The Physical Pentester's Deployment Checklist
TL;DR
A seven-phase checklist for physical red team deployments: use Scout for pre-engagement wireless recon, configure Phantom playbooks based on that intel, plant and verify on deployment day, monitor autonomously throughout the engagement, then extract with kill switch or remote self-destruct.
Physical red team engagements are high-stakes, limited-window operations. You get one shot at physical access, and the device you leave behind has to work unattended for the entire engagement window. There is no "I'll SSH in and fix it" when the device is behind a locked door in a building you cannot re-enter without blowing your cover.
This checklist covers the full lifecycle of a physical engagement using Scout for pre-engagement recon and Phantom for the active attack phase. Each section is a distinct phase with specific objectives and decision points.
Phase 1: How Do You Prepare with Pre-Engagement Recon?
The goal of pre-engagement recon is to map the target's wireless landscape before you commit to a deployment plan. Deploy Scouts at or near target locations to passively collect intelligence that will drive your Phantom configuration.
- Deploy Scouts at target locations. Ideal placements: shared spaces in multi-tenant buildings, lobby areas, coffee shops adjacent to the target facility, parking structures with line-of-sight to the building. The Scout only needs USB power and cellular coverage. Plug it into a wall charger and leave it.
- Map corporate SSIDs. Identify the target's wireless networks: corporate WPA2-Enterprise, guest networks, IoT-specific SSIDs. Note which SSIDs are broadcast from which areas of the facility. Multiple Scouts at different locations give you signal strength data that indicates AP placement.
- Capture probe requests. Employee devices constantly probe for known networks. Probe requests reveal the SSIDs employees' devices have previously connected to -- home networks, hotel WiFi, airline WiFi, other corporate locations. This intelligence is directly useful for Siren mode evil twin targeting.
- Assess client device density. How many wireless clients are active during business hours versus after hours? What is the mix of corporate-managed devices versus personal phones and tablets? High personal device density during lunch hours suggests Siren mode captive portal attacks will be productive during that window.
- Enumerate BLE devices. Badge readers, smart locks, conference room booking panels, IoT sensors, wireless keyboards and mice. BLE device enumeration tells you what Fang mode targets are available and where they are located.
- Identify security monitoring indicators. Does the target appear to run wireless IDS (WIDS)? Are there dedicated monitoring SSIDs? Do you see deauthentication containment frames? This determines how aggressive your Siren mode configuration can be and whether you need to avoid certain attack patterns.
Phase 2: How Should You Configure the Playbook?
With Scout intelligence in hand, configure the Phantom's playbook based on what you know about the target environment. Every configuration decision should trace back to a specific piece of recon data.
- Choose attack modes based on Scout intel. If Scout captured high volumes of LLMNR/mDNS traffic, Venom mode will be productive. If you identified a WPA2-PSK guest network with heavy use, Siren mode handshake capture is a priority. If BLE badge readers are present, configure Fang mode for relay attacks. Let the data drive the plan, not assumptions.
- Configure the playbook sequence. Define the mode execution order. A typical sequence: Scope for initial passive recon (15-30 minutes) to confirm network topology, then Venom during business hours for credential harvesting, Siren during high-traffic wireless windows, and Fang if BLE targets are in range. Set each mode's schedule based on when Scout data showed the highest target activity for that protocol.
- Set time windows. Venom is most effective (and least detectable) during business hours when name resolution traffic is heavy. Siren captures are best during lunch and end-of-day. Define these windows explicitly. Resist the temptation to run everything 24/7 -- traffic anomalies outside business hours are easier for SOC analysts to spot.
- Configure exfiltration schedule. Hourly exfiltration is a reasonable default. For high-security targets where you want to minimize 4G transmissions, every 4 hours may be appropriate. For short engagement windows, every 15-30 minutes ensures you capture maximum data even if the device is found early.
- Set OPSEC parameters. Configure the self-destruct button sequence for this engagement. Decide in advance whether the device should auto-self-destruct if it loses 4G connectivity for a defined period (indicating it may have been moved to a shielded room for analysis). Set stealth mode as the default boot state so the device does not generate any traffic before the playbook is activated.
- Prepare retrieval plan. Determine whether you will physically retrieve the device or trigger remote self-destruct. If retrieval is planned, identify the extraction window and route. If the building requires escort access, coordinate cover for retrieval. Have self-destruct as the backup plan if physical retrieval becomes impossible.
Phase 3: What Should You Do on Deployment Day?
Physical access is the most constrained resource in the engagement. Every second inside the facility counts. The device needs to be planted, connected, and confirmed operational before you leave.
- Placement priorities. The ideal location has three properties: network access (Ethernet port or proximity to target wireless networks), physical concealment (not immediately visible to employees or cleaning staff), and power (PoE from the switch port, or a power outlet within cable reach).
- High-value placement locations. Behind network printers -- printers are on the network, rarely moved, and the area behind them is never inspected. Under desks in conference rooms -- particularly rooms with permanent Ethernet drops and PoE. Inside a server room or network closet if accessible -- this provides direct access to trunk ports and management VLANs. Near VoIP phones -- VoIP phones are often on dedicated VLANs with less monitoring, and the phone's Ethernet pass-through port provides network access with PoE.
- Connect and verify. Plug in the Ethernet cable (and power if not using PoE). The Phantom boots and connects to the 4G relay automatically. Do not wait at the device for it to boot -- leave the area and verify connectivity from the dashboard remotely. Standing next to a newly planted device while it boots is unnecessary exposure time.
- Multiple device deployment. For large facilities, consider deploying multiple Phantoms on different network segments. Each runs its own playbook independently. The dashboard shows all devices and their status. If you have physical access to multiple floors or buildings, one device per segment significantly increases coverage and credential diversity.
Phase 4: How Do You Activate and Verify?
Activation happens from the dashboard after you have left the facility. Never activate attack modes while physically present.
- Verify 4G connectivity. Confirm the device appears in the dashboard with a healthy 4G link. Check signal strength. If the device is in a basement or interior room with weak cellular coverage, you need to know now before the engagement window closes.
- Verify network link. Confirm the Ethernet link is up and the device can see target network traffic. If the port is disabled or the device is on an isolated VLAN, Scope mode's initial passive capture will show this immediately.
- Start the playbook. Activate the pre-configured playbook from the dashboard. The Phantom begins with the first phase (typically Scope mode for initial recon).
- Confirm first exfiltration. Wait for the first scheduled exfiltration to arrive in the dashboard. This confirms the full pipeline: the device is capturing data, the encryption is working, the 4G relay is functioning, and results are reaching you. If the first exfiltration does not arrive on schedule, investigate via the device's status panel before assuming the worst.
Phase 5: What Should You Monitor During the Engagement?
The playbook runs autonomously, but periodic monitoring lets you optimize the engagement and respond to developments.
- Review captured credentials and hashes. As exfiltrations arrive, review the captured data. Are NTLMv2 hashes being captured? Are cleartext credentials appearing from Siren mode captive portals? Is the volume consistent with your expectations from the Scout recon phase?
- Adjust modes if needed. If Venom is not capturing as expected -- maybe the target has disabled LLMNR -- you can remotely reconfigure the playbook to shift resources to Siren or Fang. If Siren is capturing handshakes for a network you did not know existed, you might extend its time window.
- Monitor device health. Check 4G signal strength, storage utilization, CPU temperature, and uptime. The dashboard shows all of these. Degraded 4G signal might indicate the device was moved. Sudden high CPU could indicate the device is being scanned by the target's vulnerability scanner (a good sign -- it means you are on a monitored segment and should assess whether to continue or go stealth).
- Watch for SOC indicators. If the client's engagement lead reports that the SOC flagged something, you can correlate the timing with the Phantom's activity log. Switch to stealth mode if needed to let things cool down, then resume with adjusted parameters.
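To make the SOC-side view concrete, here is an added example (not code from the original page or from the Phantom/Scout tooling) of the two signals a detection team can correlate against an engagement's activity log: one host answering LLMNR/mDNS queries for many unrelated names, and name-resolution responses outside business hours. The log record layout, the IP addresses and the 08:00-18:00 business window are constructed assumptions.

```python
# Added example: toy detector for the SOC signals mentioned in the checklist.
# Runs over constructed name-resolution log records, not real captures.
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = (8, 18)  # assumed 08:00-18:00 local; tune per environment

# Constructed sample records: (timestamp, protocol, responder_ip, queried_name)
SAMPLE_RESPONSES = [
    ("2024-05-06T09:12:01", "LLMNR", "10.0.5.40", "fileserver01"),
    ("2024-05-06T09:12:07", "LLMNR", "10.0.5.40", "printsrv"),
    ("2024-05-06T09:13:15", "LLMNR", "10.0.5.40", "hr-share"),
    ("2024-05-06T09:14:02", "MDNS", "10.0.5.40", "intranet.local"),
    ("2024-05-06T10:00:30", "LLMNR", "10.0.5.12", "laptop-jdoe"),
    ("2024-05-07T02:41:09", "LLMNR", "10.0.5.40", "backupsrv"),
]


def parse_record(rec):
    ts, proto, ip, name = rec
    return datetime.fromisoformat(ts), proto, ip, name.lower()


def rogue_responders(records, max_names=2):
    """Return hosts that answered queries for more than max_names distinct names.

    A legitimate host only answers for its own name; one address answering
    for many different names is the hallmark of a poisoning responder.
    """
    names_by_ip = defaultdict(set)
    for _, _, ip, name in map(parse_record, records):
        names_by_ip[ip].add(name)
    return sorted(ip for ip, names in names_by_ip.items() if len(names) > max_names)


def after_hours_responses(records, hours=BUSINESS_HOURS):
    """Return (ip, name) pairs for responses sent outside business hours."""
    start, end = hours
    return [(ip, name) for ts, _, ip, name in map(parse_record, records)
            if not (start <= ts.hour < end)]


if __name__ == "__main__":
    print("rogue responders:", rogue_responders(SAMPLE_RESPONSES))
    print("after-hours responses:", after_hours_responses(SAMPLE_RESPONSES))
```

A SOC that alerts on either condition is exactly why the checklist confines Venom to business hours and why a flagged timestamp can be matched against the device's activity log.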
Phase 6: How Do You Extract Safely?
- Trigger kill switch. Before any extraction activity, send the kill switch command to stop all active attacks. The device goes silent on the network. This ensures that the final minutes of the engagement do not generate alerts that coincide with your physical presence in the building.
- Self-destruct if retrieval is not possible. If you cannot physically retrieve the device -- access was revoked, the engagement lead says the area is now monitored, or the risk-reward does not justify re-entry -- trigger self-destruct remotely. The device performs cryptographic erasure and resets to a clean factory image. Write off the hardware cost against the engagement.
- Physical retrieval. If retrieval is safe, physically recover the device. Disconnect Ethernet, pocket the device, leave. Do not attempt to access the device's data on-site. All loot has already been exfiltrated to the dashboard.
Phase 7: Post-Engagement
- Download all loot from the dashboard. Export the complete engagement dataset: credentials, hashes, PCAPs, wireless captures, BLE enumeration results, and the device's activity log with timestamps.
- Generate the engagement report. The dashboard structures captured data by mode, time window, and data type. Use this structured output as the foundation for your engagement report. Every finding has a timestamp, source mode, and capture context.
- Wipe devices for next engagement. Factory reset both Phantom and Scout devices. Clear all engagement-specific configuration, playbooks, and any locally cached data. Each engagement starts with clean devices -- no data carryover between clients.
- Secure loot handling. Transfer the exported engagement data to your secure reporting environment. Delete the engagement from the dashboard once the report is delivered and the client has accepted findings. Client data retention policies apply -- the dashboard is a working tool, not an archive.