In cybersecurity, information is power. Before any ethical hacker performs a penetration test, they first gather as much information as possible about the target. This phase is called reconnaissance, and one of the most powerful tools used during this stage is theHarvester.

The theHarvester Cheat Sheet you are about to learn will help you master one of the most popular OSINT (Open Source Intelligence) tools used in cybersecurity.

theHarvester is a reconnaissance tool designed to collect emails, subdomains, hostnames, employee names, IP addresses, open ports and metadata. It gathers this information from multiple public sources such as search engines, public databases, DNS servers and social platforms. Security professionals, bug bounty hunters, and penetration testers use theHarvester to map an organization’s digital footprint before launching security assessments.

Even beginners can learn it quickly because the tool works using simple command-line options.

In this theHarvester Cheat Sheet, you will learn:

  • How to install theHarvester in Kali Linux
  • 60+ practical commands
  • Real-world ethical hacking examples
  • Hands-on reconnaissance scenarios
  • Beginner-friendly explanations
  • Practical OSINT techniques used by professionals

If you are learning ethical hacking, penetration testing, bug bounty hunting, or cybersecurity, mastering theHarvester is one of the best skills you can build.

Let’s begin our theHarvester cheat sheet tutorial.



How to Install theHarvester on Kali Linux

The theHarvester tool is already included in Kali Linux because it is widely used for reconnaissance and OSINT investigations.

Note: theHarvester is an open-source reconnaissance tool maintained by the cybersecurity community. You can explore the official repository here:
https://github.com/laramies/theHarvester

Step 1 – Update Kali Linux

Always start by updating your system.

sudo apt update && sudo apt upgrade -y

Step 2 – Verify theHarvester Installation

Check if theHarvester is already installed.

theHarvester -h

If the help menu appears, the tool is ready to use.


Step 3 – Install theHarvester (If Missing)

If theHarvester is not installed, install it using:

sudo apt install theharvester

Step 4 – Verify Installation Again

theHarvester -h

You should now see all command options.


BASIC COMMANDS OF theHarvester

Basic theHarvester commands cheat sheet for OSINT reconnaissance in Kali Linux

The following theHarvester Cheat Sheet table contains beginner commands used in reconnaissance and OSINT investigations.

These theHarvester Cheat Sheet commands help collect emails, domains, hosts, and IP addresses from search engines and public sources.


| Command Syntax | Purpose of Command | Description |
|---|---|---|
| theHarvester -h | Show help menu | Displays all available options and parameters supported by theHarvester tool. Beginners use this command to quickly understand the syntax, command structure, and available reconnaissance modules before performing information gathering operations. |
| theHarvester -d example.com -b google | Google search reconnaissance | Performs reconnaissance using Google search results to gather emails, hostnames, and subdomains associated with the specified domain. This command is one of the most commonly used techniques in theHarvester penetration testing. |
| theHarvester -d example.com -b bing | Bing search OSINT | Queries the Bing search engine to extract publicly available information related to the target domain, including employee emails and subdomains discovered through search engine indexing. |
| theHarvester -d example.com -b yahoo | Yahoo search reconnaissance | Uses Yahoo search engine results to collect OSINT data such as email addresses and subdomains related to the target organization. This expands reconnaissance coverage beyond Google results. |
| theHarvester -d example.com -b duckduckgo | DuckDuckGo search | Queries DuckDuckGo search results to collect intelligence data about a domain. Security professionals use this to discover assets not indexed in traditional search engines. |
| theHarvester -d example.com -b baidu | Baidu search reconnaissance | Searches Chinese search engine Baidu for domain-related information. This helps discover infrastructure and assets exposed through international search engine indexing. |
| theHarvester -d example.com -b dogpile | Dogpile search | Uses the Dogpile meta search engine to gather email addresses and hostnames associated with a domain, combining results from multiple search engines. |
| theHarvester -d example.com -b crtsh | Certificate transparency search | Queries the certificate transparency logs using crt.sh to identify subdomains linked to SSL certificates issued for the target domain. |
| theHarvester -d example.com -b netcraft | Netcraft data search | Collects domain intelligence from Netcraft databases including hostnames, server infrastructure details, and other publicly available domain data. |
| theHarvester -d example.com -b virustotal | VirusTotal reconnaissance | Queries VirusTotal intelligence sources to find domains, subdomains, and hosts associated with the target organization. |
| theHarvester -d example.com -l 100 | Limit search results | Limits the number of search results processed by theHarvester during reconnaissance scans. Useful when performing targeted intelligence gathering instead of large-scale enumeration. |
| theHarvester -d example.com -f results.html | Save results to HTML | Saves reconnaissance results to an HTML report file. Security analysts often generate these reports when documenting penetration testing findings. |
| theHarvester -d example.com -f results.xml | Export results to XML | Exports OSINT results into XML format for integration with other cybersecurity tools and automated analysis workflows. |
| theHarvester -d example.com -s 50 | Start from result offset | Starts search from a specific result number. Useful when collecting large datasets and avoiding duplicate OSINT results. |
| theHarvester -d example.com -b google -l 200 | Extended Google search | Collects a larger dataset from Google search results to identify more employees, domains, and digital assets belonging to the target organization. |
| theHarvester -d example.com -b bing -l 200 | Extended Bing search | Performs deeper reconnaissance using Bing search engine results by retrieving more indexed information related to the target domain. |
| theHarvester -d example.com -b yahoo -l 150 | Extended Yahoo search | Queries additional Yahoo search results to gather more OSINT intelligence related to the domain infrastructure. |
| theHarvester -d example.com -b linkedin | LinkedIn employee discovery | Searches LinkedIn data sources to identify employees associated with the organization. This information is valuable during social engineering assessments. |
| theHarvester -d example.com -b twitter | Twitter OSINT search | Collects publicly available Twitter data that references the target organization, including usernames and possible employee accounts. |
| theHarvester -d example.com -b github | GitHub reconnaissance | Searches GitHub repositories for references to the target domain. Sometimes developers accidentally expose emails, credentials, or infrastructure details. |
| theHarvester -d example.com -b threatcrowd | ThreatCrowd intelligence | Queries ThreatCrowd intelligence databases to discover related domains, subdomains, and malicious infrastructure linked to the target. |
| theHarvester -d example.com -b securitytrails | SecurityTrails lookup | Uses SecurityTrails data sources to collect DNS and domain intelligence about the target organization. |
| theHarvester -d example.com -b certspotter | SSL certificate enumeration | Searches SSL certificate transparency logs through Certspotter to identify additional subdomains used by the organization. |
| theHarvester -d example.com -b dnsdumpster | DNS enumeration | Collects DNS information including hosts and subdomains associated with the target domain. |
| theHarvester -d example.com -b otx | AlienVault OTX intelligence | Queries AlienVault Open Threat Exchange to discover infrastructure associated with the target organization. |
| theHarvester -d example.com -b hunter | Email discovery | Uses Hunter.io intelligence sources to find professional email addresses associated with the domain. |
| theHarvester -d example.com -b intelx | IntelligenceX search | Queries IntelligenceX OSINT platform for domain related information including emails and metadata. |
| theHarvester -d example.com -b zoomeye | ZoomEye reconnaissance | Searches ZoomEye databases for hosts, services, and exposed infrastructure related to the domain. |
| theHarvester -d example.com -b rapiddns | RapidDNS enumeration | Uses RapidDNS intelligence to identify additional subdomains belonging to the organization. |
| theHarvester -d example.com -b hackerone | Bug bounty reconnaissance | Searches HackerOne disclosures and reports related to the target organization for reconnaissance insights. |

ADVANCED COMMANDS OF theHarvester

Advanced theHarvester cheat sheet commands for penetration testing and OSINT reconnaissance

These advanced theHarvester cheat sheet commands are commonly used by penetration testers and bug bounty hunters for deeper reconnaissance.


| Command Syntax | Purpose of Command | Description |
|---|---|---|
| theHarvester -d example.com -b all | Query all sources | Queries all supported intelligence sources simultaneously to gather the maximum amount of OSINT data related to the target domain. |
| theHarvester -d example.com -b google -l 500 | Large-scale reconnaissance | Retrieves a large number of search results from Google to discover hidden subdomains and employee emails associated with the organization. |
| theHarvester -d example.com -b bing -f results.html | Save Bing reconnaissance report | Runs Bing reconnaissance and saves the results into an HTML report file for later review and documentation. |
| theHarvester -d example.com -b all -f report.xml | Full OSINT export | Collects intelligence from all available sources and exports the findings into an XML report format. |
| theHarvester -d example.com -b crtsh -l 300 | Deep certificate reconnaissance | Searches certificate transparency logs extensively to uncover rarely documented subdomains associated with SSL certificates. |
| theHarvester -d example.com -b netcraft -l 200 | Infrastructure intelligence | Queries Netcraft data to identify hosting providers, infrastructure components, and associated hosts related to the domain. |
| theHarvester -d example.com -b threatcrowd -l 300 | Threat intelligence lookup | Collects threat intelligence data from ThreatCrowd including related malicious domains and historical associations. |
| theHarvester -d example.com -b github -l 200 | Developer intelligence | Searches GitHub repositories to identify developers, exposed emails, and infrastructure references associated with the organization. |
| theHarvester -d example.com -b twitter -l 200 | Social media reconnaissance | Performs deeper reconnaissance using Twitter data sources to identify employee accounts and digital presence. |
| theHarvester -d example.com -b linkedin -l 200 | Large-scale employee discovery | Collects employee information from LinkedIn data sources which can be useful during social engineering security assessments. |
| theHarvester -d example.com -b securitytrails -l 200 | DNS intelligence analysis | Queries SecurityTrails DNS databases to identify infrastructure and historical DNS records related to the domain. |
| theHarvester -d example.com -b virustotal -l 200 | Malware intelligence search | Uses VirusTotal threat intelligence to identify domains and hosts associated with malware investigations or infrastructure analysis. |
| theHarvester -d example.com -b zoomeye -l 200 | Internet-wide reconnaissance | Queries ZoomEye scanning databases to identify exposed services and infrastructure belonging to the domain. |
| theHarvester -d example.com -b hunter -l 200 | Email intelligence discovery | Uses Hunter email discovery engine to collect a larger dataset of corporate email addresses associated with the target domain. |
| theHarvester -d example.com -b intelx -l 200 | IntelligenceX OSINT scan | Queries IntelligenceX databases for leaked information, exposed assets, or domain-related intelligence. |
| theHarvester -d example.com -b rapiddns -l 200 | Deep subdomain enumeration | Collects large sets of DNS data using RapidDNS intelligence databases. |
| theHarvester -d example.com -b otx -l 200 | Threat intelligence reconnaissance | Uses AlienVault OTX threat intelligence feeds to gather infrastructure insights. |
| theHarvester -d example.com -b certspotter -l 200 | SSL enumeration | Searches Certspotter certificate logs to discover hidden subdomains. |
| theHarvester -d example.com -b hackerone -l 100 | Bug bounty intelligence | Searches public bug bounty reports related to the target organization. |
| theHarvester -d example.com -b dnsdumpster -l 200 | DNS infrastructure mapping | Uses DNSDumpster intelligence sources to map the DNS infrastructure of the organization. |

SecurityElites Hands-On Lab – Real Reconnaissance Scenarios

Practical experience is the best way to learn ethical hacking.

Below are five real-world scenarios where theHarvester is used during penetration testing and OSINT investigations. Let’s explore a few of our theHarvester cheat sheet commands in real-world scenarios.


Scenario 1 – Discovering Employee Emails

A penetration tester is hired to perform a security assessment on example.com.

The first step is identifying employee email addresses.

Command used:

theHarvester -d example.com -b google

Result:

  • employee@example.com
  • support@example.com
  • hr@example.com

This information can help identify potential targets during phishing simulation testing.


Scenario 2 – Subdomain Discovery

Organizations often host services on subdomains.

Example:

  • mail.example.com
  • dev.example.com
  • vpn.example.com

Command used:

theHarvester -d example.com -b crtsh

This queries SSL certificate transparency logs.

Often it reveals hidden development servers.
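
The same certificate transparency data lets an organization audit its own exposure. The following is an added example, not part of the original article or of theHarvester: it normalizes records in the shape of crt.sh's JSON output (the name_value field) and lists hostnames that are missing from an asset inventory. The sample records and the inventory are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of crt.sh JSON output (?q=%.example.com&output=json).
# Only name_value is used; it can hold several newline-separated names.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "common_name": "example.com",
     "name_value": "example.com\nwww.example.com"},
    {"id": 2, "common_name": "*.example.com",
     "name_value": "*.example.com\nmail.example.com"},
    {"id": 3, "common_name": "dev.example.com",
     "name_value": "DEV.example.com"},
    {"id": 4, "common_name": "vpn.example.com",
     "name_value": "vpn.example.com\nvpn.example.com."},
    {"id": 5, "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test"},   # look-alike, not a subdomain
    {"id": 6, "common_name": "notexample.com",
     "name_value": "notexample.com"},          # suffix match without a dot
])

# Constructed inventory: hostnames the organization already tracks.
KNOWN_INVENTORY = {"example.com", "www.example.com", "mail.example.com"}


def ct_hostnames(ct_json, domain):
    """Return the set of unique hostnames under `domain` found in CT records."""
    domain = domain.lower().rstrip(".")
    names = set()
    for record in json.loads(ct_json):
        for raw in (record.get("name_value") or "").splitlines():
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):          # wildcard cert: keep the base name
                name = name[2:]
            # Accept the apex or a true subdomain only (dot-boundary check).
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return names


def untracked_hosts(ct_json, domain, inventory):
    """Hostnames visible in CT logs that are missing from the asset inventory."""
    known = {h.lower().rstrip(".") for h in inventory}
    return sorted(ct_hostnames(ct_json, domain) - known)


if __name__ == "__main__":
    for host in untracked_hosts(SAMPLE_CT_JSON, "example.com", KNOWN_INVENTORY):
        print("not in inventory:", host)
```

Hostnames reported here are candidates for review: each one has had a certificate issued but is not tracked, which is how forgotten development and staging systems usually surface.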


Scenario 3 – Discovering Developer Infrastructure

Developers frequently leak infrastructure details on GitHub.

Command used:

theHarvester -d example.com -b github

Possible findings:

  • developer emails
  • internal repository references
  • API endpoints
  • staging servers

This information helps penetration testers map the attack surface.


Scenario 4 – Identifying Public Servers

Some infrastructure may appear in search engines.

Command used:

theHarvester -d example.com -b bing -l 200

Possible findings:

  • test servers
  • login portals
  • exposed admin panels

These are valuable entry points during penetration testing.


Scenario 5 – Full OSINT Reconnaissance

A bug bounty hunter wants maximum intelligence about a target.

Command used:

theHarvester -d example.com -b all -f reconnaissance.html

This performs reconnaissance across all available OSINT sources.

The generated report may contain:

  • emails
  • subdomains
  • hosts
  • employee names
  • exposed infrastructure

This becomes the foundation of an ethical hacking engagement.


FAQ – People Also Ask

What is theHarvester used for?

theHarvester is an open-source reconnaissance tool used for gathering OSINT intelligence about organizations. It collects emails, subdomains, hosts, and employee names from public sources such as search engines, DNS records, certificate transparency logs, and social media platforms. Cybersecurity professionals, penetration testers, and bug bounty hunters use it during the reconnaissance phase to map a target’s digital footprint before performing deeper security assessments.


Is theHarvester legal?

Yes, theHarvester is completely legal when used for ethical purposes such as cybersecurity research, penetration testing, and OSINT investigations. The tool only gathers publicly available information from open sources. However, using the collected intelligence for unauthorized attacks or malicious activities would be illegal. Always use theHarvester responsibly within legal boundaries or authorized penetration testing engagements.


Does Kali Linux include theHarvester?

Yes, Kali Linux includes theHarvester by default because it is one of the most widely used reconnaissance tools in cybersecurity. Kali Linux integrates theHarvester within its OSINT and information gathering toolsets. Users can simply open a terminal and run the command theHarvester -h to verify installation and start performing reconnaissance tasks.


Is theHarvester used by hackers?

Both ethical hackers and malicious attackers may use theHarvester because it collects publicly available intelligence. Ethical hackers use it for reconnaissance during authorized penetration testing engagements, while security researchers use it to analyze attack surfaces. Cybersecurity professionals rely on tools like theHarvester to identify vulnerabilities before attackers exploit them.


Is theHarvester difficult to learn?

No. theHarvester is considered one of the easiest reconnaissance tools for beginners learning ethical hacking. Most operations require simple command-line syntax, and results are easy to interpret. With just a few commands, beginners can start discovering subdomains, emails, and infrastructure associated with a domain.


Conclusion

Reconnaissance is the first and most important phase of ethical hacking.

Without accurate intelligence, penetration testers cannot understand the full attack surface of a target organization.

That is why tools like theHarvester are essential in cybersecurity.

In this theHarvester Cheat Sheet, you learned:

  • How to install theHarvester in Kali Linux
  • 60+ practical commands
  • Beginner-friendly reconnaissance techniques
  • Real-world penetration testing scenarios
  • OSINT strategies used by security professionals

If you want to master cybersecurity:

  • Practice these commands in cybersecurity labs
  • Experiment with different OSINT sources
  • Build reconnaissance workflows
  • Combine theHarvester with other tools like Nmap, Amass, and Subfinder

Bookmark this theHarvester Cheat Sheet so you always have quick access to essential commands. Share this guide with other cybersecurity learners.

You can also refer to other important cheat sheets:

1. NMAP Cheat Sheet
2. Amass Cheat Sheet

Explore more ethical hacking tutorials on SecurityElites and continue building your cybersecurity skills.
