Physical Access Red Team

Red Team Dropbox — Raspberry Pi with Tailscale

A Raspberry Pi dropbox that gives you remote access to internal networks using Tailscale. No VPS, no SSH tunnels, no port forwarding.

Raspberry Pi 4
Tailscale VPN
Subnet Routing
SSH Disabled
Red Team Dropbox
Red Team Dropbox built with Raspberry Pi and Tailscale.

1. What Is a Dropbox?

A dropbox is a small device that you plug into a target network during a red team engagement. It sits on the internal network and gives you remote access from anywhere. You can run tools like nmap, Responder, or CrackMapExec through it without being on site.

The setup is simple: a Raspberry Pi with an Ethernet connection and a way to reach it from the internet.

Raspberry Pi Zero and Wi-Fi Adapter
Raspberry Pi Zero with a USB Wi-Fi adapter.
Raspberry Pi 4
Raspberry Pi 4 inside a case with a fan.

You can use a Raspberry Pi Zero for this with a USB Wi-Fi adapter, or a Pi 4 for more power. I used a Pi 4 for this build.


2. Tailscale vs Reverse SSH

The common approach is to use SSH reverse port forwarding. You set up a VPS with a public IP, and the Pi opens an outbound SSH tunnel to it. Then you SSH into the VPS and get forwarded to the Pi. This works but needs a VPS, SSH key management, and tools like autossh to keep the tunnel alive. The folks at BreachForce have a detailed guide on this method.

We will do the same thing differently. Instead of a VPS and SSH tunnels, we use Tailscale. Tailscale is a mesh VPN built on WireGuard. Every device in your Tailscale network gets a private IP and can reach every other device directly. No port forwarding, no VPS, no complex config.

Here is how they compare:

SSH Reverse Tunnel Tailscale
Needs a VPS with public IP No server needed
Manual SSH key management OAuth login (Google, GitHub, Microsoft)
Tunnel breaks on network drop Auto-reconnects
Needs autossh to stay alive Zero config

3. Hardware

Component Details
Board Raspberry Pi 4B, 4GB RAM
Storage 64GB microSD (Class 10)
Power USB-C 5V/3A adapter
Network Built-in Gigabit Ethernet

4. Flashing the OS

Step 4.1 — Open Raspberry Pi Imager

Download and open Raspberry Pi Imager. The homepage looks like this:

Raspberry Pi Imager Homepage
Raspberry Pi Imager v1.8.5 homepage.

Step 4.2 — Select the OS

Click Choose OS and select Raspberry Pi OS Lite (64-bit). This is the headless version with no desktop, which is all we need.

Select OS for Flashing
Selecting Raspberry Pi OS Lite (64-bit) in the Imager.

Step 4.3 — Configure and Flash

Click the gear icon and set:

Select your microSD card as storage and click Write.


5. Installing Tailscale

Step 5.1 — SSH into the Pi

Insert the microSD card into the Pi, connect Ethernet, and power it on. Find its IP and SSH in:

Terminal

Step 5.2 — Install Tailscale

Run the install script:

Terminal
curl -fsSL https://tailscale.com/install.sh | sh

Step 5.3 — Authenticate

Start Tailscale:

Terminal
sudo tailscale up --ssh

This prints a URL in the terminal. Open it in your browser:

Tailscale Authentication URL
Tailscale prints a URL to authenticate the device.

The browser opens the Tailscale website asking you to connect the device to your account:

Tailscale Connect Device
Authorizing the Raspberry Pi in the Tailscale web portal.

Click Connect. The device is now on your Tailscale network.


6. Verifying the Connection

Run ip a or ifconfig on the Pi to see the new Tailscale interface:

Tailscale Interface on Raspberry Pi
The tailscale0 interface with its Tailscale IP address.

The Pi gets a 100.x.x.x IP address on the Tailscale network.

Disable Key Expiry

Go to the Tailscale admin console, find your device, and click Disable key expiry. This keeps the device connected indefinitely:

Disable Key Expiry
Disabling key expiry on the Tailscale admin dashboard.

Check Local Network Interface

Verify the Pi's local Ethernet IP:

Ethernet Interface on Pi
The eth0 interface shows the Pi's local network IP.

7. Remote Access

On your Windows PC (or any machine with Tailscale installed), check your own Tailscale IP:

Windows Tailscale IP
Windows command prompt showing the Tailscale adapter IP.

Now you can ping the Pi from your Windows machine using its Tailscale IP:

Ping Test to Dropbox
Pinging the Raspberry Pi dropbox from a Windows PC over the Tailscale network.

You can also SSH directly:

Terminal
ssh pi@dropbox-1

Tailscale's MagicDNS resolves the hostname automatically so you do not need to remember the IP.


8. Subnet Routing

This is the most useful feature. Subnet routing lets you access the entire target network from your laptop through the Pi, not just the Pi itself.

Step 8.1 — Enable IP Forwarding on the Pi

Terminal (on Pi)
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

Step 8.2 — Advertise the Target Subnet

Replace 192.168.1.0/24 with the actual subnet of the target network:

Terminal (on Pi)
sudo tailscale up --ssh --advertise-routes=192.168.1.0/24 --accept-routes

Step 8.3 — Approve Routes in Admin Console

Go to the Tailscale admin console, click Edit route settings for your device, and enable the subnet route:

Approve Subnet Routes
Enabling the subnet route in the Tailscale admin dashboard.

Step 8.4 — Accept Routes on Your Laptop

Terminal (on laptop)
# Linux / macOS sudo tailscale up --accept-routes # Windows — Tailscale system tray → Preferences → Use Tailscale subnets

Now from your laptop you can directly access hosts on the target network:

Terminal (on laptop)
nmap -sV 192.168.1.0/24 responder -I tailscale0

The traffic goes from your laptop through the Tailscale tunnel, exits the Pi's Ethernet port, and enters the target network.


9. Conclusion

A red team dropbox does not need to be complicated. A Raspberry Pi, a microSD card, Raspberry Pi OS Lite, and Tailscale are all you need. No VPS, no SSH tunnels, no port forwarding. Tailscale handles all the networking.

For engagements, ship the device to the client. They plug it into a network port. Within 90 seconds you have internal network access from anywhere.

This project was built for educational and portfolio purposes. All testing was performed against my own lab network. No unauthorized access was performed against any external systems.


References