
Example Payloads

Building rich logic into target-side scripts allows rapid development of payloads that are better suited for client-side penetration tests. These payloads may take advantage of the fact that they can execute without a permanent network connection to the penetration tester. This is useful when attacking mobile clients such as laptops on wireless "hot spot" networks. For example, it may be easiest to compromise an internal network by compromising a laptop with access to that network while the laptop is associated with a "hot spot" wireless network in a coffee shop, airport, or hotel.

An ideal payload for a mobile client would connect back to the penetration tester from whatever network the client was connected to. The payload could monitor the state of the network interfaces, and whenever a network interface became active, it would "phone home" to a server on the Internet. The payload could be configured to automatically terminate at a certain date, coinciding with the end of the penetration testing engagement.

A second payload style that takes advantage of the target-side logic is the "file searcher" payload. This payload would search local documents and files on the target systems' hard drives for key words or patterns. Matching files would be collected, encrypted, and sent to the penetration tester for analysis. Performing the file searching on the target prevents excessive amounts of file data from being sent across the network.

Finally, remote target-side payloads could scan the remote network for other vulnerabilities or automatically gain access to other remote systems. For example, a long-running password brute force may be unreasonable to launch when the penetration tester must be continually connected to the target system. If the process were run autonomously on a compromised system, the attack could proceed while disconnected and report results asynchronously. A similar model would be beneficial for other long-running attacks, such as network sniffing and hosting web exploits on the target network. Hosting web exploits on the target's internal network typically grants the attacker some level of privilege escalation: because the exploits are served from within Internet Explorer's Local Intranet security zone, they gain privileges that an Internet-based web attack would not have.

Dino A. Dai Zovi 2007-07-31