Information gathering is the first and most important step of a penetration test. The more information you gather, the easier the exploitation phase will be.

Developed by Christian Martorella, theHarvester is very useful for this task. It is a Python script that helps you find user e-mail addresses and subdomains of a given domain simply by parsing search engine results. The following data sources are supported:

theHarvester is installed by default on Kali Linux. Basic usage is: theharvester -d <domain> -b <source>

Some options are available to tweak your request:

-d: the domain you are looking for
-b: the data source to query, or all
-f: output file (HTML and XML)
-l: limit the number of results used for each source
-s: start result number
-h: query Shodan for each discovered host
-n: perform a reverse DNS lookup for each IP address range discovered
-c: perform a brute force search (can’t make it work anyway…)
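As an added illustration of the approach described above (this is example code written for this post, not theHarvester's own code), the following Python script mimics the core idea of the tool: it parses a search-engine results page for e-mail addresses and hostnames and keeps only those that belong to the target domain, which is the role of the -d option. The HTML snippet is constructed for the example and is not real search output; the same logic lets a defender inventory which addresses and hosts of their own domain are already publicly exposed.

```python
import re
from html.parser import HTMLParser

# Constructed sample of what a search-engine results page might contain for a
# query such as "@example.com". Made-up content, not captured output.
SAMPLE_RESULTS = """
<html><body>
<a href="https://www.example.com/about">About us</a>
<p>Contact: alice.smith@example.com or sales@example.com</p>
<a href="http://mail.example.com/login">Webmail</a>
<p>Press: press@EXAMPLE.COM &lt;press@example.com&gt;</p>
<a href="https://notexample.com/example.com/page">unrelated</a>
<p>Partner: bob@partner-example.com, dev.intern@dev.example.com</p>
<a href="https://api.dev.example.com/v1">API docs</a>
</body></html>
"""

# Loose patterns: good enough for harvesting candidates, which are then
# filtered by domain ownership below.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HOST_RE = re.compile(r"(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")


class TextExtractor(HTMLParser):
    """Collect visible text and href targets from an HTML results page.

    HTMLParser decodes entities (e.g. &lt;) for us, so e-mail addresses that
    were HTML-escaped in the page are still found.
    """

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value:
                self.chunks.append(value)

    def handle_data(self, data):
        self.chunks.append(data)


def belongs_to(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def harvest(html, domain):
    """Return (emails, subdomains) found in html that belong to domain.

    Both lists are lower-cased, de-duplicated and sorted. Hosts equal to the
    bare domain are not reported as subdomains.
    """
    domain = domain.lower()
    parser = TextExtractor()
    parser.feed(html)
    text = "\n".join(parser.chunks)

    emails = set()
    for email in EMAIL_RE.findall(text):
        email = email.lower()
        _, _, host = email.rpartition("@")
        if belongs_to(host, domain):
            emails.add(email)

    hosts = set()
    for host in HOST_RE.findall(text):
        host = host.lower()
        if host != domain and belongs_to(host, domain):
            hosts.add(host)

    return sorted(emails), sorted(hosts)


if __name__ == "__main__":
    found_emails, found_hosts = harvest(SAMPLE_RESULTS, "example.com")
    print("[*] Emails found:")
    for e in found_emails:
        print("   ", e)
    print("[*] Hosts found:")
    for h in found_hosts:
        print("   ", h)
```

Running the script on the embedded sample lists four e-mail addresses and four subdomains of example.com, while the look-alike partner-example.com address and the notexample.com link are ignored. Real search engines paginate and rate-limit, which is what the -l and -s options of theHarvester deal with; this example only covers the parsing and filtering step.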

Example:

theHarvester