Tool Documentation:
theharvester Usage Example
Search from email addresses from a domain (-d kali.org), limiting the results to 500 (-l 500), using DuckDuckGo (-b duckduckgo):
root@kali:~# theHarvester -d kali.org -l 500 -b duckduckgo
*******************************************************************
* _ _ _ *
* | |_| |__ ___ /\ /\__ _ _ ____ _____ ___| |_ ___ _ __ *
* | __| _ \ / _ \ / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | | __/ / __ / (_| | | \ V / __/\__ \ || __/ | *
* \__|_| |_|\___| \/ /_/ \__,_|_| \_/ \___||___/\__\___|_| *
* *
* theHarvester 4.4.3 *
* Coded by Christian Martorella *
* Edge-Security Research *
* [email protected] *
* *
*******************************************************************
[*] Target: kali.org
[*] Searching Duckduckgo.
[*] No IPs found.
[*] No emails found.
[*] Hosts found: 14
---------------------
[...]
```console
Packages and Binaries:
theharvester
Tool for gathering e-mail accounts and subdomain names from public sources
The package contains a tool for gathering subdomain names, e-mail addresses,
virtual hosts, open ports/ banners, and employee names from different public
sources (search engines, pgp key servers).
Installed size: 2.24 MB
How to install: sudo apt install theharvester
Dependencies:
- kali-defaults
- python3
- python3-aiodns
- python3-aiofiles
- python3-aiohttp
- python3-aiohttp-socks
- python3-aiomultiprocess
- python3-aiosqlite
- python3-bs4
- python3-censys
- python3-certifi
- python3-dateutil
- python3-dnspython
- python3-fastapi
- python3-httpx
- python3-lxml
- python3-netaddr
- python3-playwright
- python3-retrying
- python3-shodan
- python3-slowapi
- python3-starlette
- python3-ujson
- python3-uvicorn
- python3-uvloop
- python3-yaml
restfulHarvest
root@kali:~# restfulHarvest -h
usage: restfulHarvest [-h] [-H HOST] [-p PORT] [-l LOG_LEVEL] [-r]
[--rate-limit RATE_LIMIT]
options:
-h, --help show this help message and exit
-H, --host HOST IP address to listen on default is 127.0.0.1
-p, --port PORT Port to bind the web server to, default is 5000
-l, --log-level LOG_LEVEL
Set logging level, default is info but
[critical|error|warning|info|debug|trace] can be set
-r, --reload Enable automatic reload used during development of the
api
--rate-limit RATE_LIMIT
Set API rate limit (e.g., "10/minute", "100/hour"),
default is 5/minute
theHarvester
root@kali:~# theHarvester -h
Read proxies.yaml from /etc/theHarvester/proxies.yaml
*******************************************************************
* _ _ _ *
* | |_| |__ ___ /\ /\__ _ _ ____ _____ ___| |_ ___ _ __ *
* | __| _ \ / _ \ / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | | __/ / __ / (_| | | \ V / __/\__ \ || __/ | *
* \__|_| |_|\___| \/ /_/ \__,_|_| \_/ \___||___/\__\___|_| *
* *
* theHarvester 4.10.1 *
* Coded by Christian Martorella *
* Edge-Security Research *
* [email protected] *
* *
*******************************************************************
usage: theHarvester [-h] -d DOMAIN [-l LIMIT] [-S START] [-p] [-s]
[--screenshot SCREENSHOT] [-e DNS_SERVER] [-t]
[-r [DNS_RESOLVE]] [-n] [-c] [-f FILENAME] [-w WORDLIST]
[-a] [-q] [-b SOURCE]
theHarvester is used to gather open source intelligence (OSINT) on a company
or domain.
options:
-h, --help show this help message and exit
-d, --domain DOMAIN Company name or domain to search.
-l, --limit LIMIT Limit the number of search results, default=500.
-S, --start START Start with result number X, default=0.
-p, --proxies Use proxies for requests, enter proxies in
proxies.yaml.
-s, --shodan Use Shodan to query discovered hosts.
--screenshot SCREENSHOT
Take screenshots of resolved domains specify output
directory: --screenshot output_directory
-e, --dns-server DNS_SERVER
DNS server to use for lookup.
-t, --take-over Check for takeovers.
-r, --dns-resolve [DNS_RESOLVE]
Perform DNS resolution on subdomains with a resolver
list or passed in resolvers, default False.
-n, --dns-lookup Enable DNS server lookup, default False.
-c, --dns-brute Perform a DNS brute force on the domain.
-f, --filename FILENAME
Save the results to an XML and JSON file.
-w, --wordlist WORDLIST
Specify a wordlist for API endpoint scanning.
-a, --api-scan Scan for API endpoints.
-q, --quiet Suppress missing API key warnings and reading the api-
keys file.
-b, --source SOURCE baidu, bevigil, bitbucket, brave, bufferoverun,
builtwith, censys, certspotter, chaos, commoncrawl,
criminalip, crtsh, dehashed, dnsdumpster, duckduckgo,
fofa, fullhunt, github-code, gitlab, hackertarget,
haveibeenpwned, hudsonrock, hunter, hunterhow, intelx,
leakix, leaklookup, netlas, onyphe, otx, pentesttools,
projectdiscovery, rapiddns, robtex, rocketreach,
securityscorecard, securityTrails, shodan,
subdomaincenter, subdomainfinderc99, thc, threatcrowd,
tomba, urlscan, venacus, virustotal, waybackarchive,
whoisxml, windvane, yahoo, zoomeye
theharvester
root@kali:~# theharvester -h
┏━(Message from Kali developers)
┃
┃ The command theharvester is deprecated. Please use theHarvester instead.
┃
┗━
Learn more with OffSec
Want to learn more about theharvester? get access to in-depth training and hands-on labs:
Updated on: 2026-Mar-02