theHarvester

theHarvester -d domain -b source [options]

theHarvester is an open-source intelligence (OSINT) tool used during reconnaissance in penetration testing and red team assessments. It gathers publicly available information about a target domain including email addresses, subdomains, hostnames, employee names, and open ports.The tool queries multiple data sources including search engines, certificate databases, DNS databases, and security-focused services. Results can be saved for further analysis. Many advanced sources require API keys configured in the api-keys.yaml file within the theHarvester installation directory.

-d domain

Target domain to search (required).

Data source to use: google, bing, yahoo, duckduckgo, github-code, linkedin, shodan, virustotal, certspotter, crtsh, dnsdumpster, hunter, securityTrails, all, and others.

Limit the number of search results.

Output filename to save results (HTML/XML format).

Start result number for search pagination.

Use a specific DNS server for lookups.

Route requests through a proxy server.

Use Shodan to query discovered hosts.

Verify discovered hosts via HTTP/HTTPS.

Enable DNS server lookup.

Perform reverse DNS lookups on discovered ranges.

DNS brute force using a wordlist for subdomain discovery.

Check for possible subdomain takeover vulnerabilities.

Take screenshots of discovered web pages.

Show version information.

Many data sources require valid API keys (Shodan, Hunter.io, Censys, SecurityTrails, etc.) for full functionality. Without proper API keys, searches will return limited or no results. Rate limiting may apply when querying certain sources extensively.

theHarvester was created by Christian Martorella (laramies) and first released around 2007. It has become a standard reconnaissance tool included in penetration testing distributions like Kali Linux. The tool is actively maintained and has been updated to support Python 3.12+ and numerous new data sources over the years.

nmap(1), subfinder(1), amass(1), recon-ng(1)