Section 05
🔥 Advanced
Rogue Devices & Post-Exploitation
Entry is not the end state. Once you are inside, you need a disciplined answer to a simple question: what proof of access will satisfy the client objective with the least exposure and the least unnecessary blast radius? This chapter keeps the offensive tradecraft, but forces it into objective-driven choices.
Do The Minimum Needed To Prove Risk
Planting rogue devices, touching live workstations, or modifying boot paths can exceed what the client actually needs. If a photo of a network drop in a restricted room proves the point, do not escalate into a persistent implant just because the opportunity exists.
Post-Entry Objective Matrix
| Objective | Example Action | Evidence | Control Lesson |
|---|---|---|---|
| Prove sensitive-area access | Photo evidence inside server or telecom room | Timestamped room photo, route notes | Segmentation and challenge controls failed before technology mattered |
| Validate network exposure | Temporary implant or laptop on accessible drop | Minimal network proof, switch port details, room context | Physical entry turned directly into internal access |
| Demonstrate workstation risk | Unlocked screen, unattended privileged session, or safe keystroke injection test | Photos, session context, limited proof command | Screen lock discipline and local monitoring did not interrupt abuse |
Tooling and Tactics
```bash
# USB and inline hardware tradecraft
# - O.MG Cable: covert keystroke / payload delivery
# - Hardware keylogger: inline keyboard logging where scope allows
# - Bash Bunny / Rubber Ducky: scripted workstation validation
# Network implant options
# - LAN Turtle: quiet foothold on network drop
# - Shark Jack: fast port / VLAN / segmentation checks
# - Raspberry Pi Zero / P4wnP1: multi-role gadget for USB + network tasks
# Physical concealment ideas
# - Behind monitors and docking stations
# - Under desks and conference tables
# - Inside cable trays, ceiling voids, or AV cabinets
# - Near underused jacks in meeting rooms and collaboration spaces
# High-risk advanced actions
# - Evil Maid style boot-path modification
# - DMA attack paths against live encrypted devices
# - Inline tampering with badge printers or access-control workstations
# Only perform the advanced actions above when the engagement language explicitly allows them.
```
Placement and Exposure Considerations
Good Implant Conditions
- Unused network drops near legitimate equipment
- Conference rooms with cluttered cable management
- Shared desks or hot-desking areas with many similar adapters
- Spaces cleaners or contractors access routinely without scrutiny
Poor Implant Conditions
- Cameras clearly watching the device handling area
- Asset labeling and daily room checks by local staff
- 802.1X or NAC likely to quarantine anything unknown
- High-value zones where a photo proves the same point with less risk
Defender Questions To Answer
- Could an unauthorized person reach a live network port without crossing a staffed control point?
- Would NAC, switch controls, or endpoint policy block or isolate a rogue device quickly enough to matter?
- Are conference rooms and shared spaces treated as part of the internal trust boundary or as public interiors?
- Do local teams notice and challenge unfamiliar cables, adapters, and “temporary” maintenance devices?
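The second defender question is only answerable if someone actually triages what the access switches report. The following Python is an added example, not part of this chapter, that flags unknown MACs learned on drops in shared spaces and attaches the reasons a physical check of that drop is warranted; the event line format, asset inventory, port-to-zone map and business hours are all constructed assumptions.

```python
import re

# Constructed sample switch events; the line format itself is an assumption
SAMPLE_EVENTS = """\
2024-03-04T09:12:01 sw-floor2 MAC_LEARNED port=Gi1/0/7 mac=00:11:22:aa:bb:01 vlan=20
2024-03-04T09:15:44 sw-floor2 MAC_LEARNED port=Gi1/0/23 mac=00:11:22:aa:bb:77 vlan=20
2024-03-04T09:16:02 sw-floor2 DOT1X_FAIL port=Gi1/0/23 mac=00:11:22:aa:bb:77
2024-03-04T11:40:10 sw-floor2 MAC_LEARNED port=Gi1/0/12 mac=00:11:22:aa:bb:02 vlan=20
2024-03-04T19:02:33 sw-floor2 MAC_LEARNED port=Gi1/0/31 mac=de:ad:be:ef:00:01 vlan=20
"""

# Constructed asset inventory (MAC -> asset tag) and port-to-zone map
INVENTORY = {"00:11:22:aa:bb:01": "WS-0412", "00:11:22:aa:bb:02": "WS-0418"}
PORT_ZONE = {"Gi1/0/7": "office", "Gi1/0/12": "office",
             "Gi1/0/23": "conference-room", "Gi1/0/31": "conference-room"}
SHARED_ZONES = {"conference-room", "hot-desk", "lobby"}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59, assumed site policy

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) port=(?P<port>\S+) mac=(?P<mac>[0-9a-f:]{17})"
)


def triage_events(text, inventory=INVENTORY, port_zone=PORT_ZONE):
    """Map each (port, MAC) pair not in the inventory to the sorted tuple of
    reasons it deserves a physical check of the drop."""
    seen = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # unrelated event, skip
        reasons = seen.setdefault((m["port"], m["mac"]), set())
        if m["mac"] not in inventory:
            reasons.add("unknown-mac")
        if port_zone.get(m["port"]) in SHARED_ZONES:
            reasons.add("shared-space-port")  # drop sits in a low-scrutiny space
        if int(m["ts"][11:13]) not in BUSINESS_HOURS:
            reasons.add("after-hours")
        if m["event"] == "DOT1X_FAIL":
            reasons.add("dot1x-failed")  # NAC challenged it; did anyone walk over?
    # Inventoried devices on any port are normal; everything else is triage work
    return {k: tuple(sorted(r)) for k, r in seen.items() if "unknown-mac" in r}


if __name__ == "__main__":
    for (port, mac), why in triage_events(SAMPLE_EVENTS).items():
        print(f"{port} {mac}: {', '.join(why)}")
```

On the constructed sample this raises two alerts, both on conference-room drops, and the after-hours one never even saw an 802.1X challenge, which is exactly the gap the "Poor Implant Conditions" list says a defender should want to close.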