Network Implants

Quick-start checklist

1. Authorization & scope: Only deploy implants in your lab or during an approved engagement.
2. Cabling plan: Verify where the device sits (host ↔ implant ↔ switch). Label ports.
3. Power & persistence: Ensure stable power (PoE or USB) and decide if the device should persist settings between boots.
4. Isolation: Prefer a dedicated test VLAN or an isolated switch when doing disruptive experiments.
5. Evidence collection: Save PCAPs, timestamps, and configs to back up findings and training outcomes.

Primer: tap vs bridge vs in-line NIC

Network implants usually operate in one of three modes:

• Passive tap: Observes traffic without forwarding (requires specialized hardware splitters or SPAN ports).
• Bridge (inline): Sits between host and switch, forwarding frames while optionally capturing or filtering.
• Emulated NIC: Poses as a USB/Ethernet adapter to the host for quick recon or scripted actions.

Common lab workflows

1) One-click packet capture (PCAP)

• Place the implant between a test workstation and a lab switch; start capture to storage.
• Filter for protocols of interest (DHCP, mDNS/SSDP, SMB, HTTP, TLS handshakes) for asset discovery and UX testing.

2) Quick recon & inventory

• Leverage built-in discovery scripts to enumerate hosts, open ports, and broadcast services in a test VLAN.
• Export summaries or CSVs for documentation and blue-team runbooks.

3) Controlled MITM lab

• In an isolated environment, demonstrate how bad TLS/cert validation or legacy protocols can be abused.
• Use this to train teams to spot warnings and enforce policy (HSTS, certificate pinning, SMB signing).

4) Out-of-band management / payload staging

• Use a separate management interface or Wi-Fi control (where supported) to manage the implant.
• Keep payloads benign and reversible; aim for awareness training, not disruption.

5) Time-boxed monitoring

• Capture during a defined window to baseline normal traffic in a lab, then compare after policy changes.

Blue-team defenses & hygiene

• Port security: Enable sticky MAC / 802.1X / DHCP snooping / DAI as appropriate.
• Network segmentation: Separate guest/IoT; restrict lateral movement; use private VLANs where useful.
• Egress controls: Limit outbound management traffic; block unexpected tunnels.
• Asset controls: Maintain tamper-evident cabling and switchport inventories for critical paths.
• Detection: Alert on new MACs behind the same port, ARP anomalies, or unusual DNS patterns.

Troubleshooting

• No link: Check cables, port speeds/duplex, PoE power, and whether the implant is in the correct mode (tap vs bridge).
• Packet loss: Reduce capture filters or write speeds; use faster storage; ensure hardware offload isn’t interfering.
• Can’t reach management UI: Confirm management IP/VLAN; avoid overlapping DHCP; consider a dedicated OOB link.
• Blocked by NAC: In enterprise, NAC/802.1X may prevent bridging—use a dedicated lab switch and accounts.

FAQ

Is a packet capture legal on my network?

Only with explicit authorization and in line with policy. In shared environments, assume traffic is sensitive—use lab VLANs and synthetic data.

Do these devices bypass TLS?

Not by default. In a controlled lab you can demonstrate failures in certificate validation or legacy protocols, but production traffic must remain protected.

Are these the same as SDRs?

No—these operate at the Ethernet layer (wired), not RF. They complement your wireless tooling.

Useful references

• Switch hardening guides (port security, DHCP snooping, 802.1X)
• PCAP analysis primers (Wireshark display filters, Zeek quickstart)
• Secure web policy: TLS, HSTS, certificate pinning, SMB signing