RedExt is a browser extension-based Command and Control (C2) framework designed for authorised red team operations. Built with a Manifest V3 Chrome extension and a Flask-based C2 server, it enables deep browser-level data collection through a dark-themed dashboard. It shifts the implant surface to the browser, a trusted yet under-monitored environment, making interception harder and reconnaissance more discreet.

Key Features
- Cookie extraction with domain filtering supports secure and HttpOnly cookies.
- Browsing history capture with metadata such as timestamps, titles, and how URLs were accessed.
- Full-page screenshots, viewport and element-level captures.
- Real-time clipboard monitoring with source URLs.
- DOM snapshot with dynamic content and resource mapping.
- LocalStorage export with domain context.
- Browser environment profiling, extension enumeration, hardware and network reconnaissance.
- Bookmark harvesting with folder structure retention.
Installation & Usage
RedExt requires Python and Chrome.
    git clone https://github.com/Darkrain2009/RedExt.git
    cd RedExt/server
    python -m venv venv
    source venv/bin/activate
    pip install -r requirements.txt
    python db_setup.py
    python c2_server.py runserver
Load the extension via Chrome's Developer mode, or from the command line:
    # Windows (PowerShell)
    $ExtPath = "C:\path\to\RedExt\ext"
    Start-Process "chrome.exe" -ArgumentList "--load-extension=$ExtPath --no-first-run --no-default-browser-check"
Once loaded, the extension registers as an agent on the C2 dashboard. Operators assign tasks such as capturing cookies or DOM snapshots, and the results are stored in a SQLite database for analysis in the dashboard.
Attack Scenario
A red team operator gains browser access, possibly through phishing or lateral movement. They quietly install RedExt as an unpacked extension in the target's Chrome session. From the Flask dashboard, they harvest browsing history to map employee workflows, capture authentication cookies, screenshot sensitive web apps, and exfiltrate system and clipboard data, all via a tool masquerading as benign browser behaviour.
Red Team Relevance
RedExt turns the browser, a trusted and persistent asset, into a high-fidelity reconnaissance surface. It outpaces traditional remote implants by living inside a core application. Tools like Franco’s Havoc or Cobalt Strike rely on external beacons; RedExt operates where defenders rarely inspect. As such, it offers a fresh offensive angle and urges defenders to monitor suspicious browser extension behavior.
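As an added defensive example (not RedExt's code and not part of the original post), the Python below does two things a blue team can script from the details above: it flags chrome.exe process-creation events whose command line carries --load-extension, as in the PowerShell launch shown earlier, and it scores a sideloaded extension's manifest.json by the permissions the listed collection capabilities require. The permission weights, the event field names and all sample data are this example's own assumptions.

```python
import re
# Real Chrome manifest permission names, mapped to the collection capabilities in
# the feature list above; the weights are this example's assumption, not Chrome's.
RISKY_PERMISSIONS = {"cookies": 3, "history": 3, "clipboardRead": 3, "bookmarks": 2,
                     "tabs": 2, "scripting": 2, "storage": 1, "webNavigation": 1}
# Chrome accepts one or more comma-separated directories after --load-extension=
LOAD_EXT = re.compile(r'--load-extension=("[^"]+"|\S+)')

def sideloaded_paths(command_line):
    """Return the extension directories a Chrome command line sideloads, if any."""
    m = LOAD_EXT.search(command_line)
    if not m:
        return []
    return [p for p in m.group(1).strip('"').split(",") if p]

def flag_process_events(events):
    """One finding per sideloaded directory in chrome.exe process-creation events."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        if not image.lower().replace("\\", "/").endswith("/chrome.exe"):
            continue  # this example only covers chrome.exe; other images are noise here
        for path in sideloaded_paths(ev.get("CommandLine", "")):
            findings.append({"image": image, "extension_dir": path})
    return findings

def manifest_risk(manifest):
    """(score, risky permissions present) for a parsed manifest.json; +2 for <all_urls>."""
    present = sorted(set(manifest.get("permissions", [])) & set(RISKY_PERMISSIONS))
    score = sum(RISKY_PERMISSIONS[p] for p in present)
    if "<all_urls>" in manifest.get("host_permissions", []):
        score += 2
    return score, present

# Constructed sample telemetry (not real logs); the notepad event is a decoy.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --load-extension=C:\Users\alice\RedExt\ext '
                    r"--no-first-run --no-default-browser-check"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe --load-extension=C:\tmp\x"},
]
# Constructed manifest with the permissions the feature list above would need.
SAMPLE_MANIFEST = {"manifest_version": 3, "name": "helper",
                   "permissions": ["cookies", "history", "clipboardRead",
                                   "tabs", "bookmarks", "storage"],
                   "host_permissions": ["<all_urls>"]}
if __name__ == "__main__":
    print(flag_process_events(SAMPLE_EVENTS), manifest_risk(SAMPLE_MANIFEST))
```

Feed it parsed Sysmon or EDR process-creation events and the manifest.json from each flagged directory; a high score on an unpacked extension is the kind of signal this post says defenders should be watching for.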
Conclusion
RedExt exemplifies innovation in browser-based implants. By leveraging the browser itself as the implant host, red teams gain stealth and flexibility. For defenders, it highlights a critical blind spot: browser extension monitoring is now essential. RedExt is more than a research toy; it is a practical C2 model that redefines where implants can live and how they can thrive.
You can read more or download RedExt here: https://github.com/Darkrain2009/RedExt