```
pip install red-specter-banshee
```

Every organisation defends the network. Nobody defends the browser. BANSHEE turns the browser into an attack platform. Hook injection, session theft, keystroke capture, internal network pivoting — all from a single JavaScript payload delivered through a link.
Firewalls protect the network. EDR protects the endpoint. Nothing protects the browser session. Cookies, tokens, localStorage, IndexedDB — all accessible to a single line of JavaScript. The richest target in the enterprise is completely unguarded.
The browser runs JavaScript from every origin it visits. Injected code executes with the user's full session context. Same cookies. Same tokens. Same permissions. The browser doesn't distinguish between legitimate and malicious JavaScript.
The browser sits inside the corporate network. It can reach internal services that external scanners can't. Browser-as-proxy turns a hooked browser into a SOCKS proxy into the internal network. One click. Full internal access.
Service Workers survive page reloads. Cache poisoning persists across sessions. The hook outlives the visit. Close the tab, close the browser, come back tomorrow — the hook is still running. No files on disk. No process to kill.
Eight modules. Each one built from scratch in pure Python. Every hook engine, every C2 channel, every evasion technique written natively. 986 tests. 5 hook types. 3 obfuscation levels. The browser becomes your attack platform.
JavaScript hook injection with encrypted C2 communication. 5 hook types: inline, external, event-based, mutation observer, and WebSocket. 3 obfuscation levels for evasion. Hooks persist through navigation.
Cookie theft, session token extraction, session cloning for account takeover. localStorage and IndexedDB extraction. Captures every stored credential and session state in the browser.
Keystroke capture with intelligent targeting. Password field detection, credit card number recognition, form interception. Only captures what matters. Exfiltrates via encrypted C2 channel.
Browser fingerprinting with canvas, WebGL, and audio context. WebRTC IP leak for real IP discovery behind VPN. Internal network discovery through the browser's network position.
DOM manipulation for fake login overlays, form hijacking, and phishing injection. Creates pixel-perfect credential harvesting pages that appear within the legitimate site. The user never leaves the domain.
Turns the hooked browser into a proxy into the internal network. Internal network scanning through the browser. CORS bypass for cross-origin data extraction. One hook becomes full internal access.
Service Worker registration for persistent hooks that survive page reloads and browser restarts. Cache poisoning for long-term persistence. Bookmark injection for re-engagement. The hook outlives the visit.
Anti-forensics, DevTools detection, sandbox detection, CSP bypass techniques. Detects when the operator opens developer tools and cleans up. Bypasses Content Security Policies to enable injection.
Start the listener, deliver the hook, own the browser:
All hook-to-server communication is encrypted over TLS. WebSocket channels with custom encoding. Traffic blends with normal HTTPS. No plaintext exfiltration.
SPECTER SOCIAL delivers the link. BANSHEE hooks the browser. SCREAMER corrupts the operator's display. The operator is blind while the browser is owned.
The browser sits inside the network. BANSHEE uses it to scan internal services, extract internal IPs via WebRTC, and bypass CORS restrictions. One hook becomes internal access.
Browser-extracted credentials and internal network maps feed directly into NEMESIS. The Supreme Commander chains browser exploitation into full infrastructure compromise.
Standard mode demonstrates capability and reports attack paths. UNLEASHED mode executes live hook injection, captures real credentials, and actively pivots through the browser. Ed25519 key gate required. Two flags must be passed. This is not accidental.
| Capability | Standard | Unleashed |
|---|---|---|
| Hook injection | Demonstrate payload delivery | Live JS injection, encrypted C2 |
| Session theft | Report accessible cookies/tokens | Extract and exfiltrate credentials |
| Keylogging | Detect capturable fields | Live keystroke capture and exfil |
| DOM injection | Report injectable contexts | Live overlay injection, form hijack |
| Network pivoting | Report internal reach | Active internal scanning via browser |
| Persistence | Report persistence vectors | Register Service Workers, poison cache |
| Evasion | Report CSP gaps | Active CSP bypass, anti-forensics |
UNLEASHED mode requires an Ed25519 private key at `~/.redspecter/override_private.pem` and the `--override --confirm-destroy` flags. Without both, BANSHEE operates in demonstration mode — showing what's possible without executing live attacks. The gate is cryptographic. There is no bypass. One key. One operator. Founder's machine only.
BANSHEE doesn't work alone. SPECTER SOCIAL crafts and delivers the link. BANSHEE hooks the browser the moment they click. SCREAMER corrupts the operator's monitoring display. Three tools. One kill chain. The operator is blind while the browser is owned.
SPECTER SOCIAL crafts the perfect phishing message and delivers the hook URL. Targeted to the individual. Timed to the moment. The click is inevitable.
One click. The hook fires. Session tokens extracted. Keylogger active. Internal network discovered. The browser is now an attack platform inside the corporate network.
SCREAMER corrupts the monitoring dashboard. Alerts suppressed. Logs manipulated. The security team sees green while BANSHEE extracts everything through the hooked browser.
NEMESIS chains browser-extracted credentials into infrastructure compromise. Internal services discovered by BANSHEE become WRAITH scan targets. One click to full compromise.
Most browser exploitation frameworks require Ruby, Java, or Node.js runtimes. BANSHEE is pure Python. The C2 server, the hook generator, the payload encoder, the persistence engine — all Python. One language. One runtime. Zero dependencies that can break, conflict, or expose you.
BANSHEE is Tool 18 in the Red Specter offensive pipeline. It owns the browser — the one attack surface that sits inside every corporate network, behind every firewall, with access to every internal service the user can reach.
BANSHEE turns every browser into an attack platform. Hook injection, session theft, internal pivoting, persistent access. Pure Python. The last thing they hear before it's over.