If IT Opened My Backpack, I'd Be Walked Out by Security
I don't have a badge anymore. That's not unemployment, that's survival. If I walked into a corporate office with what I carry every day, I wouldn't make it past the lobby turnstile. The nice lady at reception would smile, security would ask to see inside my bag, and by the time they got to the second zipper pocket I'd be escorted out with my hands visible and my laptop in an evidence bag.
It's not because I'm dangerous. It's because I don't believe in asking permission to understand the systems around me. My backpack isn't a bag. It's a mobile red team lab that smells like canvas, ozone, and the burnt coffee I spilled on it three months ago at Not Just Coffee in Charlotte, NC. It weighs eleven pounds and would trigger every EDR alert in the building.
1. Flipper Zero + Proxmark3 RDV4

The first thing they'd pull out is the Flipper. Matte black, dolphin on the screen judging me. To IT, it's a toy. To me, it's a skeleton key for the physical world.
I keep it in the front pocket next to a pack of gum. It reads the HID badge I cloned from a delivery driver last year just to see if I could. click-click — it emulates the 125kHz signal and the door at my co-working space pops open like it's happy to see me. The Proxmark3 underneath it is bigger, uglier, wrapped in electrical tape. That's for the hard stuff. Mifare Classic, the kind they still use on parking garages in uptown Charlotte because upgrading costs money.
I used it at a hotel last month. Not to steal anything. Just to prove the $300-a-night place was using default keys. The concierge watched me tap my phone to the elevator reader and said "wow, technology." I smiled with my jaw tight. He thinks it's magic, I thought. It's just a key that never got changed.
IT would call this "unauthorized RFID cloning." I'd call it noticing.
2. The O.MG Cable, a Rubber Ducky, and a Bash Bunny That Looks Like a Thumb Drive

Three USB devices, all in a little Pelican micro-case. They look identical to the freebies you get at conferences. That's the point.
The O.MG cable is my favorite. It's a Lightning cable that is also a WiFi implant. Plug it into someone's Mac to "charge your phone real quick" and I've got a keystroke injector sitting on their USB bus broadcasting its own access point named "HP_Printer_4." I've never used it maliciously. I've used it on my own machines at 2am to test how long it takes me to notice. Answer: 14 minutes, because I saw a weird SYN packet in Wireshark.
The Rubber Ducky is older, scuffed. It types at 900 words per minute. My payload opens PowerShell, disables Defender real-time monitoring via registry, curls a script from my Tailscale IP, and closes the window in 6.3 seconds. It's not malware. It's a demonstration of trust.
The Bash Bunny does the same thing but smarter. It can be a keyboard, a network card, a serial device, all at once. IT sees "USB storage device inserted." Windows sees a new Ethernet adapter with a DHCP server handing it a malicious DNS.
If security opened this case they'd see three flash drives. I'd see three different ways to own a domain controller without compiling a single binary. Living off the land starts with bringing your own land.
3. WiFi Pineapple Mark VII + Alfa AWUS036ACH + LAN Turtle

The Pineapple lives in the main compartment wrapped in a Faraday sleeve that smells faintly of metal and cheap cologne from the guy who sat next to me on the light rail. It's a router that lies for a living.
I turn it on in coffee shops and watch phones auto-connect to "attwifi" and "xfinitywifi" because those SSIDs are burned into everyone's saved networks. Bettercap runs on it now, not the stock firmware. It does ARP poisoning, DNS spoofing, captures handshakes. I don't steal passwords. I collect the metadata of who is desperate enough to connect to anything.
The Alfa is the big antenna, 2.4 and 5GHz, with a magnetic base I stick to filing cabinets. With Kismet running on my laptop, it maps every access point in a three-block radius. I found a fake cell tower outside a WeWork last year because the signal strength didn't decay right. Nobody else noticed. They were too busy on Slack.
The LAN Turtle is smaller than a Bic lighter. You plug it into an ethernet port in a conference room, it phones home over 4G, and gives you a remote shell through someone else's network. I keep it for "emergencies." The emergency being I want to see if the cleaning crew unplugs things at night.
IT would call this a rogue AP and a hardware implant. I'd call it situational awareness.
4. Raspberry Pi Zero in an Altoids Tin

The tin is beat up, the mints long gone, replaced by a Pi Zero W, a 128GB SD card, and a tiny LiPo battery. It runs Kali headless. I call it "guest_wifi."
I drop it behind TVs in lobbies, plug it into USB ports on smart displays, leave it in drop ceilings with a magnet. It boots in 22 seconds, joins the nearest open network, and opens a reverse shell over Tor to my box two states away. Total cost: $28.
It has one job: be patient. It sits there for weeks, running tcpdump, logging mDNS broadcasts, watching for printers that still have default admin panels. Last time I retrieved one, it had captured a facilities manager logging into a building automation system over HTTP. Username: admin. Password: admin1234.
The smell when I open the tin is solder and peppermint oil that never quite left the metal. IT would call it a persistent threat. I call it a reminder that physical security is a myth.
5. SouthOrd Lockpicks, Shims, and a Bogota Set

Not digital, but more damning in an office. The leather case is worn soft at the edges from riding in my bag.
I learned to pick locks because I got tired of waiting for someone with a badge. Most office doors in Charlotte are Schlage or Kwikset, both trivial. The server closet at my old gym used a Master Lock No. 3. I opened it in eight seconds while holding a protein shake.
The shims are for filing cabinets. The bypass tools are for those cheap latch guards they put on "secure" rooms. I don't break in to steal. I break in to prove the lock was theater. Once inside, I usually just take a photo of the unpatched Windows 7 box running the HVAC and leave.
Security would see burglary tools. I see the physical layer of the OSI model that everyone pretends doesn't exist.
6. Faraday Bag, Burner Phones, and a Deauther

The Faraday bag is Mission Darkness, matte black, big enough for a laptop. When my phone goes in, it stops existing. No cell, no WiFi, no Bluetooth, no GPS. I use it on the train when I don't want my location history to have opinions about where I go.
Inside are two Nokia 105 burners, $19 each, paid cash at a gas station on Wilkinson. One has a SIM from Mint, the other from T-Mobile prepaid. I rotate them monthly. They are for 2FA codes, for calling back numbers that show up in OSINT, for being a person who isn't me.
The deauther is a DSTIKE watch. Looks like a cheap smartwatch, actually sends 802.11 deauthentication frames. I use it to kick my own devices off networks to test reconnection behavior. Also useful when the guy next to you at the airport is watching TikTok at full volume. bzzt — his phone drops WiFi. He looks confused. I keep reading.
IT would call this evasion and denial of service. I'd call it choosing when I'm visible.
7. The Laptop That Ru(i)ns Everything

It's a ThinkPad X1, running Qubes with Windows and Kali VMs. The stickers are gone, the camera is physically disconnected, the microphone has a hardware kill switch I installed myself. The SSD is encrypted with VeraCrypt, hidden OS partition, plausible deniability.
This is where Wireshark lives. Where Bettercap lives. Where my local Claude wrapper lives, trained on ten years of my notes in Obsidian and Trilium. It doesn't touch the cloud unless I wrap it in proxychains and Tor. It knows my writing style better than my mother does.
On here is ffuf, dirbuster, subfinder, amass, recon-ng, Maltego. I map companies for fun. Not to attack them. To see how much of themselves they've left on the sidewalk. Last week I found a Jenkins server for a fintech startup with no auth, just sitting on a subdomain they forgot to delete. I didn't touch it. I sent them an anonymous email from the burner. They fixed it in three hours.
Also on here: Ghidra, Binwalk, ExifTool. I don't trust files. A PDF resume once tried to phone home to a marketing tracker. I stripped it, rebuilt it, sent it back clean.
If IT imaged this machine they'd find no corporate antivirus, no MDM, no Intune, no CrowdStrike. They'd find custom scripts that kill telemetry, firewall rules that block Microsoft endpoints, and a hosts file that redirects half the internet to 0.0. They'd find evidence of intent. Not malice. Intent to be left alone.
Final Thoughts
None of this is about crime. It's about the same thing the last guide was about: control. I carry these tools because the world is built on systems that assume you won't look too closely. Badge readers that trust any card. WiFi that trusts any name. USB ports that trust any device. Laptops that trust any cable.
If I worked in your office, IT would open my backpack during a random bag check and I'd be walked out before lunch. Not because I stole data, but because I brought the ability to prove your security was a PowerPoint deck.
I don't have a boss because bosses require trust in systems I don't trust. I work in the space between packets. Every morning I unzip this bag, smell the ozone and coffee, and boot up Wireshark to hear what my machine is saying before I say anything at all.
If you want to be free, stop asking for permission to carry the tools that let you see clearly. Build a backpack your employer's security team would have a panic attack over. Then learn how to use every single thing in it like it's an extension of your hands.
I just zipped mine shut. The Flipper blinked once from inside, like it was saying goodnight.