Tools

The hardware and software behind the wayfinder kits. Hardware first — open a device to see the software that pairs with it. Representative, not exhaustive; check current advisories. Repo links go to each project's source.


HARDWARE

ALFA AWUS036ACH HARDWARE Alfa Network site ↗

RTL8812AU dual-band Wi-Fi adapter with monitor mode and injection — the workhorse 802.11 capture/injection radio for surveys and handshake capture.

ApiMote HARDWARE River Loop Security repo ↗

IEEE 802.15.4 / Zigbee sniffing-and-injection hardware (CC2420-based) built as the reference KillerBee radio — it can both capture and transmit frames, which makes it the go-to board for KillerBee's active and attack tools (zbreplay, zbstumbler).

BBC micro:bit HARDWARE Micro:bit Educational Foundation site ↗

A ~$15 nRF51822 board — the reference cheap radio for running Btlejack to sniff, jam and hijack BLE connections.

bladeRF 2.0 micro xA9 HARDWARE Nuand site ↗
56 MHz IBW · up to 122.88 MHz oversampled (8-bit) · 47 MHz–6 GHz

Wideband full-duplex SDR (AD9361). ~56 MHz standard, and since the 2023.02 release an oversampling mode reaches 122.88 MHz instantaneous bandwidth (at 8-bit depth over USB 3.0) — enough to cover the entire 80 MHz BLE band in a single pass.

BomberCat HARDWARE Electronic Cats repo ↗

PN7150-based NFC tool for read/emulate and NFC relay (RelayNFC), plus magnetic-stripe emulation (MagSpoof) to legacy readers.

CatSniffer HARDWARE Electronic Cats repo ↗

CC1352 + RP2040 multiprotocol sniffer; runs Sniffle for modern BT5/4.x LE capture, plus Sub-GHz/Zigbee/LoRa workflows. On Linux it can also present as a virtual HCI host BLE adapter via the catnip tool.

ChameleonUltra HARDWARE RFID Research Group (RRG) repo ↗

HF/LF card emulator (nRF52840) for reader-side testing and credential impersonation; emulates full MIFARE Classic with Crypto1.

CYD — Cheap Yellow Display (ESP32-2432S028R) HARDWARE community (Witnessmenow guide) repo ↗
ESP32-WROOM-32 · 2.8" 240×320 resistive-touch TFT · microSD · ~$15

The ~$15 'Cheap Yellow Display': an ESP32-WROOM-32 board with a built-in 2.8" touch TFT, microSD and USB-UART. Hugely popular as a cheap touchscreen pentest handheld — runs ESP32 Marauder (and CYD-specific forks), Bruce and Ghost ESP with a usable on-screen UI and no soldering. The linked repo is the community hardware/pinout reference.

ESP32 DevKit (WROOM-32 / WROVER) HARDWARE Espressif
Xtensa LX6 dual-core · 2.4 GHz Wi-Fi b/g/n · Bluetooth Classic (BR/EDR) + BLE 4.2

The generic original ESP32 dev board (WROOM-32 / WROVER module) — the cheapest substrate for the umbrella firmwares (Marauder, Bruce, Ghost ESP) and the bare-metal Wi-Fi/BLE tools. Crucially, the ORIGINAL ESP32 is the only variant with a Bluetooth Classic (BR/EDR) radio, so it is also the board the BR/EDR sniffer and BrakTooth PoC run on. A bare board with no screen or SD — add a microSD for capture-to-card firmwares. 2.4 GHz only (no 5/6 GHz).

ESP32-S3 DevKitC HARDWARE Espressif site ↗
Xtensa LX7 dual-core · 2.4 GHz Wi-Fi · Bluetooth 5 (LE) · native USB-OTG

Espressif's ESP32-S3: LX7 dual-core with Bluetooth 5 (LE), native USB-OTG and more RAM than the original ESP32 — which is why most modern handheld pentest boards (Cardputer, LilyGo T-series) are S3-based. Supported by Marauder, Bruce and Ghost ESP, and the BLE-capable target for the focused BLE tools. Note: the S3 has BLE but NO Bluetooth Classic radio — for BR/EDR work use the original ESP32.

Flipper Zero HARDWARE Flipper Devices site ↗
CC1101 transceiver · RX/TX 300–348, 387–464 & 779–928 MHz · OOK/ASK + (G)FSK · handheld

Handheld multitool whose built-in CC1101 transceiver receives and transmits across the 300–348, 387–464 and 779–928 MHz sub-GHz bands — the everyday field radio for reading, saving and replaying garage/gate/doorbell remotes and other fixed-code devices, with no laptop or SDR. OOK/ASK and (G)FSK; its Read mode decodes known protocols and Read RAW captures unknown ones for later replay.

Flipper Zero Wi-Fi Dev Board HARDWARE Flipper Devices site ↗
ESP32-S2-WROVER · 2.4 GHz Wi-Fi only — S2 has NO Bluetooth radio

Official Flipper Zero add-on built on an ESP32-S2-WROVER. Sold for wireless firmware flashing / debugging, but the community flashes ESP32 Marauder onto it to give the Flipper a Wi-Fi attack add-on (deauth, beacon spam, Evil Portal). Because the S2 has no Bluetooth radio, the BLE features are NOT available on this board — it is Wi-Fi only.

Forthink UWB-Dongle-Sniffer HARDWARE Forthink / Everhigh site ↗
Commercial UWB sniffer dongle · FT4222H USB interface · closed hardware

Forthink's commercial UWB-Dongle-Sniffer — a closed, purchased FT4222H-interfaced UWB capture dongle (not open hardware). It is the radio the open Forthink sniffer software and Wireshark plugin run against; the dongle must be bought from Forthink.

HackRF One HARDWARE Great Scott Gadgets repo ↗
~20 MHz IBW · 1 MHz–6 GHz · half-duplex

1 MHz–6 GHz half-duplex SDR — the discovery radio for 'Rapid Radio Reversing': find and characterise an unknown signal before working it with a narrowband tool.

LilyGo T-Embed CC1101 HARDWARE LilyGo site ↗
ESP32-S3 (16 MB flash / 8 MB PSRAM) · rotary encoder · LCD · IR TX/RX · onboard CC1101 sub-GHz

LilyGo handheld on an ESP32-S3 with a rotary encoder, LCD, IR and an onboard CC1101 sub-GHz transceiver. The CC1101 makes it a favourite Bruce target because one device covers Wi-Fi/BLE AND sub-GHz/IR. (The CC1101 sub-GHz capability is separate from the 2.4 GHz ESP32 radio used by the Wi-Fi/BLE attacks here.)

M5Stack Cardputer HARDWARE M5Stack site ↗
M5StampS3 (ESP32-S3) · 56-key keyboard · 1.14" LCD · microSD · IR · battery

Pocket keyboard-computer on the M5StampS3 (ESP32-S3): full keyboard, LCD, microSD, IR and battery in a card-sized case. A pentest-community favourite chassis — runs ESP32 Marauder, Bruce and Ghost ESP out of the box (Marauder added Cardputer ADV support in v1.12.0). Bruce's flagship target.

Makerfabs ESP32 UWB DW3000 HARDWARE Makerfabs repo ↗
ESP32 + Qorvo DW3000 (DW3110) · IEEE 802.15.4z BPRF · UWB ch 5 / ch 9 · Arduino/ESP-IDF

Low-cost open hobbyist board pairing an ESP32 with a Qorvo DW3000 (DW3110) UWB transceiver — the accessible way to bring up two-way ranging and tag/anchor positioning experiments in the Arduino/ESP-IDF ecosystem. Open example firmware and an Arduino DW3000 library ship in the Makerfabs GitHub repo. A development/ranging board, not a turnkey sniffer; use it to learn the radio, characterise a scheme's parameters, or build a controllable peer for authorised testing.

Minino HARDWARE Electronic Cats repo ↗

ESP32-C6 pocket multitool (GPS, microSD, OLED). For Wi-Fi (2.4 GHz only) it does wardriving, an AP/SSID sniffer with Wireshark-compatible output, a deauther and console-driven DoS, an analyzer, SSID spammer, and Wi-Fi deauthentication detection. It also has a native BLE suite — an advertising scanner, tracker/AirTag detection, BLE notification spam and BLE HID — plus 802.15.4 (Zigbee/Thread) field recon.

Murata Type 2BP UWB module HARDWARE Murata (NXP Trimension SR150) site ↗
NXP Trimension SR150 chipset · FiRa Certified · UWB ch 5 / ch 9 (6.25–8.25 GHz) · two-way ranging + 2D/3D Angle-of-Arrival (up to 3 antennas) · SPI

A compact production UWB module built on NXP's Trimension SR150 (not a DW3000) — included here because the NXP UWB silicon family is the other half of the deployed ecosystem (NXP chips feature in car digital-key and phone designs, and inter-operate with Apple U1 in the Ghost Peak results). FiRa Certified, supports two-way ranging and 2D/3D Angle-of-Arrival with up to three antennas. A module for building/representing an NXP-based ranging peer; identify it by its SR150 silicon rather than assuming every UWB target is a Qorvo DW3000.

nRF52840 Dongle HARDWARE Nordic Semiconductor site ↗

Low-cost Nordic nRF52840 USB dongle; hosts the nRF Sniffer firmware (with the Wireshark plugin) and the InjectaBLE injection firmware.

Orbic RC400L hotspot HARDWARE Orbic site ↗
LTE Cat-4 mobile hotspot · Qualcomm modem (/dev/diag)

Low-cost (~US$20–30) Qualcomm-based LTE mobile hotspot (also branded Kajeet RC400L) that exposes a /dev/diag diagnostic interface — the reference, best-tested hardware for running EFF's Rayhunter IMSI-catcher detector. The TP-Link M7350 is also supported; in principle any device with a Qualcomm modem exposing /dev/diag may work.

PN532 / ACR122U USB NFC reader HARDWARE generic (NXP PN532 / ACS) site ↗

Cheap USB 13.56 MHz HF reader (ACR122U / PN532 breakout) — the standard libnfc target for reading and dumping ISO 14443-A MIFARE cards and for running the mfoc/mfcuk crackers. HF only; no LF, and weaker than a Proxmark for adversarial work.

Proxmark3 HARDWARE RFID Research Group (Iceman fork) repo ↗

The reference RFID/NFC tool: LF+HF, full MIFARE Crypto1 attack suite (darkside/nested/hardnested), read/write/emulate. The Iceman fork is the actively maintained client/firmware.

Qorvo DWM3000EVB HARDWARE Qorvo (Decawave) site ↗
Arduino-shield eval board · DWM3000 module (DW3110 transceiver) · IEEE 802.15.4z BPRF · UWB ch 5 (6.5 GHz) / ch 9 (8 GHz) · FiRa PHY/MAC, Apple U1/U2 interop

The reference DW3000-family UWB development shield: a DWM3000 module (DW3110 second-generation impulse-radio transceiver) on an Arduino form factor. Designed against the FiRa PHY/MAC and interoperable with Apple's U1 & U2 chips, on channels 5 (6.5 GHz) and 9 (8 GHz). Drive it from a host MCU (e.g. a NUCLEO-F429ZI or nRF52840) to range, log or — with the SEEMOO sniffer firmware — capture 802.15.4z frames. The same board (a ~$65 EVB + nRF52DK) was the attack platform in the Ghost Peak research.

Qorvo MDEK1001 kit HARDWARE Qorvo (Decawave) site ↗
12 × DWM1001-DEV boards (DW1000 transceiver) · nRF52832 host · RTLS anchor/tag/bridge · IEEE 802.15.4-2011 UWB

The classic first-generation Decawave/Qorvo RTLS development kit: twelve enclosed DWM1001-DEV boards (each a DW1000 UWB transceiver plus an nRF52832 host), configurable as anchors, tags or bridge nodes to stand up a real-time location system out of the box. DW1000 is the older generation — it predates the 802.15.4z STS security enhancements that the DW3000 family adds — so it is ideal for learning UWB ranging mechanics, less so for assessing modern secure-ranging schemes. Note: end-of-life as of Dec 2025 (last orders mid-2026); Qorvo points new designs at the QM33-series kits.

Quectel RM500Q-GL HARDWARE Quectel site ↗
5G NR Sub-6 (FR1) module · Qualcomm Snapdragon X55 (SDX55) · NSA/SA

Commercial 5G NR Sub-6 (FR1) modem module built on the Qualcomm Snapdragon X55 (SDX55). Being Qualcomm-based it exposes a DIAG interface, so QCSuper can pull raw 5G/LTE signalling off it into Wireshark — a no-SDR route to 5G control-plane frames (5G frame coverage is modem/firmware-dependent).

RAK WisGate Connect HARDWARE RAKwireless site ↗
Raspberry Pi CM4 · SX1302/SX1303 concentrator · multi-channel LoRaWAN gateway

RAKwireless multi-channel LoRaWAN gateway built on a Raspberry Pi CM4 with an SX1302/SX1303 concentrator. Receives every LoRaWAN channel at once and feeds frames over the Semtech UDP packet forwarder — the gateway ChirpCat is designed to run on for uplink/downlink capture.

RTL-SDR Blog V4 HARDWARE RTL-SDR Blog site ↗
~2.4 MHz BW · 500 kHz–1.766 GHz · RX only

Budget RX-only dongle. Does NOT reach 2.4 GHz, so it cannot receive BLE, Wi-Fi or Zigbee — but it is a fine cheap receiver for sub-GHz, LoRa and ADS-B (1090 MHz).

SignalSDR Pro HARDWARE Signalens site ↗
61.44 MHz BW · 70 MHz–6 GHz · 2TX/2RX

AD9361-based SDR in a Raspberry-Pi form factor (Zynq 7020); the widest instantaneous bandwidth in this list at 61.44 MHz, and it can emulate a USRP B210 / ADALM-Pluto. Newer/emerging product — verify ice9 support and availability before relying on it.

Silicon Labs UZB-7 Z-Wave 700 Stick (SLUSB001A) HARDWARE Silicon Labs site ↗
EFR32ZG14 Z-Wave 700 SoC · Serial API over USB (CP2102N VCOM) · firmware-upgradeable

Silicon Labs' EFR32ZG14 USB stick that exposes the Z-Wave Serial API to a host — the controller adapter the Z-Wave PC Controller drives, and (re-flashed with Zniffer firmware) the capture adapter for the Z-Wave Zniffer. The official native-radio hardware for both vendor tools, ~US$21.

SIMCom SIM7600 HARDWARE SIMCom site ↗
LTE Cat-4 modem · multi-band sub-6 GHz

Low-cost commercial SIMCom LTE Cat-4 modem (Qualcomm MDM-based). Reports serving- and neighbour-cell information through its own AT command set — AT+CPSI? returns the system mode, operator (MCC-MNC), LAC, Cell ID, band and EARFCN — a no-SDR way to read which cell a target is on and identify it. Because the baseband is Qualcomm and exposes a /dev/diag port, the same module can also feed QCSuper to capture raw cellular signalling.

STM32WLxx LoRa board HARDWARE STMicroelectronics site ↗
STM32WL SoC · integrated sub-GHz LoRa/(G)FSK radio

Any STM32WLxx-based board (e.g. Nucleo-WL55JC, Seeed LoRa-E5) — an Arm Cortex-M4 with an integrated sub-GHz radio. Flashed with WHAD's stm32wlxx-firmware it becomes a WHAD-driven LoRa/LoRaWAN sniff-and-inject radio.

TI CC2531 USB dongle HARDWARE Texas Instruments site ↗
2.4 GHz 802.15.4 USB dongle · capture-only

Cheap TI CC2531 USB dongle flashed with packet-sniffer firmware — a 2.4 GHz 802.15.4 capture-only radio (no injection). Bridged to Wireshark by whsniff.

u-blox NEO GPS/GNSS receiver HARDWARE u-blox site ↗
L1 GNSS receiver module (GPS/GLONASS/Galileo/BeiDou); USB or UART/serial; NMEA 0183 + UBX output

The everyday GPS-receiver path: a cheap, common u-blox NEO-class module (NEO-6M / 7 / 8 / 9, often on a USB-serial breakout) that tracks the satellites itself and reports the solved position/time as plain NMEA 0183 sentences (plus binary UBX). This is how most projects 'get GPS': no SDR, no signal processing on your side; the chip does the acquisition and you just read the serial stream. Pair it with an active GPS antenna to get a usable fix near windows and other indoor-adjacent spots.

Ubertooth One HARDWARE Great Scott Gadgets repo ↗

Open BLE/Bluetooth sniffer that follows connections by default (target a BD_ADDR with -t) and captures some Basic Rate Classic. Affordable and battle-tested, but pre-BT5 and weaker on long-lived connections than modern CC1352 sniffers.

USB Bluetooth adapter HARDWARE generic

Any standard USB Bluetooth LE adapter (e.g. a CSR8510-class dongle) provides the host HCI controller that GATT tools like Bleak and bettercap drive.

USRP B210 HARDWARE Ettus Research (NI) site ↗
~56 MHz IBW (30.72 MHz in 2×2) · 70 MHz–6 GHz

Lab-grade full-duplex SDR (AD9361) with a disciplined clock option. Up to ~56 MHz real-time bandwidth (halved to ~30.72 MHz in 2×2 MIMO). A common ice9 target for BLE/BT capture.

WiFi Pineapple HARDWARE Hak5 site ↗

Purpose-built Wi-Fi auditing platform that automates evil-twin, capture and recon workflows.

YARD Stick One HARDWARE Great Scott Gadgets site ↗

CC1111 sub-GHz transceiver (300–928 MHz) driven by rfcat — receive, replay and transmit OOK/ASK/FSK from a Python shell. The reference cheap Sub-GHz work tool, paired with a HackRF for discovery.

SOFTWARE & PROJECTS

5Ghoul SOFTWARE ASSET Research Group (SUTD) repo ↗

5G NR attack and fuzzing suite that disrupts COTS smartphones (Qualcomm, MediaTek basebands) from a malicious gNB: a set of pre-authentication RRC/NAS vulnerabilities plus a 5G fuzzer, run on top of an OpenAirInterface gNB. For authorised, RF-contained testing of a UE's resilience to a hostile base station.

5Greplay SOFTWARE Montimage repo ↗

5G network-traffic fuzzer and replay engine (built on Montimage's MMT). Takes captured 5G control-/data-plane traffic, lets you write rules to modify fields, and replays the altered packets — online or offline — toward a target 5G component (AMF/SMF over NGAP/SCTP, or a gNB) for protocol fuzzing and attack-injection testing. Operates on traffic, not radio: it consumes a capture (e.g. from Wireshark) and a target core, no SDR.

5GSniffer SOFTWARE Sprite Lab (Northeastern University) repo ↗

Open-source 5G NR Physical Downlink Control Channel (PDCCH) blind decoder: passively recovers the Downlink Control Information (DCI) and the RNTIs active in a cell, exposing scheduling/identity activity for traffic analysis. Written in C++ on srsRAN libraries; FDD, FR1 sub-6 GHz. Research-grade — the current release recommends working from a recorded I/Q file rather than live SDR, and live capture needs extra setup.

ADSB-Out PROJECT Linar Yusupov (lyusupov) repo ↗

A Python encoder that builds forged 1090ES ADS-B Extended Squitter frames (chosen ICAO address, position, altitude) into an I/Q sample file for transmission by a TX-capable SDR (HackRF via hackrf_transfer). The concrete way to demonstrate ADS-B spoofing/injection — there is no authentication on the link, so a higher-power forged frame is accepted as a real aircraft. Author states it is for academic purposes only. AUTHORIZED, RF-CONTAINED testing only: never radiate on-air — use a shielded enclosure or a conducted (cabled) setup. Stable but inactive (last commit ~2021).

aircrack-ng SOFTWARE open source site ↗

The classic 802.11 suite: monitor-mode capture, deauth, handshake capture and offline cracking (with hashcat for modern WPA).

AppleJuice PROJECT ECTO-1A repo ↗

The original Apple BLE proximity-pairing message-spoofing research/PoC (~1.9k stars, Apache-2.0, last push 2024-06) — the upstream source of the 'Apple BLE spam' payloads reused by Marauder, Bruce, Ghost ESP and EvilAppleJuice. A reference corpus rather than a polished tool; payloads date as Apple patches, so treat as representative, not current.

bettercap SOFTWARE bettercap repo ↗

Network attack/recon framework with a BLE module for device discovery and GATT enumeration, plus Wi-Fi recon and handshake capture.

Bleak SOFTWARE open source (Henrik Blidh) repo ↗

Cross-platform async Python BLE GATT client (Windows/Linux/macOS): discover, connect, read/write/subscribe characteristics. The fastest way to script application-layer interaction and replay learned commands.

BrakTooth (ESP32 PoC) PROJECT Matheus Garbelini repo ↗

The public PoC release for the BrakTooth family of Bluetooth Classic baseband/LMP vulnerabilities — roughly 16 CVEs and 20+ attack variants against the BR/EDR controllers of dozens of SoCs (Espressif ESP32, Intel AX200, Qualcomm, Cypress/Infineon, TI CC2564 and more). Built on the patched-ESP32 sniffer; the attacks range from crash/DoS to, on some targets, RCE. Representative — check vendor advisories for current patch status. Authorised testing only, against devices you own or are contracted to assess.

Bruce PROJECT BruceDevices (pr3y) repo ↗

Predatory ESP32 red-team multitool firmware (~5.9k stars, AGPL-3.0; the repo moved from pr3y/Bruce to the BruceDevices org, the old path redirects). Wi-Fi: Evil Portal, wardriving, EAPOL handshake capture and deauth. BLE: scan, pairing-popup spam (AppleJuice / Sour Apple / Swift Pair / Android / Samsung) and Bad BLE (HID injection over a bonded link). Also drives sub-GHz, IR and RFID where the board supports it. Targets M5Stack and LilyGo boards plus the CYD. Authorised testing only.

Btlejack SOFTWARE Damien Cauquil (virtualabs) repo ↗

Sniff, jam and hijack BLE connections from low-cost hardware (BBC micro:bit / nRF51822). Established the practical jam-and-hijack technique for taking over a live connection.

catnip SOFTWARE Electronic Cats repo ↗

The CatSniffer V3 host toolset (CatSniffer-Tools / catnip): one CLI over the CatSniffer that manages firmware and captures across protocols. It sniffs BLE (via the Sniffle firmware), IEEE 802.15.4 Zigbee/Thread and LoRa straight into Wireshark over an extcap; its cativity mode shows live 802.15.4 channel activity and Zigbee/Thread network topology; its SX1262 spectrum analyzer scans the sub-GHz/LoRa bands in real time; it decodes Meshtastic live or offline (trying default PSKs, with a TUI dashboard); the SX1262 reads and transmits (G)FSK packets on 433/868/915 MHz over a scriptable serial bridge; it scans Apple Find My / AirTag devices; and on Linux it presents the CatSniffer as a native HCI (hciX / vHCI) Bluetooth adapter for host tools like Bleak and bettercap.

Chameleon Ultra GUI SOFTWARE GameTec-live repo ↗

Cross-platform Flutter app (Windows, Linux, macOS, Android, iOS/iPadOS) that drives the ChameleonUltra/Lite: read HF/LF cards, manage and write emulation slots, save card data, run the MIFARE Classic dictionary/recovery flow and emulate stored credentials. The host front-end for the otherwise headless Chameleon.

chip-repl (Matter Python controller) SOFTWARE Connectivity Standards Alliance / Project CHIP repo ↗

The Python Matter controller and interactive REPL from the connectedhomeip SDK (src/controller/python, matter-repl.py). Same native CHIP device-controller stack as chip-tool but scriptable: stand up a fabric, commission over BLE, then read/subscribe/write attributes and invoke cluster commands from Python — convenient for automating commissioning-attack and cluster-enumeration workflows and for multi-fabric tests.

chip-tool SOFTWARE Connectivity Standards Alliance / Project CHIP repo ↗

The Matter controller/commissioner CLI from the connectedhomeip SDK (examples/chip-tool). Commissions a Matter device over Bluetooth LE — establishing a PASE (SPAKE2+) session from the setup passcode, handing over Thread/Wi-Fi credentials with `pairing ble-thread` / `pairing ble-wifi` (or `pairing onnetwork` / `pairing code` once on-network) — then drives it with CASE-secured operational commands. Also opens a second commissioning window (`pairing open-commissioning-window`) to test multi-admin. The tool for assessing Matter onboarding and the application-layer cluster interface.

ChirpCat SOFTWARE Electronic Cats repo ↗

LoRa/LoRaWAN discovery, classification and capture platform. Listens to LoRaWAN traffic — both uplink and downlink frames — through a gateway backend (Semtech UDP packet forwarder on port 1700), clusters packets by RF characteristics, scores/classifies targets and dispatches follow/capture tasks to CatSniffer workers. Designed to run on the RAK WisGate Connect (Raspberry Pi CM4).

ChirpStack SOFTWARE ChirpStack (Orne Brocaar) repo ↗

Open-source LoRaWAN Network Server stack (gateway bridge, network server, application server). Provides the network-server side a replay or fuzzing attack is staged against — stand up a ChirpStack instance to model the target's server and observe how it handles replayed, forged or malformed frames.

ClassicBTScan SOFTWARE AntorFr repo ↗

A small Arduino-ESP32 library that performs a true Bluetooth Classic (BR/EDR) inquiry scan via the Bluedroid GAP API — returning each discovered device's MAC address, name, RSSI and Class-of-Device (CoD). The BR/EDR analogue of a BLE advertising scan (MIT, last push 2020). Only finds devices in discoverable / inquiry-scan mode; pin it to a known ESP-IDF as it is unmaintained.

crackle SOFTWARE Mike Ryan repo ↗

Cracks BLE LE Legacy pairing: brute-forces the TK (Just Works / 6-digit PIN), derives the session keys and decrypts the capture. Feed it a PCAP containing the pairing event (e.g. from Ubertooth). Does not apply to LE Secure Connections.

Crocodile Hunter SOFTWARE Electronic Frontier Foundation (EFF) repo ↗

EFF's 4G fake-eNodeB / IMSI-catcher detector: passively monitors LTE broadcast (PCI, EARFCN, SIBs) to fingerprint cell-site simulators (Stingray/Hailstorm class) by their anomalies. Built on srsRAN; the defensive counterpart used to validate that a rogue-eNB test is detectable.

dump1090 (FlightAware fork) SOFTWARE FlightAware (orig. Salvatore Sanfilippo) repo ↗

The classic 1090 MHz Mode S / ADS-B decoder for RTL-SDR. Demodulates the 1 Mbps PPM Extended Squitter, decodes DF17/DF18 frames (ICAO 24-bit address, callsign, position, velocity, altitude) and serves the result over a built-in web map and on Beast/raw/JSON network ports. The maintained dump1090-fa fork is the de-facto reference receiver; pure RX, no transmit.

dump978 (FlightAware fork) SOFTWARE FlightAware (Oliver Jowett) repo ↗

Decoder for the US 978 MHz UAT (Universal Access Transceiver) variant of ADS-B used by lower-altitude general aviation. Demodulates the UAT waveform from an RTL-SDR and decodes the messages, feeding the same maps/aggregators as the 1090 path. Use it alongside dump1090/readsb to cover both ADS-B links; pure RX.

DW3000 driver / firmware (foldedtoad port) PROJECT open source (Callender), on Qorvo dwt_uwb_driver repo ↗

An open port of Qorvo/Decawave's DWM3000 driver and ranging examples (the dwt_uwb_driver API) to the DWS3000 Arduino shield, runnable under Zephyr. The practical glue for bringing up a DW3000 board, configuring its 802.15.4z PHY parameters (channel, preamble, PRF, STS mode), and running two-way-ranging exchanges you can log — the dev-board path for capturing/characterising ranging behaviour. A development driver, not an attack tool.

EAPHammer SOFTWARE s0lst1c3 repo ↗

Targeted evil-twin attacks against WPA2/WPA3-Enterprise (802.1X): stands up a hostile AP/RADIUS to capture EAP (e.g. MSCHAPv2) credentials and run hostile-portal pivots. Built on hostapd-mana.

ESP32 AirTag Scanner PROJECT MatthewKuKanich repo ↗

ESP32 firmware that scans for Apple AirTag / Find My MAC addresses and BLE payloads without an Android phone or nRF Connect (~110 stars, last push 2024-04). Passive scan only — no spoofing or emulation; output over UART. Supports ESP32-WROOM and ESP32-S3. Useful at the survey step to detect trackers in the environment.

ESP32 BlueJammer PROJECT EmenstaNougat repo ↗

An ESP32 driving two nRF24L01+PA+LNA modules to flood the 2.4 GHz ISM band with noise, hopping channels to disrupt Bluetooth Classic (79 ch), BLE (40 ch), Wi-Fi (14 ch) and 2.4 GHz RC/drone links. WARNING: RF jamming is illegal in most jurisdictions (e.g. unlawful in the US under FCC rules) — use only in an RF-shielded / controlled environment for authorised resilience testing. Requires two nRF24L01+PA+LNA modules in addition to the ESP32.

ESP32 Bluetooth Classic Sniffer SOFTWARE Matheus Garbelini repo ↗

The reference active BR/EDR sniffer on commodity ESP32 hardware (~$4–10; ~590 stars, GPL-2.0). It patches the ESP32 ROM Bluetooth stack to dump baseband packets — BT header, channel, device role, FHS, ACL and LMP — over USB serial to a host Python tool (BTSnifferBREDR.py) with Scapy/Wireshark output. This is Bluetooth CLASSIC (BR/EDR), not BLE. It actively connects to the target, so authorised testing only.

ESP32 Deauther (GANESH-ICMC) PROJECT GANESH-ICMC repo ↗

An ESP-IDF port of the Spacehuhn deauther to the ESP32, built on the esp_wifi_80211_tx frame-injection function — the canonical bare-ESP32 deauth path referenced by risinek's penetration tool. NOTE: unmaintained since 2021 and ships no license file; confirm it builds against a current ESP-IDF before relying on it. (The famous Spacehuhn esp8266_deauther is ESP8266-only and does not run on the ESP32.)

ESP32 Marauder PROJECT justcallmekoko repo ↗

The reference ESP32 Wi-Fi + BLE offensive/defensive firmware (~11k stars, actively maintained). Wi-Fi: scan APs/stations, packet sniff, GPS wardrive, deauth, beacon spam (list/random), probe-request flood, EAPOL/PMKID capture to SD, and an Evil Portal captive-portal credential harvester. BLE: scan/sniff, wardrive, AirTag sniff and spoof, and advertising spam (Apple/Sour Apple, Samsung, Swift Pair). Runs on ESP32/S2/S3/C5 and 20+ boards (Cardputer, CYD, Flipper Wi-Fi dev board) — but NOT the ESP32-C6. 2.4 GHz only. Representative of the ESP32 attack surface — authorised testing only on active features.

ESP32 Sour Apple PROJECT RapierXbox repo ↗

A focused PoC that crashes/freezes iOS devices by flooding them with BLE pairing-request advertisements (~595 stars, GPL-3.0). Tested on ESP32-S3 and ESP-WROOM-32 (an ESP8266 cannot run it — no BLE radio). Genuinely disruptive — it can freeze nearby iPhones — so authorised testing only, on hardware you own. Target/payload effectiveness dates as Apple patches.

ESP32 Wi-Fi Penetration Tool PROJECT risinek repo ↗

Focused ESP-IDF framework for ESP32 Wi-Fi attacks (~2.9k stars, MIT, last push 2024-02). Captures WPA/WPA2 PMKIDs and 4-way handshakes (passively, via a rogue duplicate AP, or by forcing re-auth), formats captures to PCAP and converts them to a hashcat-ready HCCAPX; also runs deauthentication and DoS attacks. Driven entirely from an on-device management-AP web UI — no screen needed. Includes a WSL bypasser to emit arbitrary 802.11 frames on a plain ESP32.

ESP32-BT-exp SOFTWARE esp32beans repo ↗

An Arduino-ESP32 sketch that brings up the Bluedroid stack in dual-mode (Classic + BLE) and dumps discovered devices in pairing/inquiry mode (MIT). Discovery only — no pairing or connection. Classic (BR/EDR) discovery needs the original ESP32, not the C-series, which has no Bluetooth Classic radio.

EvilAppleJuice-ESP32 PROJECT ckcr4lyf repo ↗

A self-contained ESP32 sketch that spams Apple BLE proximity-pairing messages — the 'connect AirPods / setup' style popups — on nearby iOS devices (~2.1k stars). Single-purpose Apple advertising spam, derived from the AppleJuice proximity-spoof research. Authorised testing only; disruptive to all nearby Apple devices.

EZ-Wave SOFTWARE Joseph Hall & Ben Ramsey (AFIT) repo ↗

The reference open Z-Wave assessment suite (GNU Radio + Scapy-radio): ezstumbler does passive discovery and active network enumeration, ezrecon interrogates a device (manufacturer/model, firmware version, supported command classes, configuration), and ezfingerprint identifies the Z-Wave module generation via a PHY preamble-length manipulation. Default config drives two HackRF One SDRs. Python 2.7 / GNU Radio 3.7 era — dated but still the canonical exploitation toolkit.

FALCON SOFTWARE falkenber9 (TU Dortmund) repo ↗

Fast Analysis of LTE Control channels — built on srsRAN to blind-decode the entire PDCCH in real time, exposing every DCI/RNTI scheduling grant in a cell. A passive view of live control-channel activity and resource usage.

Flipper Zero firmware SOFTWARE Flipper Devices repo ↗

The open-source firmware that runs the Flipper Zero's Sub-GHz app: Read (decode a known protocol), Read RAW (capture an unknown signal as raw timings), Save and Send (replay/emulate a saved signal), and a manual virtual-remote builder. The official firmware deliberately refuses to save or replay rolling-code signals (e.g. KeeLoq) as a built-in safety limit — capture-and-replay works on fixed-code devices, not rolling-code ones, on stock firmware.

Forthink UWB Sniffer (software + Wireshark plugin) SOFTWARE Forthink / Everhigh repo ↗

Open-source host software and a Wireshark plugin (forthink-xyz/uwb-sniffer-wireshark) that monitor and decode CCC, FiRa and IEEE 802.15.4a/z UWB — including parameters for Apple Car-Key and AirTag/Nearby-Interaction (FiRa) traffic. Caveat: the software is open but it REQUIRES Forthink's COMMERCIAL UWB-Dongle-Sniffer hardware (an FT4222H-interfaced dongle) — the radio itself is a closed, purchased product, not open hardware. Listed for completeness as the most capable off-the-shelf UWB capture path; it observes frames, it does not defeat STS-protected ranging integrity.

free5GC SOFTWARE free5GC (NYCU/Taiwan) repo ↗
3GPP R15 5G Core · AMF/SMF/UPF/AUSF/UDM

Open-source 3GPP Release-15 5G Core network in Go — AMF, SMF, UPF, AUSF, UDM, NRF and the rest of the SBA. An alternative to Open5GS as the 5GC behind a test gNB (srsRAN/OAI): provision test subscribers, drive 5G-AKA authentication and the NAS-5GS registration procedures, and exercise NGAP between your gNB and core. Standalone (SA) only.

Ghost ESP PROJECT GhostESP-Revival repo ↗

Maintained ESP-IDF revival of Ghost ESP (~740 stars, GPL-3.0). The original Spooks4576/Ghost_ESP is archived (read-only since 2025-04); this Revival fork is the live successor and supports 40+ boards. Wi-Fi: AP/station scan, beacon spam, deauthentication, capture (probe/beacon/deauth/raw to SD) and Evil Portal. BLE: raw scan/wardrive, BLE-to-Wireshark advertising capture, BLE spam and AirTag spoof. Authorised testing only on active features.

GNSS-SDR SOFTWARE CTTC (Carles Fernández-Prades et al.) repo ↗

Open-source software-defined GNSS receiver. Takes raw L-band I/Q from an SDR and runs the full receive chain — acquisition, tracking, telemetry decoding of the navigation message, and PVT (position/velocity/time) computation — for GPS L1/L2/L5, Galileo, GLONASS and BeiDou. The reference way to receive and decode a live civilian GNSS signal in software.

gps-sdr-sim SOFTWARE osqzss (Takuji Ebinuma) repo ↗

Generates a GPS L1 C/A baseband I/Q file from a RINEX broadcast ephemeris and a chosen static or moving position, for transmission by an SDR (HackRF / bladeRF / USRP). Because civilian C/A is unauthenticated, a replayed/synthesised signal at higher power can pull a receiver's position and clock to attacker-chosen values — the canonical GPS spoofing tool. AUTHORIZED, RF-CONTAINED testing only: transmitting GPS over the air is illegal in most jurisdictions — use a shielded enclosure or a cabled (conducted) setup. Repo is archived but remains the de-facto reference.

gpsd SOFTWARE gpsd project (Eric S. Raymond et al.) repo ↗

The GPS service daemon: it reads the NMEA 0183 / UBX stream from a GNSS receiver on a serial or USB port, parses it, and re-serves the solved position/velocity/time to clients over a simple TCP/JSON protocol — with gpsmon and cgps for live terminal display of the fix, satellites and raw sentences. The standard way to consume a real GPS receiver on Linux/BSD and the normal 'see what the receiver reports' tool. Hosted on GitLab/Savannah, not GitHub.

Gqrx SDR SOFTWARE open source repo ↗

Live spectrum + waterfall SDR receiver (HackRF, bladeRF, USRP…) — the quickest way to see what is transmitting and where, and to judge how much of the band a given radio covers.

gr-air-modes SOFTWARE Nick Foster (bistromath) repo ↗

A GNU Radio Mode S / ADS-B receiver: a flowgraph that demodulates 1090 MHz and decodes the Extended Squitter, with a live map output. The choice when you want the signal inside a GNU Radio flowgraph to see and modify each DSP block rather than a black-box decoder. Older codebase (last active ~2021) — a learning/DSP receiver rather than a polished aggregator.

gr-gsm SOFTWARE Piotr Krysik repo ↗

GNU Radio blocks and tools to receive and demodulate the GSM downlink from an SDR. grgsm_livemon tunes a found ARFCN, demodulates the GMSK bursts, decodes the control channels (BCCH/CCCH/SDCCH) and forwards the frames as GSMTAP over UDP to Wireshark. The de-facto open-source GSM receiver, successor to airprobe.

gr-lora_sdr SOFTWARE EPFL TCL (Joachim Tapparel) repo ↗

Full GNU Radio software-defined-radio implementation of a LoRa transceiver, including a complete CSS receiver with synchronisation and CFO/STO correction that decodes correctly even at very low SNR. The reference open-source way to de-chirp and demodulate LoRa off an SDR (HackRF / USRP / bladeRF / RTL-SDR).

gr-lte SOFTWARE KIT Communications Engineering Lab repo ↗

GNU Radio LTE receiver flowgraph: synchronisation, channel estimation and PBCH decoding implemented as composable DSP blocks. A learning/receiver toolkit for understanding the LTE downlink rather than a full SIB/PDCCH suite (last active ~2020).

gr-zwave_poore SOFTWARE Chris Poore (cpoore1) repo ↗

A GNU Radio out-of-tree module that transmits (and helps decode) Z-Wave signals, tested with a USRP B210; integrated into AINFOSEC's FISSURE RF framework. Branches for GNU Radio 3.7/3.8/3.10. A maintained GNU Radio block path for Z-Wave TX when you want a flowgraph rather than the Scapy-radio stack.

hashcat SOFTWARE hashcat repo ↗

GPU-accelerated password recovery. For Wi-Fi, mode 22000 cracks both WPA/WPA2 4-way handshakes and PMKIDs from a .hc22000 hash using dictionary, rule and mask attacks — the fastest offline WPA cracker.

hcxdumptool SOFTWARE ZerBea repo ↗

Capture tool focused on WPA/WPA2 key material: requests the PMKID directly from an AP (often with no connected client) and grabs EAPOL 4-way handshakes, writing pcapng for offline cracking. The clientless PMKID grab is its signature.

hcxtools SOFTWARE ZerBea repo ↗

Companion converters for hcxdumptool captures. hcxpcapngtool turns a captured pcapng into the hashcat/John .hc22000 hash format — the bridge from a raw capture to an offline crack.

hostapd-mana SOFTWARE SensePost repo ↗

SensePost's modified hostapd for Wi-Fi attacks — the 'MANA' rogue AP that lures clients using their probe history and captures Enterprise/EAP credentials. The engine underneath EAPHammer.

ice9-bluetooth-sniffer SOFTWARE ICE9 Consulting (Mike Ryan) repo ↗

SDR-based, Wireshark-compatible all-channel sniffer (HackRF / bladeRF / USRP). Unlike most sniffers it can sniff connections that are already established — invaluable when you cannot catch the connection request. Needs an SDR and GPU/CPU for channelisation.

IMSI-catcher (Oros42) SOFTWARE Oros42 repo ↗

Python tool that reads the GSMTAP stream produced by gr-gsm and pulls the IMSI / TMSI identities the network pages over the air, printing the cellphones it sees around you. A PASSIVE IMSI catcher — it harvests identities off the broadcast/control channels without transmitting anything (no rogue cell); the active catcher is a rogue BTS (osmo-bts / OpenBTS).

InjectaBLE firmware PROJECT Romain Cayre repo ↗

nRF52840-dongle firmware implementing the InjectaBLE strategy: eavesdrop a connection and inject link-layer frames to hijack a role or run a man-in-the-middle.

kalibrate-rtl SOFTWARE steve-m (kalibrate fork) repo ↗

GSM frequency scanner: sweeps a band (GSM850/900/1800/1900) for active base-station carriers by locking onto their FCCH/SCH bursts, reporting each ARFCN, its power and the radio's clock-frequency offset (ppm). The kalibrate-rtl fork drives an RTL-SDR; sibling forks exist for HackRF and UHD. The first step before any capture: it tells you which ARFCNs have a live BTS.

KillerBee SOFTWARE River Loop Security repo ↗

The reference IEEE 802.15.4 / Zigbee security toolkit. A Python framework plus command tools — zbstumbler (active network discovery), zbid (list capture interfaces), zbdump (capture to PCAP), zbwireshark (live feed to Wireshark), zbreplay (replay frames) and zbdsniff (extract a network key from a join capture). Drives a range of capture radios (ApiMote, CC2531, nRF52840, RZUSBstick).

Kismet SOFTWARE Kismet Wireless repo ↗

Passive wireless detector, sniffer and wardriving tool. Channel-hops to log every AP, client and SSID (with GPS) and captures to pcapng without ever transmitting — the reference quiet survey/capture tool. Beyond Wi-Fi it has the widest 802.15.4/Zigbee datasource support of any tool here: a dedicated CatSniffer v3 Zigbee source (channels 12–26) plus nRF52840, CC2531, RZUSBstick, nRF51822 and NXP KW41Z (Kismet git / 2025-10+ releases).

Kraken (A5/1 cracker) PROJECT SRLabs / Joshua Wright fork repo ↗

GPU/CPU cracker that recovers an A5/1 session key from a captured keystream segment using the ~1.6–2 TB A5/1 rainbow tables (the Berlin A5/1 Security Project). Recovers Kc, which decrypts the rest of a captured call/SMS session. Old but the reference open A5/1 attack; requires the bulky precomputed tables and a known-keystream slice from the capture.

libnfc SOFTWARE nfc-tools repo ↗

Platform-independent NFC library and tools (nfc-list, nfc-mfclassic) that drive PN532/ACR122U-class HF readers to read and dump ISO 14443-A MIFARE cards — and the host stack the mfoc and mfcuk Crypto1 crackers build on.

LoRa Wideband Decoder SOFTWARE persistentcache repo ↗

Self-hosted wideband LoRa intercept receiver: streams wideband IQ from a SoapySDR/bladeRF SDR and decodes Meshtastic, LoRaWAN and MeshCore across SF7–SF12 at every standard bandwidth (62.5/125/250/500 kHz) in software, near-real-time, surfacing decoded packets, node identities and a live spectrum waterfall in a local Flask web UI. Captures the whole sub-band at once (~28 Msps on a multi-core host) rather than one channel — validated on bladeRF (native, 28 Msps) and USRP B210/B205mini (SoapyUHD).

Loracrack PROJECT Applied Risk (Sipke Mellema) repo ↗

Proof-of-concept LoRaWAN session cracker that exploits weak or shared Application Keys: given a known/guessable AppKey it derives the session keys from captured packets and validates against the MIC, demonstrating the danger of reused or default AppKeys. Not a brute-forcer of strong AES-128 keys.

LoRAttack SOFTWARE konicst1 repo ↗

LoRaWAN security-assessment toolkit: multi-channel SDR sniffing, session-based capture with automatic handshake storage, session key derivation, Wireshark-compatible PCAP output (LoRaTap DLT), and replay/packet-crafting for vulnerability testing. Built on GNU Radio + USRP; actively under construction.

LoRaWAN Auditing Framework (LAF) SOFTWARE IOActive repo ↗

Tools to craft, parse, send, analyse and crack LoRaWAN packets to audit or pentest a LoRaWAN infrastructure — MIC recomputation/validation, key-candidate testing and frame forging.

LTESniffer SOFTWARE KAIST SysSec repo ↗

Open-source LTE downlink/uplink eavesdropper: decodes PDCCH DCIs and the scheduled PDSCH/PUSCH of a cell, recovering RNTIs and per-UE scheduling information passively. Built for security research on a USRP-class SDR.

Marauder UI (Android) SOFTWARE Electronic Cats repo ↗

Electronic Cats' Android companion app that drives an ESP32 Marauder board over a phone UI instead of the on-device screen. A host front-end for the Marauder firmware (not a firmware or a board itself) — the EC tie-in to the ESP32 Marauder ecosystem.

Matter Distributed Compliance Ledger (DCL) PROJECT Connectivity Standards Alliance repo ↗

The CSA-run public ledger (Cosmos SDK / CometBFT) of Matter device data: vendor and product info keyed by Vendor ID (VID) and Product ID (PID), certification status, and the Product Attestation Authority (PAA) root certificates that commissioners trust for device attestation. At Identify, the DCL turns the VID/PID read off a device's onboarding payload into a known vendor/product and certification record — and a Test-Vendor VID (0xFFF1–0xFFF4) on a 'production' device is an immediate red flag.

Matter SDK (connectedhomeip) PROJECT Connectivity Standards Alliance / Project CHIP repo ↗

The official open-source Matter (formerly Project CHIP) SDK from the Connectivity Standards Alliance. Provides the device stack, example apps and the chip-tool controller — the reference codebase for building and exercising Matter-over-Thread and Matter-over-Wi-Fi nodes and their commissioning.

MDK4 SOFTWARE aircrack-ng repo ↗

802.11 stress-testing and DoS toolkit: deauthentication floods, beacon floods (fake SSIDs), authentication floods, probe and other attacks — for testing how an AP and clients hold up under adversarial traffic.

MFCUK SOFTWARE nfc-tools repo ↗

MiFare Classic Universal toolKit implementing the darkside attack to recover a first Crypto1 key when no default key works — the bootstrap that lets mfoc finish the rest. Runs on a libnfc PN532/ACR122U reader.

mfdread SOFTWARE Anton Shipulin (zhovner) repo ↗

Parses MIFARE Classic 1k/4k dumps into human-readable form — per-sector data, keys A/B and access-condition bits — so a recovered dump becomes readable application data.

mfoc SOFTWARE nfc-tools repo ↗

MIFARE Classic Offline Cracker: given at least one known sector key it runs the nested attack to recover all remaining Crypto1 keys and dump the card, over a libnfc-driven PN532 reader. Default/transport keys are tried automatically.

MobileInsight SOFTWARE MobileInsight (UCLA/Purdue) repo ↗

Passive UE-side cellular analyzer: decodes the device's own LTE control-plane messages (RRC, NAS, paging, measurement reports) from a diagnostic feed, so you can observe paging/tracking and measurement behaviour and confirm the effect of an attack from the victim UE's perspective.

nRF Sniffer for 802.15.4 SOFTWARE Nordic Semiconductor repo ↗

Nordic firmware plus a Wireshark extcap plugin and Python script for the nRF52840 (DK or Dongle) that sniffs raw IEEE 802.15.4 frames straight into Wireshark. The turnkey capture path for Thread/Zigbee on Nordic hardware; supply the Thread network key in Wireshark to decrypt.

nRF Sniffer for Bluetooth LE SOFTWARE Nordic Semiconductor site ↗

Vendor BLE sniffer firmware (nRF52 DK / dongle) with a Wireshark plugin. Easy and well-documented, but follows a single connection and is less capable than Sniffle for adversarial work.

Open5GS SOFTWARE Open5GS repo ↗

Open-source C implementation of the EPC (and 5G Core): MME/HSS/SGW/PGW for LTE. Paired with srsENB it provides the core network behind a test/rogue eNodeB so you can provision test subscribers and drive attach/authentication/identity NAS procedures end-to-end.

OpenAirInterface (OAI) SOFTWARE OpenAirInterface Software Alliance repo ↗

Full open-source LTE/NR RAN and core reference stack (eNodeB/gNB, UE and EPC). A second independent platform — alongside srsRAN — for standing up a test/rogue eNodeB on a TX-capable SDR and for RRC/NAS signalling experiments and protocol fuzzing in an authorised lab.

OpenBTS SOFTWARE Range Networks repo ↗

The original 'GSM in a box': a single application that presents a GSM air interface on a USRP and routes calls/SMS over SIP/Asterisk, replacing the traditional RAN+core. A self-contained alternative to the Osmocom stack for fake-BTS / IMSI-catcher work; build via the RangeNetworks 'dev' environment.

OpenHaystack PROJECT SEEMOO Lab (TU Darmstadt) repo ↗

Academic framework for tracking personal BLE devices via Apple's Find My network (~13k stars, AGPL-3.0). It ships ESP32 (and nRF51822) firmware that advertises as a Find My beacon, so an ESP32 can act as a DIY 'AirTag' — the AirTag/Find-My beacon spoof/emulation path on cheap hardware. Authorised research only; covertly placing a Find My beacon to track a person is unlawful.

OpenThread PROJECT Google / Thread Group repo ↗

Google's open-source implementation of the Thread networking stack (IEEE 802.15.4, 6LoWPAN, MLE, commissioning). Flashed to a supported radio (e.g. nRF52840) it becomes an NCP/RCP you drive over Spinel, and with pyspinel that same device turns into an 802.15.4 packet sniffer or a node that can scan for and try to join a Thread mesh.

OsmoBTS (Osmocom GSM stack) SOFTWARE Osmocom repo ↗
osmo-trx + osmo-bts + osmo-bsc + osmo-msc + osmo-hlr

The Osmocom open GSM network stack: osmo-trx drives the SDR, osmo-bts is the base station, with osmo-bsc / osmo-msc / osmo-hlr forming the core. Together they stand up a full 2G cell on an SDR — the reference open platform for a test/rogue BTS and active IMSI-catcher research. Actively maintained.

projectZero PROJECT LOCOSP repo ↗

A two-board ESP32 evil-twin / deauther whose captive portal VERIFIES the entered password against the real AP, plus a WPA3-SAE overflow mode (MIT, active but small/early). Runs on ESP32 and ESP32-C5, driven from a CLI or a Flipper Zero. Low-maturity project — verify its behaviour on the bench before field use; the password-verifying portal and SAE-overflow angle are what make it worth noting.

Proxmark3 client (pm3) SOFTWARE RFID Research Group (Iceman fork) repo ↗

The host client that drives the Proxmark3 over USB — the `pm3` shell from the RfidResearchGroup/proxmark3 (Iceman) repo. Runs every Proxmark workflow from the laptop: `lf/hf search` to fingerprint a tag, read/dump LF IDs and HF cards, the full Crypto1 suite (`hf mf darkside`/`nested`/`hardnested`/`mfkey`), clone/simulate, and `hf 14a` sniff plus the `hf_reblay` standalone mode for an ISO 14443-A relay/MITM. The firmware and client ship together; this is the software you actually type into.

pyModeS SOFTWARE Junzi Sun (junzis) repo ↗

A pure-Python decoder library for Mode S and ADS-B messages: feed it hex frames (or stream them from dump1090 over TCP/Beast) and it returns the decoded fields — ICAO address, callsign, airborne/surface position (CPR), velocity, altitude — plus DF4/5/11/20/21 surveillance and Comm-B BDS registers. The reference way to interpret message contents and to run plausibility / anti-spoof checks on a decoded feed in your own code.

pyspinel SOFTWARE Google / Thread Group repo ↗

Python CLI for the Spinel protocol that configures and manages an OpenThread NCP/RCP. Its sniffer.py converts an OpenThread co-processor into an 802.15.4 packet sniffer, streaming captured Thread frames to Wireshark (live extcap or pcap) for dissection and key-based decryption. Repository is archived but still the reference Spinel CLI.

Python Matter Server SOFTWARE Open Home Foundation / Nabu Casa repo ↗

A CSA-certified Matter Controller Server (the one behind Home Assistant's Matter integration) that wraps the CHIP SDK and exposes commissioning and the operational cluster model over a WebSocket API. Acts as a standing controller/commissioner you can drive programmatically — commission a node over BLE, then enumerate and exercise its clusters. Maintenance mode (being rebuilt on matter.js), but a real, working Matter controller.

QCSuper SOFTWARE P1sec repo ↗

Captures raw 2G/3G/4G (and, on some modems, 5G) radio frames from Qualcomm-based phones and modems via the /dev/diag DIAG interface, wraps them in GSMTAP and streams a live PCAP into Wireshark. Turns a cheap Qualcomm modem such as the SIM7600 into a passive cellular-signalling sniffer — an alternative to an SDR cell-search receiver.

Rayhunter SOFTWARE Electronic Frontier Foundation (EFF) repo ↗

EFF's IMSI-catcher / cell-site-simulator detector. Runs as firmware on a cheap Qualcomm-based mobile hotspot (Orbic RC400L, TP-Link M7350) and passively analyses the LTE control plane from the modem's /dev/diag feed, raising an alert on cell-site-simulator behaviour — unexpected identity/IMSI requests, downgrade attempts or suspicious tower configuration. The portable, low-cost blue-team counterpart to Crocodile Hunter for confirming whether a rogue station is present, with no SDR or host PC.

readsb SOFTWARE wiedehopf (Matthias Wirth) repo ↗

A modern, high-performance fork of the dump1090 lineage and the actively maintained ADS-B 'swiss-knife' decoder. Decodes 1090ES Mode S / ADS-B (and ingests UAT from dump978), tracks many aircraft at once, and outputs Beast, raw and JSON for downstream maps like tar1090. The default decoder for a permanent receiver today.

Reaver (t6x fork) SOFTWARE t6x repo ↗

Attacks the WPS registration PIN to recover a WPA/WPA2 passphrase, including the offline Pixie-Dust attack against weak WPS implementations. The actively maintained community fork; works only where WPS is enabled.

rfcat SOFTWARE atlas0fd00m repo ↗

Python shell for CC1111-class transceivers (YARD Stick One): set layer-1 parameters and receive, replay or forge OOK/ASK/FSK.

rtl_433 SOFTWARE Benjamin Larsson (merbanan) et al. repo ↗

Generic ISM-band receiver and decoder for 315 / 433.92 / 868 / 915 MHz devices. Out of the box it recognises 320+ device protocols — weather and soil/temperature sensors, TPMS tyre-pressure monitors, energy/water meters, doorbells, contact sensors and many remotes — and demodulates both OOK/ASK and FSK, printing each decoded device as a line of JSON (also CSV, MQTT, InfluxDB, syslog). It is itself the decoder: where Wi-Fi or BLE hand a PCAP to Wireshark, rtl_433 turns raw I/Q straight into named, fielded device events. Runs on RTL-SDR natively and on HackRF / other radios via SoapySDR.

rtl-zwave SOFTWARE Anders Esbensen (andersesbensen) repo ↗

The original G.9959 (Z-Wave) demodulator for the RTL-SDR: pipe `rtl_sdr` samples into it and it prints decoded Z-Wave frames. Lightweight, receive-only, and the codebase Waving-Z grew out of — a minimal way to confirm Z-Wave traffic and read frame headers on a ~$30 dongle.

Scapy-radio SOFTWARE Bastille Research repo ↗

GNU Radio flowgraphs plus a patched Scapy that lets you sniff, dissect, craft and replay several sub-GHz/2.4 GHz protocols — including a Z-Wave layer — straight from a Python/Scapy session over an SDR (HackRF). The radio/Scapy plumbing EZ-Wave builds on, and a standalone way to script Z-Wave frame capture and injection.

SEEMOO uwb-sniffer SOFTWARE SEEMOO Lab, TU Darmstadt repo ↗

The reference OPEN UWB sniffer: firmware for a Qorvo DWM3000EVB driven by a host (a NUCLEO-F429ZI in the reference build; an nRF52840 with code changes) that captures IEEE 802.15.4z UWB frames and forwards them to Wireshark over a sensniff named pipe, with timestamps at the DW3000's 15.65 ps accuracy. Comes out of the SEEMOO/ETH Ghost Peak line of research. Honest limits: UWB has many PHY parameters (channel, preamble code, data rate, STS mode and length) that must be known IN ADVANCE to lock onto a link, and it forwards malformed frames too — so it is a research instrument, not a push-button capture. It does NOT break the STS or recover keys; it captures the over-the-air frames you can already decode.

Sni5Gect SOFTWARE ASSET Research Group (SUTD) repo ↗
USRP B210/X310 · Ubuntu 22.04 · 12-core/16 GB host

Open-source 5G NR sniffer and downlink injector framework built on srsRAN. Passively captures unencrypted MAC-NR messages between a gNB and a UE (with Wireshark support) and can inject crafted MAC-NR packets to a target at specific post-connection states (registration/authentication/RRC) — used for modem crashes, downgrades, fingerprinting and auth-bypass research without a rogue base station. Heavy host requirements; FR1 sub-6 GHz on a USRP.

Sniffle SOFTWARE NCC Group repo ↗

The reference modern open-source sniffer for Bluetooth 5 and 4.x LE on TI CC1352/CC26x2 (and CatSniffer). Python host, all BT5 PHYs, extended advertising, follows connections — the default LL-layer capture choice today.

srsRAN 4G SOFTWARE Software Radio Systems (SRS) repo ↗

Open-source SDR 4G suite: srsUE (cell search, MIB/SIB receiver, MAC-LTE/RRC PCAP output), srsENB (a full eNodeB) and srsEPC. The reference open LTE stack on HackRF/bladeRF/USRP — passive receiver for Capture, and the basis for fake-eNB/IMSI-catcher research when transmitting under authorisation.

srsRAN active IMSI catcher SOFTWARE roskeys repo ↗

A small research project that modifies srsRAN_4G's srsENB into an active IMSI catcher — stands up a fake base station that lures UEs and issues an identity request to extract the IMSI over the unauthenticated pre-AKA NAS exchange. A concrete worked example of the IMSI-catcher attack on srsRAN.

srsRAN Project SOFTWARE Software Radio Systems (SRS) repo ↗

SRS's O-RAN 5G CU/DU solution (with 4G support). The newer codebase from the srsRAN team; for LTE cell-search/eNodeB work the srsRAN_4G suite is the directly applicable tool. Note: the srsRAN_Project GitHub repo is archived — check srsran.com for the current distribution.

tar1090 SOFTWARE wiedehopf (Matthias Wirth) repo ↗

An improved web map front-end for the decoded traffic from readsb or dump1090-fa: a live, interactive map of every tracked aircraft with history trails, filtering and per-aircraft detail. It consumes the decoder's JSON output and is the readable 'air picture' view, not a decoder itself.

u-center SOFTWARE u-blox site ↗

u-blox's free (proprietary) evaluation and configuration software for u-blox receivers. Connects over the serial/USB port and shows the raw NMEA and binary UBX messages, satellite view, signal levels and the live fix, and lets you reconfigure the receiver. The go-to GUI for inspecting exactly what a u-blox module is reporting; Windows-native (u-center 2 for newer modules).

Ubertooth host tools SOFTWARE Great Scott Gadgets repo ↗

The host-side tools (ubertooth-btle and friends) that drive an Ubertooth One to sniff and follow BLE connections, exporting to PCAP.

Universal Radio Hacker SOFTWARE open source repo ↗

Integrated reversing workbench: auto-detect modulation/bitrate, extract bitstreams, diff captures and replay — the fastest path from raw I/Q to a labelled frame format.

Waving-Z SOFTWARE Paolo de Dios (baol) repo ↗

An ITU-T G.9959 (de)modulator for Z-Wave (started as a fork of andersesbensen/rtl-zwave). `wave-in` decodes Z-Wave frames from a raw I/Q stream piped in from an RTL-SDR (`rtl_sdr`) or HackRF; `wave-out` encodes frames and transmits them through `hackrf_transfer`. The rtl_433-style entry point for getting Z-Wave packets off a cheap SDR.

WHAD SOFTWARE WHAD Team repo ↗

Wireless Hacking Devices — a unified Python framework and host protocol that drives many radios to sniff and inject across wireless stacks: BLE, IEEE 802.15.4 / Zigbee / RF4CE, Enhanced ShockBurst, Logitech Unifying, LoRaWAN and a generic PHY layer. Backends include the nRF52840 'Butterfly' firmware, an STM32WLxx (LoRa) firmware, ESP32, Ubertooth, APIMote, RZUSBstick, RFStorm/nRF24 and Yard Stick One, plus host HCI — one toolchain and PCAP/Scapy interface across protocols.

whsniff SOFTWARE homewsn repo ↗

Command-line utility that interfaces a TI CC2531 USB dongle with Wireshark to capture and display IEEE 802.15.4 traffic at 2.4 GHz — pipe its output into Wireshark (or save a PCAP) for Zigbee dissection. A cheap, simple capture path when you have a CC2531.

Wifiphisher SOFTWARE Wifiphisher project repo ↗

Rogue access point framework: automates the evil-twin plus a templated phishing captive portal (router-login, fake firmware-upgrade, OAuth) to harvest Wi-Fi passphrases or web credentials after a client associates.

Wireshark SOFTWARE open source site ↗

The universal packet dissector. Capture tools across these protocols export to PCAP, and Wireshark dissects, decodes and lets you filter the frames here — supplying a network/link key where one is needed to decrypt in place.

Z-Wave PC Controller SOFTWARE Silicon Labs site ↗

Silicon Labs' official GUI controller (Simplicity Studio): implements a Z-Wave controller node over the Serial API of a UZB USB adapter, so you can include/exclude nodes, browse the device's supported command classes and send them — driving a Z-Wave network legitimately from a PC. The application-layer counterpart to the Zniffer's capture.

Z-Wave Zniffer SOFTWARE Silicon Labs site ↗

Silicon Labs' official GUI tool (in Simplicity Studio) that captures RF communication on a Z-Wave network for debugging — the vendor sniffer. Decodes the full Z-Wave frame including command classes and shows security (S0/S2) handshakes. Needs a USB Z-Wave adapter flashed with Zniffer firmware (e.g. a UZB stick). The turnkey capture path when an SDR demod is too fiddly.

zbdsniff (KillerBee) SOFTWARE River Loop Security repo ↗

KillerBee's key-extraction tool. Scans a capture for an over-the-air key transport (APS Transport-Key during a device join) and recovers the Zigbee network key — the classic break when the key is sent under the well-known default Trust Center link key 'ZigBeeAlliance09'. Feed it a PCAP of a join and it prints the network key.