GitHub - laramies/theHarvester: E-mails, subdomains and names Harvester - OSINT (original) (raw)

About

theHarvester is a simple to use, yet powerful tool designed to be used during the reconnaissance stage of a red team assessment or penetration test. It performs open source intelligence (OSINT) gathering to help determine a domain's external threat landscape. The tool gathers names, emails, IPs, subdomains, and URLs by using multiple public resources that include:

Package versions

Install and dependencies

Python 3.12 or higher.
https://github.com/laramies/theHarvester/wiki/Installation

Install uv:

curl -LsSf https://astral.sh/uv/install.sh | sh

Clone the repository:

git clone https://github.com/laramies/theHarvester cd theHarvester

Install dependencies and create a virtual environment:

Run theHarvester:

Development

To install development dependencies:

To run tests:

To run linting and formatting:

To protect the optional /additional/* REST API routes, set THEHARVESTER_API_KEY and pass the same value in the X-API-Key header. Those routes return 503 when the key is not configured.

Passive modules

baidu: Baidu search engine (https://www.baidu.com)
bevigil: CloudSEK BeVigil scans mobile application for OSINT assets (https://bevigil.com/osint-api)
brave: Brave search engine - now uses official Brave Search API (https://api-dashboard.search.brave.com)
bufferoverun: Fast domain name lookups for TLS certificates in IPv4 space (https://tls.bufferover.run)
builtwith: Find out what websites are built with (https://builtwith.com)
censys: Uses certificates searches to enumerate subdomains and gather emails (https://censys.io)
certspotter: Cert Spotter monitors Certificate Transparency logs (https://sslmate.com/certspotter)
criminalip: Specialized Cyber Threat Intelligence (CTI) search engine (https://www.criminalip.io)
crtsh: Comodo Certificate search (https://crt.sh)
dehashed: Take your data security to the next level is (https://dehashed.com)
dnsdumpster: Domain research tool that can discover hosts related to a domain (https://dnsdumpster.com)
duckduckgo: DuckDuckGo search engine (https://duckduckgo.com)
dymo: Dymo API data verifier - confirms domains, surfaces typo suggestions and MX/fraud signals (https://dymo.tpeoficial.com)
fofa: FOFA search eingine (https://en.fofa.info)
fullhunt: Next-generation attack surface security platform (https://fullhunt.io)
github-code: GitHub code search engine (https://www.github.com)
hackertarget: Online vulnerability scanners and network intelligence to help organizations (https://hackertarget.com)
haveibeenpwned: Check if your email address is in a data breach (https://haveibeenpwned.com)
hunter: Hunter search engine (https://hunter.io)
hunterhow: Internet search engines for security researchers (https://hunter.how)
intelx: Intelx search engine (https://intelx.io)
leakix: LeakIX search engine (https://leakix.net)
leaklookup: Data breach search engine (https://leak-lookup.com)
mojeek: Mojeek search engine (https://www.mojeek.com)
netlas: A Shodan or Censys competitor (https://app.netlas.io)
onyphe: Cyber defense search engine (https://www.onyphe.io)
otx: AlienVault open threat exchange (https://otx.alienvault.com)
pentesttools: Cloud-based toolkit for offensive security testing, focused on web applications and network penetration testing (https://pentest-tools.com)
projecdiscovery: Actively collects and maintains internet-wide assets data, to enhance research and analyse changes around DNS for better insights (https://chaos.projectdiscovery.io)
rapiddns: DNS query tool which make querying subdomains or sites of a same IP easy (https://rapiddns.io)
rocketreach: Access real-time verified personal/professional emails, phone numbers, and social media links (https://rocketreach.co)
securityscorecard: helps TPRM and SOC teams detect, prioritize, and remediate vendor risk across their entire supplier ecosystem at scale (https://securityscorecard.com)
securityTrails: Security Trails search engine, the world's largest repository of historical DNS data (https://securitytrails.com)
sherlockeye: Reverse Lookup & AI-Powered OSINT (https://sherlockeye.io)
-s, --shodan: Shodan search engine will search for ports and banners from discovered hosts (https://shodan.io)
subdomaincenter: A subdomain finder tool used to find subdomains of a given domain (https://www.subdomain.center)
subdomainfinderc99: A subdomain finder is a tool used to find the subdomains of a given domain (https://subdomainfinder.c99.nl)
thc: Free subdomain enumeration service with no API key required (https://ip.thc.org)
threatminer: Data mining for threat intelligence (https://www.threatminer.org)
tomba: Tomba search engine (https://tomba.io)
urlscan: A sandbox for the web that is a URL and website scanner (https://urlscan.io)
venacus: Venacus search engine (https://venacus.com)
virustotal: Domain search (https://www.virustotal.com)
whoisxml: Subdomain search (https://subdomains.whoisxmlapi.com/api/pricing)
yahoo: Yahoo search engine (https://www.yahoo.com)
windvane: Windvane search engine (https://windvane.lichoin.com)
zoomeye: China's version of Shodan (https://www.zoomeye.org)

Active modules

DNS brute force: dictionary brute force enumeration
Screenshots: Take screenshots of subdomains that were found

Modules that require an API key

Documentation to setup API keys can be found at - https://github.com/laramies/theHarvester/wiki/Installation#api-keys

bevigil - 50 free queries/month. 1k queries/month $50
brave - free plan available. Pro plans for higher limits
bufferoverun - 100 free queries/month. 10k/month $25
builtwith - 50 free queries ever. $2950/yr
censys - 500 credits $100
criminalip - 100 free queries/month. 700k/month $59
dehashed - 500 credts 15,5kcredits15, 5k credits 15,5kcredits150
dnsdumpster - 50 free querries/day, $49
dymo - free tier available, paid plans for higher limits
fofa - query credits 10,000/month. 100k results/month $25
fullhunt - 50 free queries. 200 queries 29/month,500queries29/month, 500 queries 29/month,500queries59
github-code
haveibeenpwned - 10 email searches/min 4.50,50emailsearches/min4.50, 50 email searches/min 4.50,50emailsearches/min22
hunter - 50 free credits/month. 12k credits/yr $34
hunterhow - 10k free API results per 30 days. 50k API results per 30 days $10
intelx - free account is very limited. Business acount $2900
leakix - free 25 results pages, 3000 API requests/month. Bounty Hunter $29
leaklookup - 20 credits 10,50credits10, 50 credits 10,50credits20, 140 credits 50,300credits50, 300 credits 50,300credits100
mojeek - 5000 free credits 6.50,6.50, 6.50,1.30 CPM (Personal), 2.60CPM(Startup),2.60 CPM (Startup), 2.60CPM(Startup),3.90 CPM (Business)
netlas - 50 free requests/day. 1k requests 49,10krequests49, 10k requests 49,10krequests249
onyphe - 10M results/month $587
pentesttools - 5 assets netsec 95/month,5assetswebnetsec95/month, 5 assets webnetsec 95/month,5assetswebnetsec140/month
projecdiscovery - requires work email. Free monthly discovery and vulnerability scans on sign-up email domain, enterprise $
rocketreach - 100 email lookups/month 48,250emaillookups/month48, 250 email lookups/month 48,250emaillookups/month108
securityscorecard - requires a work email
securityTrails - 50 free queries/month. 20k queries/month $500
sherlockeye - Intermediate 46month,Advanced46 month, Advanced 46month,Advanced120 month. Enterprise available.
shodan - Freelancer 69month,SmallBusiness69 month, Small Business 69month,SmallBusiness359 month
tomba - 25 free searches/month. 1k searches/month 39,5ksearches/month39, 5k searches/month 39,5ksearches/month89
venacus - 1 free search/day. 10 searches/day 12,30searches/day12, 30 searches/day 12,30searches/day36
virustotal - 500 free lookups/day, 15.5k lookups/month. Busines accounts requires a work email
whoisxml - 2k queries 50,5kqueries50, 5k queries 50,5kqueries105
windvane - 100 free queries
zoomeye - 5 free results/day. 30/results/day $190/yr