The idea is straightforward — drop a Pi on a network, walk away, and still have access. It picks up a DHCP lease, phones home over Tailscale, and you’re in. No port forwarding, no exposed IP, nothing that looks out of place on the network. It’s the kind of technique that shows up in real red team engagements and I wanted to understand exactly how it works by building it myself.
Raspberry Pi 4B with 4GB RAM running Kali Linux. Small enough to hide, powerful enough to run a full attack suite.
It plugs directly into a network switch or any open port, grabs a DHCP lease, and is immediately on the internal network with no user interaction.
Tailscale running on boot gives persistent remote access from anywhere. Registered to a dedicated account isolated from personal identity, consistent with red team operational practices. No port forwarding, no exposed IP — just an outbound tunnel.
Once you’re on the network, the full Kali toolset is available remotely. Being inside the network changes everything — attacks that aren’t possible from the outside become trivial from the inside.
ARP poisoning with tools like Bettercap or Ettercap positions the Pi between devices and the gateway, giving a full MITM position over unencrypted traffic.
Capture cleartext credentials from unencrypted protocols like HTTP, FTP, and Telnet; Responder can capture NTLM hashes from Windows machines on the same network.
Nmap scans of the entire internal subnet, service discovery, and OS fingerprinting build a full map of every device on the network from the inside.
Use the internal foothold to pivot to other devices — exploit unpatched services, spray credentials, and move deeper into the network.
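From the defender's side, the ARP poisoning step above leaves a clear fingerprint: the MAC answering for the gateway IP changes, and the new MAC is usually already bound to another address. The detector below is an added example, not code from the original write-up; it assumes you already collect ARP replies (from a SPAN port, arpwatch logs, or similar) and the sample traffic is constructed.

```python
"""Defender-side ARP spoof detection over a stream of ARP replies.

Assumption: some capture source hands detect_arp_spoof() tuples of
(timestamp, sender_ip, sender_mac); `protected_ips` is the set of
addresses (gateway, DNS) whose binding you never expect to change.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"

# Constructed sample traffic: the real gateway answers, a new host joins,
# then that host's MAC starts answering for the gateway IP as well.
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # legitimate gateway
    (1.0, "192.168.1.50", "de:ad:be:ef:00:50"),  # new host (constructed MAC)
    (2.0, "192.168.1.1", "de:ad:be:ef:00:50"),   # gateway IP now claimed by that MAC
    (3.0, "192.168.1.1", "de:ad:be:ef:00:50"),   # repeated reply, already tracked
]


def detect_arp_spoof(replies, protected_ips):
    """Return alerts for binding changes on protected IPs.

    Two signals are combined: (1) the MAC bound to a protected IP changes
    after first sight; (2) that MAC is already bound to another IP, i.e.
    one NIC answers for two addresses, which is what a MITM position
    looks like on the wire. Signal 2 raises severity to "high".
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac and ip in protected_ips:
            other_ips = mac_to_ips[mac] - {ip}
            alerts.append({
                "ts": ts,
                "ip": ip,
                "old_mac": prev,
                "new_mac": mac,
                "also_claims": sorted(other_ips),
                "severity": "high" if other_ips else "medium",
            })
        # Track the newest binding so identical repeats do not re-alert;
        # a legitimate gateway answering again will show up as a flap.
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_REPLIES, {GATEWAY_IP}):
        print(alert)
```

Pair it with a DHCP lease audit against a known-device allowlist, since the drop box first appears as an unexpected lease before it ever sends a spoofed ARP reply.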