TheHarvester – OSINT Suite To Track Digital Footprints


Today, we are demonstrating tutorial on Open-source intelligence Information Gathering suite TheHarvester.

Please check the POC Video at the end of the article.

It aims to collect emails, sub-domains, hosts, employee names, open ports and banners from various public sources, such as search engines, PGP key servers, and the Shodan Computer Database.

It is useful for penetration testers to understand the customer footprint on the Internet and useful for anyone who wants to know what an attacker can see about their organization.

This software is an effective, simple and easy to use.

The sources supported are:

  • Google – emails, subdomains
  • Google profiles – Employee names
  • Bing search – emails, subdomains/hostnames, virtual hosts
  • Pgp servers – emails, subdomains/hostnames
  • LinkedIn – Employee names

It is completed with new features like:

  • Time delays between request
  • Virtual host verifier
  • Active enumeration (DNS enumeration, Reverse lookups, TLD expansion)
  • Integration with SHODAN computer database, to get the open ports and banners
  • Save to XML and HTML
  • Basic graph with stats

So lets start…


  • Kali Linux OS > TheHarvester

It is pre-installed in Kali Linux but there is a case if not installed then use,

git clone
>cd theHarvester
>sudo python ./


Open the Terminal and type theharvester  and hit enter

Output result are as follow –

Usage: theharvester options

-d: Domain to search or company name
-b: data source: baidu, bing, bingapi, dogpile, google, googleCSE,
googleplus, google-profiles, linkedin, pgp, twitter, vhost,
virustotal, threatcrowd, crtsh, netcraft, yahoo, all

-s: start in result number X (default: 0)
-v: verify host name via dns resolution and search for virtual hosts
-f: save the results into an HTML and XML file (both)
-n: perform a DNS reverse query on all ranges discovered
-c: perform a DNS brute force for the domain name
-t: perform a DNS TLD expansion discovery
-e: use this DNS server
-p: port scan the detected hosts and check for Takeovers (80,443,22,21,8080)
-l: limit the number of results to work with(bing goes from 50 to 50 results,
google 100 to 100, and pgp doesn't use this option)
-h: use SHODAN database to query discovered hosts

theharvester -d -l 500 -b google -h myresults.html
theharvester -d -b pgp
theharvester -d microsoft -l 200 -b linkedin
theharvester -d -b googleCSE -l 500 -s 300


For searching email id’s using one search engine

You can simply use the following command

theHarvester -d [url] -l 500 -b [search engine name]

Example : theHarvester -d -l 500 -b google

Search from email addresses from a domain (-d, limiting the results to 500 (-l 500), using Google (-b google)

Result we get from the above command

Command for get all the information of the website 

theHarvester -d [url] -l 500 -b all

Example : theHarvester -d -l 500 -b all

Search from email addresses from a domain (-d, limiting the results to 500 (-l 500), using  all (-b all)

To save the result in  HTML file you can use -f filename command should be

theHarvester -d [url] -l 100 -b [all] -f [file name]

Example : theHarvester -d -l 100 -b all -f test.html

Search from email addresses from a domain (-d, limiting the results to 100 (-l 100), using  all (-b all)  for save the result in the form of HTML  (-f  test.html) test is a file name 

Watch the POC

Join Our Club

Enter your Email address to receive notifications | Join over Million Followers

Leave a Reply
Previous Article
Oracle VirtualBox

Oracle VirtualBox 6.1 Version Released - Bug Fixes

Next Article
BATEA To Find Large Network Devices

Batea- To Find Large Network Devices Using Machine Learning

Related Posts