
These tools allow red teamers to identify vulnerabilities in wireless networks and physical security. Read on to learn how these gadgets can strengthen your infrastructure’s defenses.
The USIM programmable SIM card set contains 10 blank SIM cards designed for testing in 4G LTE, WCDMA and GSM networks. The cards can be punched out to standard, micro or nano size and accept writes to the subscriber fields: ICCID, IMSI, Ki and OPc. Ki and OPc are the authentication secrets the core network's HSS/AuC also holds, so a card you program yourself is only useful against a network whose subscriber database you control (a lab LTE core with your own eNodeB, typically on a test PLMN such as MCC 001 / MNC 01).
Red teams use programmable SIMs to stand up their own subscribers in a test mobile network and to check how devices and cores behave with unexpected subscriber data. On their own the cards give you neither a man-in-the-middle position nor access to a live operator's traffic; that takes a rogue base station. A programmed card cannot authenticate to a network it was not provisioned in, because the AKA challenge fails without the matching Ki/OPc.
Impersonation testing: Programming a card with another subscriber's IMSI lets you probe how a core handles an attach from an identity with the wrong key (does it reveal whether the IMSI exists, does it rate-limit failed AKA), but it does not give you that subscriber's service.
IMSI catching: This is a rogue base station attack, not a SIM feature; a fake cell triggers identity requests from nearby phones. A programmed card with a known IMSI is the test subscriber you use to verify that your IMSI-catcher detection, or your private network's attach logging, actually records that identity.
Registration and attach fuzzing: Present IMSIs outside the network's PLMN, duplicates of an active subscriber, or malformed identity lengths to confirm that the core rejects them cleanly rather than crashing or silently accepting them.
SIM cloning: A usable clone needs Ki. ICCID and IMSI are readable from any card, but Ki never leaves a modern (Milenage) card; only old GSM cards using the broken COMP128v1 algorithm could be recovered with chosen-challenge attacks. Copying ICCID and IMSI alone produces a card that identifies as the victim but cannot authenticate.
Core network penetration testing: Enroll programmable cards with altered or unauthorized credentials against a lab HSS/HLR to test authentication logging, lockout behaviour and the handling of repeated AKA failures.
Over-the-air (OTA) testing: Cards whose OTA keys you wrote yourself let you send SMS-PP update envelopes to the card and confirm that it rejects envelopes with a bad integrity check or the wrong key.
Subscriber tracking studies: Known-IMSI cards in devices that move between cells let you verify what a network, or a detection sensor under evaluation, can see of a subscriber's movements without involving a real customer's identity.
Device-side testing: Put a card with unusual data (blank or maximal file values, a foreign PLMN) into a handset or IoT modem to test its SIM parsing and roaming behaviour.
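The provisioning step the section above describes (ICCID, IMSI and Ki/OPc per card, then the same values in the lab core) is easy to get wrong in bulk, so here is an added example of how to prepare and sanity-check a batch before writing. It is not the vendor's tooling or pySim; the lab PLMN (001/01), the issuer prefix and the record layout are assumptions, and the actual write is done with the card writer afterwards.

```python
"""Added example: prepare records for a batch of blank programmable SIMs.

Not the vendor's tooling. Assumptions: the lab network uses the ITU test PLMN
MCC 001 / MNC 01, ICCIDs are built from an assumed issuer prefix, and Ki/OPc
are random per card (the same values must be loaded into the lab HSS/AuC).
"""
import os

TEST_MCC, TEST_MNC = "001", "01"  # assumed lab PLMN


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a digit string (ICCIDs end in one)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # rightmost payload digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def make_iccid(issuer_prefix: str, serial: int) -> str:
    """89 (telecom) + issuer prefix + zero-padded serial to 18 digits + check digit = 19 digits."""
    head = "89" + issuer_prefix
    body = head + str(serial).zfill(18 - len(head))
    if len(body) != 18:
        raise ValueError("serial too long for the ICCID layout")
    return body + luhn_check_digit(body)


def make_imsi(mcc: str, mnc: str, msin: int) -> str:
    """IMSI is at most 15 digits: MCC (3) + MNC (2 or 3) + MSIN."""
    return mcc + mnc + str(msin).zfill(15 - len(mcc) - len(mnc))


def encode_ef_imsi(imsi: str) -> bytes:
    """EF_IMSI body (3GPP TS 31.102): length byte, then BCD with the parity
    nibble (b4 = odd digit count, b1..b3 = 001) below the first digit and the
    remaining digits nibble-swapped, 0xF padding if the count is even."""
    digits = [int(c) for c in imsi]
    first = (digits[0] << 4) | ((len(digits) & 1) << 3) | 0x1
    rest = digits[1:]
    if len(rest) % 2:
        rest.append(0xF)
    packed = [first] + [(hi << 4) | lo for lo, hi in zip(rest[0::2], rest[1::2])]
    return bytes([len(packed)] + packed)


def provision_batch(count: int, issuer_prefix: str = "01", start: int = 1) -> list:
    """One record per card; ef_imsi is the raw value written to the card's EF_IMSI."""
    records = []
    for n in range(start, start + count):
        imsi = make_imsi(TEST_MCC, TEST_MNC, n)
        records.append({
            "iccid": make_iccid(issuer_prefix, n),
            "imsi": imsi,
            "ef_imsi": encode_ef_imsi(imsi).hex(),
            "ki": os.urandom(16).hex(),   # must be unique per card and stored in the HSS
            "opc": os.urandom(16).hex(),  # OPc (not OP) is what most writers and cores take
        })
    return records


def check_records(records: list, mcc: str = TEST_MCC, mnc: str = TEST_MNC) -> list:
    """Pre-write checks: ICCID check digit, IMSI inside the lab PLMN, no duplicate IMSI or Ki."""
    problems, seen_imsi, seen_ki = [], set(), set()
    for r in records:
        if not luhn_valid(r["iccid"]):
            problems.append(("bad_iccid", r["iccid"]))
        if not r["imsi"].startswith(mcc + mnc):  # a foreign PLMN means the card would try a live operator
            problems.append(("foreign_plmn", r["imsi"]))
        if r["imsi"] in seen_imsi:
            problems.append(("dup_imsi", r["imsi"]))
        if r["ki"] in seen_ki:
            problems.append(("dup_ki", r["imsi"]))
        seen_imsi.add(r["imsi"])
        seen_ki.add(r["ki"])
    return problems


if __name__ == "__main__":
    batch = provision_batch(10)
    print("problems:", check_records(batch))
    print("first card:", batch[0])
```

The PLMN check is the one that matters most: a card that lands in a real operator's PLMN by mistake will attempt to attach to that operator every time it is powered on.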
The MSR605/MSR606 is a versatile magnetic stripe card reader and writer that supports USB and Bluetooth connectivity. It is capable of handling both high and low coercivity cards, making it a flexible solution for a variety of applications including card encoding and authentication. Thanks to USB or Bluetooth connectivity, the device is suitable for both stationary and mobile use.
Red teams use the MSR605/MSR606 to copy magnetic stripe cards: the stripe holds static data in the ISO/IEC 7811/7813 track formats with no cryptographic protection, so anything one reader can read, a writer can put on a blank card. The useful targets are legacy access-control badges and any payment flow that still accepts magstripe fallback. For payment cards, an issuer that validates CVV1 and honours the service code will reject a stripe clone at a chip-capable terminal, so demonstrations belong on test cards you own. With Bluetooth connectivity the reader can capture swipes without a tethered laptop.
Card cloning: Read Track 1/2 from a card and write the same data to a blank high- or low-coercivity card; the copy is indistinguishable to a magstripe-only reader.
Access control bypass: Copy a magstripe badge to show that a building's readers rely on static stripe data; the fix is migrating to credentials with a challenge-response (DESFire, PIV), not a longer stripe.
Fallback testing: Present a stripe-only copy of a chip card to a terminal to check that it honours the service code (a leading 2 or 6 means a chip is present) and refuses plain magstripe fallback.
Data capture and handling: Swipes yield PAN, expiry, service code and cardholder name in the clear; an engagement must treat that as cardholder data under PCI DSS, mask it in logs and notes, and destroy it afterwards.
PIN handling: The stripe carries no PIN and a benchtop reader cannot capture one; PIN findings need a separate look at the terminal's PIN pad and its key management.
Social engineering aid: A cloned badge or card gives a plausible prop, for example tailgating with a badge that reads correctly at a turnstile.
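What the reader hands you is a single line of ASCII per swipe; this added example (not the vendor's software) parses it into tracks, validates the PAN and service code, cross-checks track 1 against track 2, and produces the masked form that belongs in engagement notes. The swipe is constructed with the well-known 4111... Visa test number; the track layouts are ISO/IEC 7813.

```python
"""Added example: decode the ASCII a magstripe reader (MSR605-class, keyboard or
serial mode) emits for a swipe, validate it, and mask it for reporting.
Not the vendor's software. The sample swipe is constructed with the 4111...
Visa test PAN; track layouts follow ISO/IEC 7813."""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")
TRACK2 = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")

SAMPLE_SWIPE = "%B4111111111111111^DOE/JOHN^25122011000000000000?;4111111111111111=25122011000000000000?"  # constructed

SERVICE_FIRST = {"1": "international interchange", "2": "international interchange, chip preferred",
                 "5": "national interchange", "6": "national interchange, chip preferred",
                 "7": "no interchange except bilateral agreement"}
SERVICE_THIRD = {"0": "no restrictions, PIN required", "1": "no restrictions", "2": "goods and services only",
                 "3": "ATM only, PIN required", "4": "cash only", "5": "goods and services only, PIN required",
                 "6": "no restrictions, PIN where feasible", "7": "goods and services only, PIN where feasible"}


def luhn_valid(pan: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right, starting left of the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def describe_service_code(svc: str) -> dict:
    return {"interchange": SERVICE_FIRST.get(svc[0], "reserved"),
            "chip_present": svc[0] in "26",   # a chip-capable terminal should refuse plain stripe fallback
            "services": SERVICE_THIRD.get(svc[2], "reserved"),
            "pin_required": svc[2] in "035"}


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_swipe(raw: str) -> dict:
    """Split a raw swipe into tracks, parse each, and cross-check track 1 against track 2."""
    info = {"tracks": {}, "errors": []}
    for chunk in re.findall(r"%[^?]*\?|;[^?]*\?", raw):
        name = "track1" if chunk[0] == "%" else "track2"
        m = (TRACK1 if name == "track1" else TRACK2).match(chunk)
        if not m:
            info["errors"].append("unparsable " + name)
            continue
        d = m.groupdict()
        d["pan_luhn_ok"] = luhn_valid(d["pan"])
        d["expiry"] = "20" + d["exp"][:2] + "-" + d["exp"][2:]
        d["service"] = describe_service_code(d["svc"])
        d["pan_masked"] = mask_pan(d["pan"])
        info["tracks"][name] = d
    t1, t2 = info["tracks"].get("track1"), info["tracks"].get("track2")
    if t1 and t2:
        info["tracks_consistent"] = (t1["pan"], t1["exp"], t1["svc"]) == (t2["pan"], t2["exp"], t2["svc"])
    return info


def report_line(info: dict) -> str:
    """What goes into the engagement notes: masked PAN and attributes, never the full track."""
    t = info["tracks"].get("track2") or info["tracks"].get("track1")
    if not t:
        return "no readable track"
    return "%s exp %s svc %s chip=%s luhn=%s" % (
        t["pan_masked"], t["expiry"], t["svc"], t["service"]["chip_present"], t["pan_luhn_ok"])


if __name__ == "__main__":
    print(report_line(parse_swipe(SAMPLE_SWIPE)))
```

A service code starting with 2 or 6 on a stripe you are about to clone is the practitioner's signal that the terminal, not the stripe, is the real test subject.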
SIM extender kits are FPC ribbon cables and adapters that bring a device's SIM slot out to an external holder in nano, micro, standard or full smart-card (ID-1) size. They make it easy to swap cards in devices whose SIM tray is hard to reach, such as 3G/4G modems mounted in enclosures, and to use a nano SIM in a full-size card reader.
On its own the extender is an electrical passthrough and reveals nothing. Its red-team value is that the SIM-to-modem interface (ISO 7816 APDUs) now runs over a cable you can tap: with a SIM sniffer or reader-emulator placed inline (Osmocom SIMtrace is the usual open-source choice) you can log every command the phone sends to the card and every response, or interpose your own logic between them.
SIM cloning: Not enabled by the extender. Ki never crosses the SIM interface, so sniffing the bus shows AKA challenges and responses but not the key a usable clone needs.
APDU sniffing: Record the SELECT, READ and AUTHENTICATE traffic between modem and card. The CHV (PIN) goes to the card in clear in a VERIFY command, and file contents such as the IMSI, the forbidden-PLMN list and stored SMS are visible as they are fetched.
Interposing on the card interface: With an active interposer you can rewrite responses (for example, alter the file system the handset sees) to test how a modem or phone handles hostile card data.
SMS and OTA observation: SMS-PP envelopes, including operator OTA updates to the card, pass over this interface and can be captured to review the card's OTA security settings.
Remote SIM: Connect a card through the extender to a modem in a different place than the card's holder, which is how SIM banks and relay setups work; worth testing if a product's security assumes the SIM is physically inside the device.
Identity data collection: IMSI and ICCID are readable from any card and identify the subscriber; treat them as personal data on an engagement.
Replay testing: Replay a captured AKA challenge to the card through a reader and confirm that its sequence-number check answers with a synchronisation failure rather than a fresh response.
Verification: Confirm that a card rejects wrong PINs, locks after the PUK retry limit, and refuses protected files without authentication, by issuing the commands through a reader attached via the extender.
Mobile device testing: Use the interposer to return malformed or oversized SIM files and toolkit proactive commands to find parsing bugs in the modem or operating system.
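To make concrete what an inline sniffer on the extended SIM interface sees, here is an added example that decodes a short APDU trace: the IMSI as it is read, the PIN in the VERIFY command, and the AKA challenge and its response with the session keys. It is not SIMtrace's decoder; the trace is constructed, with command formats per ISO 7816-4 and 3GPP TS 31.102.

```python
"""Added example: decode an APDU trace captured on the SIM-to-modem interface
(the bus a SIM extender cable exposes to an inline sniffer). Not SIMtrace's
own decoder. The trace below is constructed: hex strings in order, 'C' from the
modem to the card, 'R' from the card back. Formats follow ISO 7816-4 and
3GPP TS 31.102 (USIM AUTHENTICATE, EF_IMSI)."""

INS_NAMES = {0xA4: "SELECT", 0xB0: "READ BINARY", 0xB2: "READ RECORD", 0xD6: "UPDATE BINARY",
             0xDC: "UPDATE RECORD", 0x20: "VERIFY", 0x88: "AUTHENTICATE", 0xC0: "GET RESPONSE",
             0x12: "FETCH", 0xC2: "ENVELOPE", 0x14: "TERMINAL RESPONSE"}

RAND = "0123456789abcdef0123456789abcdef"
AUTN = "fedcba9876543210fedcba9876543210"
SAMPLE_TRACE = [  # constructed
    ("C", "00A40004026F07"), ("R", "9000"),                          # SELECT EF_IMSI by file id
    ("C", "00B0000009"), ("R", "080910101032547698" + "9000"),        # READ BINARY, 9 bytes
    ("C", "0020000108" + "31323334FFFFFFFF"), ("R", "9000"),         # VERIFY CHV1: PIN '1234' in clear
    ("C", "00880081" + "22" + "10" + RAND + "10" + AUTN),             # AUTHENTICATE, 3G context
    ("R", "DB08" + "1122334455667788" + "10" + "aa" * 16 + "10" + "bb" * 16 + "9000"),
]


def parse_command(apdu: bytes) -> dict:
    cla, ins, p1, p2 = apdu[:4]
    cmd = {"cla": cla, "ins": INS_NAMES.get(ins, "INS %02X" % ins), "p1": p1, "p2": p2, "data": b""}
    if len(apdu) == 5:          # Le only
        cmd["le"] = apdu[4]
    elif len(apdu) > 5:         # Lc + data
        cmd["data"] = apdu[5:5 + apdu[4]]
    return cmd


def decode_ef_imsi(raw: bytes) -> str:
    """Inverse of the EF_IMSI BCD packing: first digit above the parity nibble, the rest nibble-swapped."""
    body = raw[1:1 + raw[0]]
    nibbles = [body[0] >> 4]
    for b in body[1:]:
        nibbles += [b & 0xF, b >> 4]
    return "".join("%x" % n for n in nibbles if n != 0xF)


def _len_prefixed(body: bytes, count: int) -> list:
    """Length-prefixed fields back to back (RAND/AUTN in the command, RES/CK/IK in the response)."""
    parts, pos = [], 0
    for _ in range(count):
        ln = body[pos]
        parts.append(body[pos + 1:pos + 1 + ln].hex())
        pos += 1 + ln
    return parts


def decode_trace(trace: list) -> list:
    """Return the security-relevant events an inline observer learns from the exchange."""
    findings, pending, selected = [], None, None
    for direction, hexstr in trace:
        raw = bytes.fromhex(hexstr)
        if direction == "C":
            pending = parse_command(raw)
            if pending["ins"] == "SELECT" and pending["p1"] == 0 and len(pending["data"]) == 2:
                selected = pending["data"].hex().upper()
            elif pending["ins"] == "VERIFY":   # the PIN is not protected on this interface
                pin = bytes(b for b in pending["data"] if b != 0xFF).decode("ascii", "replace")
                findings.append(("pin_in_clear", pin))
            elif pending["ins"] == "AUTHENTICATE":
                d = pending["data"]
                if pending["cla"] == 0xA0:     # 2G RUN GSM ALGORITHM: bare 16-byte RAND
                    findings.append(("gsm_challenge", d.hex()))
                else:                          # 3G: len RAND, RAND, len AUTN, AUTN
                    rand, autn = _len_prefixed(d, 2)
                    findings.append(("aka_challenge", rand, autn))
            continue
        if pending is None:
            continue
        body, sw = raw[:-2], raw[-2:]
        if sw == b"\x90\x00" and pending["ins"] == "READ BINARY" and selected == "6F07":
            findings.append(("imsi", decode_ef_imsi(body)))
        elif pending["ins"] == "AUTHENTICATE" and body[:1] == b"\xdb":
            res, ck, ik = _len_prefixed(body[1:], 3)   # session keys CK/IK cross the interface in clear
            findings.append(("aka_response", res, ck, ik))
        elif pending["ins"] == "AUTHENTICATE" and body[:1] == b"\xdc":
            findings.append(("aka_sync_failure", _len_prefixed(body[1:], 1)[0]))
        pending = None
    return findings


if __name__ == "__main__":
    for f in decode_trace(SAMPLE_TRACE):
        print(f)
```

Note what is absent from the findings: there is no Ki anywhere in the trace, which is the reason the extender-plus-sniffer setup observes authentication but cannot clone the card.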
The Cactus WHID Injector is a hardware device that combines the capabilities of an Atmega 32u4 microcontroller and an ESP-12S (ESP8266) module, allowing it to work as a USB HID and connect via Wi-Fi. It can emulate a USB keyboard or serial port over Wi-Fi, allowing you to remotely input keystrokes and commands to the target device. The device supports access point and client modes, has a TCP/IP stack, DNS and 4 MB of flash memory.
Red teams use the Cactus WHID for keystroke injection at a distance: the microcontroller types into the target as a keyboard while the operator drives it over the ESP8266's Wi-Fi, either from a payload stored on the device or interactively. Typical payloads fetch a stager, open a reverse shell or exfiltrate files. Everything it does runs in the logged-in user's session, with that user's privileges, and only while the session is unlocked; the Wi-Fi link hides the operator, not the typed commands, which endpoint logging sees like any other keyboard input. In Wi-Fi client mode the device joins an existing network, so the operator can work from elsewhere on that network rather than within range of the device's own access point.
Keystroke injection: Send keystrokes to the target to run commands or predefined scripts.
Payload delivery: Type a one-liner that downloads and runs a payload from a server the operator controls, using the target's own network connection.
Reverse shell: Start a reverse shell from the target for continued remote access.
Credential theft: Type a fake authentication prompt that posts what the user enters.
Data exfiltration: Script the target to push files out; the injector itself has no access to the host's disk, and its own Wi-Fi carries only operator traffic.
Network reconnaissance: From the device's Wi-Fi client connection, scan and enumerate hosts on the local network for later use.
Exploit delivery: Type exploit payloads against local software the user can reach.
Social engineering: Get the device plugged in by leaving it where it will be used or handing it over under a pretext.
Command and control: Use the device's Wi-Fi as the control channel for the implant, or have the typed payload establish a separate C2 channel from the host.
Firmware modification: The board is Arduino-compatible, so its firmware can be changed to add capabilities or alter how it enumerates.
Detection: A keyboard that appears with the vendor ID of a microcontroller rather than a keyboard maker, and keystrokes at intervals no human produces, are the indicators; USB device allowlisting and screen-lock discipline are the controls.
The O.MG Field Kit is a toolkit for penetration testers built around the O.MG cable, developed by the researcher known as MG. The cable looks and works like a regular Lightning or USB-C cable but contains an implant with its own Wi-Fi: it can type keystrokes into whatever it is plugged into, on command from an operator in range, and the keylogger edition records what a keyboard connected through it types. The kit adds the programming and accessory hardware around the cable; the implant is small enough that a visual or functional check of the cable does not reveal it.
Penetration testers use the kit for covert access that starts with a cable: plugged into a target machine, the cable gives the operator wireless control over a keyboard on that machine. Commands typed into an unlocked session can do anything that user can do, including collecting screenshots, files and stored credentials and installing malware. Everything past the keyboard is the payload's doing, not the cable's.
Covert implant: The cable is indistinguishable from a stock cable and can be left on a desk, at a charging station or in a conference room.
Keystroke logging: The keylogger edition records what a keyboard connected through the cable types and serves the log over Wi-Fi.
Payload execution: Screenshots, file collection, backdoors and credential dumps are done by the commands the cable types into the victim's session, with that user's privileges; the cable itself has no access to the host's disk or network.
Exfiltration: Typed payloads send data out through the host's own network connection; the cable's Wi-Fi carries operator control and keylogs, not the victim's traffic.
Network reconnaissance: A typed payload can run the host's own tools to scan the network it sits on.
Credential harvesting: Typed payloads can show fake prompts or read credential stores the user already has access to.
Physical access: The attack starts with a moment of physical access, or with a pretext that gets the target to use the cable; a "found" cable or a gifted charger is the classic delivery.
Detection and mitigation: The cable enumerates as a keyboard; USB device control that blocks unknown HID devices, screen-lock discipline, and alerts on keystroke rates no human produces are the controls that matter.
Hak5’s Screen Crab is a hidden man-in-the-middle video implant that intercepts HDMI signals between a source and display device, capturing screenshots from devices such as computers, monitors, consoles, and TVs. Priced at $199.99, it allows system administrators, pentesters, and security professionals to secretly monitor screen activity, which can be useful for security audits, investigations, or monitoring.
The Screen Crab sits inline between the HDMI source and the display and captures frames from the passing signal to a microSD card, optionally uploading them over Wi-Fi to Cloud C2. It is transparent to both endpoints, so the user sees no change; the implant is found by looking at the cabling, not at the screen.
Stealth monitoring: Capture what is on screen without an agent on the host or any notification to the user.
Forensics: Time-stamped frames are evidence of what a user or an intruder did on a console, including actions that leave no host log.
Behavioral monitoring: Follow user actions on systems under evaluation, with the consent the engagement requires.
Security audits: Document what appears on critical consoles and shared displays, and how much of it is sensitive.
Compliance checks: Verify screen-lock and clean-screen policies by observing what stays on display unattended.
Incident response: Provide visual context for a suspected breach when host telemetry is incomplete.
Remote monitoring: Send captures to a central Cloud C2 instance instead of retrieving the card.
Exposure assessment: Review captured frames for sensitive data on shared screens (dashboards, lobby and meeting-room displays), and remember that the implant itself is a finding: it needs USB power and a break in the cable run, so a display-path cable audit or tamper seals at the monitor detect it.
SHARK JACK is a pocket-sized wired network attack tool. It runs Linux, takes payloads written in Bash (Hak5 presents them as DuckyScript in Bash), ships with nmap for fast reconnaissance, and has an RGB LED for payload status and a USB-C port. It plugs into an RJ45 jack and runs its payload as soon as it gets link. It has no Wi-Fi radio and a single Ethernet port, so it cannot sit inline between a host and the network; its position is that of any other device on the segment.
SHARK JACK can be used in various attack scenarios to assess network security:
Hotplug attack: Plug it into any live jack (a wall port, the cable behind a printer or a desk phone) and the payload runs within seconds on battery; its size means it is rarely noticed.
Network reconnaissance: The stock payload runs an nmap scan of the local subnet and stores the result for later collection; variants record what DHCP and the first broadcast packets reveal about the segment.
Payload deployment: Payloads are Bash scripts executed on the Shark Jack itself, not on victim machines; anything done to other hosts happens over the network (SSH with harvested credentials, SMB, exploits), not by keystrokes.
Man-in-the-middle: Not a Shark Jack capability; with one Ethernet port it cannot be inline. Inline interception is the job of a two-port implant such as Hak5's Packet Squirrel. What the Shark Jack can do is ARP or DHCP spoofing from its position on the segment, with the disruption risk that implies.
Phishing infrastructure: It can host a captive portal or a fake service on the segment, but it collects credentials only from users tricked into connecting to it.
Data collection: Scan results and captured data are written to the device and read back when it is retrieved, or sent out by a payload that finds an egress path.
Wireless attacks: Not applicable; the device has no radio.
Credential harvesting: Listen for cleartext protocols and broadcast name resolution (LLMNR/NBT-NS) on the segment, or relay authentication, the same way a laptop on that port would.
Command execution: Run Linux tooling from the device against reachable hosts.
Covert operation: Leave it behind a device whose connection it has temporarily displaced; remember that the displaced device going offline is itself an alert.
Penetration testing, incident response drills and training: A plug-and-go device is a cheap way to demonstrate what an unauthenticated port gives an intruder and to exercise detection of a new MAC on a port, a scan burst, or a dormant port coming up. 802.1X, MAC-based port security and sticky-MAC limits are the controls it tests.
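The two things a plugged-in Shark Jack cannot avoid are showing up as a new MAC on a switch port and generating a scan burst in the first seconds. This added example (not Hak5 code) shows the corresponding checks from the defender's side: a port-to-MAC baseline comparison and a sliding-window scan detector over flow records. The switch table, inventory, flows and thresholds are constructed or assumed.

```python
"""Added example: the defensive side of a plug-and-go network implant. Two
checks a NAC or switch-monitoring job can run: (1) compare a port-to-MAC
baseline with the current table to catch a dormant port coming up or a known
device's MAC being replaced, and (2) spot the scan burst such a device runs on
arrival from flow records. Not Hak5 code; the tables, flows and thresholds
are constructed/assumed."""
from collections import defaultdict

BASELINE = {"Gi1/0/1": "00:1a:2b:3c:4d:01", "Gi1/0/2": "00:1a:2b:3c:4d:02", "Gi1/0/7": "00:1a:2b:3c:4d:07"}
INVENTORY = set(BASELINE.values())
CURRENT = {"Gi1/0/1": "00:1a:2b:3c:4d:01",
           "Gi1/0/2": "5c:f3:70:aa:bb:cc",   # the printer's cable now ends in an unknown device
           "Gi1/0/7": "00:1a:2b:3c:4d:07",
           "Gi1/0/9": "5c:f3:70:aa:bb:cd"}   # a port that was down is now up


def audit_ports(baseline: dict, current: dict, inventory: set) -> list:
    """Alerts on ports whose MAC is unknown, newly active, or changed since the baseline."""
    alerts = []
    for port, mac in sorted(current.items()):
        prev = baseline.get(port)
        if mac not in inventory:
            alerts.append(("unknown_mac", port, mac))
        if prev is None:
            alerts.append(("dormant_port_active", port, mac))
        elif prev != mac:
            alerts.append(("mac_changed", port, prev, mac))
    for port in sorted(set(baseline) - set(current)):
        alerts.append(("device_missing", port, baseline[port]))
    return alerts


# Flow records: (time_s, src_ip, dst_ip, dst_port). A scan shows as one source
# touching many distinct (host, port) targets inside a short window.
def make_sample_flows() -> list:
    flows = [(t * 3.0, "10.0.0.5", "10.0.0.20", 445) for t in range(20)]  # normal: one service, a minute
    flows += [(100.0 + i * 0.02, "10.0.0.99", "10.0.0.%d" % (1 + i % 8), 1 + i)
              for i in range(200)]                                       # burst from the newcomer
    return flows


def detect_scan(flows: list, window_s: float = 10.0, threshold: int = 50) -> list:
    """Sliding window per source: distinct (dst, port) targets >= threshold within window_s."""
    by_src = defaultdict(list)
    for t, src, dst, dport in sorted(flows):
        by_src[src].append((t, dst, dport))
    hits = []
    for src, events in by_src.items():
        counts, start = defaultdict(int), 0
        for t, dst, dport in events:
            counts[(dst, dport)] += 1
            while events[start][0] < t - window_s:   # drop events that fell out of the window
                old = (events[start][1], events[start][2])
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= threshold:
                hits.append((src, t, len(counts)))
                break
    return hits


if __name__ == "__main__":
    for a in audit_ports(BASELINE, CURRENT, INVENTORY):
        print(a)
    print(detect_scan(make_sample_flows()))
```

A "mac_changed" on a printer port that reverts a few minutes later is exactly the footprint of a device that borrowed the printer's cable and was collected again.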
The WiFi Pineapple® Mark VII is Hak5's Wi-Fi auditing platform for red teams and security professionals. It carries several radios, so it can monitor, host a rogue access point and keep a client uplink at the same time, and it automates the usual attack chain: collect the SSIDs nearby clients probe for, impersonate them (PineAP), capture WPA handshakes for offline cracking, and run man-in-the-middle tooling against clients that connect. It is managed from a web interface and can report to Hak5's Cloud C2 for remote operation.
WiFi Pineapple Mark VII is used in various attack scenarios to assess WiFi network security and exploit vulnerabilities:
Rogue access points: PineAP answers probe requests for networks a client remembers and broadcasts those SSIDs, so devices auto-join a network the operator controls. This works best against open networks in a client's saved list; a saved WPA2-PSK network only joins if the passphrase matches, and WPA3 and MAC randomisation reduce what can be collected.
WPA/WPA2 and WPA2-Enterprise attacks: Capture four-way handshakes (and, where the AP leaks it, the PMKID) for offline dictionary attacks on PSK networks, and stand up an evil twin of an enterprise SSID to collect MSCHAPv2 hashes or credentials from clients whose 802.1X configuration does not validate the RADIUS server certificate.
Man-in-the-middle: Traffic from connected clients passes through the device, where it can be logged, redirected or modified; TLS and HSTS limit this to metadata and downgrade-prone services.
Automated campaigns: The campaign wizard runs reconnaissance, impersonation and handshake capture on a schedule and produces a report.
Scope filtering: MAC and SSID allow/deny lists keep deauthentication and impersonation limited to in-scope devices; this is the difference between an assessment and an attack on bystanders.
Passive reconnaissance: Record nearby access points, clients and the probe requests they send, which reveal what networks a laptop has joined before.
Landscape mapping: Visualise which clients talk to which access points and which SSIDs are worth impersonating.
Operational intelligence: Turn the collected data into a list of weak spots: open or WEP networks, clients probing for remembered networks, enterprise clients with lax certificate checking.
WiFi penetration testing: Combine the above into an assessment that demonstrates the risk rather than just listing it.
Credential harvesting: Collect logins from captive-portal clones and from services still using cleartext protocols over the rogue network.
Data interception: Log and manipulate the traffic of connected clients within the limits TLS imposes.
Phishing and social engineering: Impersonate a legitimate SSID and present a convincing login page to clients that join.
Wireless network mapping: Display network topologies, device connections and access point configurations for attack planning.
Remote control: Cloud C2 lets an operator monitor and drive an installed Pineapple from outside the site.
A USB to TTL (Transistor-Transistor Logic) adapter is a compact electronic device used to communicate between a computer’s USB port and devices that use serial communication protocols, such as UART (Universal Asynchronous Receiver/Transmitter). These adapters are commonly used in electronic projects, debugging, and configuring embedded systems where direct serial communication with a computer is required. They typically have a USB Type-A connector on one end and TTL-level serial pins or wires on the other, allowing easy interface with microcontrollers, development boards, routers, and other hardware.
The USB-TTL adapter is useful wherever direct access to a device's serial console pays off. Before any of the scenarios below: confirm the target's logic level (1.8, 3.3 or 5 V) with a meter and use an adapter that matches; connect GND first, adapter RX to target TX and adapter TX to target RX; and leave the adapter's VCC pin unconnected unless you intend to power the board from it. A 5 V adapter on a 1.8 V SoC ends the test early.
Firmware replacement: From the console of a router or IoT device, load firmware you control through the bootloader's TFTP or Y-modem commands, or pull the existing image and configuration off the device.
Debug exploitation: Debug shells and verbose logging left enabled on the console expose internals, and often credentials, that the product's network interface never shows.
Bootloader manipulation: Interrupt autoboot and change U-Boot environment variables (bootargs such as init=/bin/sh, or the boot source) to get a root shell or boot a modified image, bypassing the operating system's own authentication.
Configuration changes: Edit settings from the console that the web UI restricts or hides, which can disrupt the device or open it to unauthorized access.
Credential extraction: Watch the boot log and early init for keys, Wi-Fi passphrases and admin passwords printed in the clear.
Serial console access: Locate the UART header (often four unpopulated pads, identifiable with a multimeter), determine the baud rate, and connect with a terminal program such as minicom or screen.
Malicious image injection: Abuse update routines reachable from the bootloader or console that do not verify signatures.
IoT device takeover: An unauthenticated console shell is full control: arbitrary commands, persistence, and a pivot into the network.
Data interception: Observe serial links between components (for example a Wi-Fi module and a host MCU) for credentials and protocol details.
Reverse engineering: Dump flash and logs and watch the protocol between boards as a starting point for firmware analysis.
Privilege escalation and bypass: Debug features exposed on the console (JTAG enable commands, test modes, factory menus) frequently sidestep controls that exist only in the production firmware path. The defensive checks are the mirror image: console disabled or authenticated in production, autoboot not interruptible, bootloader environment locked, and secure boot verifying the image.
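Once the adapter is wired and a terminal is logging the console, the first question is how exposed the console actually is. This added example (not a vendor tool) triages a captured transcript: is the bootloader interruptible, is there a login prompt before the shell, and did anything secret scroll past in the boot log. The two transcripts are constructed, and the patterns cover the common cases (U-Boot, BusyBox), not every firmware.

```python
"""Added example: triage a serial-console transcript captured through a USB-TTL
adapter and classify how exposed the console is. Not a vendor tool; the two
transcripts are constructed, and the patterns (U-Boot autoboot prompt, BusyBox
prompt, 'login:' prompt, 'key=value' secrets) are the common cases, not a
complete list."""
import re

OPEN_CONSOLE = """\
U-Boot 2018.03 (Mar 01 2020 - 10:00:00)
DRAM:  64 MiB
Hit any key to stop autoboot:  0
Starting kernel ...
[    0.000000] Linux version 4.9.1 (builder@host)
eth0: MAC 00:11:22:33:44:55
wifi: ssid=SmartCam psk=SuperSecret123
Please press Enter to activate this console.
BusyBox v1.31.1 () built-in shell (ash)
/ #
"""

LOCKED_CONSOLE = """\
U-Boot 2018.03 (Mar 01 2020 - 10:00:00)
DRAM:  64 MiB
autoboot in 0 seconds
Starting kernel ...
[    0.000000] Linux version 4.9.1 (builder@host)
camera login:
"""

AUTOBOOT_INTERRUPT = re.compile(r"hit any key to stop autoboot|press .* to (stop|interrupt|enter)", re.I)
BOOTLOADER_PROMPT = re.compile(r"^(=>|u-boot>|uboot>|ath>|hornet>)\s*$", re.I)
ROOT_PROMPT = re.compile(r"^(~|/[\w./-]*)?\s*#\s*$")
LOGIN_PROMPT = re.compile(r"login:\s*$", re.I)
SECRET = re.compile(r"\b(passw(?:or)?d|psk|secret|token|api[_-]?key)\s*[=:]\s*(\S+)", re.I)


def triage(transcript: str) -> dict:
    found = {"bootloader_interruptible": False, "bootloader_prompt": False,
             "login_required": False, "root_shell": False, "secrets": []}
    for line in transcript.splitlines():
        if AUTOBOOT_INTERRUPT.search(line):
            found["bootloader_interruptible"] = True
        if BOOTLOADER_PROMPT.match(line):
            found["bootloader_prompt"] = True
        if LOGIN_PROMPT.search(line):
            found["login_required"] = True
        if ROOT_PROMPT.match(line) or "built-in shell" in line:
            found["root_shell"] = True
        for m in SECRET.finditer(line):
            found["secrets"].append(m.group(0))
    # A shell reached with no login prompt, or a secret in the boot log, is the worst case;
    # an interruptible bootloader is next (init=/bin/sh is one environment edit away).
    if (found["root_shell"] and not found["login_required"]) or found["secrets"]:
        found["severity"] = "critical"
    elif found["bootloader_interruptible"] or found["bootloader_prompt"]:
        found["severity"] = "high"
    elif found["login_required"]:
        found["severity"] = "medium"
    else:
        found["severity"] = "low"
    return found


if __name__ == "__main__":
    for name, text in (("open", OPEN_CONSOLE), ("locked", LOCKED_CONSOLE)):
        print(name, triage(text))
```

The "locked" transcript still rates medium rather than low: a login prompt on a debug header is better than a shell, but the console is still reachable and worth a password-guessing and bootloader check.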
USBNinja is a USB attack cable that looks and works like a normal Micro-USB, USB-C or Lightning data and charging cable but contains a keystroke injector triggered over Bluetooth from a phone app or a dedicated remote. When triggered it enumerates as a keyboard and mouse and types a preloaded payload into the connected host. Because it presents itself as an input device, nothing on the host flags a malicious file at insertion; firewalls and antivirus only see what the typed payload goes on to do, which is why it is popular with pentesters.
Red teams use USBNinja for stealthy access that starts with a cable. Once it is plugged into a target computer the operator can trigger payloads from a distance: download and run software, establish network connections, or script the host to send data out. Keyboard and mouse emulation means the payload runs as the logged-in user, in an unlocked session, with that user's privileges, which is enough for most social-engineering-driven intrusions but no more than that.
Remote payload execution: Trigger stored payloads from a distance while the cable is plugged in and the session is unlocked.
Malware deployment: Type a one-liner that downloads and runs a stager from the operator's server over the host's own network.
Network changes: Alter proxy, DNS or VPN settings through the host's own tools by keystroke.
Data exfiltration: Script the host to send files out; the cable itself has no storage or network path for the victim's data.
Credential prompts: Pop a dialog that asks the user to re-enter a password and post the result.
System tampering: Change configuration, delete or modify files, or disrupt operations, limited to what the current user can do.
Persistence: Create a scheduled task, startup item or service that keeps access after the cable is removed.
Limited physical access: A single plug-in, or a cable left for the target to use, is enough; the operator does not need to stay.
Evasion: Visual inspection does not distinguish it from a stock cable; USB device control and HID enumeration alerts do.
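The Cactus WHID, the O.MG cable and USBNinja all come down to the same mechanism: a microcontroller sending USB HID keyboard reports. This added example (not any vendor's firmware) compiles a small DuckyScript subset into the 8-byte reports that actually cross the USB bus for a US layout, and pairs it with the host-side timing check that catches such devices: a run of key events with gaps no human produces. Thresholds and the sample payload are assumptions.

```python
"""Added example: what a keystroke injector (Cactus WHID, O.MG cable, USBNinja
and similar) actually sends, and the timing check a host can use to spot it.
Not any vendor's firmware. compile_ducky() handles a small DuckyScript subset
(REM, DELAY, STRING, ENTER, modifier combinations such as 'GUI r') and emits
the 8-byte USB HID boot-keyboard reports for a US layout; looks_injected()
flags runs of key events faster than a human types (thresholds are assumptions)."""

KEYMAP = {c: 0x04 + i for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
KEYMAP.update({c: 0x1E + i for i, c in enumerate("123456789")})
KEYMAP.update({"0": 0x27, "\n": 0x28, "\t": 0x2B, " ": 0x2C, "-": 0x2D, "=": 0x2E, "[": 0x2F,
               "]": 0x30, "\\": 0x31, ";": 0x33, "'": 0x34, "`": 0x35, ",": 0x36, ".": 0x37, "/": 0x38})
SHIFTED = {")": "0", "!": "1", "@": "2", "#": "3", "$": "4", "%": "5", "^": "6", "&": "7", "*": "8",
           "(": "9", "_": "-", "+": "=", "{": "[", "}": "]", "|": "\\", ":": ";", '"': "'", "~": "`",
           "<": ",", ">": ".", "?": "/"}
MODIFIERS = {"CTRL": 0x01, "CONTROL": 0x01, "SHIFT": 0x02, "ALT": 0x04,
             "GUI": 0x08, "WINDOWS": 0x08, "COMMAND": 0x08}
NAMED_KEYS = {"ENTER": 0x28, "ESC": 0x29, "ESCAPE": 0x29, "BACKSPACE": 0x2A, "TAB": 0x2B, "SPACE": 0x2C,
              "DELETE": 0x4C, "RIGHT": 0x4F, "LEFT": 0x50, "DOWN": 0x51, "UP": 0x52}
RELEASE = bytes(8)  # all keys up


def report(modifiers: int, keycode: int) -> bytes:
    """Boot-protocol keyboard report: modifier byte, reserved byte, up to six key usages."""
    return bytes([modifiers, 0, keycode, 0, 0, 0, 0, 0])


def char_report(ch: str) -> bytes:
    if ch.isalpha() and ch.isupper():
        return report(MODIFIERS["SHIFT"], KEYMAP[ch.lower()])
    if ch in SHIFTED:
        return report(MODIFIERS["SHIFT"], KEYMAP[SHIFTED[ch]])
    return report(0, KEYMAP[ch])


def compile_ducky(script: str) -> list:
    """Return [(delay_ms, report_or_None), ...] in the order an injector would send them."""
    out = []
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "DELAY":
            out.append((int(arg), None))
        elif cmd == "STRING":
            for ch in arg:
                out += [(0, char_report(ch)), (0, RELEASE)]
        else:  # a key chord: any number of modifiers plus one key
            mods, key = 0, 0
            for tok in [cmd] + arg.split():
                if tok.upper() in MODIFIERS:
                    mods |= MODIFIERS[tok.upper()]
                elif tok.upper() in NAMED_KEYS:
                    key = NAMED_KEYS[tok.upper()]
                elif len(tok) == 1:
                    key = KEYMAP[tok.lower()]
                else:
                    raise ValueError("unsupported token: " + tok)
            out += [(0, report(mods, key)), (0, RELEASE)]
    return out


def looks_injected(timestamps_ms: list, max_gap_ms: int = 30, min_keys: int = 12) -> bool:
    """True if at least min_keys consecutive key events arrive with gaps no human produces."""
    run, best = 1, 1
    for a, b in zip(timestamps_ms, timestamps_ms[1:]):
        run = run + 1 if b - a <= max_gap_ms else 1
        best = max(best, run)
    return best >= min_keys


PAYLOAD = "REM open a run box and start a shell\nGUI r\nDELAY 500\nSTRING cmd\nENTER\n"

if __name__ == "__main__":
    for delay, rep in compile_ducky(PAYLOAD):
        print(delay, rep.hex() if rep else "wait")
```

The DELAY lines are the only places a real payload slows down, which is why injected runs between them are so regular; a detector that only looks at average typing speed over a whole session misses them.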
The GL.iNet AR150 is a compact OpenWrt (LEDE) travel router built on a Qualcomm Atheros AR9331 SoC. With OpenWrt you can install the usual tooling (aircrack-ng, hostapd, tcpdump) for wireless scanning, deauthentication and man-in-the-middle work. Its hardware is close to that of the Hak5 WiFi Pineapple Nano at a fraction of the price, which is why it is popular as a build-it-yourself attack platform.
Red teams use the AR150 for Wi-Fi traffic monitoring, deauthentication, man-in-the-middle work and rogue access points. Its size and low power draw suit covert placement. Two practical limits: it has a single 2.4 GHz radio, so monitoring and hosting an access point compete for it unless you add a USB Wi-Fi adapter, and deauthentication does nothing against clients and APs using protected management frames (802.11w).
Wi-Fi monitoring: Put the radio in monitor mode to passively capture and analyse Wi-Fi traffic.
Deauthentication attacks: Send deauthentication frames to disconnect clients from a legitimate network so they reconnect, revealing a handshake or joining a rogue network.
Man-in-the-middle (MiTM) attacks: Intercept and manipulate traffic between connected clients and the Internet, for eavesdropping or injection where TLS does not prevent it.
Rogue access point: Run hostapd with a chosen SSID to attract clients for later capture or manipulation.
Packet inspection: Capture and analyse packets on the rogue network to retrieve credentials sent in the clear.
DNS spoofing: Answer DNS queries from connected clients with addresses you control to redirect them to phishing pages.
Traffic interception: Record unencrypted traffic passing through the device.
Network mapping: Use scanning tools to identify active devices and map the topology for targeted follow-up.
IoT exploitation: Attack vulnerable IoT devices on the network and use them to pivot toward better-protected segments.
Firmware modification: Flash community Pineapple-style firmware or a custom OpenWrt build to add capabilities or support specific attack vectors.
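The two attacks the Pineapple and an AR150-based rig both rely on, an evil twin of a known SSID and a deauthentication flood, are also the two things a wireless IDS looks for. This added example (not Hak5 or GL.iNet code) parses 802.11 management frames and runs both checks; it covers the general case of any capture, not just these devices. The frames are constructed by small builders (no radiotap header, no FCS, minimal RSN element) so the detector runs offline.

```python
"""Added example: detection for the two Wi-Fi attacks both the Pineapple and an
AR150-based rig rely on, an evil twin of a known SSID and a deauthentication
flood. Not Hak5 or GL.iNet code. The frames are constructed 802.11 management
frames (no radiotap header, no FCS) so the parser runs offline; the builders
exist only to produce that sample, and the RSN element is a minimal stub."""
from collections import Counter, defaultdict


def mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def parse_ies(data: bytes) -> list:
    """Information elements: tag, length, value, back to back."""
    ies, i = [], 0
    while i + 2 <= len(data):
        tag, ln = data[i], data[i + 1]
        ies.append((tag, data[i + 2:i + 2 + ln]))
        i += 2 + ln
    return ies


def parse_mgmt(frame: bytes):
    """Decode a management frame header; for beacons/probe responses also SSID and security type."""
    ftype, subtype = (frame[0] >> 2) & 3, frame[0] >> 4
    if ftype != 0:
        return None
    info = {"subtype": subtype, "da": mac_str(frame[4:10]), "sa": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22])}
    body = frame[24:]
    if subtype in (5, 8):  # probe response, beacon: timestamp(8) interval(2) capability(2) IEs
        cap = int.from_bytes(body[10:12], "little")
        ies = parse_ies(body[12:])
        info["ssid"] = next((v.decode("utf-8", "replace") for t, v in ies if t == 0), "")
        if any(t == 48 for t, _ in ies):
            info["security"] = "rsn"           # WPA2/WPA3
        elif any(t == 221 and v[:4] == b"\x00\x50\xf2\x01" for t, v in ies):
            info["security"] = "wpa"
        else:
            info["security"] = "wep" if cap & 0x0010 else "open"
    elif subtype == 12:   # deauthentication: reason code
        info["reason"] = int.from_bytes(body[:2], "little")
    return info


def detect_evil_twin(frames: list, known_bssids: set) -> list:
    """Alert on SSIDs advertised by a BSSID outside the known AP list or with inconsistent security."""
    seen = defaultdict(set)
    for f in frames:
        p = parse_mgmt(f)
        if p and "ssid" in p:
            seen[p["ssid"]].add((p["bssid"], p["security"]))
    alerts = []
    for ssid, aps in seen.items():
        for bssid, sec in sorted(aps):
            if bssid not in known_bssids:
                alerts.append(("unknown_bssid", ssid, bssid, sec))
        secs = sorted({sec for _, sec in aps})
        if len(secs) > 1:
            alerts.append(("mixed_security", ssid, secs))
    return alerts


def detect_deauth_flood(frames: list, threshold: int = 10) -> list:
    counts = Counter(p["bssid"] for p in map(parse_mgmt, frames) if p and p["subtype"] == 12)
    return [(b, n) for b, n in counts.items() if n >= threshold]


# --- constructed sample capture ---
def build_beacon(bssid: bytes, ssid: str, rsn: bool = True) -> bytes:
    hdr = bytes([0x80, 0, 0, 0]) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    cap = 0x0411 if rsn else 0x0401                      # ESS + short slot, privacy bit when protected
    body = bytes(8) + (100).to_bytes(2, "little") + cap.to_bytes(2, "little")
    body += bytes([0, len(ssid)]) + ssid.encode()
    if rsn:
        body += bytes([48, 2, 1, 0])                      # RSN IE stub: version 1 only
    return hdr + body


def build_deauth(bssid: bytes, client: bytes, reason: int = 7) -> bytes:
    return bytes([0xC0, 0, 0, 0]) + client + bssid + bssid + b"\x00\x00" + reason.to_bytes(2, "little")


AP1, AP2 = bytes.fromhex("001122aabb01"), bytes.fromhex("001122aabb02")
ROGUE, CLIENT = bytes.fromhex("deadbeef0001"), bytes.fromhex("c0ffee000001")
KNOWN = {mac_str(AP1), mac_str(AP2)}
SAMPLE = ([build_beacon(AP1, "CorpWiFi"), build_beacon(AP2, "CorpWiFi"), build_beacon(ROGUE, "CorpWiFi", rsn=False)]
          + [build_deauth(AP1, CLIENT)] * 25 + [build_deauth(AP2, CLIENT)] * 2)

if __name__ == "__main__":
    print(detect_evil_twin(SAMPLE, KNOWN))
    print(detect_deauth_flood(SAMPLE))
```

Several BSSIDs per SSID is normal in any office with more than one access point, so the unknown-BSSID check needs a maintained AP inventory; the mixed-security check works without one, because a legitimate network does not advertise itself as both open and WPA2.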
A USB logic analyzer is the standard tool for watching digital buses in embedded systems, especially during microcontroller development. The common 8-channel units work with Saleae Logic 2 software (and with sigrok/PulseView), record digital signals on up to 8 channels (some models also sample analog), and come with protocol decoders for UART, SPI, I2C and others, so a capture turns into decoded bytes rather than raw waveforms.
Red teams use a logic analyzer to capture and decode the communication between chips inside IoT devices: it is how you find debug UARTs, recover firmware off a SPI flash at boot, reverse engineer custom protocols, and pick up credentials that cross the board in the clear. It is a passive instrument; it observes signals and cannot change them.
Protocol reverse engineering: Capture proprietary serial protocols between chips, or between an IoT device and its peripherals, and decode them with a custom analyzer script.
Firmware capture: Sniff the SPI bus during boot to recover the firmware image as the SoC reads it from flash, without desoldering the chip.
Signal analysis, not manipulation: To inject or glitch signals you add a microcontroller or a dedicated fault-injection board; the analyzer then confirms what actually happened on the bus.
IoT device analysis: Watch UART, I2C and SPI traffic to find debug interfaces, hardcoded keys and unprotected configuration exchanges.
Data capture: Anything crossing the board unencrypted is visible, for example credentials a host MCU sends to a Wi-Fi module in AT commands.
Debugging and optimization: The tool's day job; timing and logic faults show up directly.
Side-channel note: Power and electromagnetic side channels need an oscilloscope or a dedicated capture board; a logic analyzer only sees thresholded logic levels and cannot recover keys that way.
Hardware implant detection: Compare observed bus traffic with what the design should produce; unexpected transactions, or an extra device answering on I2C, point at a modification.
Bus sniffing: Tap I2C, SPI or UART lines between peripherals and controllers, with a shared ground and attention to logic levels, to eavesdrop on their exchange.
Real-time monitoring: Stream decoded traffic to spot anomalous activity during a test.
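The analyzer software's UART decoder does this for you, but seeing it written out makes clear what a bus sniff on a debug header actually yields and why you need the baud rate first. This added example (not Saleae code) decodes a raw single-channel capture into bytes and estimates the baud rate from the shortest pulse, the trick used when a board's UART speed is unknown. The capture is constructed by the encoder; the sample rate is assumed to be an integer multiple of the baud rate.

```python
"""Added example: turn a raw logic-analyzer capture of one UART line into bytes,
the way a bus sniff on a debug header yields a boot log. Not Saleae code. The
capture is constructed by uart_encode(); the sample rate is assumed to be an
integer multiple of the baud rate (8N1 framing, idle high)."""


def uart_encode(data: bytes, baud: int, sample_rate: int) -> list:
    """Constructed capture: idle, then per byte a start bit (0), 8 data bits LSB first, a stop bit (1)."""
    spb = sample_rate // baud
    samples = [1] * (2 * spb)
    for byte in data:
        frame = [0] + [(byte >> i) & 1 for i in range(8)] + [1]
        for bit in frame:
            samples += [bit] * spb
    return samples + [1] * (2 * spb)


def guess_baud(samples: list, sample_rate: int,
               common=(9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600)):
    """Shortest run of equal samples approximates one bit time; snap to the nearest standard rate."""
    shortest, run = None, 1
    for a, b in zip(samples, samples[1:]):
        if a == b:
            run += 1
        else:
            shortest = run if shortest is None else min(shortest, run)
            run = 1
    if shortest is None:
        return None   # no edges: nothing to measure
    return min(common, key=lambda r: abs(r - sample_rate / shortest))


def uart_decode(samples: list, baud: int, sample_rate: int) -> bytes:
    """Find each start bit's falling edge, sample every bit at its centre, check the stop bit."""
    if sample_rate % baud:
        raise ValueError("sample_rate must be a multiple of baud for this decoder")
    spb = sample_rate // baud
    out, i, n = bytearray(), 0, len(samples)
    while i < n:
        if samples[i] == 1:
            i += 1
            continue
        centre = i + spb // 2
        value = 0
        for k in range(1, 9):
            idx = centre + k * spb
            if idx >= n:
                return bytes(out)
            value |= samples[idx] << (k - 1)
        stop = centre + 9 * spb
        if stop < n and samples[stop] == 1:   # framing error otherwise: discard the byte
            out.append(value)
        i += 10 * spb                          # start + 8 data + stop
    return bytes(out)


BAUD, RATE = 115200, 1_152_000   # 10 samples per bit, assumed for the demo
CAPTURE = uart_encode(b"login: ", BAUD, RATE)

if __name__ == "__main__":
    print(guess_baud(CAPTURE, RATE), uart_decode(CAPTURE, BAUD, RATE))
```

The baud guess only works if the captured data contains at least one isolated bit (a run of a single bit time); a long capture of a boot log always does. With the wrong rate the decoder produces framing errors and garbage rather than a slightly wrong string, which is the usual first symptom on an unknown board.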
ZigBee Auditor is a specialized tool for auditing, engineering and cybersecurity of ZigBee networks. It operates at 2.4 GHz, has a built-in antenna and connects via USB 2.0, making it portable and convenient for field work. The device allows you to scan ZigBee networks, analyze and replay packets, integrating with the EXPLIoT framework for comprehensive network security assessment.
Red teamers use ZigBee Auditor to find networks and devices, capture traffic, and replay or inject frames to test how devices handle them. The protocol-level points worth knowing: ZigBee secures frames with a network key shared by every device; that key is delivered to a joining device encrypted under a trust-center link key, which in many consumer deployments is the well-known default ("ZigBeeAlliance09") rather than an install-code-derived key; and replay protection depends entirely on per-device frame counters.
Network discovery: Scan the 2.4 GHz channels for active PANs and list the devices that answer.
Packet capture: Record frames; unencrypted frames expose commands directly, and encrypted ones still reveal addresses, frame types and timing.
Protocol analysis: Decode the 802.15.4 and ZigBee NWK/APS headers to find devices accepting unsecured frames or using a known key.
Packet injection and replay: Resend captured frames to test whether a device enforces the frame counter; inject crafted commands once the network key is known.
Device identification: Fingerprint devices by their addresses, endpoints and the clusters they expose.
Security assessment: Check whether the network uses a unique, install-code-derived link key, whether permit-join is left open, and whether devices reject replayed or unsecured frames.
IoT exploitation: Use recovered keys or unsecured command handling to operate locks, lights or sensors without authorization.
Key capture: Sniff the join process to capture the network key transport if the trust center uses the default link key.
Traffic analysis: Look for anomalies such as frame-counter resets or a device sending from two addresses, which indicate tampering or an attacker on the network.
Denial of service: Jamming, leave commands and join floods disrupt a network; in an assessment keep this to isolated test devices.
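Most of the checks above come down to reading two headers and one counter. This added example (not EXPLIoT or ZigBee Auditor code) parses 802.15.4 and ZigBee NWK frames as a sniffer delivers them and flags unsecured NWK frames and frame counters that fail to increase, which is both what a replay attack looks like on the air and what a correctly implemented device must reject. The capture is constructed with short addressing and PAN-ID compression, the FCS is omitted, and the encrypted payload is left opaque.

```python
"""Added example: parse 802.15.4 + ZigBee NWK frames as a sniffer delivers them
and run two checks, unsecured NWK frames and non-increasing frame counters
(the replay indicator a device should also enforce). Not EXPLIoT or ZigBee
Auditor code. The capture is constructed by build_nwk_frame() with short
addressing and PAN-ID compression, FCS omitted, and the NWK payload is left
as opaque bytes (no decryption)."""


def build_nwk_frame(src: int, dst: int, seq: int, frame_counter: int, payload: bytes,
                    secured: bool = True, pan: int = 0x1A62) -> bytes:
    # 802.15.4 MAC: FCF 0x8841 = data frame, PAN-ID compression, 16-bit dst and src addresses
    mac = (0x8841).to_bytes(2, "little") + bytes([seq]) + pan.to_bytes(2, "little")
    mac += dst.to_bytes(2, "little") + src.to_bytes(2, "little")
    # ZigBee NWK: data frame, protocol version 2, security bit 9
    nfc = (2 << 2) | (0x0200 if secured else 0)
    nwk = nfc.to_bytes(2, "little") + dst.to_bytes(2, "little") + src.to_bytes(2, "little") + bytes([30, seq])
    if secured:
        # auxiliary header: security control (level 5, key id 1 = network key, extended nonce),
        # 32-bit frame counter, 64-bit source IEEE address, key sequence number
        ieee = ((0x00124B00 << 32) | src).to_bytes(8, "little")   # constructed IEEE address
        nwk += bytes([0x05 | (1 << 3) | (1 << 5)]) + frame_counter.to_bytes(4, "little") + ieee + bytes([0])
    return mac + nwk + payload


def _addr(frame: bytes, i: int, mode: int):
    size = {0: 0, 2: 2, 3: 8}.get(mode, 0)
    value = int.from_bytes(frame[i:i + size], "little") if size else None
    return value, i + size


def parse_frame(frame: bytes) -> dict:
    fcf = int.from_bytes(frame[:2], "little")
    ftype, pan_comp = fcf & 7, bool(fcf & 0x40)
    dst_mode, src_mode = (fcf >> 10) & 3, (fcf >> 14) & 3
    i = 3                                           # FCF + sequence number
    info = {"mac_type": ftype, "mac_secured": bool(fcf & 0x08)}
    info["pan"] = int.from_bytes(frame[i:i + 2], "little")
    i += 2
    info["mac_dst"], i = _addr(frame, i, dst_mode)
    if not pan_comp and src_mode:
        i += 2                                      # separate source PAN ID
    info["mac_src"], i = _addr(frame, i, src_mode)
    if ftype != 1:                                  # only data frames carry NWK
        return info
    nfc = int.from_bytes(frame[i:i + 2], "little")
    i += 2
    info.update({"nwk_type": "cmd" if nfc & 3 == 1 else "data", "proto": (nfc >> 2) & 0xF,
                 "secured": bool(nfc & 0x0200)})
    info["nwk_dst"] = int.from_bytes(frame[i:i + 2], "little")
    info["nwk_src"] = int.from_bytes(frame[i + 2:i + 4], "little")
    info["radius"], info["seq"] = frame[i + 4], frame[i + 5]
    i += 6
    if nfc & 0x0800:
        i += 8                                      # destination IEEE address present
    if nfc & 0x1000:
        i += 8                                      # source IEEE address present
    if nfc & 0x0100:
        i += 1                                      # multicast control
    if info["secured"]:
        ctl = frame[i]
        i += 1
        info["frame_counter"] = int.from_bytes(frame[i:i + 4], "little")
        i += 4
        if ctl & 0x20:
            info["ieee_src"] = frame[i:i + 8][::-1].hex()
            i += 8
        if (ctl >> 3) & 3 == 1:
            info["key_seq"] = frame[i]
            i += 1
    info["payload"] = frame[i:]
    return info


def audit(frames: list) -> list:
    """Flag unsecured NWK frames and frame counters that fail to increase per source."""
    last, alerts = {}, []
    for n, f in enumerate(frames):
        p = parse_frame(f)
        if "nwk_src" not in p:
            continue
        if not p["secured"]:
            alerts.append(("unsecured_nwk", n, p["nwk_src"]))
            continue
        src, fc = p["nwk_src"], p["frame_counter"]
        if src in last and fc <= last[src]:
            alerts.append(("replayed_counter", n, src, fc))
        else:
            last[src] = fc
    return alerts


SAMPLE = [  # constructed capture: two live frames, a replay of the first, one unsecured frame
    build_nwk_frame(0x1234, 0x0000, 10, 100, b"\x40\x01\x06\x00"),
    build_nwk_frame(0x1234, 0x0000, 11, 101, b"\x40\x01\x06\x01"),
    build_nwk_frame(0x1234, 0x0000, 10, 100, b"\x40\x01\x06\x00"),
    build_nwk_frame(0x5678, 0x0000, 3, 0, b"\x00\x01", secured=False),
]

if __name__ == "__main__":
    for a in audit(SAMPLE):
        print(a)
```

A sniffer-side counter check has one blind spot: a device that reboots may legitimately restart its counter, and a network that tolerates that is exactly the one a replayed frame gets into. The audit therefore reports every non-increasing counter and leaves the judgement to the tester.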