# Passive Reconnaissance — OSINT

Collecting information without any direct interaction with the target

snippet · beginner · 2025-05-10 · 3 min read

Tags: osint, reconnaissance, passive, pentest, google-dorks, shodan, whois
## Objectives

Collect as much public information as possible about the target without generating any traffic toward its systems.

💡 Tip — This phase is legal and carries no risk. The more you collect here, the less you fumble around in the active phases.
## DNS & WHOIS

```bash
# Variables: {{TARGET_DOMAIN}}, {{OUTPUT_DIR}}

# WHOIS
whois {{TARGET_DOMAIN}} | tee {{OUTPUT_DIR}}/whois.txt

# DNS records
dig {{TARGET_DOMAIN}} ANY   # many resolvers refuse ANY (RFC 8482); use the per-type queries below
dig {{TARGET_DOMAIN}} A
dig {{TARGET_DOMAIN}} MX
dig {{TARGET_DOMAIN}} NS
dig {{TARGET_DOMAIN}} TXT

# Zone transfer (only works if the name server is misconfigured).
# Note: this talks to the target's authoritative server directly, so it is not passive.
dig {{TARGET_DOMAIN}} AXFR @ns1.{{TARGET_DOMAIN}}

# DNS history
host {{TARGET_DOMAIN}}
nslookup -type=any {{TARGET_DOMAIN}}
```
## Subdomains

```bash
# Variables: {{TARGET_DOMAIN}}, {{OUTPUT_DIR}}

# Subfinder (passive)
subfinder -d {{TARGET_DOMAIN}} -o {{OUTPUT_DIR}}/subdomains.txt -silent

# Amass (passive)
amass enum -passive -d {{TARGET_DOMAIN}} -o {{OUTPUT_DIR}}/amass-subs.txt

# theHarvester (sources are comma-separated)
theHarvester -d {{TARGET_DOMAIN}} -b google,bing,crtsh,shodan -f {{OUTPUT_DIR}}/harvester

# Certificate Transparency (crt.sh)
curl -s "https://crt.sh/?q=%25.{{TARGET_DOMAIN}}&output=json" | jq -r '.[].name_value' | sort -u > {{OUTPUT_DIR}}/crt-subs.txt
```
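The crt.sh one-liner above returns raw certificate names, which is noisier than it looks: one entry can hold several names on separate lines, wildcards and mixed case are common, and a certificate matched through one SAN can carry SANs for unrelated domains. The following Python version is an added example (not part of the original snippet) that does the same extraction with that clean-up, using a constructed sample of crt.sh output for `example.com`; the `new_names` helper shows the defender's use of the same data, spotting certificates issued for your domain that you did not expect.

```python
"""Normalise crt.sh JSON into a clean, in-scope subdomain list (added example)."""
import json

# Constructed sample of what crt.sh/?q=%25.example.com&output=json can return.
# One certificate may list several names separated by newlines; SANs can be
# wildcards, mixed case, or names that are not under the target domain at all.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Sample CA", "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Sample CA", "name_value": "*.Dev.EXAMPLE.com"},
    {"issuer_name": "C=US, O=Sample CA", "name_value": "mail.example.com\nstatic.cdn-provider.net"},
    {"issuer_name": "C=US, O=Sample CA", "name_value": "notexample.com"},
    {"issuer_name": "C=US, O=Sample CA", "name_value": "www.example.com"},
])


def in_scope(name: str, domain: str) -> bool:
    """True for the apex domain itself or any name below it ('notexample.com' is not)."""
    return name == domain or name.endswith("." + domain)


def crtsh_subdomains(raw_json: str, domain: str) -> list[str]:
    """Equivalent of `jq -r '.[].name_value' | sort -u`, plus the clean-up the
    one-liner skips: split multi-name entries, lowercase, drop the wildcard
    prefix and discard SANs that belong to other domains."""
    domain = domain.lower().rstrip(".")
    names = set()
    for entry in json.loads(raw_json):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # '*.dev.example.com' -> 'dev.example.com'
            if name and in_scope(name, domain):
                names.add(name)
    return sorted(names)


def new_names(previous: list[str], current: list[str]) -> list[str]:
    """Names that appeared since the last run: certificates issued for your
    domain that the asset inventory may not know about."""
    return sorted(set(current) - set(previous))


if __name__ == "__main__":
    subs = crtsh_subdomains(SAMPLE_CRTSH_JSON, "example.com")
    print("\n".join(subs))
    print("new since last run:", new_names(["example.com", "www.example.com"], subs))
```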
## Google Dorks

```bash
# Variables: {{TARGET_DOMAIN}}
# These are search queries to paste into Google, not shell commands.

# Full index of the domain
site:{{TARGET_DOMAIN}}

# Subdomains
site:*.{{TARGET_DOMAIN}}

# Exposed sensitive files
site:{{TARGET_DOMAIN}} ext:pdf OR ext:xlsx OR ext:docx OR ext:sql
site:{{TARGET_DOMAIN}} ext:env OR ext:bak OR ext:config OR ext:ini

# Login pages
site:{{TARGET_DOMAIN}} intitle:"login" OR intitle:"admin" OR inurl:"/admin"

# Errors and info disclosure
site:{{TARGET_DOMAIN}} intext:"error" OR intext:"warning" OR intext:"stack trace"

# Leaked credentials
site:{{TARGET_DOMAIN}} intext:"password" OR intext:"passwd" OR intext:"credential"

# Cameras / IoT
intitle:"webcam" site:{{TARGET_DOMAIN}}
```
## Shodan

```bash
# Variables: {{TARGET_DOMAIN}}, {{TARGET}} (an IP address)

# Search by domain
shodan search "hostname:{{TARGET_DOMAIN}}"

# Search by IP / organisation
shodan host {{TARGET}}
shodan search "org:{{TARGET_DOMAIN}}"

# Specific services
shodan search "hostname:{{TARGET_DOMAIN}} port:22"
shodan search "hostname:{{TARGET_DOMAIN}} http.title:admin"

# With the shodan CLI (init must be run once before any of the searches above)
shodan init YOUR_API_KEY
shodan domain {{TARGET_DOMAIN}}
```
## Emails & People

```bash
# Variables: {{TARGET_DOMAIN}}, {{OUTPUT_DIR}}

# theHarvester for emails
theHarvester -d {{TARGET_DOMAIN}} -b google,linkedin,hunter -f {{OUTPUT_DIR}}/emails

# Hunter.io (API)
curl "https://api.hunter.io/v2/domain-search?domain={{TARGET_DOMAIN}}&api_key=YOUR_KEY"

# Manual LinkedIn search (Google queries, not shell commands)
site:linkedin.com "{{TARGET_DOMAIN}}"
site:linkedin.com/in "{{TARGET_DOMAIN}}" "IT" OR "security" OR "admin" OR "network"
```
## Technologies

```bash
# Variables: {{TARGET_DOMAIN}}
# Note: whatweb and wappalyzer fetch the target site themselves (that is active,
# not passive); the two web services further down answer from their own
# previously collected data.

# WhatWeb
whatweb {{TARGET_DOMAIN}} -v

# Wappalyzer CLI
wappalyzer {{TARGET_DOMAIN}}

# BuiltWith (web)
# https://builtwith.com/{{TARGET_DOMAIN}}

# Netcraft (web)
# https://sitereport.netcraft.com/?url={{TARGET_DOMAIN}}
```
## GitHub / Code leaks

```bash
# Variables: {{TARGET_DOMAIN}}, {{OUTPUT_DIR}}

# GitHub search (manual, via Google)
# site:github.com "{{TARGET_DOMAIN}}"
# site:github.com "{{TARGET_DOMAIN}}" password
# site:github.com "{{TARGET_DOMAIN}}" secret

# Gitleaks on a cloned repository
gitleaks detect --source /repo --report-path {{OUTPUT_DIR}}/gitleaks.json

# TruffleHog (--org takes the GitHub organisation name, which may differ from the domain)
trufflehog github --org={{TARGET_DOMAIN}} --token=YOUR_TOKEN
```
## OSINT Resources

| Tool | Use | URL |
|------|-----|-----|
| Shodan | Exposed services | shodan.io |
| crt.sh | SSL certificates | crt.sh |
| VirusTotal | IP/domain relations | virustotal.com |
| SecurityTrails | DNS history | securitytrails.com |
| Censys | ASN, certificates | censys.io |
| HIBP | Breach data | haveibeenpwned.com |
| Wayback | Archived pages | web.archive.org |