Red Specter BANSHEE
Pure Python Browser Exploitation Framework — 8 modules. 986 tests. Hook. Steal. Pivot. Persist.
Overview
BANSHEE is a pure Python browser exploitation framework. Zero external dependencies. No Ruby runtime. No Java. No Node.js. Every hook engine, C2 server, payload encoder, persistence mechanism, and evasion technique built from scratch using Python stdlib. The last thing they hear before it's over.
Eight modules. 986 tests. 5 hook types. 3 obfuscation levels. From a single JavaScript hook delivered through a link, BANSHEE captures sessions, logs keystrokes, fingerprints browsers, injects DOM overlays, pivots into internal networks, persists through Service Workers, and evades forensic detection.
Installation
Also available as .deb and PKGBUILD (BlackArch).
Or from source:
Quick Start
HOOK Module
JavaScript hook injection with encrypted C2 communication. Multiple hook types for different delivery scenarios. Three obfuscation levels to evade WAFs and content filters.
- 5 hook types: inline, external, event-based, mutation observer, WebSocket
- 3 obfuscation levels: none, standard (variable renaming), full (encoding + splitting)
- Encrypted C2: TLS WebSocket with custom binary encoding
- Navigation persistence: Hooks survive page transitions via history API interception
- Auto-reconnect: Exponential backoff on connection loss
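Whatever the hook type, the browser still has to execute the hook script and still has to open a socket to the C2 endpoint, and both of those decisions are governed by the page's Content-Security-Policy: script-src decides whether inline or third-party scripts run at all, connect-src decides which WebSocket origins the page may contact, and worker-src (falling back through child-src and script-src) decides what a Service Worker may be loaded from. The following is an added example written for this README, not BANSHEE code, that audits a CSP header for the loosenings such a hook depends on; the two policy strings at the bottom are constructed, and the fallback chains follow the CSP Level 3 specification.

```python
"""
Audit a Content-Security-Policy header for the loosenings that let an
injected hook script run and open a WebSocket back to a C2 server.

Added example for this README, not code from the BANSHEE project. The two
policy strings at the bottom are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

# Fallback chains (CSP Level 3): the first directive present governs the fetch.
FALLBACKS = {
    "script-src": ["script-src", "default-src"],
    "connect-src": ["connect-src", "default-src"],
    "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
}

# Source expressions that leave a directive effectively open.
PERMISSIVE = {"*", "http:", "https:", "ws:", "wss:", "data:", "blob:"}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    A repeated directive is ignored after its first occurrence, as browsers do.
    Sources are lower-cased for matching; only prefixes of nonces are inspected.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        parts = raw.strip().split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def governing(policy: Dict[str, List[str]], directive: str) -> Tuple[Optional[str], List[str]]:
    """Return the directive that actually governs `directive` after fallback."""
    for name in FALLBACKS[directive]:
        if name in policy:
            return name, policy[name]
    return None, []


def audit_csp(header: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked loose."""
    policy = parse_csp(header)
    findings: List[str] = []
    for directive in ("script-src", "connect-src", "worker-src"):
        name, sources = governing(policy, directive)
        if name is None:
            findings.append(f"{directive}: not set and no default-src, any source allowed")
            continue
        if directive == "script-src":
            if "'unsafe-eval'" in sources:
                findings.append("script-src: 'unsafe-eval' lets an encoded payload decode and execute itself")
            if "'strict-dynamic'" in sources:
                # Browsers honouring strict-dynamic ignore 'unsafe-inline' and host allowlists.
                continue
            if "'unsafe-inline'" in sources and not any(s.startswith(HASH_OR_NONCE) for s in sources):
                findings.append("script-src: 'unsafe-inline' without a nonce or hash, inline scripts run")
        loose = sorted(PERMISSIVE & set(sources))
        if loose:
            findings.append(f"{directive} (via {name}): permissive source(s) {loose}")
    return findings


# Constructed policies: one typical loose policy, one nonce-based strict policy.
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; connect-src *"
STRICT = ("default-src 'none'; script-src 'nonce-rAnd0m' 'strict-dynamic'; "
          "connect-src 'self'; worker-src 'self'")

if __name__ == "__main__":
    for label, policy in (("WEAK", WEAK), ("STRICT", STRICT)):
        print(label, audit_csp(policy) or ["no findings"])
```

Run against a real site's header, a finding on connect-src is the one to act on first: a strict connect-src is what stops the encrypted WebSocket channel from being opened at all, regardless of how the hook script was obfuscated. The audit is deliberately simple and does not evaluate host allowlists beyond the scheme-only wildcards, so a policy that passes here still deserves a manual read.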
SESSION Module
Complete browser session extraction. Cookies, tokens, localStorage, sessionStorage, IndexedDB. Session cloning for account takeover without credentials.
- Cookie extraction: All accessible cookies including HttpOnly bypass attempts
- Token capture: JWT, OAuth, session tokens from cookies and headers
- localStorage/sessionStorage: Full key-value extraction
- IndexedDB: Database enumeration and record extraction
- Session cloning: Replay captured session in attacker's browser
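Whether a script running inside the page can read a session cookie at all is decided by the cookie's own attributes, which is why a session-extraction module talks about HttpOnly "bypass attempts" rather than plain reads. The following is an added example written for this README, not BANSHEE code, that parses Set-Cookie headers and reports the attributes a defender would want set on anything that carries a session; the three header values are constructed.

```python
"""
Audit Set-Cookie headers for the attributes that decide whether an in-page
script can read a session cookie and where the browser will send it.

Added example for this README, not code from the BANSHEE project. The
Set-Cookie values in SAMPLE are constructed for illustration.
"""
from typing import Dict, List, Tuple, Union

Attrs = Dict[str, Union[str, bool]]


def parse_set_cookie(header: str) -> Tuple[str, str, Attrs]:
    """Return (name, value, attributes) for one Set-Cookie header line."""
    name_value, *attr_parts = header.split(";")
    name, _, value = name_value.strip().partition("=")
    attrs: Attrs = {}
    for part in attr_parts:
        key, _, val = part.strip().partition("=")
        if key:
            # Flag attributes (HttpOnly, Secure) carry no value; store True.
            attrs[key.lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header: str) -> List[str]:
    """Return findings for one cookie; an empty list means the attributes look sound."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly, readable through document.cookie")
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure, sent over plaintext HTTP")
    samesite = str(attrs.get("samesite", "")).lower()
    if not samesite:
        findings.append(f"{name}: no SameSite, relies on the browser default")
    elif samesite == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None without Secure is rejected by modern browsers")
    if name.startswith("__Host-"):
        # The __Host- prefix is only honoured with Secure, Path=/ and no Domain.
        if "domain" in attrs or attrs.get("path") != "/" or "secure" not in attrs:
            findings.append(f"{name}: __Host- prefix requires Secure, Path=/ and no Domain")
    elif "domain" in attrs:
        findings.append(f"{name}: Domain={attrs['domain']} shares the cookie with every subdomain")
    return findings


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its findings."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in headers}


# Constructed Set-Cookie headers: one sound, one bare JWT, one broken __Host- cookie.
SAMPLE = [
    "sessionid=9f1c2b7e; Path=/; HttpOnly; Secure; SameSite=Lax",
    "jwt=header.payload.sig; Path=/",
    "__Host-csrf=a1b2c3; Secure; HttpOnly; SameSite=Strict; Path=/; Domain=example.test",
]

if __name__ == "__main__":
    for cookie, findings in audit_all(SAMPLE).items():
        print(cookie, findings or ["no findings"])
```

The JWT cookie is the case worth noticing: a token stored without HttpOnly is exactly the kind of value a page-level hook can lift along with everything else in localStorage, so tokens that must be readable by client-side code should be short-lived and bound to something the hook cannot also replay.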
KEYLOG Module
Targeted keystroke capture. Focuses on high-value input: passwords, credit cards, and form submissions. Encrypted exfiltration via C2 channel.
- Password targeting: Automatic detection of password input fields
- Credit card recognition: Luhn algorithm validation on captured sequences
- Form interception: Captures form submissions before they're sent
- Selective capture: Only logs from targeted fields to minimise noise
- Encrypted exfiltration: Keystrokes sent via encrypted C2 channel
RECON Module
Browser and network reconnaissance from inside the hooked browser. Fingerprinting, IP discovery, and internal network mapping.
- Browser fingerprinting: Canvas, WebGL, audio context, navigator properties
- WebRTC IP leak: Discover real IP behind VPN/proxy via STUN
- Internal network discovery: Enumerate internal services through the browser
- Plugin/extension detection: Identify installed browser extensions
- Screen capture: Canvas-based screenshot of visible page
INJECT Module
DOM manipulation for credential harvesting. Fake login overlays, form hijacking, and phishing injection within the legitimate site context.
- Fake login overlays: Pixel-perfect credential harvesting within the real site
- Form hijacking: Intercept form submissions and redirect data
- Phishing injection: Inject convincing messages into the legitimate page
- Session timeout overlay: "Your session has expired" credential re-capture
PIVOT Module
Turn the hooked browser into a proxy into the internal network. Scan internal services, bypass CORS restrictions, and access resources behind the firewall.
- Browser-as-proxy: Route requests through the hooked browser's network position
- Internal scanning: Discover services on the internal network via XMLHttpRequest
- CORS bypass: Cross-origin data extraction through the browser's same-origin context
- Port discovery: Timing-based port scanning of internal hosts
PERSIST Module
Survival mechanisms that keep the hook active across page reloads, browser restarts, and user navigation. No files on disk. No processes to kill.
- Service Worker: Register persistent worker that survives page reloads and browser restarts
- Cache poisoning: Replace cached resources with hooked versions for long-term persistence
- Bookmark injection: Modify bookmarks to re-engage the hook on next visit
- Tab persistence: Open hidden tabs that maintain the C2 connection
EVADE Module
Anti-detection and anti-forensics capabilities. Detect when the operator opens DevTools. Bypass Content Security Policies. Clean up when detection is imminent.
- DevTools detection: Detect when developer tools are opened and clean up
- Sandbox detection: Identify analysis environments and suspend operations
- CSP bypass: Techniques to inject scripts past Content Security Policies
- Anti-forensics: Remove traces of hook activity from browser state
- Timing evasion: Randomise C2 communication intervals to avoid pattern detection
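Randomised intervals defeat a fixed-period match, but a beacon that is merely jittered still has a very low spread around its mean, and the exponential-backoff reconnect described in the HOOK module produces a run of intervals that roughly double each time; neither shape is common in user-driven browsing. The following is an added example written for this README, not BANSHEE code, that classifies per-client, per-destination connection timings from a proxy log into periodic, backoff and irregular; the log format (timestamp, client, destination) and all of its lines are constructed, and the thresholds are starting points to tune against local traffic.

```python
"""
Classify outbound connection timings from a proxy log as periodic beaconing,
exponential-backoff reconnects, or irregular traffic.

Added example for this README, not code from the BANSHEE project. The log
format and every line of LOG are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

EPOCH = datetime(1970, 1, 1)

# Constructed log: "<timestamp> <client> <destination>", one connection per line.
LOG = """\
2024-05-01T10:00:00 10.0.0.5 wss://cdn.example.test/ws
2024-05-01T10:00:30 10.0.0.5 wss://cdn.example.test/ws
2024-05-01T10:01:00 10.0.0.5 wss://cdn.example.test/ws
2024-05-01T10:01:30 10.0.0.5 wss://cdn.example.test/ws
2024-05-01T10:02:00 10.0.0.5 wss://cdn.example.test/ws
2024-05-01T10:02:31 10.0.0.5 wss://cdn.example.test/ws
2024-05-01T10:00:00 10.0.0.7 wss://chat.example.test/socket
2024-05-01T10:00:02 10.0.0.7 wss://chat.example.test/socket
2024-05-01T10:00:06 10.0.0.7 wss://chat.example.test/socket
2024-05-01T10:00:14 10.0.0.7 wss://chat.example.test/socket
2024-05-01T10:00:30 10.0.0.7 wss://chat.example.test/socket
2024-05-01T10:00:00 10.0.0.9 https://mail.example.test/inbox
2024-05-01T10:03:17 10.0.0.9 https://mail.example.test/inbox
2024-05-01T10:09:05 10.0.0.9 https://mail.example.test/inbox
2024-05-01T10:11:48 10.0.0.9 https://mail.example.test/inbox
2024-05-01T10:25:00 10.0.0.9 https://mail.example.test/inbox
"""


def parse_log(text: str) -> Dict[Tuple[str, str], List[float]]:
    """Group connection times (seconds since epoch, naive UTC) by (client, destination)."""
    series: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest = line.split()
        seconds = (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S") - EPOCH).total_seconds()
        series[(client, dest)].append(seconds)
    return series


def intervals(times: List[float]) -> List[float]:
    """Gaps between consecutive connections, in seconds."""
    ordered = sorted(times)
    return [later - earlier for earlier, later in zip(ordered, ordered[1:])]


def classify(gaps: List[float], min_samples: int = 4, cv_threshold: float = 0.1) -> str:
    """Label a gap series: periodic (low spread), backoff (gaps ~double), or irregular."""
    if len(gaps) < min_samples:
        return "insufficient"
    mu = mean(gaps)
    if mu <= 0:
        return "irregular"
    # Coefficient of variation: jitter of a few percent still scores as periodic.
    if pstdev(gaps) / mu < cv_threshold:
        return "periodic"
    ratios = [later / earlier for earlier, later in zip(gaps, gaps[1:]) if earlier > 0]
    if ratios and all(1.6 <= r <= 2.4 for r in ratios):
        return "backoff"
    return "irregular"


def detect_beacons(text: str) -> Dict[str, str]:
    """Map 'client -> destination' to its timing label."""
    return {f"{client} -> {dest}": classify(intervals(times))
            for (client, dest), times in parse_log(text).items()}


if __name__ == "__main__":
    for pair, label in detect_beacons(LOG).items():
        print(f"{label:11} {pair}")
```

Both labels are triage signals, not verdicts: chat clients and monitoring dashboards reconnect with backoff too, and a genuine keep-alive is periodic by design. The value is in pairing the label with the destination, so a periodic WebSocket from many browsers to a host that nobody provisioned gets looked at, while the same shape to a known application does not.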
BANSHEE UNLEASHED
Cryptographic override. Private key controlled. One operator. Founder's machine only.
Standard mode demonstrates capability and reports attack paths. UNLEASHED mode executes live hook injection, real credential capture, and active pivoting through the browser.
| Capability | Standard | UNLEASHED |
|---|---|---|
| Hook injection | Demonstrate delivery | Live JS injection with encrypted C2 |
| Session theft | Report accessible data | Extract and exfiltrate credentials |
| Keylogging | Detect fields | Live capture and exfiltration |
| DOM injection | Report contexts | Live overlay injection |
| Network pivoting | Report reach | Active internal scanning |
| Persistence | Report vectors | Register Service Workers |
| Key required | No | Ed25519 |
UNLEASHED mode is restricted to authorised operators with Ed25519 private key access. Live browser exploitation must only occur in authorised test environments with explicit written permission. UNLEASHED mode captures real credentials and session data. Unauthorised use will violate applicable law.
CLI Reference
Commands
| Command | Description |
|---|---|
| banshee listen | Start C2 listener |
| banshee hook | Generate hook payload |
| banshee inject | Inject DOM overlay |
| banshee session | Extract session data |
| banshee pivot | Pivot into internal network |
| banshee persist | Establish persistence |
| banshee engage | Full engagement (all modules) |
| banshee version | Show version information |
Options
| Flag | Description |
|---|---|
| --port | C2 listener port |
| --tls | Enable TLS on C2 channel |
| --type | Hook type: inline, external, event, mutation, websocket |
| --obfuscate | Obfuscation level: 1, 2, 3 |
| --session | Target hooked session ID |
| --overlay | Injection overlay type: login, timeout, mfa |
| --override | UNLEASHED dry-run |
| --confirm-destroy | UNLEASHED live execution |
| --output | Output directory |
The Triple
BANSHEE is the centre of "The Triple" — three tools that chain together for complete browser-based compromise. SPECTER SOCIAL delivers the link. BANSHEE hooks the browser. SCREAMER blinds the operator monitoring the attack.
Report Output
Every BANSHEE engagement produces comprehensive reports documenting all captured data, discovered attack paths, and exploitation evidence.
Disclaimer
Red Specter BANSHEE is designed for authorised security testing, research, and educational purposes only. Browser exploitation techniques demonstrated by BANSHEE can capture real credentials, session tokens, and sensitive data. You must have explicit written permission from the system owner before running BANSHEE against any target. Testing must only occur in authorised environments with appropriate controls in place. Unauthorised use may violate the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), or equivalent legislation in your jurisdiction. The authors accept no liability for misuse or damage resulting from improper use.