Objective: you want to perform OSINT recon on a target and aggregate information from different sources. TheHarvester is an e-mail, subdomain and people names harvester written in Python.
theHarvester is a tool for gathering e-mail accounts, subdomain names, virtual
hosts, open ports/ banners, and employee names from different public sources
(search engines, pgp key servers).
Is a really simple tool, but very effective for the early stages of a penetration
test or just to know the visibility of your company in the Internet.
The sources are:
Passive:
-google: google search engine – www.google.com
-googleCSE: google custom search engine
-google-profiles: google search engine, specific search for Google profiles
-bing: microsoft search engine – www.bing.com
-bingapi: microsoft search engine, through the API (you need to add your Key in the discovery/bingsearch.py file)
-dogpile: Dogpile search engine – www.dogpile.com
-pgp: pgp key server – mit.edu
-linkedin: google search engine, specific search for Linkedin users
-vhost: Bing virtual hosts search
-twitter: twitter accounts related to an specific domain (uses google search)
-googleplus: users that works in target company (uses google search)
-yahoo: Yahoo search engine
-baidu: Baidu search engine
-shodan: Shodan Computer search engine, will search for ports and banner of the
discovered hosts (http://www.shodanhq.com/)
Active:
-DNS brute force: this plugin will run a dictionary brute force enumeration
-DNS reverse lookup: reverse lookup of ip´s discovered in order to find hostnames
-DNS TDL expansion: TLD dictionary brute force enumeration
Modules that need API keys to work:
-googleCSE: You need to create a Google Custom Search engine(CSE), and add your
Google API key and CSE ID in the plugin (discovery/googleCSE.py)
-shodan: You need to provide your API key in discovery/shodansearch.py
*******************************************************************
* *
* | |_| |__ ___ /\ /\__ _ _ ____ _____ ___| |_ ___ _ __ *
* | __| '_ \ / _ \ / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | | __/ / __ / (_| | | \ V / __/\__ \ || __/ | *
* \__|_| |_|\___| \/ /_/ \__,_|_| \_/ \___||___/\__\___|_| *
* *
* TheHarvester Ver. 2.7 *
* Coded by Christian Martorella *
* Edge-Security Research *
* cmartorella@edge-security.com *
*******************************************************************
Usage: theharvester options
-d: Domain to search or company name
-b: data source: google, googleCSE, bing, bingapi, pgp, linkedin,
google-profiles, jigsaw, twitter, googleplus, all
-s: Start in result number X (default: 0)
-v: Verify host name via dns resolution and search for virtual hosts
-f: Save the results into an HTML and XML file (both)
-n: Perform a DNS reverse query on all ranges discovered
-c: Perform a DNS brute force for the domain name
-t: Perform a DNS TLD expansion discovery
-e: Use this DNS server
-l: Limit the number of results to work with(bing goes from 50 to 50 results,
google 100 to 100, and pgp doesn't use this option)
-h: use SHODAN database to query discovered hosts
Examples:
theharvester -d microsoft.com -l 500 -b google -h myresults.html
theharvester -d microsoft.com -b pgp
theharvester -d microsoft -l 200 -b linkedin
theharvester -d apple.com -b googleCSE -l 500 -s 300
Also note that doing a reverse query on the discovered ranges takes long and the output might be overwhelming.
123456789101112131415
_________________________________________
/ In India, "cold weather" is merely a \
| conventional phrase and has come into |
| use through the necessity of having |
| some way to distinguish between weather |
| which will melt a brass door-knob and |
| weather which will only make it mushy. |
| |
\ -- Mark Twain /
-----------------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
