TheHarvester Cheat Sheet
theHarvester
theHarvester is a simple, powerful, and effective tool used in the early stages of a penetration test or red team engagement. It is also used for open-source intelligence (OSINT) gathering to help determine a company's external threat landscape. It can gather emails, names, subdomains, IPs, and URLs using multiple public data sources.
Source: http://www.edge-security.com
Contents
1. theHarvester Options
2. theHarvester Passive Data Source
3. theHarvester Active Data Source
4. theHarvester Commands

1. theHarvester Options

Syntax
theharvester options

Options
-d    Domain to search or company name
-b    Data source: Baidu, bing, bingapi, dogpile, google, googleCSE, googleplus, google-profiles, LinkedIn, pgp, twitter, vhost, yahoo, all
-s    Start in result number X (default: 0)
-v    Verify hostname via DNS resolution and search for virtual hosts
-f    Save the results into an HTML and XML file
-n    Perform a DNS reverse query on all ranges discovered
-c    Perform a DNS brute force for the domain name
-l    Limit the number of results to work with (bing goes from 50 to 50 results, google 100 to 100)
-h    Use SHODAN database to query discovered hosts

2. theHarvester Passive Data Source

Data Source       Description
duckduckgo        DuckDuckGo search engine - www.duckduckgo.com
Exalead           Meta search engine - www.exalead.com/search
github-code       GitHub code search engine (Requires a GitHub Personal Access Token, see below.) - www.github.com
google            Google search engine - www.google.com
                  Example: theharvester -d microsoft.com -l 500 -b google -h myresults.html
google-profiles   Google search engine, specific search for Google profiles
googleCSE         Hunter search engine (Requires an API key, see below.) - www.hunter.io
intelx            Intelx search engine (Requires an API key, see below.) - www.intelx.io
linkedin          Google search engine, specific search for LinkedIn users - www.linkedin.com
                  Example: theharvester -d microsoft -l 200 -b linkedin
netcraft          Internet Security and Data Mining - www.netcraft.com
otx               AlienVault Open Threat Exchange - otx.alienvault.com
securityTrails    Security Trails search engine, the world's largest repository of historical DNS data - www.securitytrails.com
shodan            Shodan search engine will search for ports and banners from discovered hosts - www.shodanhq.com
Spyse             Web research tools for professionals - spyse.com
trello            Search trello boards
twitter           Twitter accounts related to a specific domain
vhost             Bing virtual hosts search

3. theHarvester Active Data Source

Data Source         Description
DNS TLD expansion   TLD dictionary brute force enumeration

4. theHarvester Commands

Command:      theharvester -d microsoft.com -l 500 -b google
Description:  Perform passive scanning on the target domain (Microsoft.com) by limiting the results to 500 (-l 500) using Google (-b)

Command:      theharvester -d kali.org -l 500 -b google -f output.txt

Command:      theHarvester.py -d google.com -c -b google
Description:  Perform active scanning and brute-forcing subdomains of the target domain (google.com) using option -c using Google (-b)