Another reconnaissance tool discussed in The Basics of Hacking and Penetration Testing is “The Harvester” (theHarvester), a rather nefarious-sounding name for a Python script written by Christian Martorella that finds and catalogs email addresses and subdomains directly related to a given target.
As described by its page on Kali tools, the Harvester is:
A tool for gathering e-mail accounts and subdomain names from public sources
Why do I want to use it?
If you’re a penetration tester in the early (reconnaissance) stages of an assignment, you can use the Harvester to find emails relevant to your target. This might give you emails to search for elsewhere on the web (social media, public forums, etc.).
Additionally, organizations often use the email address itself, or the portion before the “@” symbol (a pattern such as firstname.lastname), as the username for other network services such as VPN, webmail or single sign-on. Harvested addresses therefore also tell you the username format, which is exactly what later username-enumeration or password-spraying checks need, so treat that list as a finding in its own right.
How do I get it?
If you have Kali Linux, then you already have the Harvester. Otherwise, you can find a copy of it here, or download it from its repository, here.
Make sure you’ve got the latest version of it, so that you’re up to date with the latest search engine behaviors.
How do I use it?
Once you’ve installed it, open up a terminal and type:
theharvester
(or change to the directory that holds the script, which on Kali is /usr/bin/theharvester,
and invoke the tool by typing ./theharvester)
Once you do that, the tool will then display the list of options:
Usage: theharvester options
-d: Domain to search or company name
-b: Data source (google,bing,bingapi,pgp,linkedin,google-profiles,people123,jigsaw,all)
-s: Start in result number X (default 0)
-v: Verify host name via dns resolution and search for virtual hosts
-f: Save the results into an HTML and XML file
-n: Perform a DNS reverse query on all ranges discovered
-c: Perform a DNS brute force for the domain name
-t: Perform a DNS TLD expansion discovery
-e: Use this DNS server
-l: Limit the number of results to work with(bing goes from 50 to 50 results, google 100 to 100, and pgp doesn't use this option)
-h: use SHODAN database to query discovered hosts
For example, you could type:
theharvester -d syngress.com -l 10 -b google
This query asks Google (as opposed to Bing, LinkedIn, PGP, etc.) for up to 10 search results about the syngress.com domain and extracts the email addresses and hostnames that appear in them. Note that -l limits the number of search results that are processed, not the number of addresses found.
In our case, it prints out 5 email addresses and 5 hostnames, all for syngress.com. You could then take those results and use them to expand your target list, and so on.
If you wanted to save your results to a file, you could alter the query to:
theharvester -d syngress.com -l 10 -b google -f searchresults
This writes searchresults.html and searchresults.xml. Be careful with the flags here: as the option list above shows, the save switch is -f, while -h tells the Harvester to query the SHODAN database for the hosts it discovered, so a mistyped -h will not save anything.
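Once a run has been captured, the next step is usually to turn the raw output into an email list, a hostname list and a set of candidate usernames in the organization's format. The POSIX shell script below is an added example written for this post; it is not code from the original post or from theHarvester itself. It works on a constructed sample in the shape of theHarvester's text output for the fictional domain example.com (the exact layout of the real output varies between versions, and the functions only rely on one address or one hostname:ip pair per line), and it assumes the run was saved with a redirect such as `theharvester -d example.com -l 10 -b google > harvest.txt`.

```shell
#!/bin/sh
# Added example for this post; not part of theHarvester.
# Post-processes a saved theHarvester run: pulls out e-mail addresses and
# hostname:ip pairs for the target domain and derives candidate usernames
# from the local part of each address.

# Constructed sample resembling theHarvester's text output for a made-up
# domain (assumption: the real run was saved to a file, e.g. harvest.txt).
SAMPLE_OUTPUT='[+] Emails found:
------------------
jane.doe@example.com
john.smith@example.com
webmaster@example.com

[+] Hosts found:
------------------
www.example.com:203.0.113.10
mail.example.com:203.0.113.25'

# Escape the dots in a domain so it can be used literally inside a regex.
escape_domain() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Read output on stdin; print unique e-mail addresses for the domain.
extract_emails() {
    esc=$(escape_domain "$1")
    grep -Eio "[A-Za-z0-9._%+-]+@$esc" | LC_ALL=C sort -u
}

# Read output on stdin; print unique hostname:ip pairs under the domain.
extract_hosts() {
    esc=$(escape_domain "$1")
    grep -Eio "[A-Za-z0-9.-]+\.$esc:[0-9.]+" | LC_ALL=C sort -u
}

# Read e-mail addresses on stdin; print username candidates derived from
# the local part: the local part itself and, for first.last addresses,
# first, flast and firstl (the usual corporate username conventions).
derive_usernames() {
    while IFS= read -r email; do
        local_part=${email%%@*}
        printf '%s\n' "$local_part"
        case $local_part in
            *.*)
                first=${local_part%%.*}
                last=${local_part#*.}
                printf '%s\n' "$first" \
                    "$(printf '%s' "$first" | cut -c1)$last" \
                    "$first$(printf '%s' "$last" | cut -c1)"
                ;;
        esac
    done | LC_ALL=C sort -u
}

# Stand-alone demo against the constructed sample.
printf '%s\n' "== emails =="
printf '%s\n' "$SAMPLE_OUTPUT" | extract_emails example.com
printf '%s\n' "== hosts =="
printf '%s\n' "$SAMPLE_OUTPUT" | extract_hosts example.com
printf '%s\n' "== username candidates =="
printf '%s\n' "$SAMPLE_OUTPUT" | extract_emails example.com | derive_usernames
```

To use it on a real capture, replace the sample with `cat harvest.txt | extract_emails target.com`. The username list it produces is only a set of guesses in the formats organizations commonly use; confirm the real convention against one known-good account before feeding it to any enumeration step, and keep the hostname:ip list separate because those hosts, not the mailboxes, are what get scanned next.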