theHarvester. It’s one of the most common “first-pass” OSINT tools for collecting emails, subdomains
What it’s for
Finding employee email addresses that are publicly indexed (good for building contact maps and spotting patterns like first.last@company.com).
Discovering subdomains and related hosts (useful for recon and for expanding your attack surface map in authorized tests).
Getting a quick “OSINT snapshot” before you do deeper enumeration.
How to use it (practical)
Install
Kali/Parrot (usually easiest):
sudo apt update
sudo apt install theharvester
If your distro doesn’t have it or it’s outdated, you can use pip (varies by distro), but apt is the cleanest when available.
Basic run (domain recon)
theHarvester -d example.com -b all
-d = target domain
-b = data source (“backend”). The value “all” tries multiple sources.
Use specific sources (more control)
theHarvester -d example.com -b google,bing,duckduckgo
This is often more stable than “all” if one source rate-limits you. Source names differ between versions; theHarvester -h lists the ones your install supports.
Limit results (faster, less noisy)
theHarvester -d example.com -b bing -l 200
-l 200 caps how many results it pulls (good for quick runs).
Save output (so you can report it)
theHarvester -d example.com -b all -f example_osint
This saves results to files (HTML/XML/JSON depending on version). Check the created files in your directory.
What you should look for in the output
Emails: patterns, departments, third-party services (e.g., marketing tools) that might indicate other exposed systems.
Hosts/Subdomains: anything interesting like:
dev. / staging. / test. (often softer targets)
old portals: vpn., owa., mail., jira., git., sso.
Repetition across sources: if multiple sources show the same host, it’s more likely real.
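One way to run this review over saved results, as an added example that is not part of theHarvester or of the original page. It assumes you ran one source per run and loaded each run's host and email lists into Python; the "host:ip" entry form, the role-mailbox list and all sample data are assumptions constructed here.

```python
import re
from collections import Counter, defaultdict

# Labels from the "what to look for" list above.
PRE_PROD = {"dev", "staging", "test"}
PORTALS = {"vpn", "owa", "mail", "jira", "git", "sso"}
ROLES = {"info", "sales", "support", "marketing", "hr", "admin"}  # assumed examples

def triage_hosts(hosts_by_source, domain):
    """Merge per-source host lists, tag each host, note cross-source agreement."""
    seen = defaultdict(set)
    for source, hosts in hosts_by_source.items():
        for raw in hosts:
            # Assumption: an entry may carry a resolved address as "host:ip".
            host = raw.split(":", 1)[0].strip().lower().rstrip(".")
            if host == domain or host.endswith("." + domain):
                seen[host].add(source)  # anything else is out of scope
    rows = []
    for host, sources in seen.items():
        labels = set(re.split(r"[.-]", host[: -len(domain)].rstrip(".")))
        tags = [n for n, w in (("pre-prod", PRE_PROD), ("portal", PORTALS)) if labels & w]
        rows.append({"host": host, "sources": sorted(sources),
                     "corroborated": len(sources) > 1, "tags": tags})
    # Review order: seen by several sources first, then tagged, then by name.
    rows.sort(key=lambda r: (not r["corroborated"], not r["tags"], r["host"]))
    return rows

def email_patterns(emails, domain):
    """Count local-part formats among unique addresses at the domain."""
    counts = Counter()
    for addr in {e.strip().lower() for e in emails}:
        local, _, dom = addr.rpartition("@")
        if dom == domain and local:
            kind = ("role" if local in ROLES else
                    "first.last" if re.fullmatch(r"[a-z]+\.[a-z]+", local) else "other")
            counts[kind] += 1
    return counts

# Constructed sample data (not real theHarvester output).
SAMPLE_HOSTS = {
    "bing": ["www.example.com", "staging.example.com:192.0.2.10", "vpn.example.com"],
    "duckduckgo": ["WWW.example.com.", "vpn.example.com", "cdn.example.net"],
}
SAMPLE_EMAILS = ["jane.doe@example.com", "John.Roe@example.com", "hr@example.com", "a@other.test"]

if __name__ == "__main__":
    print(triage_hosts(SAMPLE_HOSTS, "example.com"))
    print(dict(email_patterns(SAMPLE_EMAILS, "example.com")))
```

Hosts seen by only one source sort last; confirm they resolve before they go into a report.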
Common “why is it not working?” fixes
Rate limiting / captchas: try fewer sources, or run from a clean IP, or use a different backend.
Garbage results: narrow sources and lower -l.
Nothing found: that can be normal—some orgs are just clean, or block indexing.
Ethical line (important)
Only run it against domains you own or have permission to assess. OSINT still counts as recon in most engagement rules.