theHarvester is a classic Open Source Intelligence (OSINT) tool used during the reconnaissance phase of a penetration test. It is essentially an automated "gatherer": it queries public sources (search engines, PGP key servers, certificate-transparency and DNS aggregators, and social media) and collects email addresses, subdomains, hosts, employee names, and, via Shodan, open ports and banners related to a target domain.
Core Capabilities
- Passive Reconnaissance: By default it gathers data from third parties without ever touching the target's infrastructure, so the target sees nothing (the search engines and APIs you query do see your requests). Optional DNS brute-force and host-resolution modes do contact the target's name servers and are no longer passive.
- Domain Footprinting: By pulling subdomains from sources like Google, Bing, and Shodan, it helps you map out the target's external attack surface.
- Credential Prep: The email addresses it harvests become the username list for attacks such as AS-REP Roasting or Password Spraying; filter them to the target domain first, since search results also return unrelated addresses.
💻 Common Commands
Typical invocations (`-d` target domain, `-b` data source, `-l` result limit, `-f` output file):

| Command | Description |
|---|---|
| `theHarvester -d [domain] -l 500 -b google` | Basic Search: searches the first 500 results on Google for the target domain. |
| `theHarvester -d [domain] -b all` | The "Everything" Search: queries every data source the installed release supports (Bing, DuckDuckGo, certificate-transparency logs, etc.). |
| `theHarvester -d [domain] -b shodan` | Infrastructure Search: uses Shodan (API key required) to find open ports and banners for the domain's hosts. |
| `theHarvester -d [domain] -b google -f results` | Reporting: saves the output to a file for your engagement report. Older releases wrote HTML; current releases write `results.xml` and `results.json`. |

The set of source names changes between releases (some engines are dropped when they start blocking automated queries), so check `theHarvester -h` for the list your build accepts before scripting around it.
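The JSON file written by `-f` is the natural hand-off between harvesting and the credential-prep step above. The following post-processing script is an added example, not part of theHarvester itself: it reads a constructed sample in the shape of theHarvester's JSON output (the `emails`, `hosts` and `ips` keys and the `host:ip` host format are assumed from that output), drops addresses outside the target domain, de-duplicates case variants, and emits the bare-username and `DOMAIN\user` forms a spraying or AS-REP Roasting tool expects. The sample addresses and the `CORP` NetBIOS name are invented.

```python
import json
import re
from collections import OrderedDict

# Constructed sample in the shape of theHarvester's JSON output
# (written by `-f <name>` as <name>.json in current releases).
# Key names are assumed from that format; every value is invented.
SAMPLE_JSON = """
{
  "emails": ["Alice.Smith@example.com", "bob@example.com",
             "alice.smith@example.com", "webmaster@unrelated.org",
             "noreply@mail.example.com"],
  "hosts": ["www.example.com:93.184.216.34", "vpn.example.com",
            "mail.example.com:93.184.216.35"],
  "ips": ["93.184.216.34", "93.184.216.35"]
}
"""

# Loose syntactic check; addresses are lower-cased before matching.
EMAIL_RE = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$")


def in_scope(addr, domain):
    """True if the mailbox is on the target domain or one of its subdomains."""
    host = addr.rsplit("@", 1)[1]
    return host == domain or host.endswith("." + domain)


def harvest_usernames(raw_json, domain, netbios=None):
    """Return in-scope, de-duplicated emails plus username variants.

    Search engines return addresses from any site that mentions the
    domain, so everything not under `domain` is discarded. Order of
    first appearance is preserved so the list is stable across runs.
    """
    data = json.loads(raw_json)
    emails = OrderedDict()
    for addr in data.get("emails", []):
        addr = addr.strip().lower()
        if EMAIL_RE.match(addr) and in_scope(addr, domain):
            emails[addr] = None
    users = [e.split("@", 1)[0] for e in emails]
    result = {"emails": list(emails), "usernames": users}
    if netbios:
        # DOMAIN\user form for tools that authenticate against AD.
        result["domain_users"] = [f"{netbios}\\{u}" for u in users]
    return result


def harvest_hosts(raw_json):
    """Split 'host:ip' entries into (host, ip) pairs; ip is None when unresolved."""
    data = json.loads(raw_json)
    out = []
    for entry in data.get("hosts", []):
        host, _, ip = entry.partition(":")
        out.append((host.lower(), ip or None))
    return out


def write_lists(result, prefix="target"):
    """Write one name per line, ready for a spraying tool's -U/--users option."""
    for key, values in result.items():
        with open(f"{prefix}_{key}.txt", "w") as fh:
            fh.write("\n".join(values) + "\n")


if __name__ == "__main__":
    # Replace SAMPLE_JSON with open("results.json").read() on a real engagement.
    users = harvest_usernames(SAMPLE_JSON, "example.com", netbios="CORP")
    for email in users["emails"]:
        print(email)
    for host, ip in harvest_hosts(SAMPLE_JSON):
        print(host, ip or "(unresolved)")
    write_lists(users)
```

On the sample above, `webmaster@unrelated.org` is dropped, the two spellings of Alice's address collapse to one entry, and `noreply@mail.example.com` is kept because the subdomain check walks under `example.com`. Hosts without a resolved IP come back with `None` rather than an empty string, so a later scanning step can tell "unresolved" from "resolved to nothing".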
theHarvester
📝 Overview
What it is: A Python-based OSINT tool used to gather emails, subdomains, hosts, employee names, open ports, and banners from different public sources.
Target Phase: Reconnaissance / OSINT
Operating System: Linux (native to Kali/Parrot)
⚙️ Core Capabilities
- Information Gathering: Automates the collection of public data from search engines and social media.
- Passive Discovery: Identifies external-facing assets without direct interaction with the target.
- Integration: Can use API keys for services like Shodan and Hunter.io to get more detailed results.
⚠️ Notes & Limitations
- API Keys: While many sources are free, the most powerful ones (like Shodan or FullContact) require you to add your own API keys to the `api-keys.yaml` file (on Kali this lives under `/etc/theHarvester/`; a per-user copy under `~/.theHarvester/` is also read). Sources without a configured key are silently skipped, so check the output for "missing API key" messages.
- Rate Limiting: If you search too aggressively, search engines like Google may serve CAPTCHAs or temporarily block your IP address. Lower `-l`, spread queries across sources, or route through a scanning VPS rather than your home or corporate egress.
🏷️ Tags
theHarvester CLItool OSINT Reconnaissance Enumeration PenTestPlus #passive Linux