peeko: Browser-based XSS C2 for stealthy internal network exploration via infected browser

peeko is a browser-based XSS-powered C2 (Command and Control) tool that leverages the victim’s browser as a stealthy proxy inside internal networks.

Through an injected XSS payload, peeko establishes a WebSocket connection to a central server, allowing an attacker to remotely control the victim’s browser to send requests to internal services, scan networks, exfiltrate data, or even execute arbitrary JavaScript — all without dropping a single binary.

Features

  • WebSocket-based communication between attacker and victims
  • Victim browser fetches internal URLs and scans IP ranges + ports
  • Simple control panel with:
    • Victim selector
    • Manual URL fetch
    • IP and port range scanner
    • Custom JS execution (manual or automatic)
    • File delivery (auto/manual)
    • Browser info and token collection (cookies, storage, etc.)
    • Log viewer with copy/save as .txt or .json
  • HTTPS support with self-signed certificates
  • Lightweight: single Python file + static assets

Control Panel Features

Core Functions

  • Select and manage connected victims
  • Fetch any internal/external HTTPS URL via the victim
  • Scan LAN ranges: 192.168.1.0/24, 10.0.0.10-20, etc.
  • Scan specific ports or ranges (e.g., 80, 443, 8000-8080)

File Delivery

  • Send files to the victim (Base64 via WebSocket)
  • Victim browser automatically downloads them
  • Supports auto-upload on connect

Info Gathering

  • Collect User Agent, platform, referrer, cookies, local/sessionStorage
  • View results in JSON
  • Triggered manually or auto-collect on connect

Custom JS Execution

  • Run arbitrary JavaScript on the victim browser
  • Use exec:... format to send
  • Supports auto-run on connect
  • Example: exec:alert(document.cookie);

Logging

  • Everything is logged (requests, responses, info dumps)
  • Copy or export logs as .txt or .json
  • Minimalist UI designed like a terminal log

CORS & Mixed Content Explained

Modern browser policies affect what peeko can access.

CORS Responses

Header                            Can read content?   Notes
Access-Control-Allow-Origin: *    Yes                 Full access to response
No header                         ⚠️                  Response is opaque
Restricted origin                 No                  Blocked or unreadable

Mixed Content

Victim connects via HTTPS. If a scanned target only uses HTTP:

  • Browser will block mixed content requests
  • peeko cannot read from http:// endpoints
  • Always prefer targets using HTTPS when scanning

In Practice

During a penetration test, if you find an internal service that responds with Access-Control-Allow-Origin: * and is served over HTTPS, then peeko becomes a stealth proxy capable of exfiltrating internal data directly from the victim’s browser without dropping any files or opening outbound connections.
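For defenders, the CORS table above translates directly into an audit of what internal services send back. The following is an added example, not part of peeko: it classifies response headers by whether a script on an unrelated origin could read the body. The probe origin, hostnames and sample headers are constructed assumptions.

```python
# Added audit sketch (not peeko code). PROBE_ORIGIN and the sample data are constructed.
PROBE_ORIGIN = "https://cors-audit.invalid"  # Origin header the auditor sends with each request

def classify(headers):
    """Map response headers to (verdict, reason), following the CORS table."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "opaque", "no CORS header: cross-origin scripts cannot read the body"
    if acao == "*":
        # Browsers reject a wildcard on credentialed requests, so only
        # responses served without cookies or HTTP auth are exposed.
        return "readable", "wildcard: any origin reads unauthenticated responses"
    if acao == PROBE_ORIGIN:
        scope = "including cookie-authenticated responses" if creds else "unauthenticated responses"
        return "readable", "arbitrary Origin reflected: " + scope
    return "restricted", "fixed allow-list origin: other origins are blocked"

def audit(inventory):
    """Return {service: reason} for every service a foreign origin can read."""
    findings = {}
    for name, headers in inventory.items():
        verdict, reason = classify(headers)
        if verdict == "readable":
            findings[name] = reason
    return findings

# Constructed response headers, as if each service was requested with Origin: PROBE_ORIGIN
SAMPLE_INVENTORY = {
    "https://wiki.corp.example": {"Access-Control-Allow-Origin": "*"},
    "https://hr.corp.example": {"Content-Type": "text/html"},
    "https://ci.corp.example": {"access-control-allow-origin": PROBE_ORIGIN,
                                "Access-Control-Allow-Credentials": "true"},
    "https://api.corp.example": {"Access-Control-Allow-Origin": "https://app.corp.example"},
}

if __name__ == "__main__":
    for service, reason in audit(SAMPLE_INVENTORY).items():
        print(service, "->", reason)
```

Services this flags are the ones whose responses a hijacked browser session could read; returning a fixed allow-list origin, or no CORS header at all, moves them to the blocked or opaque rows of the table.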

Install