
Overview
theHarvester is an OSINT gathering tool to help determine a domain’s external threat landscape. It gathers names, emails, IPs, subdomains, and URLs by using multiple search engines.
In this article, we will show you how to use theHarvester, mainly as an email harvesting tool. Emails can be extracted for a given domain by using different search engines such as Bing, VirusTotal, Shodan, etc. These email addresses can be used for brute-forcing login accounts or social engineering.
You can download theHarvester from here.
How to use theHarvester
The command format to use theHarvester is:
theHarvester -d <domain> -b <search engine source>
To elaborate:
-d specifies the target domain
-b specifies the search engines to use for the scan
In the example below, the command used is:
theHarvester -d crucialbits.com -b all
The domain being scanned in the example is crucialbits.com, and all available search engines are used. The results produced are LinkedIn links, IPs, emails and hosts found on the target.
Do note that the more search engines you use, the longer the scan will take.
API Keys
When running theHarvester for the first time, you may come across this message.
This is because some of the search engines require an API key to access them. You can fix this by adding the API keys to the API-keys.yaml file. On Kali Linux, this can be found at /etc/theHarvester/API-keys.yaml.
Here is a guide on how to obtain/create the API keys.

Help menu overview:

Reliability of theHarvester
Although theHarvester is an amazing tool, it is not entirely reliable.
For example, if you were to target “example.com” using the same command, you would get 2 different results.
The first scan of “example.com”:
The second scan of “example.com” using the same command:
As seen above, only the second scan managed to pick up some information about “example.com”. Thus, you may need to run multiple scans on the same target to ensure you obtain reliable data from theHarvester.
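One way to compare repeated scans of a domain you are assessing is to merge their reports and count how many runs each item appeared in. The script below is an added example, not part of the original article or of theHarvester itself; it assumes each run was saved as a JSON report (theHarvester's -f option) and that the report uses the keys "emails", "hosts" and "ips". The sample runs are constructed.

```python
import json
from collections import Counter

CATEGORIES = ("emails", "hosts", "ips")  # assumed key names in the JSON report

# Constructed sample data: three runs of the same scan. The first run came
# back empty, as in the first "example.com" scan described above.
RUN_1 = json.loads('{"emails": [], "hosts": [], "ips": []}')
RUN_2 = json.loads("""{
  "emails": ["Admin@example.com", "info@example.com"],
  "hosts": ["www.example.com:192.0.2.10", "mail.example.com"],
  "ips": ["192.0.2.10"]
}""")
RUN_3 = json.loads("""{
  "emails": ["admin@example.com"],
  "hosts": ["www.example.com:192.0.2.10"],
  "ips": ["192.0.2.10"]
}""")


def normalise(category, value):
    """Lower-case the value and drop a ':ip' suffix on host entries."""
    value = value.strip().lower()
    if category == "hosts":
        value = value.split(":", 1)[0]
    return value


def merge_runs(runs):
    """Return {category: Counter(item -> number of runs it appeared in)}."""
    merged = {c: Counter() for c in CATEGORIES}
    for run in runs:
        for c in CATEGORIES:
            # A set, so duplicates inside one run count once.
            merged[c].update({normalise(c, v) for v in run.get(c, []) if v.strip()})
    return merged


def empty_runs(runs):
    """Count runs that returned nothing in any category."""
    return sum(1 for run in runs if not any(run.get(c) for c in CATEGORIES))


if __name__ == "__main__":
    runs = [RUN_1, RUN_2, RUN_3]
    print(f"{empty_runs(runs)} of {len(runs)} runs returned no data")
    for category, counts in merge_runs(runs).items():
        for item, seen in sorted(counts.items()):
            print(f"{category:7} {item:25} seen in {seen}/{len(runs)} runs")
```

Items seen in only one of several runs are the ones a single scan is most likely to miss.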
Conclusion
theHarvester is an OSINT tool that can gather names, emails, IPs, subdomains, and URLs by using multiple search engines. But with its unique function of email harvesting and LinkedIn harvesting, it can be used for social engineering, which can expand your penetration test to more than just technical exploits and vulnerabilities.