theHarvester is always a great choice and a personal tool I regularly use during the recon phase of penetration tests. Let's take a look at how to set up and use theHarvester.
theHarvester is a tool for gathering subdomain names, e-mail addresses, virtual hosts, open ports/banners, and employee names from many public sources such as search engines, PGP key servers, and more.
Sources are passive scanning, active scanning, and modules.
Once theHarvester has been downloaded it is ready to use right away, but a few additions are needed to get the most out of the tool.
- Ensure the Python requests library is installed. You can install it with pip:
  pip install requests
- Add your googleCSE and Shodan API keys to the configuration files located in
Let's take a quick look at the --help output before diving into the mechanics.
Usage: theharvester options
  -d: Domain to search or company name
  -b: data source: baidu, bing, bingapi, dogpile, google, googleCSE, googleplus, google-profiles, linkedin, pgp, twitter, vhost, virustotal, threatcrowd, crtsh, netcraft, yahoo, all
  -s: Start in result number X (default: 0)
  -v: Verify host name via dns resolution and search for virtual hosts
  -f: Save the results into an HTML and XML file (both)
  -n: Perform a DNS reverse query on all ranges discovered
  -c: Perform a DNS brute force for the domain name
  -t: Perform a DNS TLD expansion discovery
  -e: Use this DNS server
  -l: Limit the number of results to work with(bing goes from 50 to 50 results, google 100 to 100, and pgp doesn't use this option)
  -h: use SHODAN database to query discovered hosts
Examples:
  theharvester -d microsoft.com -l 500 -b google -h myresults.html
  theharvester -d microsoft.com -b pgp
  theharvester -d microsoft -l 200 -b linkedin
  theharvester -d apple.com -b googleCSE -l 500 -s 300
theHarvester is a very simple tool to use and needs very few arguments to return results. Let's take a look at some examples.
To search the domain google.com using all available data sources, issue the following command:
theharvester -d google.com -b all
Given how large Google's domain space is and how many e-mail addresses you would harvest from it, you can cap the results with the -l option. To get only 100 results back, issue the following command:
theharvester -d google.com -b all -l 100
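As an added example (not code from the post or from the theHarvester project), the Python script below filters a report saved with -f down to the target domain, since search-engine sources return plenty of third-party noise that should not end up in a scope list. The XML layout it expects is an assumption based on older theHarvester releases, and the sample report is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample report; assumed layout of what
# "theharvester -d example.com -b all -f out" writes (not captured from the tool)
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?><theHarvester>
<email>alice@example.com</email><email>bob@example.com</email>
<email>alice@example.com</email><email>spam@other.org</email>
<host><ip>192.0.2.10</ip><hostname>www.example.com</hostname></host>
<host>mail.example.com</host>
<host><ip>198.51.100.7</ip><hostname>cdn.partner.net</hostname></host>
<vhost>intranet.example.com</vhost>
</theHarvester>"""


def parse_report(xml_text, domain):
    """Return (emails, hosts) scoped to `domain`, deduplicated.

    emails: sorted list of addresses at the target domain.
    hosts:  dict hostname -> ip (None when the report carried no address).
    Anything outside the target domain is dropped so the output can be
    handed straight to the next recon step or to a scope review.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    domain = domain.lower()
    suffix = "." + domain
    emails = set()
    hosts = {}
    for e in root.iter("email"):
        addr = (e.text or "").strip().lower()
        if addr.endswith("@" + domain):
            emails.add(addr)
    # <host> may be bare text or carry <ip>/<hostname> children; <vhost> is bare text
    for h in list(root.iter("host")) + list(root.iter("vhost")):
        name_el = h.find("hostname")
        ip_el = h.find("ip")
        name = (name_el.text if name_el is not None else (h.text or "")).strip().lower()
        ip = ip_el.text.strip() if ip_el is not None and ip_el.text else None
        if name == domain or name.endswith(suffix):
            hosts[name] = hosts.get(name) or ip  # keep the first ip seen for a name
    return sorted(emails), hosts


if __name__ == "__main__":
    found_emails, found_hosts = parse_report(SAMPLE_XML, "example.com")
    print("emails:", found_emails)
    print("hosts:", found_hosts)
```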
The tool is open source and freely available on GitHub!