Ultimate theHarvester Cheat Sheet
A simple yet effective tool for gathering emails, subdomains, hosts, and URLs.
1. Basic Usage
The standard syntax: theHarvester -d [domain] -b [source].
Simple Passive Scan
Scrape Google for emails and hosts related to a domain.
Limit Results
By default, it fetches 500 results. Use -l to increase this.
2. Data Sources (-b)
The -b (backend) flag determines where theHarvester looks for data.
Search Engines
Good for finding public-facing subdomains and files.
Social Media & People
Excellent for gathering employee names (for social engineering).
The “All” Option
Query every available source (can be slow).
3. Active Recon (DNS)
Unlike basic scraping, these commands will interact with the target’s DNS servers.
DNS Brute Force (-c)
Attempt to brute force subdomains using a wordlist.
Verify Hosts (-v)
Check if the discovered hosts are actually alive (resolve DNS).
DNS Server Lookup
Check for DNS TLD expansion.
4. Reporting & Output (-f)
Save your results for use in other tools (like Metasploit or Dradis).
Save to XML/JSON
Note: You do not need to add the file extension; the tool adds .xml and .json automatically.
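As an added example (not part of this cheat sheet or of theHarvester itself), a small Python script that reads the JSON report theHarvester writes with -f, de-duplicates what it found, and flags discovered hosts that are missing from a defender's asset inventory. The report layout (top-level emails/hosts/ips lists, resolved hosts written as hostname:ip), the sample report and the inventory are assumptions constructed for the example.

```python
import json

# Constructed sample in the shape of a theHarvester JSON report (assumption:
# top-level "emails", "hosts" and "ips" lists; resolved hosts appear as
# "hostname:ip", unresolved ones as a bare hostname).
SAMPLE_REPORT = json.dumps({
    "emails": ["Alice@Example.com", "bob@example.com", "alice@example.com"],
    "hosts": [
        "www.example.com:203.0.113.10",
        "WWW.example.com:203.0.113.10",   # duplicate differing only in case
        "old-vpn.example.com:203.0.113.99",
        "dev.example.com",                # found but not resolved
    ],
    "ips": ["203.0.113.10", "203.0.113.99"],
})

# Hypothetical asset inventory a defender maintains (hostname -> owning team).
KNOWN_ASSETS = {"www.example.com": "web-team", "dev.example.com": "dev-team"}

def parse_hosts(report_text):
    """Return {hostname: ip_or_None} from a theHarvester JSON report."""
    data = json.loads(report_text)
    hosts = {}
    for entry in data.get("hosts", []):
        name, _, ip = entry.partition(":")      # bare hostname -> ip == ""
        name = name.strip().lower().rstrip(".")
        if not name:
            continue
        # Keep a resolved IP if any duplicate entry for this name supplied one.
        hosts[name] = ip.strip() or hosts.get(name)
    return hosts

def parse_emails(report_text):
    """Return a sorted, case-folded, de-duplicated list of email addresses."""
    data = json.loads(report_text)
    return sorted({e.strip().lower() for e in data.get("emails", []) if "@" in e})

def unknown_exposures(report_text, inventory):
    """Hosts that are publicly discoverable but absent from the inventory."""
    found = parse_hosts(report_text)
    return {h: ip for h, ip in found.items() if h not in inventory}

if __name__ == "__main__":
    for host, ip in unknown_exposures(SAMPLE_REPORT, KNOWN_ASSETS).items():
        print(f"unowned host: {host} ({ip or 'unresolved'})")
```

Point the script at the file theHarvester produced (the .json it appends automatically) and replace KNOWN_ASSETS with your own inventory to get a list of hosts nobody has claimed.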
Screenshotting
Take screenshots of discovered domains (requires webscreenshot).
5. API Integration
To get the best results (especially from Shodan, Hunter.io, or GitHub), you need API keys.
Setting Keys
Edit the configuration file named api-keys.yaml usually located in /etc/theHarvester/ or inside the installation folder.
Shodan
Finds open ports and banners without scanning.
Hunter.io
The best source for verifiable email addresses.
Intelx
Intelligence X API for deep web searches.