Blacksight Phantom: Five Attack Modes in One Drop Box
TL;DR
The Blacksight Phantom is a purpose-built red team drop box with five simultaneous attack modes -- Tap, Venom, Siren, Fang, and Scope -- running on dedicated hardware with dual 2.5GbE, WiFi 6E, Bluetooth 5.2, and 4G LTE. It replaces fragile Raspberry Pi setups with a reliable, remotely operated platform for physical penetration testing.
The Blacksight Phantom is a purpose-built offensive hardware platform designed for physical red team engagements. It ships with five distinct attack modes -- Tap, Venom, Siren, Fang, and Scope -- each targeting a different layer of the target environment. All five can run simultaneously on the same device, controlled remotely through a web panel or left to execute an automated playbook unattended.
What Hardware Is Actually Inside the Phantom?
The Phantom runs an Intel N150 quad-core processor with 8 GB of RAM and 256 GB of NVMe storage in a fanless, passively cooled enclosure roughly the size of a paperback book. Networking is where it gets interesting: dual Intel i226-V 2.5 Gigabit Ethernet ports, an Intel BE200 WiFi 6E radio with Bluetooth 5.2, and an internal Sierra Wireless EM9191 4G LTE modem with a SIM slot accessible from the outside.
The dual 2.5GbE ports are not optional. Tap mode requires an inline transparent bridge operating at wire speed -- you cannot do this with USB-to-Ethernet dongles without introducing latency that trips timing-sensitive 802.1X supplicants. The ports connect directly to the SoC's PCIe bus, so bridge forwarding happens in hardware with sub-microsecond added latency.
The 4G modem provides the command-and-control channel. It is completely independent of the target network. Traffic between the Phantom and your operator console traverses the cellular network, hits the Blacksight relay, and arrives encrypted end-to-end. The target organization never sees your C2 traffic because it never touches their infrastructure.
What Are the Five Attack Modes?
Tap -- Network Inline Bridge
Tap mode creates a transparent Layer 2 bridge between the two Ethernet ports. You unplug an authenticated device -- a printer, IP phone, access point -- and insert the Phantom inline. The bridge inherits the existing 802.1X or MAB session, preserving the device's MAC address and VLAN assignment. From the switch's perspective, nothing changed. From yours, you now have a full-duplex tap on all traffic flowing through that port, plus the ability to inject your own frames into the authenticated session. This is how you bypass NAC without triggering a single alarm.
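A note for the blue team: the one thing a switch does observe when a cable is moved is the link on that port dropping and coming back, and ports that serve printers, phones and access points should almost never do that outside a maintenance window. The Go program below is an added example written for this article, not anything Blacksight ships or the Phantom does: it reads link up/down messages in the style of Cisco IOS %LINK-3-UPDOWN syslog (the sample lines, switch name and port inventory are constructed) and reports every flap on an inventoried static port together with how long the link was down, which is what a responder would walk over and check.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// constructedSyslog: link events in the style of IOS "%LINK-3-UPDOWN" messages,
// invented for this example. Gi1/0/12 (a printer) goes down and comes back 41s
// later; Gi1/0/3 (a laptop dock) flaps too, but is not a static endpoint.
var constructedSyslog = []string{
	"2024-05-01T10:04:11Z sw-floor2 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down",
	"2024-05-01T10:04:52Z sw-floor2 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up",
	"2024-05-01T10:20:00Z sw-floor2 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to down",
	"2024-05-01T10:20:05Z sw-floor2 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up",
	"2024-05-01T11:00:00Z sw-floor2 %SYS-5-CONFIG_I: Configured from console by admin", // unrelated noise
}

// staticPorts is the (constructed) inventory of ports whose endpoint never
// moves: printers, IP phones, APs. Their links should only flap during
// scheduled maintenance.
var staticPorts = map[string]string{"GigabitEthernet1/0/12": "printer-2f-east"}

var linkRe = regexp.MustCompile(`^(\S+) (\S+) %LINK-3-UPDOWN: Interface (\S+), changed state to (down|up)$`)

type LinkEvent struct {
	T      time.Time
	Switch string
	Iface  string
	State  string
}

// ParseLinkEvent returns ok=false for any line that is not a link state change.
func ParseLinkEvent(line string) (LinkEvent, bool) {
	m := linkRe.FindStringSubmatch(line)
	if m == nil {
		return LinkEvent{}, false
	}
	t, err := time.Parse(time.RFC3339, m[1])
	if err != nil {
		return LinkEvent{}, false
	}
	return LinkEvent{t, m[2], m[3], m[4]}, true
}

type Flap struct {
	Switch, Iface, Endpoint string
	Down, Up                time.Time
}

// Gap is how long the link stayed down.
func (f Flap) Gap() time.Duration { return f.Up.Sub(f.Down) }

// StaticPortFlaps pairs each down with the next up on the same switch port and
// returns the flaps on inventoried static ports, oldest first.
func StaticPortFlaps(lines []string, inventory map[string]string) []Flap {
	downAt := map[string]LinkEvent{} // "switch iface" -> pending down event
	var out []Flap
	for _, line := range lines {
		ev, ok := ParseLinkEvent(line)
		if !ok {
			continue
		}
		key := ev.Switch + " " + ev.Iface
		if ev.State == "down" {
			downAt[key] = ev
			continue
		}
		down, pending := downAt[key]
		if !pending {
			continue
		}
		delete(downAt, key)
		if name, static := inventory[ev.Iface]; static {
			out = append(out, Flap{ev.Switch, ev.Iface, name, down.T, ev.T})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Down.Before(out[j].Down) })
	return out
}

func main() {
	for _, f := range StaticPortFlaps(constructedSyslog, staticPorts) {
		fmt.Printf("%s %s (%s): link down for %s, verify the endpoint is still directly attached\n",
			f.Switch, f.Iface, f.Endpoint, f.Gap())
	}
}
```

Pairing this with MACsec (802.1AE) on those ports is the structural fix, since a transparent bridge cannot read or inject into an encrypted hop; the flap alert is the cheap detective control for sites that have not got there yet.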
Venom -- Credential Harvesting
Venom mode runs a coordinated stack of credential-harvesting tools: Responder for LLMNR/NBT-NS/mDNS poisoning, mitm6 for IPv6 WPAD/DNS takeover, ARP cache poisoning for targeted man-in-the-middle positioning, and a rogue DHCP server for environments where the primary DHCP scope is exhausted or absent. Captured NTLMv2 hashes are cracked offline on the device using a preloaded wordlist, and relay attacks are attempted in parallel. Credentials exfiltrate automatically over 4G.
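The cheap detective control against the LLMNR and NBT-NS poisoning Venom relies on is a canary: query the LLMNR multicast group for a hostname that does not exist anywhere, and alert on any answer, since only a poisoner answers for every name. The Go program below is an added example written for this article, not Blacksight's code or any tool the Phantom ships. It encodes the RFC 4795 query, parses the answer (including the compression pointer that real responders use to write the name) and decides whether the reply is evidence of poisoning. The canary name, the transaction ID and the constructedReply helper that fabricates a poisoner's answer are made up for the demonstration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Constructed canary hostname: nothing on a healthy LAN answers for it.
const canaryName = "canary-host-7f3a1c"

// BuildLLMNRQuery encodes an RFC 4795 query for an A record (DNS wire format).
func BuildLLMNRQuery(id uint16, name string) []byte {
	pkt := make([]byte, 12)
	binary.BigEndian.PutUint16(pkt[0:2], id)
	binary.BigEndian.PutUint16(pkt[4:6], 1) // QDCOUNT = 1, flags stay 0
	for _, label := range strings.Split(name, ".") {
		pkt = append(pkt, byte(len(label)))
		pkt = append(pkt, label...)
	}
	return append(pkt, 0, 0, 1, 0, 1) // root label, QTYPE A, QCLASS IN
}

type LLMNRAnswer struct {
	ID   uint16
	Name string
	IP   net.IP
}

// readName decodes a DNS-style name at off, following compression pointers
// (bounded by depth), and returns it with the offset just past the name.
func readName(pkt []byte, off, depth int) (string, int, error) {
	var labels []string
	for off < len(pkt) {
		l := int(pkt[off])
		switch {
		case l == 0: // end of name
			return strings.Join(labels, "."), off + 1, nil
		case l&0xC0 == 0xC0 && off+1 < len(pkt) && depth < 5: // compression pointer
			rest, _, err := readName(pkt, int(binary.BigEndian.Uint16(pkt[off:])&0x3FFF), depth+1)
			return strings.Join(append(labels, rest), "."), off + 2, err
		case l&0xC0 == 0 && off+1+l <= len(pkt): // ordinary label
			labels = append(labels, string(pkt[off+1:off+1+l]))
			off += 1 + l
		default:
			return "", 0, errors.New("malformed name")
		}
	}
	return "", 0, errors.New("truncated name")
}

// ParseLLMNRResponse extracts the first answer record of an LLMNR response.
func ParseLLMNRResponse(pkt []byte) (*LLMNRAnswer, error) {
	if len(pkt) < 12 || binary.BigEndian.Uint16(pkt[2:4])&0x8000 == 0 {
		return nil, errors.New("not an LLMNR response")
	}
	off := 12
	for i := 0; i < int(binary.BigEndian.Uint16(pkt[4:6])); i++ { // skip echoed question(s)
		_, next, err := readName(pkt, off, 0)
		if err != nil {
			return nil, err
		}
		off = next + 4 // QTYPE + QCLASS
	}
	name, off, err := readName(pkt, off, 0)
	if err != nil || off+10 > len(pkt) {
		return nil, errors.New("truncated resource record")
	}
	rtype := binary.BigEndian.Uint16(pkt[off : off+2])
	rdlen := int(binary.BigEndian.Uint16(pkt[off+8 : off+10]))
	ans := &LLMNRAnswer{ID: binary.BigEndian.Uint16(pkt[0:2]), Name: name}
	if rtype == 1 && rdlen == 4 && off+14 <= len(pkt) {
		ans.IP = net.IPv4(pkt[off+10], pkt[off+11], pkt[off+12], pkt[off+13])
	}
	return ans, nil
}

// IsPoisoning: an answer matching our transaction ID and naming the canary is
// positive evidence of a poisoner, because the name does not exist.
func IsPoisoning(queryID uint16, canary string, ans *LLMNRAnswer) bool {
	return ans != nil && ans.ID == queryID && strings.EqualFold(ans.Name, canary)
}

// constructedReply fabricates the reply a poisoner sends: QR set, ANCOUNT=1,
// question echoed, then an A record whose NAME points back to offset 12.
func constructedReply(query []byte, ip net.IP) []byte {
	r := append([]byte(nil), query...)
	r[2] |= 0x80
	binary.BigEndian.PutUint16(r[6:8], 1)
	r = append(r, 0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0, 30, 0, 4) // ptr, A, IN, TTL 30, RDLENGTH 4
	return append(r, ip.To4()...)
}

func main() {
	query := BuildLLMNRQuery(0x1234, canaryName)
	ans, err := ParseLLMNRResponse(constructedReply(query, net.IPv4(10, 0, 0, 66)))
	fmt.Println("poisoning:", IsPoisoning(0x1234, canaryName, ans), ans, err)
}
```

To run it live, send the BuildLLMNRQuery output to 224.0.0.252 port 5355 over UDP, read with a short timeout and pass any reply through ParseLLMNRResponse and IsPoisoning; a silent segment is the healthy result. The same idea works for NBT-NS on UDP 137 with an unregistered NetBIOS name. Matching on the transaction ID matters: the multicast group is noisy, and an unsolicited response for some other name is not evidence.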
Siren -- Evil Twin and WiFi Attacks
Siren mode clones target SSIDs, stands up a captive portal, and captures WPA/WPA2 handshakes and PMKID hashes. It can run targeted deauthentication to push specific clients toward the evil twin. The WiFi 6E radio supports simultaneous AP and monitor modes, so Siren can host the rogue AP on one virtual interface while capturing handshakes on another. Captured credentials and handshakes are stored locally and synced over 4G.
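From the blue-team side the two signatures Siren leaves in the air are a managed SSID being beaconed from a BSSID that is not in the AP inventory, and a burst of deauthentication frames carrying a real AP's address. The following Go program is an added example, not Blacksight's code: it runs both checks over a constructed set of sensor observations (the events, BSSIDs and inventory are invented for the example), reports each rogue BSSID once however often it beacons, and uses a count threshold per window so that the occasional deauth of ordinary roaming is not flagged.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Event is one observation from a monitor-mode sensor: a beacon or a
// deauthentication frame. The records below are constructed for this example.
type Event struct {
	T                 time.Time
	Kind              string // "BEACON" or "DEAUTH"
	SSID, BSSID, Chan string
}

type Finding struct{ Rule, SSID, BSSID, Detail string }

// at builds a timestamp on a fixed constructed day, to keep the sample short.
func at(hms string) time.Time {
	t, err := time.Parse(time.RFC3339, "2024-05-01T"+hms+"Z")
	if err != nil {
		panic(err)
	}
	return t
}

// constructedEvents: the managed AP beaconing, a second radio cloning its SSID
// on another channel, a burst of deauths spoofing the managed BSSID, and one
// lone deauth from another AP (ordinary roaming).
var constructedEvents = []Event{
	{at("10:00:00"), "BEACON", "Corp-WiFi", "aa:bb:cc:00:00:01", "36"},
	{at("10:00:01"), "BEACON", "Corp-WiFi", "de:ad:be:ef:00:01", "6"},
	{at("10:00:02"), "BEACON", "Corp-WiFi", "de:ad:be:ef:00:01", "6"},
	{at("10:00:03"), "DEAUTH", "", "aa:bb:cc:00:00:01", ""},
	{at("10:00:03"), "DEAUTH", "", "aa:bb:cc:00:00:01", ""},
	{at("10:00:04"), "DEAUTH", "", "aa:bb:cc:00:00:01", ""},
	{at("10:00:04"), "DEAUTH", "", "aa:bb:cc:00:00:01", ""},
	{at("10:00:05"), "DEAUTH", "", "aa:bb:cc:00:00:01", ""},
	{at("10:01:30"), "DEAUTH", "", "aa:bb:cc:00:00:02", ""},
}

// authorized is the AP inventory: managed SSID -> BSSIDs allowed to beacon it.
var authorized = map[string]map[string]bool{"Corp-WiFi": {"aa:bb:cc:00:00:01": true}}

// EvilTwins flags a beacon advertising a managed SSID from a BSSID that is not
// in the inventory; each rogue BSSID is reported once however often it beacons.
func EvilTwins(events []Event, inv map[string]map[string]bool) []Finding {
	seen := map[string]bool{}
	var out []Finding
	for _, ev := range events {
		known, managed := inv[ev.SSID]
		if ev.Kind != "BEACON" || !managed || known[ev.BSSID] || seen[ev.BSSID] {
			continue
		}
		seen[ev.BSSID] = true
		out = append(out, Finding{"evil-twin", ev.SSID, ev.BSSID, "channel " + ev.Chan})
	}
	return out
}

// DeauthFloods counts deauth frames per BSSID in tumbling windows and flags any
// window that reaches threshold: a few deauths are roaming, a burst is clients
// being pushed off the real AP.
func DeauthFloods(events []Event, window time.Duration, threshold int) []Finding {
	type key struct {
		bssid  string
		bucket time.Time
	}
	counts := map[key]int{}
	for _, ev := range events {
		if ev.Kind == "DEAUTH" {
			counts[key{ev.BSSID, ev.T.Truncate(window)}]++
		}
	}
	var out []Finding
	for k, n := range counts {
		if n >= threshold {
			out = append(out, Finding{"deauth-flood", "", k.bssid, fmt.Sprintf("%d frames within %s", n, window)})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].BSSID < out[j].BSSID })
	return out
}

// Analyze runs both rules; evil-twin findings come first, then floods by BSSID.
func Analyze(events []Event, inv map[string]map[string]bool) []Finding {
	return append(EvilTwins(events, inv), DeauthFloods(events, 10*time.Second, 5)...)
}

func main() {
	for _, f := range Analyze(constructedEvents, authorized) {
		fmt.Printf("%-12s ssid=%q bssid=%s %s\n", f.Rule, f.SSID, f.BSSID, f.Detail)
	}
}
```

The tumbling window is the simplest possible rate check and can split one burst across two buckets; a sliding window closes that gap at the cost of a little more code. The evil-twin check is only as good as the inventory behind it, so the inventory has to be updated whenever an AP is replaced or its BSSID changes, otherwise the first alert after a swap is a false positive.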
Fang -- Bluetooth and BLE Attacks
Fang mode turns the Bluetooth 5.2 radio into an attack platform. It performs BLE advertisement scanning, GATT service enumeration and fuzzing, relay/MitM attacks against BLE peripherals, and legacy Bluetooth pairing exploitation. In physical engagements, this means you can clone badge readers, intercept wireless keyboard traffic, attack smart locks, and enumerate every BLE device in the building -- all from a device that looks like it belongs on the network shelf.
Scope -- Passive Reconnaissance
Scope mode operates in receive-only mode across all interfaces. It captures full PCAP on the Ethernet bridge, performs passive WiFi enumeration (SSIDs, clients, signal strength, channel utilization), and logs Bluetooth/BLE advertisements. It never transmits a single packet. The value is in pre-attack intelligence: you run Scope for the first few hours to map the network topology, identify high-value targets, and understand traffic patterns before enabling any active modes. Everything Scope collects feeds directly into the dashboard as a live network map.
Why Do All Five Modes Run Simultaneously?
Each mode operates on a different interface or in a different network namespace. Tap uses the two Ethernet ports. Venom injects into the bridged network segment. Siren uses the WiFi radio. Fang uses the Bluetooth radio. Scope listens passively on all of them. There is no resource contention because the workloads are I/O-bound, not CPU-bound -- the N150 spends most of its time waiting for packets, not processing them. The only shared resource is the 4G uplink for exfiltration, and that is managed by a priority queue that ensures Venom's captured credentials go out before Scope's bulk PCAP data.
In practice, a typical engagement starts with Scope and Tap running passively for the first hour. You review the dashboard, identify targets, and then enable Venom and Siren remotely. Fang activates if the recon reveals BLE targets worth pursuing. The transition from passive recon to active attack happens with a single toggle in the web panel.
The Web Panel and Dashboard
Every Phantom ships with access to the Blacksight dashboard -- a web application where you manage your fleet of devices, review captured data, and control attack modes in real time. The dashboard shows a live network map built from Scope data, a credential feed from Venom, handshake capture status from Siren, and BLE device inventory from Fang. You can start and stop modes, download PCAP files, trigger one-off attacks, and configure automated playbooks.
The connection between the Phantom and the dashboard goes through the Blacksight relay -- a zero-knowledge WebSocket relay that forwards AES-256-GCM encrypted blobs between the device and your browser. We cannot read, modify, or log any of the data that passes through the relay. The encryption keys are generated on the device during setup and never leave the device or your browser. If you do not trust the relay, the Phantom can operate in offline mode: it stores all captured data locally on its encrypted NVMe drive, and you retrieve it physically by connecting to its local web interface over Ethernet.
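To make the zero-knowledge property concrete, here is an added Go example written for this article (not Blacksight's relay implementation, whose wire format this page does not describe) of the envelope such a relay forwards: AES-256-GCM with a fresh random nonce per frame and a sequence number authenticated as associated data, a relay that forwards opaque bytes and can record nothing but sizes and timing, and the two things a hostile relay might try, altering a frame and replaying one, both rejected on the browser side. The frame layout and the key-generation step are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Frame layout, constructed for this example: 4-byte big-endian sequence number
// || 12-byte random nonce || AES-256-GCM ciphertext and tag. The sequence number
// is bound in as associated data, so the relay cannot reorder or replay silently.
const seqLen, nonceLen = 4, 12

// NewSessionKey returns a fresh 256-bit key. In the article's model the device
// and the browser hold this key from setup and the relay never sees it.
func NewSessionKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one message on the device side under a fresh random nonce.
func Seal(key []byte, seq uint32, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	frame := make([]byte, seqLen+nonceLen, seqLen+nonceLen+len(plaintext)+aead.Overhead())
	binary.BigEndian.PutUint32(frame[:seqLen], seq)
	if _, err := io.ReadFull(rand.Reader, frame[seqLen:]); err != nil {
		return nil, err
	}
	return aead.Seal(frame, frame[seqLen:], plaintext, frame[:seqLen]), nil
}

// Open authenticates and decrypts one frame on the browser side. expectSeq is
// the next sequence number the browser is waiting for, so a replayed, dropped
// or reordered frame is rejected before the ciphertext is even examined.
func Open(key []byte, expectSeq uint32, frame []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(frame) < seqLen+nonceLen+aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	if seq := binary.BigEndian.Uint32(frame[:seqLen]); seq != expectSeq {
		return nil, fmt.Errorf("sequence %d, expected %d: replay or reorder", seq, expectSeq)
	}
	pt, err := aead.Open(nil, frame[seqLen:seqLen+nonceLen], frame[seqLen+nonceLen:], frame[:seqLen])
	if err != nil {
		return nil, errors.New("authentication failed: frame altered in transit")
	}
	return pt, nil
}

// Relay models the zero-knowledge hop: it forwards opaque bytes and holds no
// key, so all it can ever record is frame sizes and timing.
type Relay struct{ Sizes []int }

func (r *Relay) Forward(frame []byte) []byte {
	r.Sizes = append(r.Sizes, len(frame))
	return append([]byte(nil), frame...)
}

// Tamper models a hostile relay flipping one bit of the ciphertext.
func Tamper(frame []byte) []byte {
	out := append([]byte(nil), frame...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	key, _ := NewSessionKey()
	relay := &Relay{}
	frame, _ := Seal(key, 0, []byte("constructed credential record"))
	pt, err := Open(key, 0, relay.Forward(frame))
	fmt.Printf("browser read %q (err=%v); relay saw only %v bytes\n", pt, err, relay.Sizes)
	_, err = Open(key, 0, Tamper(frame))
	fmt.Println("tampered frame:", err)
	_, err = Open(key, 1, relay.Forward(frame))
	fmt.Println("replayed frame:", err)
}
```

One caveat for long sessions: with random 96-bit nonces NIST SP 800-38D caps a single key at 2^32 messages, so a device streaming PCAP for days should rotate the session key well before that, and the sequence counter is the natural trigger.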
Why Not Just Build One Yourself?
Pentesters have been building drop boxes out of Raspberry Pis for a decade. A Pi with a couple of USB dongles, an LTE hat, and a bunch of shell scripts can technically do some of what the Phantom does. In practice, it falls apart.
SD cards corrupt. USB Ethernet dongles cannot bridge at wire speed without dropping frames, which kills transparent 802.1X session inheritance. USB WiFi adapters with monitor mode support are increasingly rare and unreliable with modern kernels. There is no hardware Bluetooth attack capability worth mentioning. The C2 channel is typically an autossh tunnel to a VPS, which means your exfiltration path is visible to anyone who looks at the Pi's outbound connections. There is no kill switch. There is no self-destruct. And when the client finds the device, it is trivial to examine forensically.
The Phantom exists because we got tired of losing engagements to hardware failures. Every component is purpose-selected, the firmware is hardened, the storage is encrypted at rest, and the C2 channel is designed from the ground up for OPSEC. It is the difference between a prototype and a tool you can stake an engagement on.