Today we will be showing you an information gathering tutorial with theHarvester tool. We will see how to run theHarvester and the ways a hacker can use it for pentesting and information gathering purposes. If you have not yet read about theHarvester, be sure to read the intro first.
What is the harvester tool?
theHarvester is an information-gathering tool built by the guys at Edge-Security and included by default in Kali Linux. The goal of this tool is to find and gather all email addresses, subdomains, hosts, ports, employee names, and banners that can provide sensitive information about the target.
But the unique part is that theHarvester doesn’t use any advanced algorithms to crack passwords, test firewalls, or sniff data on networks. Instead, it automatically gathers public information available on the internet.
Why collect this public information, you might ask?
Well, in any pen-testing task, the first thing you need to do is know your target. The more information you have about the target, the easier it is to hack the target victim. You can gather really useful information, like the email addresses to target for phishing or which domains are vulnerable on the company network. You can also use this information for social engineering attacks, which are at the top of every hacker’s arsenal.
By using this tool, critical information that companies knowingly or unknowingly disclose can be obtained legally and used to understand the target. So without further ado, let’s use theHarvester.
Using the harvester tool in Kali Linux
This tool is preinstalled in Kali Linux and can be started by using the following command:
You can use the following parameters as an example:
theharvester -d cvcc.edu -l 500 -b google -f myresults.html
In the above example, -d gives the domain, -l sets the results limit, and -b is the data source. The -f parameter exports the results to a file.
You can use the following options in the tool. I have used some of them. Feel free to use the rest.
-d: Domain to search or company name
-b: data source: baidu, bing, bingapi, censys, crtsh, dogpile, google, google-certificates, googleCSE, googleplus, google-profiles, hunter, linkedin, netcraft, pgp, threatcrowd, twitter, vhost, virustotal, yahoo, all
-g: use Google Dorking instead of a normal Google search
-s: start in result number X (default: 0)
-v: verify hostname via DNS resolution and search for virtual hosts
-f: save the results into an HTML and XML file (both)
-n: perform a DNS reverse query on all ranges discovered
-c: perform a DNS brute force for the domain name
-t: perform a DNS TLD expansion discovery
-e: use this DNS server
-p: port scan the detected hosts and check for Takeovers (80,443,22,21,8080)
-l: limit the number of results to work with (Bing goes from 50 to 50 results, Google 100 to 100, and PGP doesn’t use this option)
-h: use SHODAN database to query discovered hosts
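The same results can be reviewed from the defending side for a domain you own. The following is an added example, not part of the original tutorial or of theHarvester itself: it pulls email addresses and hostnames out of saved results text and flags personal mailboxes and hosts missing from an asset inventory. The sample text, the example.org domain, the role-address list and the inventory are all constructed assumptions, and the sample does not reproduce the tool's real output format.

```python
import re

# Constructed sample of saved results text for a domain you own (not real tool output).
SAMPLE_RESULTS = """\
Emails found:
helpdesk@example.org
jane.doe@example.org
j.smith@example.org
Hosts found:
www.example.org
vpn.example.org
old-intranet.example.org
mail.example.org
"""

# Assumptions for this example: shared mailboxes that are meant to be public,
# and the hostnames your asset inventory already lists.
ROLE_LOCAL_PARTS = {"info", "helpdesk", "support", "admissions", "webmaster"}
INVENTORY = {"www.example.org", "mail.example.org", "vpn.example.org"}


def review_exposure(text, domain, inventory=INVENTORY, roles=ROLE_LOCAL_PARTS):
    """Return the harvested findings for `domain` that a defender should follow up."""
    text = text.lower()
    dom = re.escape(domain.lower())
    end = r"(?![a-z0-9-])"  # stops example.org from matching example.organic
    # Addresses at the domain or any of its subdomains.
    emails = set(re.findall(rf"[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)*{dom}{end}", text))
    # Subdomains; the lookbehind skips the host part of an email address.
    hosts = set(re.findall(rf"(?<![@a-z0-9.-])(?:[a-z0-9-]+\.)+{dom}{end}", text))
    # Named mailboxes are the likely phishing targets; role addresses are expected.
    personal = sorted(e for e in emails if e.split("@")[0] not in roles)
    # Hosts nobody has on record are the ones to investigate first.
    unknown = sorted(h for h in hosts if h not in inventory)
    return {"personal_mailboxes": personal, "hosts_not_in_inventory": unknown}


if __name__ == "__main__":
    for finding, items in review_exposure(SAMPLE_RESULTS, "example.org").items():
        print(finding)
        for item in items:
            print("  ", item)
```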
Normally with my hacking world tutorials, I give a big disclaimer asking you not to try this on anyone, and explaining how you shouldn’t use this tool. This time it’s different: you can use this tool as much as you want to gather information, so long as you don’t abuse the data for hacking and targeting companies with other illegal hacking tools.