theHarvester Cheat Sheet
OSINT gathering for emails, subdomains, hosts, and employee names from public sources.
Overview
theHarvester collects emails, subdomains, IPs, and URLs from search engines, PGP servers, Shodan, Hunter, and other sources. Useful for phishing assessments, password spraying prep (when authorized), and external footprinting.
Authorized testing only. Harvesting employee emails may implicate privacy laws and program rules—document purpose and obtain approval.
Install
sudo apt install -y theharvester
pip install theHarvester
theHarvester -h
Essential commands
All sources for domain
theHarvester -d target.example.com -b all
Specific source
theHarvester -d target.example.com -b google
Limit results
theHarvester -d target.example.com -b bing -l 500
Common workflows
DNS brute + virtual host discovery —
theHarvester -d target.example.com -b crtsh,dnsdumpster
theHarvester -d target.example.com -c
Save to file —
theHarvester -d target.example.com -b all -f harvester_results
Shodan / API key sources —
theHarvester -d target.example.com -b shodan -k SHODAN_API_KEY
Active DNS search —
theHarvester -d target.example.com -b urlscan,otx
Flags reference
| Flag | Description |
|---|---|
| -d | Domain |
| -b | Data source (google, bing, linkedin, all, etc.) |
| -l | Limit results |
| -f | Save HTML/JSON/XML to basename |
| -k | API key (or config file) |
| -c | DNS brute force / TLD expansion |
| -v | Verbose |
| -s | Start IP for SHODAN search |
| -p | Port scan IPs found (use cautiously) |
Tips
- Configure /etc/theHarvester/api-keys.yaml for paid sources.
- Validate emails before use in social engineering or spray campaigns.
- Cross-reference with linkedin2username-style workflows only if RoE allows.
- Newer versions use theHarvester vs legacy theharvester—check your install.
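
Added example (not part of the original cheat sheet or of theHarvester itself): a scope check over the JSON report saved with -f, keeping only hosts and addresses under the authorized domain and setting everything else aside for manual review. The report key names `emails` and `hosts`, the `host:ip` entry form, and the sample data are assumptions.

```python
import json
import re

# Constructed sample shaped like a theHarvester JSON report; the key names
# ("emails", "hosts") and the "host:ip" entry form are assumptions to check
# against the file your installed version actually writes.
SAMPLE_REPORT = json.dumps({
    "emails": ["Alice@target.example.com", "alice@target.example.com",
               "bob@partner.example.net", "not-an-email"],
    "hosts": ["vpn.target.example.com:192.0.2.10", "WWW.target.example.com",
              "target.example.com.cdn.example.net", "eviltarget.example.com"],
})

# Lowercased local part, then a dotted domain captured in group 1.
EMAIL_RE = re.compile(r"^[a-z0-9._%+-]+@([a-z0-9-]+(?:\.[a-z0-9-]+)+)$")


def in_scope(name, scope_domain):
    """True only for the domain itself or a real subdomain of it."""
    name = name.rstrip(".").lower()
    return name == scope_domain or name.endswith("." + scope_domain)


def triage(report_text, scope_domain):
    """Split harvested hosts and emails into in-scope and needs-review sets."""
    data = json.loads(report_text)
    scope_domain = scope_domain.lower()
    result = {"hosts": set(), "emails": set(), "review": set()}
    for entry in data.get("hosts", []):
        host = entry.split(":", 1)[0].strip().lower()  # drop ":ip" suffix
        result["hosts" if in_scope(host, scope_domain) else "review"].add(host)
    for raw in data.get("emails", []):
        addr = raw.strip().lower()
        match = EMAIL_RE.match(addr)
        if match and in_scope(match.group(1), scope_domain):
            result["emails"].add(addr)
        else:
            result["review"].add(addr)
    return {key: sorted(values) for key, values in result.items()}


if __name__ == "__main__":
    for key, values in triage(SAMPLE_REPORT, "target.example.com").items():
        print(f"{key}: {values}")
```

The suffix match requires a leading dot, so look-alike names such as eviltarget.example.com and third-party hosts that merely contain the domain land in the review set instead of the in-scope list.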