Reconnaissance using theHarvester


theHarvester is always a great choice, and a personal tool I regularly use during my recon phase of penetration tests. Let's take a look at how to use theHarvester and how to set it up.


theHarvester is a tool for gathering subdomain names, e-mail addresses, virtual
hosts, open ports/banners, and employee names from many public sources
such as search engines, PGP key servers, and more.

Its sources are grouped into passive scanning, active scanning, and modules.


Once theHarvester has been downloaded, it's good to use right away. To properly utilize the tool, a few additions are needed.

  1. Ensure the Python requests library is installed. You can install it with Python's pip tool: pip install requests
  2. Add your googleCSE and Shodan API keys to the configuration files located in /discovery/ & /discovery/


Let's take a quick look at the --help output before diving into the mechanics.

Usage: theharvester options 

       -d: Domain to search or company name
       -b: data source: baidu, bing, bingapi, dogpile, google, googleCSE,
                        googleplus, google-profiles, linkedin, pgp, twitter, vhost, 
                        virustotal, threatcrowd, crtsh, netcraft, yahoo, all

       -s: Start in result number X (default: 0)
       -v: Verify host name via dns resolution and search for virtual hosts
       -f: Save the results into an HTML and XML file (both)
       -n: Perform a DNS reverse query on all ranges discovered
       -c: Perform a DNS brute force for the domain name
       -t: Perform a DNS TLD expansion discovery
       -e: Use this DNS server
       -l: Limit the number of results to work with(bing goes from 50 to 50 results,
            google 100 to 100, and pgp doesn't use this option)
       -h: use SHODAN database to query discovered hosts

        theharvester -d -l 500 -b google -h myresults.html
        theharvester -d -b pgp
        theharvester -d microsoft -l 200 -b linkedin
        theharvester -d -b googleCSE -l 500 -s 300


theHarvester is a very simple tool to use and requires very few arguments to get results. Let's take a look at some examples.

To search the domain name using all available data sources, you would issue the following command: theharvester -d -b all. Knowing how huge the google domain space is, and how many emails you'd harvest from there, you can limit the results using the -l option. If you'd only like to get 100 results in return, you could issue the following command: theharvester -d -b all -l 100
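
Results pulled from every source with -b all come from public search data, so they usually need normalizing, de-duplicating and a scope check before they go into a report. The Python sketch below is an added example, not part of theHarvester or the original post; example.com, the sample items and the optional host:ip form are assumptions constructed for illustration.

```python
import re

# Constructed sample of harvested items (not real tool output).
# example.com is a placeholder; the "host:ip" form is an assumed input shape.
SAMPLE = [
    "Alice.Smith@example.com", "alice.smith@example.com",
    "bob@mail.example.com", "carol@example.com.evil.test",
    "www.example.com", "WWW.example.com.",
    "vpn.example.com:192.0.2.10", "notexample.com", "example.com",
]

EMAIL_RE = re.compile(r"^[a-z0-9._%+-]+@([a-z0-9.-]+)$")
HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def in_scope(host, domain):
    """True only for the domain itself or a real subdomain.

    Matching on a label boundary keeps look-alikes such as
    notexample.com or example.com.evil.test out of the results.
    """
    return host == domain or host.endswith("." + domain)


def triage(items, domain):
    """Split harvested items into in-scope emails, in-scope hosts, rejects."""
    domain = domain.lower().rstrip(".")
    emails, hosts, rejected = set(), set(), set()
    for raw in items:
        item = raw.strip().lower()
        match = EMAIL_RE.match(item)
        if match:
            host = match.group(1).rstrip(".")
            ok = HOST_RE.match(host) and in_scope(host, domain)
            (emails if ok else rejected).add(item)
            continue
        host = item.split(":", 1)[0].rstrip(".")  # drop optional ":ip" suffix
        ok = HOST_RE.match(host) and in_scope(host, domain)
        (hosts if ok else rejected).add(host)
    return sorted(emails), sorted(hosts), sorted(rejected)


if __name__ == "__main__":
    for label, found in zip(("emails", "hosts", "rejected"),
                            triage(SAMPLE, "example.com")):
        print(label, found)
```

The rejected list is worth reviewing by hand rather than discarding, since it shows which look-alike or third-party names the public sources associate with the domain.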


The tool is open source and freely available on GitHub!