Investigator Use
theHarvester is one of the most established passive reconnaissance tools in the OSINT toolkit, designed to gather email addresses, subdomains, employee names, open ports, and banners from public sources. Developed by the team at Edge-Security and maintained as part of Kali Linux, it queries dozens of data sources simultaneously, including search engines, certificate transparency logs, and specialized APIs.
What theHarvester is used for: performing initial footprinting on target organizations, discovering employee email addresses for phishing simulations and social engineering research, enumerating subdomains as part of attack surface analysis, and aggregating information from multiple public sources in a single workflow.
What data theHarvester exposes: email addresses associated with a domain, subdomain hostnames and IP mappings, employee names scraped from LinkedIn and other sources, virtual hosts on the same IP, and open port banners from passive sources like Shodan. Sources include Google, Bing, DuckDuckGo, Hunter.io, Censys, Shodan, SecurityTrails, and many others depending on API key configuration.
theHarvester is command-line based, making it suitable for scripting and automation. A typical investigation starts by running theHarvester against the target domain with multiple sources enabled, reviewing discovered email formats (which reveal naming conventions for the whole organization), and then pivoting those email addresses into breach databases or LinkedIn searches.
Email format discovery: even if theHarvester only returns a handful of email addresses, the format they follow — firstname.lastname@domain.com or f.lastname@domain.com — allows investigators to construct additional addresses for any known employee name. Combined with LinkedIn data, this technique can enumerate large portions of an organization's email directory.
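To gauge this exposure for a domain you are responsible for, the sketch below (an added example, not part of theHarvester or of this page's original text) classifies the local parts of already-discovered addresses by shape and reports how consistently one convention shows up. The shape names, the role-account list, and the sample addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: addresses a passive scan might return for your own domain.
SAMPLE = [
    "jane.doe@example.com", "John.Smith@example.com", "a.kumar@example.com",
    "info@example.com", "support@example.com", "maria.garcia@example.com",
    "mlee@example.com",
    "jane.doe@example.com",   # duplicate, counted once
    "bob@other.example",      # out of scope, ignored
]

# Assumed list of shared mailboxes; these say nothing about the naming convention.
ROLE_LOCALPARTS = {"info", "support", "admin", "sales", "security",
                   "abuse", "postmaster", "hr", "jobs", "contact"}

# Ordered shapes; the first matching pattern wins.
SHAPES = [
    ("first.last", re.compile(r"^[a-z]{2,}\.[a-z]{2,}$")),
    ("f.last", re.compile(r"^[a-z]\.[a-z]{2,}$")),
    ("first_last", re.compile(r"^[a-z]{2,}_[a-z]{2,}$")),
    # Ambiguous without a staff roster: could be "flast" or a bare first name.
    ("single-token", re.compile(r"^[a-z]+$")),
]

def classify(local):
    """Return the shape label for one lowercase local part."""
    if local in ROLE_LOCALPARTS:
        return "role"
    for name, pattern in SHAPES:
        if pattern.match(local):
            return name
    return "other"

def exposure_report(addresses, domain):
    """Count shapes among unique in-scope addresses and find the dominant one."""
    counts = Counter()
    for addr in {a.strip().lower() for a in addresses}:
        local, _, dom = addr.rpartition("@")
        if local and dom == domain.lower():
            counts[classify(local)] += 1
    personal = {k: v for k, v in counts.items() if k not in ("role", "other")}
    total = sum(personal.values())
    dominant = max(personal, key=personal.get) if personal else None
    share = personal[dominant] / total if total else 0.0
    return {"counts": dict(counts), "dominant": dominant, "share": round(share, 2)}

if __name__ == "__main__":
    print(exposure_report(SAMPLE, "example.com"))
```

A high share for a single shape means the convention is effectively public, which is the condition the paragraph above describes.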
API requirements: many of theHarvester's most valuable sources require API keys, including Shodan, Hunter.io, SecurityTrails, and FullHunt. Running without these keys still produces useful results from search engine scraping, but the full picture requires configured credentials.
In a workflow: run theHarvester at the start of a domain investigation before more targeted queries. Use discovered subdomains to feed into DNS enumeration tools like Amass or DNS History, and discovered email addresses to query Have I Been Pwned and Emailrep for breach context and reputation data.
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
ARIN
Domain OSINT
ARIN is a nonprofit, member-based organization that administers IP addresses & ASNs in support of the operation and growth of the Internet.
Central Ops
Domain OSINT
Free online network tools, including traceroute, nslookup, dig, whois, ping, and our own Domain Dossier and Email Dossier. Works with IPv6.
Cert Graph Crawler
Domain OSINT
An open source intelligence tool to crawl the graph of certificate Alternate Names.
DNS History
Domain OSINT
DNS History archives historical DNS records, letting investigators track IP changes, hosting migrations, and infrastructure pivots over time.
DNS twister
Domain OSINT
DNS Twister generates and monitors domain permutations for typosquatting detection, brand protection, and phishing infrastructure discovery.
Domain Tools
Domain OSINT
DomainTools provides WHOIS lookup, IP history, domain ownership records, and reverse WHOIS for domain and infrastructure investigation.