theHarvester

theHarvester is a reconnaissance tool used in the early "information-gathering" stage of a penetration test or red-team assessment. Its job is to collect publicly available information about a given domain — names, email addresses, IP addresses, subdomains, and URLs — so a security team can see what an outside attacker would be able to find about their organisation. This is called OSINT, short for open-source intelligence, because everything is pulled from public resources.

The tool runs as a command-line program. You give it a domain to target, and it then queries a long list of "passive" data sources in turn — public search engines like Baidu, Brave, DuckDuckGo, Mojeek and Yahoo; certificate transparency logs through crt.sh and Cert Spotter; security-focused search engines like Shodan, Censys, Netlas, FOFA, ZoomEye and SecurityTrails; breach-checking services like haveibeenpwned and DeHashed; and email-finder services like Hunter and RocketReach, among many others. Some sources are free; others need an API key, and the README lists the free quotas and paid tiers. On top of that, "active" modules can brute-force subdomain names from a dictionary and take screenshots of discovered subdomains.

You would reach for theHarvester if you are a penetration tester scoping out a target's external attack surface, a blue-team defender wanting to see what is exposed about your own organisation, or a security researcher doing reconnaissance. An optional REST API allows the tool to be integrated with other systems, protected by an API key.

It is written in Python (3.12 or higher) and uses the uv package manager for installation. It can also be run from a prebuilt Docker image.