command module
Version: v0.0.0-...-2ef0b57 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: May 14, 2019 License: BSD-3-Clause Imports: 5 Imported by: 0


Necrobrowser Logo
help us with a logo

Necrobrowser is browser instrumentation for necromantic session control.


“Whoever fights monsters should see to it that in the process he does not become a monster. And if you gaze long enough into an abyss, the abyss will gaze back into you.” ― Friedrich Nietzsche


NecroBrowser is a microservice that exposes a RESTful API allowing you to specify which target portal to instrument via a dockerized Chrome headless instance.

The target portal is instrumented hijacking an existing authenticated session. The idea is to feed NecroBrowser with sessions harvested during phishing campaigns (see Muraena) to quickly perform actions on the victim behalf.

Post-phishing automation is an often underestimated activity that helps:

  • performing actions after successful session harvesting on campaigns with hundreds/thousands targets
  • backdooring accounts with new keys or credentials
  • performing automated password resets
  • extruding information
  • impersonating users to further exploit trust relationships

Each authenticated session is instrumented in a Docker container and can be kept alive to be reused after an initial set of automated tasks completed.

Since NecroBrowser is just a browser instrumentation tool, you can also write automation for other phishing phases, for example initial Reconnaisance and OSINT. Ideas are plenty, for instance:

  • keep N fake personas on LinkedIn/Twitter/YourSocialNetwork active on Chrome to monitor/scrape info from your targets
  • automatically build Social Network connections
  • automate interaction with target contact forms/chats to get target info


  • Docker (base image


NecroBrowser is still experimental.

Make sure you run NecroBrowser on a machine with enough RAM if you have tens of sessions to instrument in parallel. The cap is just how many docker containers you can spawn.

If you are brave enough to try NecroBrowser in production, remember that if you run NecroBrowser on a different IP than the one where you perform the phishing phase, you need to SOCKS/IPSEC/VPN your way back to the phishing IP. This is actually advised, unless you have a big enough machine where you run both your phishing tool (see Muraena) and NecroBrowser.

API Calls

Zombies Examples


Request (keywords is ignored for this profile):

	"provider": "github",
	"keywords": ["supercazzola"],
	"debugPort": 9223,
	"sessionCookies": [
	  {"name": "has_recent_activity", "value":"1", "domain":"","expires":"Session","path":"/","httpOnly":true,"secure":true},
      {"name": "has_logged_in", "value":"yes", "domain":"","expires":"Session","path":"/","httpOnly":true,"secure":true},
      {"name": "dotcom_user", "value":"[...]", "domain":"","expires":"Session","path":"/","httpOnly":true,"secure":true},
      {"name": "_octo", "value":"[...]", "domain":"","expires":"Session","path":"/","httpOnly":true,"secure":true},
      {"name": "tz", "value":"1", "domain":"","expires":"Session","path":"/","httpOnly":true,"secure":true},
      {"name": "_gat", "value":"1", "domain":"","expires":"Session","path":"/","httpOnly":true,"secure":true},
	  {"name": "user_session", "value":"[...]", "domain":"","expires":"Session","path":"/","httpOnly":true,"secure":true},
	  {"name": "__Host-user_session_same_site", "value":"[...]", "domain":"","expires":"Session","path":"/","httpOnly":true,"secure":true},
	  {"name": "_gh_sess", "value":"[...]", "domain":"","expires":"Session","path":"/","httpOnly":true,"secure":true}



	"provider": "vultr",
	"keywords": ["supercazzola"],
	"debugPort": 9226,
	"sessionCookies": [
		{"name": "PHPSESSID", "value":"[...]", "domain":"","expires":"Session","path":"/","httpOnly":true,"secure":true},
		{"name": "PHPSESSID_login_expire", "value":"[...]", "domain":"","expires":"Session","path":"/","httpOnly":true,"secure":true},
		{"name": "__cfduid", "value":"[...]", "domain":"","expires":"Session","path":"/","httpOnly":true,"secure":true},
		{"name": "auth_browser", "value":"[...]", "domain":"","expires":"Session","path":"/","httpOnly":true,"secure":true},
		{"name": "cookieconsent_status", "value":"[...]", "domain":"","expires":"Session","path":"/","httpOnly":true,"secure":true},
		{"name": "discuss_token", "value":"h%[...]%2A", "domain":"","expires":"Session","path":"/","httpOnly":true,"secure":true},
	    {"name": "last_login_username", "value":"[...]", "domain":"","expires":"Session","path":"/","httpOnly":true,"secure":true}




	"provider": "slack",
	"keywords": ["supercazzola"],
	"debugPort": 9226,
	"sessionCookies": [
		{"name": "b", "value":"[...]", "domain":"","expires":"Session","path":"/","httpOnly":true,"secure":true},
		{"name": "d", "value":"[...]", "domain":"","expires":"Session","path":"/","httpOnly":true,"secure":true},
		{"name": "d-s", "value":"[...]", "domain":"","expires":"Session","path":"/","httpOnly":true,"secure":true},
		{"name": "lc", "value":"[...]", "domain":"","expires":"Session","path":"/","httpOnly":true,"secure":true},
		{"name": "x", "value":"[...]", "domain":"","expires":"Session","path":"/","httpOnly":true,"secure":true}


Existing Zombie

	"jobId": "d2c7dec6-1d88-4184-a491-c90d5493b7ea",
	"url": ""


Example response with one browser runnning:

    "jobs": [
            "id": "d2c7dec6-1d88-4184-a491-c90d5493b7ea",
            "provider": "slack",
            "Context": {
                "Context": 0
            "ChromeDP": {}


necrobrowser is made with ❤️ by the dev team and it's released under the 3-Clause BSD License.


The Go Gopher

There is no documentation for this package.

Source Files


Path Synopsis
Package core contains basic utility functions.
Package core contains basic utility functions.
Package log contains an interface to logging system
Package log contains an interface to logging system

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
t or T : Toggle theme light dark auto
y or Y : Canonical URL