peeko: Browser-based XSS C2 for stealthy internal network exploration via infected browser
peeko is a browser-based XSS-powered C2 (Command and Control) tool that leverages the victim’s browser as a stealthy proxy inside internal networks.
Through an injected XSS payload, peeko establishes a WebSocket connection to a central server, allowing an attacker to remotely control the victim’s browser to send requests to internal services, scan networks, exfiltrate data, or even execute arbitrary JavaScript — all without dropping a single binary.
Features
- WebSocket-based communication between attacker and victims
- Victim browser fetches internal URLs and scans IP ranges + ports
- Simple control panel with:
  - Victim selector
  - Manual URL fetch
  - IP and port range scanner
  - Custom JS execution (manual or automatic)
  - File delivery (auto/manual)
  - Browser info and token collection (cookies, storage, etc.)
  - Log viewer with copy/save as `.txt` or `.json`
- HTTPS support with self-signed certificates
- Lightweight: single Python file + static assets
Control Panel Features
- Select and manage connected victims
- Fetch any internal/external HTTPS URL via the victim
- Scan LAN ranges: `192.168.1.0/24`, `10.0.0.10-20`, etc.
- Scan specific ports or ranges (e.g., `80,443,8000-8080`)
- Send files to the victim (Base64 via WebSocket)
- Victim browser automatically downloads them
- Supports auto-upload on connect
- Collect User Agent, platform, referrer, cookies, local/sessionStorage
- View results in JSON
- Triggered manually or auto-collect on connect
- Run arbitrary JavaScript on the victim browser
- Use `exec:...` format to send
- Supports auto-run on connect
- Example: `exec:alert(document.cookie);`
Logging
- Everything is logged (requests, responses, info dumps)
- Copy or export logs as `.txt` or `.json`
- Minimalist UI designed like a terminal log
Modern browser policies affect what peeko can access.
| Header | Can read content? | Notes |
|---|---|---|
| `Access-Control-Allow-Origin: *` | ✅ | Full access to response |
| No header | ⚠️ | Response is opaque |
| Restricted origin | ❌ | Blocked or unreadable |
Victim connects via HTTPS. If a scanned target only uses HTTP:
- Browser will block mixed content requests
- peeko cannot read from `http://` endpoints
- Always prefer targets using HTTPS when scanning
During a penetration test, if you find an internal service that responds with Access-Control-Allow-Origin: * and is served over HTTPS, then peeko becomes a stealth proxy capable of exfiltrating internal data directly from the victim’s browser without dropping any files or opening outbound connections.
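From the defender's side, the CORS and mixed-content rules above can be turned into an audit of which internal services a script on a compromised HTTPS page could actually read. This is an added example, not peeko code: the function names, the `corp.example` hosts and the header inventory are constructed, and loopback exemptions, credentialed requests and Private Network Access are not modelled.

```python
from urllib.parse import urlsplit

def origin_of(url):
    """Scheme plus host[:port], lower-cased, for origin comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def classify_exposure(page_origin, target_url, response_headers):
    """Return 'readable', 'opaque', 'blocked' or 'blocked-mixed-content'."""
    page, target = origin_of(page_origin), origin_of(target_url)
    # Mixed content: a page loaded over HTTPS cannot fetch plain-HTTP endpoints.
    if page.startswith("https://") and target.startswith("http://"):
        return "blocked-mixed-content"
    # Same-origin responses are readable regardless of CORS headers.
    if page == target:
        return "readable"
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return "opaque"      # request may be sent, body cannot be read
    # The wildcard applies to requests sent without credentials.
    if acao == "*" or acao.rstrip("/").lower() == page:
        return "readable"
    return "blocked"         # header names some other origin

def audit(page_origin, inventory):
    """Map each URL to a verdict and list the ones that need a CORS fix."""
    verdicts = {url: classify_exposure(page_origin, url, hdrs)
                for url, hdrs in inventory.items()}
    findings = sorted(url for url, v in verdicts.items() if v == "readable")
    return verdicts, findings

# Constructed inventory: response headers gathered from your own services.
SAMPLE_INVENTORY = {
    "https://metrics.corp.example/api": {"Access-Control-Allow-Origin": "*"},
    "https://wiki.corp.example/": {},
    "https://hr.corp.example/": {
        "Access-Control-Allow-Origin": "https://portal.corp.example"},
    "http://printer.corp.example/status": {"Access-Control-Allow-Origin": "*"},
}

if __name__ == "__main__":
    verdicts, findings = audit("https://app.corp.example", SAMPLE_INVENTORY)
    for url, verdict in verdicts.items():
        print(f"{verdict:22} {url}")
    print("Tighten Access-Control-Allow-Origin on:", findings)
```

Services reported as `readable` are the ones to fix first, by replacing the wildcard with an explicit allow-list of origins that genuinely need cross-origin access.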
Install