Browser Browser

Сканирование

Новый скан Мониторы

Инструменты

My IP DNS Lookup WHOIS SSL Certificate Ping HTTP Headers Domain Check IP Calculator IDN Converter Reverse DNS Schema Generator TAS-IX Трассировка

Сервисы

Массовый скан Хостинг Отчёт CSEC Дефейс

Разведка

Армия AI-агентов Конкуренты Граф CVE Страхование Репутация

SEO

AI Blog GitHub SEO Site Audit Site Compare Traffic Analytics

Ещё

Все функции Документация Цены
Начать бесплатно
PASSIVE · 40+ SOURCES · PHISHING-PROOF

See what attackers see
about your domain.

Before the first scan, an attacker spends 30 minutes mining public indexes for your employees' email addresses, forgotten subdomains, exposed admin panels, code-search hits. We do that 30 minutes for you — across 40+ free public sources in one click. The list you get is the spear-phishing dataset already in their hands.

Map my exposure Read docs
Free · Passive (no probes hit your servers) · 40+ public sources · GPL-2.0
browser.uz / email-recon
# Domain: example.com · Sources: 8 free · ~90 seconds Querying crt.sh ……… 142 subdomains Querying Bing ……… 7 emails Querying DuckDuckGo ……… 3 emails, 12 subdomains Querying dnsdumpster ……… 38 hosts Querying OTX ……… 24 indicators Querying urlscan ……… 16 URLs Querying RapidDNS ……… +9 unique subdomains Querying certspotter ……… +4 cert SANs ═══ Result ═══ 📭 23 employee emails exposed in public sources admin@example.com, sales@example.com, eng-team@example.com, ceo@example.com, support@…, billing@…, … 🌐 187 subdomains mapped dev.example.com, staging.example.com, admin.example.com, … 🔍 16 indexed URLs
×
What attackers do today
Open theHarvester, Hunter.io, Phonebook.cz. Mine 40+ sources by hand. Build a list of name@yourcompany.com addresses + 200 subdomains. Send a phishing email to finance@ from finance.yourcompany.support@gmail.com. Now they own one valid Microsoft 365 session.
What you do with Browser
One click. Get the same list — 90 seconds. Audit which addresses should be redacted from public commits. Roll out DMARC. Run phishing-simulation training on the surfaced list. Cut the attack before it starts.
Sources we query (no API key required)
crt.shBingDuckDuckGoBrave YahoodnsdumpsterotxRapidDNS certspotterHackerTargeturlscanVirusTotal ThreatMinerSubdomainCenterSublist3r github-codeBufferOverunAnubis BevigilFullHuntIntelX RocketReachTombaCensys

+ optional API-key sources: Shodan, SecurityTrails, Hunter, Fofa, BinaryEdge, PentestTools — bring your own keys.

How it works

01.
Pick sources
8 sources by default (the proven ones), or check all 24 free sources. Bring your own API keys for Shodan / SecurityTrails / Hunter.
02.
Enter your domain
Bare domain: example.com. We validate — no IPs, no loopback, no URLs. Subprocess uses shell=False, all flags fixed.
03.
Wait ~90 seconds
theHarvester runs sources in parallel. We never query your domain directly — only third-party indexes that already mapped it.
04.
Get findings
Severity-tagged: 30+ emails = HIGH (rich phishing dataset), 10+ = MEDIUM, >30 forgotten subdomains = LOW. Each with remediation.
Sample finding
23 employee email(s) exposed in public sources
domain: example.com · severity: high · CWE-200 · sources: bing/duckduckgo/github-code/otx
admin@example.com
ceo@example.com
finance@example.com
hr@example.com
billing@example.com
+ 18 more
How to fix 1. Audit which addresses are deliberately public (support@, sales@) versus accidentally exposed (engineering aliases in code commits, pastebin paste). 2. Roll out DMARC + SPF + DKIM with reject policy. 3. Mandatory MFA on all email accounts. 4. Run regular phishing-simulation training on the surfaced list — these are exactly the addresses attackers will target.

Responsible use

Know your phishing exposure before HR has to write the apology email.

Free passive recon. 40+ public sources. 90 seconds. One click.

Map my domain →

Powered by laramies/theHarvester — released under GPL-2.0. Browser uses theHarvester as an external CLI tool only; no source modification.