theHarvester
E-mail, subdomain, and host harvesting from search engines, PGP servers, and common OSINT APIs.
Why it is included
Long-maintained Python entry point taught in many OSINT curricula.
Best for
Early-phase recon with conservative rate limits and legal review.
Strengths
- Simple CLI
- Many data sources
- Scriptable
Limitations
- Source ToS and laws apply; easy to misuse
Good alternatives
OWASP Amass · Subfinder
Related tools
Security & Privacy
OWASP Amass
Attack surface mapping engine: DNS, certificates, APIs, scraping, and graphing for deep asset discovery.
Security & Privacy
SpiderFoot
OSINT automation aggregating hundreds of public data sources.
Security & Privacy
Nikto
Web server scanner that probes for dangerous files, outdated software, and misconfigurations via many checks.
Security & Privacy
Nuclei
Fast vulnerability scanner driven by YAML templates—used for recon, misconfigs, CVEs, and custom checks at scale.
Security & Privacy
httpx (ProjectDiscovery)
Fast HTTP probing CLI: status, title, tech fingerprinting, paths, and pipeline-friendly output for asset lists.
Security & Privacy
Subfinder
Passive subdomain enumeration aggregating many OSINT sources with resolver validation options.