
ESP32 DevKit (WROOM-32 / WROVER)

HARDWARE
Espressif · Wi-Fi · BLE · Bluetooth Classic

The generic original ESP32 dev board (WROOM-32 / WROVER module) is the cheapest substrate for the umbrella firmwares (Marauder, Bruce, Ghost ESP) and for the bare-metal Wi-Fi/BLE tools below. Crucially, the ORIGINAL ESP32 is the only Espressif variant with a Bluetooth Classic (BR/EDR) radio: the S2 has no Bluetooth at all, and the S3 and the C-series (C3/C6/C5) are BLE-only. It is therefore also the board the BR/EDR sniffer and the BrakTooth PoC run on. A bare board with no screen or SD slot; add a microSD breakout for the capture-to-card firmwares. 2.4 GHz only (no 5/6 GHz).

COMPATIBLE SOFTWARE & PROJECTS

ESP32 Marauder PROJECT justcallmekoko repo ↗

The reference ESP32 Wi-Fi + BLE offensive/defensive firmware (~11k stars, actively maintained). Wi-Fi: scan APs/stations, packet sniff, GPS wardrive, deauth, beacon spam (list/random), probe-request flood, EAPOL/PMKID capture to SD, and an Evil Portal captive-portal credential harvester. BLE: scan/sniff, wardrive, AirTag sniff and spoof, and advertising spam (Apple/Sour Apple, Samsung, Swift Pair). Runs on ESP32/S2/S3/C5 and 20+ boards (Cardputer, CYD, Flipper Wi-Fi dev board) — but NOT the ESP32-C6. 2.4 GHz only. Representative of the ESP32 attack surface — authorised testing only on active features.

Bruce PROJECT BruceDevices (pr3y) repo ↗

Predatory ESP32 red-team multitool firmware (~5.9k stars, AGPL-3.0; the repo moved from pr3y/Bruce to the BruceDevices org, the old path redirects). Wi-Fi: Evil Portal, wardriving, EAPOL handshake capture and deauth. BLE: scan, pairing-popup spam (AppleJuice / Sour Apple / Swift Pair / Android / Samsung) and Bad BLE (HID injection over a bonded link). Also drives sub-GHz, IR and RFID where the board supports it. Targets M5Stack and LilyGo boards plus the CYD. Authorised testing only.

Ghost ESP PROJECT GhostESP-Revival repo ↗

Maintained ESP-IDF revival of Ghost ESP (~740 stars, GPL-3.0). The original Spooks4576/Ghost_ESP is archived (read-only since 2025-04); this Revival fork is the live successor and supports 40+ boards. Wi-Fi: AP/station scan, beacon spam, deauthentication, capture (probe/beacon/deauth/raw to SD) and Evil Portal. BLE: raw scan/wardrive, BLE-to-Wireshark advertising capture, BLE spam and AirTag spoof. Authorised testing only on active features.
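The BLE spam and advertising-capture features of all three umbrella firmwares above deal in the same 31-byte legacy advertising payload, a sequence of length/type/value AD structures with a Manufacturer Specific Data record carrying a Bluetooth SIG company ID (Apple 0x004C, Microsoft 0x0006 for Swift Pair, Samsung 0x0075). The following is an added example, not code from Marauder, Bruce or Ghost ESP: it builds such a payload with the 31-byte limit enforced and decodes one the way a capture tool would, rejecting records whose length runs past the buffer. The vendor payload bytes are placeholder values, not any real proximity-pairing message.

```c
/* Added example, not code from Marauder, Bruce or Ghost ESP: encodes a BLE
 * legacy advertising payload as AD structures with the 31-byte limit
 * enforced, and decodes one, reporting the manufacturer company ID.
 * Vendor payload bytes are constructed placeholders. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLE_ADV_MAX        31
#define AD_TYPE_FLAGS      0x01
#define AD_TYPE_MFG_DATA   0xFF
#define FLAGS_LE_GENERAL_DISC_NO_BREDR 0x06  /* LE General Discoverable, BR/EDR not supported */
#define COMPANY_MICROSOFT  0x0006   /* Bluetooth SIG company identifiers */
#define COMPANY_APPLE      0x004C
#define COMPANY_SAMSUNG    0x0075

/* Append one AD structure; returns the new payload length, or 0 if it would
 * exceed 31 bytes (the reason spam payloads are packed so tightly). */
size_t ad_append(uint8_t *adv, size_t cur, uint8_t type, const uint8_t *val, size_t vlen)
{
    if (vlen > 254 || cur + 2 + vlen > BLE_ADV_MAX) return 0;
    adv[cur] = (uint8_t)(vlen + 1);      /* length covers type byte + value */
    adv[cur + 1] = type;
    memcpy(adv + cur + 2, val, vlen);
    return cur + 2 + vlen;
}

/* Manufacturer Specific Data: 16-bit company ID little-endian, then vendor bytes. */
size_t ad_append_manufacturer(uint8_t *adv, size_t cur, uint16_t company,
                              const uint8_t *payload, size_t plen)
{
    uint8_t buf[BLE_ADV_MAX];
    if (plen + 2 > sizeof buf) return 0;
    buf[0] = (uint8_t)(company & 0xFF);
    buf[1] = (uint8_t)(company >> 8);
    memcpy(buf + 2, payload, plen);
    return ad_append(adv, cur, AD_TYPE_MFG_DATA, buf, plen + 2);
}

/* Decoder: walk the AD structures. Returns 1 with *company set if a
 * Manufacturer Specific Data record is present, 0 if none, -1 if a length
 * field runs past the buffer (malformed). A zero length byte marks the
 * non-significant (all-zero padding) part, so the walk stops there. */
int ad_find_company(const uint8_t *adv, size_t len, uint16_t *company)
{
    size_t i = 0;
    while (i < len) {
        uint8_t l = adv[i];
        if (l == 0) return 0;
        if (i + 1 + l > len) return -1;
        if (adv[i + 1] == AD_TYPE_MFG_DATA && l >= 3) {
            *company = (uint16_t)(adv[i + 2] | (adv[i + 3] << 8));
            return 1;
        }
        i += 1 + l;
    }
    return 0;
}

const char *company_name(uint16_t company)
{
    switch (company) {
    case COMPANY_APPLE:     return "Apple";
    case COMPANY_MICROSOFT: return "Microsoft";
    case COMPANY_SAMSUNG:   return "Samsung";
    default:                return "other";
    }
}

/* Demo: flags record + an Apple manufacturer record with a placeholder payload. */
static size_t demo_build(uint8_t adv[BLE_ADV_MAX], size_t payload_len)
{
    static const uint8_t flags = FLAGS_LE_GENERAL_DISC_NO_BREDR;
    uint8_t payload[BLE_ADV_MAX];
    memset(payload, 0xAA, sizeof payload);       /* constructed placeholder bytes */
    size_t n = ad_append(adv, 0, AD_TYPE_FLAGS, &flags, 1);
    if (n == 0) return 0;
    return ad_append_manufacturer(adv, n, COMPANY_APPLE, payload, payload_len);
}

size_t demo_adv_len(void)          /* 3 (flags) + 2 + 2 + 8 = 15 bytes */
{
    uint8_t adv[BLE_ADV_MAX];
    return demo_build(adv, 8);
}

size_t demo_adv_overflow(void)     /* 3 + 2 + 2 + 28 = 35 > 31, so refused (0) */
{
    uint8_t adv[BLE_ADV_MAX];
    return demo_build(adv, 28);
}

uint16_t demo_adv_company(void)    /* decoder recovers 0x004C from the built payload */
{
    uint8_t adv[BLE_ADV_MAX];
    uint16_t c = 0;
    size_t n = demo_build(adv, 8);
    return (n && ad_find_company(adv, n, &c) == 1) ? c : 0xFFFF;
}

int demo_truncated_is_malformed(void)  /* same payload cut at 5 bytes: record length overruns */
{
    uint8_t adv[BLE_ADV_MAX];
    uint16_t c = 0;
    demo_build(adv, 8);
    return ad_find_company(adv, 5, &c);
}

int main(void)
{
    printf("len=%zu overflow=%zu company=%s\n", demo_adv_len(), demo_adv_overflow(),
           company_name(demo_adv_company()));
    return 0;
}
```

The overflow path is the one worth keeping in mind when reading spam firmware source: with 3 bytes spent on flags, a manufacturer record has at most 26 bytes of vendor data, which is why those payloads are hand-packed byte arrays rather than anything structured.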

ESP32 Wi-Fi Penetration Tool PROJECT risinek repo ↗

Focused ESP-IDF framework for ESP32 Wi-Fi attacks (~2.9k stars, MIT, last push 2024-02). Captures WPA/WPA2 PMKIDs and 4-way handshakes (passively, via a rogue duplicate AP, or by forcing re-authentication with deauthentication frames), writes the captures as PCAP and converts them to HCCAPX for hashcat; also runs deauthentication and DoS attacks. Driven entirely from a web UI served on an on-device management AP, so no screen is needed. Includes a "WSL bypasser" component that works around the check in Espressif's closed-source Wi-Fi Stack Libraries (WSL) which otherwise drops raw deauthentication frames handed to esp_wifi_80211_tx(), so a plain ESP32 can emit them. Caveat: hashcat 6.x deprecated the HCCAPX/PMKID modes (2500/16800) in favour of mode 22000, so convert the PCAP on the host with hcxpcapngtool rather than relying on the on-device HCCAPX output.
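What the tool's PMKID capture comes down to, as an added example that is not risinek's code: the first message of the 4-way handshake (EAPOL-Key M1, the one the AP sends before any client secret is involved) is parsed, the PMKID is pulled out of the RSN PMKID KDE in its key data, and the result is written as a hashcat 22000 line, the format that replaced HCCAPX. The frame is built inline; the PMKID, MAC addresses and ESSID are constructed test values, not a real capture.

```c
/* Added example, not code from risinek's tool: parses an EAPOL-Key message 1,
 * extracts the PMKID from its RSN PMKID KDE, and formats the hashcat 22000
 * line. The frame and all identifiers below are constructed test values. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define EAPOL_TYPE_KEY     3
#define KEY_DESC_RSN       2
#define KEY_INFO_MIC       0x0100
#define KEY_INFO_ACK       0x0080
#define EAPOL_KEY_HDR_LEN  95     /* descriptor type .. key data length field */
#define PMKID_KDE_LEN      22     /* dd 14 | OUI 00:0f:ac | type 04 | 16-byte PMKID */

/* Build a minimal EAPOL-Key M1 (802.1X header + RSN key descriptor) carrying a
 * PMKID KDE. Returns bytes written, or 0 if cap is too small. */
size_t build_eapol_m1(uint8_t *out, size_t cap, const uint8_t anonce[32], const uint8_t pmkid[16])
{
    size_t body = EAPOL_KEY_HDR_LEN + PMKID_KDE_LEN;
    size_t total = 4 + body;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 0x02;                        /* 802.1X protocol version */
    out[1] = EAPOL_TYPE_KEY;
    out[2] = (uint8_t)(body >> 8);        /* packet body length, big-endian */
    out[3] = (uint8_t)(body & 0xFF);
    uint8_t *k = out + 4;
    k[0] = KEY_DESC_RSN;
    k[1] = 0x00; k[2] = 0x8A;             /* key info: pairwise + ACK, MIC bit clear (M1) */
    k[3] = 0x00; k[4] = 0x10;             /* key length 16 (CCMP) */
    k[12] = 0x01;                         /* replay counter (bytes 5..12) = 1 */
    memcpy(k + 13, anonce, 32);           /* ANonce (13..44); IV/RSC/ID/MIC (45..92) stay zero */
    k[93] = 0x00; k[94] = (uint8_t)PMKID_KDE_LEN;  /* key data length, big-endian */
    uint8_t *kd = k + EAPOL_KEY_HDR_LEN;
    kd[0] = 0xDD; kd[1] = 0x14;
    kd[2] = 0x00; kd[3] = 0x0F; kd[4] = 0xAC;  /* IEEE 802.11 OUI */
    kd[5] = 0x04;                               /* KDE data type 4 = PMKID */
    memcpy(kd + 6, pmkid, 16);
    return total;
}

/* Walk the key data of an EAPOL-Key M1 and copy out the PMKID. Rejects
 * anything that is not an M1 (ACK set, MIC clear) and any KDE whose
 * declared length runs past the buffer. */
bool extract_pmkid(const uint8_t *eapol, size_t len, uint8_t pmkid_out[16])
{
    if (len < 4 + EAPOL_KEY_HDR_LEN || eapol[1] != EAPOL_TYPE_KEY) return false;
    const uint8_t *k = eapol + 4;
    if (k[0] != KEY_DESC_RSN) return false;
    uint16_t info = (uint16_t)((k[1] << 8) | k[2]);
    if (!(info & KEY_INFO_ACK) || (info & KEY_INFO_MIC)) return false;
    size_t kd_len = (size_t)((k[93] << 8) | k[94]);
    if (4 + EAPOL_KEY_HDR_LEN + kd_len > len) return false;
    const uint8_t *kd = k + EAPOL_KEY_HDR_LEN;
    for (size_t i = 0; i + 2 <= kd_len; ) {
        uint8_t id = kd[i], l = kd[i + 1];
        if (i + 2 + l > kd_len) return false;
        if (id == 0xDD && l >= 20 && kd[i + 2] == 0x00 && kd[i + 3] == 0x0F
            && kd[i + 4] == 0xAC && kd[i + 5] == 0x04) {
            memcpy(pmkid_out, kd + i + 6, 16);
            return true;
        }
        i += 2 + l;
    }
    return false;
}

static void to_hex(char *dst, const uint8_t *src, size_t n)
{
    for (size_t i = 0; i < n; i++) snprintf(dst + 2 * i, 3, "%02x", src[i]);
    dst[2 * n] = '\0';
}

/* hashcat 22000 PMKID line: WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_hex***  */
int format_hc22000_pmkid(char *out, size_t cap, const uint8_t pmkid[16],
                         const uint8_t ap[6], const uint8_t sta[6], const char *essid)
{
    char p[33], a[13], s[13], e[65];
    size_t elen = strlen(essid);
    if (elen == 0 || elen > 32) return -1;  /* SSIDs are 1..32 octets */
    to_hex(p, pmkid, 16); to_hex(a, ap, 6); to_hex(s, sta, 6);
    to_hex(e, (const uint8_t *)essid, elen);
    return snprintf(out, cap, "WPA*01*%s*%s*%s*%s***", p, a, s, e);
}

/* End-to-end on constructed values; returns the hashcat line or NULL. */
const char *demo_hc22000_line(void)
{
    static char line[128];
    static const uint8_t ap[6]  = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55};   /* constructed */
    static const uint8_t sta[6] = {0x02, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE};   /* constructed */
    static const uint8_t pmkid[16] = {0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
                                      0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF};
    uint8_t anonce[32], frame[160], got[16];
    memset(anonce, 0x5A, sizeof anonce);
    size_t n = build_eapol_m1(frame, sizeof frame, anonce, pmkid);
    if (n == 0 || !extract_pmkid(frame, n, got)) return NULL;
    if (format_hc22000_pmkid(line, sizeof line, got, ap, sta, "testlab") < 0) return NULL;
    return line;
}

int main(void)
{
    const char *l = demo_hc22000_line();
    puts(l ? l : "no PMKID found");
    return l ? 0 : 1;
}
```

The M1 filter (ACK bit set, MIC bit clear) is what keeps a capture tool from misreading an M3 as a PMKID source; the KDE length check is what keeps a malformed or hostile frame from walking the parser off the end of the buffer.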

ESP32 Deauther (GANESH-ICMC) PROJECT GANESH-ICMC repo ↗

An ESP-IDF port of the Spacehuhn deauther to the ESP32, built on the esp_wifi_80211_tx frame-injection function — the canonical bare-ESP32 deauth path referenced by risinek's penetration tool. NOTE: unmaintained since 2021 and ships no license file; confirm it builds against a current ESP-IDF before relying on it. (The famous Spacehuhn esp8266_deauther is ESP8266-only and does not run on the ESP32.)
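Both the GANESH-ICMC port and risinek's tool come down to handing a hand-built deauthentication frame to esp_wifi_80211_tx(). The following is an added example, not code from either project, showing what that frame looks like byte for byte and how a monitor-mode detector (the defensive side of the same firmwares) would recognise a burst of them. It is host-side C with no ESP-IDF dependency, so the esp_wifi_80211_tx() call appears only in a comment, and the BSSID is a constructed locally-administered address.

```c
/* Added example, not code from the GANESH-ICMC or risinek projects. Builds
 * the 26-byte 802.11 deauthentication frame that bare-ESP32 deauthers hand
 * to esp_wifi_80211_tx(), and decodes/counts such frames as a monitor-mode
 * detector would. Host-side C; the ESP-IDF call is only in a comment. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define DEAUTH_FRAME_LEN 26
#define REASON_CLASS3_FRAME 7   /* "class 3 frame received from nonassociated STA" */

/* Management frame with a 2-byte deauth body; no FCS, the radio appends it.
 * All members are uint8_t, so there is no padding and sizeof == 26. */
typedef struct {
    uint8_t fc[2];        /* frame control: version 0, type 0 (mgmt), subtype 0xC (deauth) */
    uint8_t duration[2];
    uint8_t addr1[6];     /* receiver: one station, or ff:ff:ff:ff:ff:ff for everyone */
    uint8_t addr2[6];     /* transmitter: the AP address being spoofed */
    uint8_t addr3[6];     /* BSSID */
    uint8_t seq_ctrl[2];  /* 4-bit fragment number, 12-bit sequence number, little-endian */
    uint8_t reason[2];    /* reason code, little-endian */
} deauth_frame_t;

/* Serialise one deauth frame into out[]; returns the frame length. */
size_t build_deauth_frame(uint8_t out[DEAUTH_FRAME_LEN], const uint8_t bssid[6],
                          const uint8_t station[6], uint16_t seq, uint16_t reason)
{
    deauth_frame_t f;
    memset(&f, 0, sizeof f);
    f.fc[0] = 0xC0;               /* subtype 0xC << 4 | type 0 << 2 | version 0 */
    f.fc[1] = 0x00;               /* no To-DS/From-DS, retry, power-mgmt or protected bits */
    memcpy(f.addr1, station, 6);
    memcpy(f.addr2, bssid, 6);
    memcpy(f.addr3, bssid, 6);
    f.seq_ctrl[0] = (uint8_t)((seq & 0x0F) << 4);   /* fragment 0 in the low nibble */
    f.seq_ctrl[1] = (uint8_t)((seq >> 4) & 0xFF);
    f.reason[0] = (uint8_t)(reason & 0xFF);
    f.reason[1] = (uint8_t)(reason >> 8);
    memcpy(out, &f, DEAUTH_FRAME_LEN);
    /* On the ESP32 this buffer is what the deauthers pass to
     * esp_wifi_80211_tx(WIFI_IF_AP, out, DEAUTH_FRAME_LEN, false). */
    return DEAUTH_FRAME_LEN;
}

/* Detector side: true if buf is a well-formed deauth frame; fills bssid and reason. */
bool parse_deauth_frame(const uint8_t *buf, size_t len, uint8_t bssid[6], uint16_t *reason)
{
    if (len < DEAUTH_FRAME_LEN) return false;
    uint8_t type = (uint8_t)((buf[0] >> 2) & 0x3);
    uint8_t subtype = (uint8_t)((buf[0] >> 4) & 0xF);
    if (type != 0 || subtype != 0xC) return false;
    memcpy(bssid, buf + 16, 6);
    *reason = (uint16_t)(buf[24] | (buf[25] << 8));
    return true;
}

/* Count deauth frames claiming to come from `bssid` in a flat capture of
 * n fixed-size frames; dozens per second from one BSSID is the flood signature. */
size_t count_deauths_from(const uint8_t *capture, size_t n, const uint8_t bssid[6])
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t b[6]; uint16_t r;
        if (parse_deauth_frame(capture + i * DEAUTH_FRAME_LEN, DEAUTH_FRAME_LEN, b, &r)
            && memcmp(b, bssid, 6) == 0)
            hits++;
    }
    return hits;
}

/* Constructed addresses for the demo (locally administered, not real devices). */
static const uint8_t DEMO_BSSID[6]     = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55};
static const uint8_t DEMO_BROADCAST[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};

/* One broadcast deauth from DEMO_BSSID, sequence 0, reason 7. */
const uint8_t *demo_deauth_frame(void)
{
    static uint8_t frame[DEAUTH_FRAME_LEN];
    build_deauth_frame(frame, DEMO_BSSID, DEMO_BROADCAST, 0, REASON_CLASS3_FRAME);
    return frame;
}

/* A three-frame burst plus one unrelated beacon-like frame, as the detector sees it. */
size_t demo_burst_count(void)
{
    uint8_t capture[4 * DEAUTH_FRAME_LEN];
    for (uint16_t i = 0; i < 3; i++)
        build_deauth_frame(capture + i * DEAUTH_FRAME_LEN, DEMO_BSSID, DEMO_BROADCAST, i, REASON_CLASS3_FRAME);
    memset(capture + 3 * DEAUTH_FRAME_LEN, 0, DEAUTH_FRAME_LEN);
    capture[3 * DEAUTH_FRAME_LEN] = 0x80;   /* subtype 8 = beacon: must not be counted */
    return count_deauths_from(capture, 4, DEMO_BSSID);
}

int main(void)
{
    const uint8_t *f = demo_deauth_frame();
    for (size_t i = 0; i < DEAUTH_FRAME_LEN; i++) printf("%02x", f[i]);
    printf("\ndeauths from demo BSSID in burst: %zu\n", demo_burst_count());
    return 0;
}
```

Nothing in the frame is authenticated, which is the whole reason the attack works against pre-802.11w networks; on a network with Protected Management Frames enforced the client discards such a frame because it lacks the MIC, so a "deauth has no effect" result during an authorised test is itself a useful finding.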

ESP32 Bluetooth Classic Sniffer SOFTWARE Matheus Garbelini repo ↗

The reference active BR/EDR sniffer on commodity ESP32 hardware (~$4–10; ~590 stars, GPL-2.0). It patches the ESP32 ROM Bluetooth stack to dump baseband packets — BT header, channel, device role, FHS, ACL and LMP — over USB serial to a host Python tool (BTSnifferBREDR.py) with Scapy/Wireshark output. This is Bluetooth CLASSIC (BR/EDR), not BLE. It actively connects to the target, so authorised testing only.

BrakTooth (ESP32 PoC) PROJECT Matheus Garbelini repo ↗

The public PoC release for the BrakTooth family of Bluetooth Classic baseband/LMP vulnerabilities: 16 vulnerabilities (around 20 CVEs assigned at disclosure) and 20+ attack variants against the BR/EDR controllers of dozens of SoCs (Espressif ESP32, Intel AX200, Qualcomm, Cypress/Infineon, TI CC2564 and more). Built on the patched-ESP32 sniffer; the attacks range from crash/DoS to, on some targets, code execution. Note that the ESP32 itself was among the affected chips, so the attack board is also a potential victim. Representative only; check vendor advisories for current patch status. Authorised testing only, against devices you own or are contracted to assess.

ESP32 BlueJammer PROJECT EmenstaNougat repo ↗

An ESP32 driving two nRF24L01+PA+LNA modules to flood the 2.4 GHz ISM band with noise, hopping channels to disrupt Bluetooth Classic (79 ch), BLE (40 ch), Wi-Fi (14 ch) and 2.4 GHz RC/drone links. WARNING: RF jamming is illegal in most jurisdictions (e.g. unlawful in the US under FCC rules) — use only in an RF-shielded / controlled environment for authorised resilience testing. Requires two nRF24L01+PA+LNA modules in addition to the ESP32.

USED IN THE WAYFINDER

Bluetooth Low Energy · SP · LL · AT · AP
Wi-Fi (802.11) · SP · LL · AT · AP
Bluetooth Classic · SP · LL · AT