wappalyzer CLI (expects a full URL)
wappalyzer https://{{TARGET_DOMAIN}}

# BuiltWith (web)
# https://builtwith.com/{{TARGET_DOMAIN}}

# Netcraft (web)
# https://sitereport.netcraft.com/?url={{TARGET_DOMAIN}}
```

## GitHub / Code leaks

```bash vars=TARGET_DOMAIN,OUTPUT_DIR
# GitHub search (manual, search-engine queries)
# site:github.com "{{TARGET_DOMAIN}}"
# site:github.com "{{TARGET_DOMAIN}}" password
# site:github.com "{{TARGET_DOMAIN}}" secret

# Gitleaks on a cloned repo
gitleaks detect --source ./repo --report-format json --report-path {{OUTPUT_DIR}}/gitleaks.json

# TruffleHog (--org takes the GitHub organisation name, which is not necessarily the domain)
trufflehog github --org={{TARGET_DOMAIN}} --token=YOUR_TOKEN
```
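Added example (not from the original snippet, and not gitleaks' or trufflehog's own rule set): what a secret scanner flags, reduced to three grep rules run over a constructed config file so it works offline. Useful for sanity-checking your own repos before a stray commit becomes findable through the GitHub queries above. The rules and the sample values are assumptions for the demo; the AWS key id is AWS's documented placeholder, not a live credential.

```shell
#!/bin/sh
# Added example (not part of the original snippet): a minimal grep-based secret scan
# of the kind gitleaks and trufflehog automate, run over a constructed sample file.
# The three rules and the sample values are assumptions for the demo; the AWS key id
# is AWS's documented placeholder, not a live credential.

AWS_KEY_RE='AKIA[0-9A-Z]{16}'
CRED_RE="(password|passwd|secret|api_key|token)[[:space:]]*[=:][[:space:]]*[\"'][^\"']{4,}[\"']"
PRIV_KEY_RE='-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----'

scan_for_secrets() {
  # Usage: scan_for_secrets <file>   prints one "rule:line:content" per hit
  f="$1"
  grep -nE -e "$AWS_KEY_RE" "$f" | sed 's/^/aws-access-key-id:/'
  grep -niE -e "$CRED_RE" "$f" | sed 's/^/hardcoded-credential:/'
  grep -nE -e "$PRIV_KEY_RE" "$f" | sed 's/^/private-key-block:/'
  return 0
}

finding_count() {
  # Number of hits for a file, as a bare integer
  scan_for_secrets "$1" | wc -l | tr -d ' '
}

# Constructed sample: a config file accidentally committed to a repo.
# Line 9 mentions "password" in prose and must NOT be flagged.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
DB_HOST=db.internal.example.com
DB_PASSWORD="s3cr3t-value"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
API_TOKEN = 'abcd1234efgh'
LOG_LEVEL=info
-----BEGIN RSA PRIVATE KEY-----
MIIEconstructedDemoOnlyNotARealKey
-----END RSA PRIVATE KEY-----
PUBLIC_NOTE="password reset goes to /reset"
EOF

scan_for_secrets "$SAMPLE_FILE"
```

Real scanners add entropy checks and hundreds of vendor-specific patterns, but the shape is the same: a keyword or prefix rule, a quoted-value rule, and a PEM header rule cover most of what ends up in public repos, and the false-positive case on the last sample line shows why the value part of the rule matters.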

<Checklist
  title="Passive recon checklist"
  storageKey="pentest-recon-passive"
  items={[
    { id: "whois", label: "WHOIS for domain and IPs" },
    { id: "dns", label: "DNS enumeration (A, MX, NS, TXT, AXFR)" },
    { id: "subdomains", label: "Subdomains (subfinder, amass, crt.sh)" },
    { id: "dorks", label: "Google Dorks — sensitive files and login pages" },
    { id: "shodan", label: "Shodan — exposed services" },
    { id: "emails", label: "Email and employee collection (theHarvester)" },
    { id: "tech", label: "Technology fingerprinting (whatweb)" },
    { id: "github", label: "GitHub / code leaks (gitleaks)" },
    { id: "wayback", label: "Wayback Machine — old pages", note: "https://web.archive.org/web/*/TARGET_DOMAIN" },
    { id: "pastebin", label: "Pastebin / HaveIBeenPwned search" },
    { id: "report", label: "Summary in the recon report", critical: true }
  ]}
/>

## OSINT resources

| Tool | Use | URL |
|------|-----|-----|
| Shodan | Exposed services | shodan.io |
| crt.sh | TLS/SSL certificates | crt.sh |
| VirusTotal | IP/domain relationships | virustotal.com |
| SecurityTrails | DNS history | securitytrails.com |
| Censys | ASN, certificates | censys.io |
| HIBP | Breach data | haveibeenpwned.com |
| Wayback | Archived pages | web.archive.org |
