theHarvester
theHarvester is a passive OSINT and reconnaissance tool designed to gather emails, subdomains, IP addresses, and URLs from publicly available sources. It is commonly used in the early stages of penetration testing and security assessments to map an organization's external footprint.
Category: Recon & OSINT (12 commands)
Installation
1. Install via APT (Kali/Debian): sudo apt update && sudo apt install theharvester
2. Install via Homebrew (macOS): brew install theharvester
3. Install via pip (any platform): pip install theHarvester
4. Clone from GitHub: git clone https://github.com/laramies/theHarvester.git && cd theHarvester && pip install -r requirements.txt
    sudo apt install theharvester
Basic Usage
theHarvester queries public search engines and APIs to collect information about a target domain. Common searches include email addresses, subdomains, and IP ranges.
    theHarvester -d example.com -b google
Command Reference
1. Run a basic search against a specific domain using a single data source
    theHarvester -d <domain> -b <source>
2. Search all available data sources for the target domain
    theHarvester -d <domain> -b all
3. Limit the number of search results returned (default: 500)
    theHarvester -d <domain> -b google -l 500
4. Search LinkedIn to find employee names and email addresses
    theHarvester -d <domain> -b linkedin
5. Output results to an HTML file
    theHarvester -d <domain> -b baidu -f results.html
6. Enable strict mode to only return verified results
    theHarvester -d <domain> -b yahoo -s
7. Run in verbose mode for detailed output
    theHarvester -d <domain> -b bing -v
8. Display the help menu with all available options
    theHarvester -h
9. Use DNS brute force to discover subdomains and save results to XML
    theHarvester -d <domain> -b dns -l 200 -f output.xml
10. Use a custom DNS server for resolution during the search
    theHarvester -d <domain> -b yandex -e 8.8.8.8
11. Show only discovered subdomains in the output
    theHarvester -d <domain> -b google -n
12. Set a custom request timeout in seconds
    theHarvester -d <domain> -b certspotter -t 60
When to Use
1. During the reconnaissance phase of a penetration test to gather target emails and subdomains
2. When performing OSINT investigations to map an organization's internet-facing infrastructure
3. To discover employees and email formats for social engineering campaigns
4. To identify expired or unmonitored subdomains that could be vulnerable to takeover
5. As a quick passive check before running more aggressive scanning tools
Notes & Tips
1. theHarvester only performs passive reconnaissance and does not directly interact with the target systems.
2. Some search engines (like Google) may rate-limit or block requests if too many queries are sent in a short period.
3. Results quality depends heavily on the data source chosen — use multiple sources for a complete picture.
4. Always ensure you have proper authorization before using theHarvester against any domain you do not own.
Common Errors & Solutions
No results found for the specified source
The search engine or API may not have indexed data for the target domain. Try switching to a different source (-b bing, -b yahoo, -b dns) or use -b all.
API key required for source
Some sources (e.g., Shodan, Hunter, SecurityTrails) require an API key. Set the corresponding environment variable or add the key in the config file at ~/theHarvester/api-keys.yaml.
theHarvester: command not found
theHarvester is not in your PATH. Install it via your package manager or run it directly from the cloned directory with python theHarvester.py.
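Added example (not part of the original page or the theHarvester project): following the advice above to combine several sources and to look for unmonitored subdomains, this script merges host findings from multiple sources and reports the in-scope hosts missing from your own asset inventory. It assumes each finding is a `host` or `host:ip` string; the function names, source labels and sample data are constructed for illustration.

```python
"""Diff passively discovered hosts against an asset inventory (added example)."""
from collections import defaultdict


def normalize(entry, domain):
    """Return the hostname from 'host' or 'host:ip', or None if out of scope."""
    host = entry.strip().split(":", 1)[0].strip().lower().rstrip(".")
    if host.startswith("*."):  # wildcard names, e.g. from certificate sources
        host = host[2:]
    # Match the domain itself or a true subdomain; 'notexample.com' must not pass.
    if host == domain or host.endswith("." + domain):
        return host
    return None


def unknown_hosts(findings, inventory, domain):
    """findings maps source name -> list of entries.

    Returns {host: sorted list of sources} for in-scope hosts that are
    not present in the inventory.
    """
    domain = domain.lower().rstrip(".")
    known = {h.strip().lower().rstrip(".") for h in inventory}
    seen = defaultdict(set)
    for source, entries in findings.items():
        for entry in entries:
            host = normalize(entry, domain)
            if host and host not in known:
                seen[host].add(source)
    return {host: sorted(sources) for host, sources in sorted(seen.items())}


# Constructed sample data (assumption: not real theHarvester output).
FINDINGS = {
    "bing": ["www.example.com:192.0.2.10", "Shop.Example.com",
             "legacy.example.com:192.0.2.44"],
    "certspotter": ["*.example.com", "legacy.example.com.", "vpn.example.com",
                    "staging.example.com", "cdn.example.net", "notexample.com"],
}
INVENTORY = ["example.com", "www.example.com", "shop.example.com", "vpn.example.com"]

if __name__ == "__main__":
    for host, sources in unknown_hosts(FINDINGS, INVENTORY, "example.com").items():
        print(f"{host}  (seen by: {', '.join(sources)})")
```

Hosts reported by more than one source are usually the first ones worth checking with their owners.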