InfoSecLabs
theHarvester

Last updated 2 years ago

theHarvester is a tool that can be used to collect information about a target from multiple sources. The tool gathers names, emails, IPs, subdomains, and URLs by querying multiple public resources.

You may look at the help of the tool to check those public resources.

theHarvester -h

The help output lists the available options.

*******************************************************************
*  _   _                                            _             *
* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *
* | __|  _ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *
*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *
*                                                                 *
* theHarvester 4.2.0                                              *
* Coded by Christian Martorella                                   *
* Edge-Security Research                                          *
* cmartorella@edge-security.com                                   *
*                                                                 *
*******************************************************************
usage: theHarvester [-h] -d DOMAIN [-l LIMIT] [-S START] [-p] [-s] [--screenshot SCREENSHOT] [-v] [-e DNS_SERVER] [-r] [-n] [-c] [-f FILENAME] [-b SOURCE]

theHarvester is used to gather open source intelligence (OSINT) on a company or domain.

options:
-h, --help            show this help message and exit
-d DOMAIN, --domain DOMAIN
                        Company name or domain to search.
-l LIMIT, --limit LIMIT
                        Limit the number of search results, default=500.
-S START, --start START
                        Start with result number X, default=0.
-p, --proxies         Use proxies for requests, enter proxies in proxies.yaml.
-s, --shodan          Use Shodan to query discovered hosts.
--screenshot SCREENSHOT
                        Take screenshots of resolved domains specify output directory: --screenshot output_directory
-v, --virtual-host    Verify host name via DNS resolution and search for virtual hosts.
-e DNS_SERVER, --dns-server DNS_SERVER
                        DNS server to use for lookup.
-r, --take-over       Check for takeovers.
-n, --dns-lookup      Enable DNS server lookup, default False.
-c, --dns-brute       Perform a DNS brute force on the domain.
-f FILENAME, --filename FILENAME
                        Save the results to an XML and JSON file.
-b SOURCE, --source SOURCE
                        anubis, baidu, bevigil, binaryedge, bing, bingapi, bufferoverun, censys, certspotter, crtsh, dnsdumpster, duckduckgo, fullhunt, github-code,
                        hackertarget, hunter, intelx, omnisint, otx, pentesttools, projectdiscovery, qwant, rapiddns, rocketreach, securityTrails, sublist3r, threatcrowd,
                        threatminer, urlscan, virustotal, yahoo, zoomeye

As you can see, the list of information sources includes the following:

anubis, baidu, bevigil, binaryedge, bing, bingapi, bufferoverun, censys, certspotter, crtsh, dnsdumpster, duckduckgo, fullhunt, github-code, hackertarget, hunter, intelx, omnisint, otx, pentesttools, projectdiscovery, qwant, rapiddns, rocketreach, securityTrails, sublist3r, threatcrowd, threatminer, urlscan, virustotal, yahoo, zoomeye

So let's go and try to collect information about a target, limiting the results to 500 per source and querying all sources:

theHarvester -d your-target.com -l 500 -b all

Then try to interpret the results obtained (the -f option saves them to XML and JSON files for later analysis).
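Interpreting the results usually means comparing what the tool found against what the organisation already knows about its own attack surface. The script below is an added example (not part of this page or of theHarvester itself) that triages a JSON file written with -f: it assumes the file carries "emails", "hosts" and "ips" keys and that resolved hosts appear as "name:ip" strings; the sample data, the your-target.com domain and the KNOWN_HOSTS inventory are constructed placeholders.

```python
import json

# Constructed sample shaped like the JSON theHarvester writes with -f.
# Assumed layout: "emails", "hosts", "ips" lists; a host entry reads
# "name:ip" when the tool resolved it, bare "name" otherwise.
SAMPLE_JSON = """
{
  "emails": ["alice@your-target.com", "ALICE@your-target.com",
             "bob@other-corp.example"],
  "hosts": ["www.your-target.com:203.0.113.10",
            "dev.your-target.com:198.51.100.7",
            "mail.your-target.com",
            "www.your-target.com:203.0.113.10"],
  "ips": ["203.0.113.10", "198.51.100.7"]
}
"""

# Constructed asset inventory: hosts the organisation expects to be public.
KNOWN_HOSTS = {"www.your-target.com", "mail.your-target.com"}


def parse_hosts(entries):
    """Map lowercase hostname -> ip (or None if unresolved), de-duplicated.
    A resolved entry always wins over an unresolved duplicate."""
    hosts = {}
    for entry in entries:
        name, _, ip = entry.lower().partition(":")
        if ip or name not in hosts:
            hosts[name] = ip or None
    return hosts


def triage(raw_json, domain, known_hosts):
    """Split findings into in-scope exposures and noise for a defender."""
    data = json.loads(raw_json)
    hosts = parse_hosts(data.get("hosts", []))
    emails = {e.lower() for e in data.get("emails", [])}
    in_scope = {e for e in emails if e.endswith("@" + domain)}
    # Hosts under the domain that are missing from the inventory are the
    # interesting finding: forgotten or unmanaged exposure.
    unknown = sorted(h for h in hosts
                     if h.endswith("." + domain) and h not in known_hosts)
    return {
        "resolved_hosts": {h: ip for h, ip in hosts.items() if ip},
        "unresolved_hosts": sorted(h for h, ip in hosts.items() if not ip),
        "exposed_emails": sorted(in_scope),
        "out_of_scope_emails": sorted(emails - in_scope),
        "unknown_hosts": unknown,
    }
```

Replace SAMPLE_JSON with the contents of the file produced by -f and KNOWN_HOSTS with the real inventory to get a list of hosts and addresses that deserve a closer look.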