peeko: Browser-based XSS C2 for stealthy internal network exploration via infected browser

peeko is a browser-based XSS-powered C2 (Command and Control) tool that leverages the victim’s browser as a stealthy proxy inside internal networks.

Through an injected XSS payload, peeko establishes a WebSocket connection to a central server, allowing an attacker to remotely control the victim’s browser to send requests to internal services, scan networks, exfiltrate data, or even execute arbitrary JavaScript — all without dropping a single binary.

Features

  • WebSocket-based communication between attacker and victims
  • Victim browser fetches internal URLs and scans IP ranges + ports
  • Simple control panel with:
    • Victim selector
    • Manual URL fetch
    • IP and port range scanner
    • Custom JS execution (manual or automatic)
    • File delivery (auto/manual)
    • Browser info and token collection (cookies, storage, etc.)
    • Log viewer with copy/save as .txt or .json
  • HTTPS support with self-signed certificates
  • Lightweight: single Python file + static assets

Control Panel Features

Core Functions

  • Select and manage connected victims
  • Fetch any internal/external HTTPS URL via the victim
  • Scan LAN ranges: 192.168.1.0/2410.0.0.10-20, etc.
  • Scan specific ports or ranges (e.g., 80443,8000-8080)

File Delivery

  • Send files to the victim (Base64 via WebSocket)
  • Victim browser automatically downloads them
  • Supports auto-upload on connect

Info Gathering

  • Collect User Agent, platform, referrer, cookies, local/sessionStorage
  • View results in JSON
  • Triggered manually or auto-collect on connect

Custom JS Execution

  • Run arbitrary JavaScript on the victim browser
  • Use exec:... format to send
  • Supports auto-run on connect
  • Example: exec:alert(document.cookie);

Logging

  • Everything is logged (requests, responses, info dumps)
  • Copy or export logs as .txt or .json
  • Minimalist UI designed like a terminal log

CORS & Mixed Content Explained

Modern browser policies affect what peeko can access.

CORS Responses

Header Can read content? Notes
Access-Control-Allow-Origin: * Full access to response
No header ⚠️ Response is opaque
Restricted origin Blocked or unreadable

Mixed Content

Victim connects via HTTPS. If a scanned target only uses HTTP:

  • Browser will block mixed content requests
  • peeko cannot read from http:// endpoints
  • Always prefer targets using HTTPS when scanning

In Practice

During a penetration test, if you find an internal service that responds with Access-Control-Allow-Origin: * and is served over HTTPS, then peeko becomes a stealth proxy capable of exfiltrating internal data directly from the victim’s browser without dropping any files or opening outbound connections.

Install

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce