peeko: Browser-based XSS C2 for stealthy internal network exploration via infected browser
peeko is a browser-based XSS-powered C2 (Command and Control) tool that leverages the victim’s browser as a stealthy proxy inside internal networks.
Through an injected XSS payload, peeko establishes a WebSocket connection to a central server, allowing an attacker to remotely control the victim’s browser to send requests to internal services, scan networks, exfiltrate data, or even execute arbitrary JavaScript — all without dropping a single binary.
Features
- WebSocket-based communication between attacker and victims
- Victim browser fetches internal URLs and scans IP ranges + ports
- Simple control panel with:
- Victim selector
- Manual URL fetch
- IP and port range scanner
- Custom JS execution (manual or automatic)
- File delivery (auto/manual)
- Browser info and token collection (cookies, storage, etc.)
- Log viewer with copy/save as
.txtor.json
- HTTPS support with self-signed certificates
- Lightweight: single Python file + static assets
Control Panel Features
- Select and manage connected victims
- Fetch any internal/external HTTPS URL via the victim
- Scan LAN ranges:
192.168.1.0/24,10.0.0.10-20, etc. - Scan specific ports or ranges (e.g.,
80,443,8000-8080)
- Send files to the victim (Base64 via WebSocket)
- Victim browser automatically downloads them
- Supports auto-upload on connect
- Collect User Agent, platform, referrer, cookies, local/sessionStorage
- View results in JSON
- Triggered manually or auto-collect on connect
- Run arbitrary JavaScript on the victim browser
- Use
exec:...format to send - Supports auto-run on connect
- Example:
exec:alert(document.cookie);
Logging
- Everything is logged (requests, responses, info dumps)
- Copy or export logs as
.txtor.json - Minimalist UI designed like a terminal log
Modern browser policies affect what peeko can access.
| Header | Can read content? | Notes |
|---|---|---|
Access-Control-Allow-Origin: * |
✅ | Full access to response |
| No header | ⚠️ | Response is opaque |
| Restricted origin | ❌ | Blocked or unreadable |
Victim connects via HTTPS. If a scanned target only uses HTTP:
- Browser will block mixed content requests
- peeko cannot read from
http://endpoints - Always prefer targets using HTTPS when scanning
During a penetration test, if you find an internal service that responds with Access-Control-Allow-Origin: * and is served over HTTPS, then peeko becomes a stealth proxy capable of exfiltrating internal data directly from the victim’s browser without dropping any files or opening outbound connections.
