GhostESP turns your ESP32 into a powerful, cheap and helpful wireless testing tool. Built on ESP-IDF.
⭐️ Enjoying GhostESP? Please give the repo a star!
- Flash your device: ghostesp.net/flasher
- Community & support: Discord
- Learn more: Documentation • Official Website
Making content about GhostESP? Check out the Press Kit for resources.
WiFi Features
- Evil Portal
- Deauth / disassoc attacks
- Karma
- Beacon spam (single/list/random)
- AP scan / STA scan / scanall
- Probe request listening
- Handshake + PMKID capture
- WiFi capture to SD (PCAP)
- USB dongle mode for Wireshark (extcap stream)
- DHCP starvation
- ARP / port / SSH / local IP scanners
- WiFi OUI vendor lookup
- WPA3/SAE attacks
- EAPOL logoff attack
- Wardriving exports (WiFi/BLE/GPS) + sweep CSV (WiFi/BLE/GPS/802.15.4)
- Split-channel wardriving helper via GhostLink
- RSSI tracking (AP/station)
- Drone detection / spoofing
- Web UI + filesystem + remote command relay
BLE Features
- BLE scan modes (general, AirTag, Flipper)
- BLE spam modes
- AirTag scan / spoof
- BLE packet capture
- BLE stream to Wireshark
- Flipper finder + RSSI
- GATT/service scan + per-device RSSI
- BLE wardriving
- BLE skimmer detection
USB Features
- USB keyboard host mode (ESP32-S3 builds)
- Remote keyboard control over GhostLink
- BadUSB script runner
- BadUSB identity options (VID/PID/manufacturer/product/layout/randomize)
IR Features
- IR TX/RX on supported boards
- IR learn mode
- IR easy learn mode
- Flipper `.ir` file support
- Universal library transmit
- IR CLI tools
- IR dazzler (38 kHz high duty)
NFC Features
- PN532 NTAG/MIFARE Classic support
- Flipper `.nfc` import/export
- MIFARE Classic dictionary attack
- Flipper NFC parser set (transit/parking/access)
- MIFARE Desfire detection
- Chameleon Ultra support (CLI + UI)
SubGHz Features
- Signal scanning across 64 channels
- Frequency analyzer with waterfall display
- Signal capture and decoding
- 20+ protocol decoders based on Flipper Unleashed/xMasterX
- Signal transmission and replay
- Saved signals as `.sub` files
- Flipper SubGhz Key File format compatibility
- CC1101 hardware support
- Frequency bands: 315, 390, 433.92, 868.35, 915 MHz
- Full CLI support
Additional Features
- GhostLink (dual-device command and display interface)
- Setup wizard (display builds)
- Wired + web screen mirroring
- Ethernet mode + fingerprint scan
- DIAL / Chromecast V2 support
- GPS integration (`gpsinfo`)
- Network printer output (`powerprinter`)
- RGB LED modes
- Timezone configuration (`timezone`)
- Camera motion detection with SD card snapshot capture and Discord webhook alerts (XIAO S3 Sense)
- Rave mode (display builds)
- ESP32 Wroom
- ESP32 S2
- ESP32 C3
- ESP32 S3
- ESP32 C5
- ESP32 C6
Note: Feature availability may vary by model.
Supported Boards
- DevKitC-ESP32
- DevKitC-ESP32-S2 (lacks bluetooth hardware)
- DevKitC-ESP32-C3
- DevKitC-ESP32-S3
- DevKitC-ESP32-C5
- DevKitC-ESP32-C6
- RabbitLabs GhostBoard
- AWOK Mini
- M5 Cardputer
- M5 Cardputer ADV
- FlipperHub Rocket
- FlipperHub Pocker Marauder
- RabbitLabs Phantom
- RabbitLabs Yapper Board
- RabbitLabs Poltergeist
- CYD2432S028R
- Waveshare 7″ Touch
- 'CYD2 USB'
- 'CYD2 USB 2.4″'
- LilyGo T-Display S3 Touch
- LilyGo T-Deck
- JCMK Devboard Pro
- Flipper JCMK GPS
- CrowTech 7″
- JC3248W535EN
- Heltec V3
- Lolin S3 Pro
- Minion
- Sunton 7″
- Seeed XIAO ESP32-S3 Sense
- Seeed XIAO ESP32-S3
- Seeed XIAO ESP32-C5
View comparison table
This comparison is based on GhostESP's feature set and publicly available source for the listed projects. It is not a complete feature list for every firmware. HaleHound and nyanBOX are compared against the latest public source available to us; if newer releases are closed source, this table cannot be independently updated or verified against those builds.
| Feature | GhostESP | Bruce | HaleHound | nyanBOX |
|---|---|---|---|---|
| Current source available for audit | [x] | [x] | Limited / older public source | Limited / older public source |
| ESP-IDF-native architecture | [x] | |||
| Arduino / PlatformIO architecture | [x] | [x] | [x] | |
| Approximate source size | ~211k LOC | ~156k LOC | ~62k LOC | ~17k LOC |
| Supported board targets | 40+ | 28+ | 5 | 1 |
| Full LVGL graphical UI | [x] | |||
| Web dashboard / REST control | [x] | [x] | ||
| Captive portal web server | [x] | [x] | [x] | [x] |
| AP / station WiFi scanning | [x] | [x] | [x] | [x] |
| Deauth / disassoc testing | [x] | [x] | [x] | [x] |
| Beacon spam | [x] | [x] | [x] | [x] |
| Karma / probe response attack | [x] | [x] | [x] | |
| Handshake / EAPOL capture | [x] | [x] | [x] | |
| PMKID capture / export | [x] | [x] | ||
| Live Wireshark USB streaming | [x] | |||
| WPA3 / SAE-specific testing | [x] | |||
| EAPOL logoff attack | [x] | |||
| Channel switch attack | [x] | |||
| GTK abuse / client isolation testing | [x] | |||
| DHCP starvation | [x] | [x] | ||
| ARP / port / SSH scanners | [x] | [x] | ||
| WiFi OUI vendor lookup | [x] | [x] | [x] | |
| PineAP detection | [x] | [x] | ||
| WPS detection / reporting | [x] | [x] | ||
| Pwnagotchi-style automated capture mode | [x] | [x] | ||
| Pwnagotchi detector / spam | [x] | [x] | ||
| GPS WiFi wardriving | [x] | [x] | [x] | |
| BLE wardriving | [x] | [x] | [x] | |
| WiGLE upload integration | [x] | [x] | ||
| 802.15.4 / Zigbee sweep export | [x] | |||
| GhostLink dual-ESP control | [x] | |||
| Split-channel wardriving helper | [x] | |||
| GhostLink remote radio support | [x] | |||
| Drone / OpenDroneID detect | [x] | [x] | ||
| Drone / OpenDroneID spoof | [x] | |||
| BLE scanning | [x] | [x] | [x] | [x] |
| BLE spam modes | [x] | [x] | [x] | [x] |
| AirTag scan / spoof | [x] | [x] | [x] | [x] |
| Flipper Zero finder | [x] | [x] | ||
| GATT / service enumeration | [x] | [x] | ||
| BLE stream to Wireshark | [x] | |||
| BLE skimmer detection | [x] | [x] | ||
| FastPair / pairing exploit research | [x] | [x] | [x] | |
| BLE HID injection / DuckyScript over BLE | [x] | |||
| BLE GATT honeypot / cloned peripheral | [x] | [x] | ||
| BLE vulnerability profiling | [x] | |||
| Flock / surveillance detector | [x] | [x] | [x] | |
| PN532 NFC support | [x] | [x] | [x] | |
| Chameleon Ultra support | [x] | [x] | ||
| Chameleon Ultra BLE control | [x] | [x] | ||
| Flipper `.nfc` import/export | [x] | |||
| Flipper NFC parser set | [x] | |||
| MIFARE Classic default-key attack | [x] | [x] | [x] | |
| MIFARE Classic full embedded dictionary | [x] | |||
| MIFARE Classic user dictionary file | [x] | [x] | ||
| MIFARE Classic session key reuse / sector sweep | [x] | |||
| EMV / payment card reader | [x] | |||
| BadUSB / DuckyScript | [x] | [x] | ||
| USB keyboard host mode | [x] | |||
| BadUSB VID/PID identity options | [x] | [x] | ||
| IR learn / capture / replay | [x] | [x] | ||
| Flipper `.ir` file support | [x] | [x] | ||
| Universal IR library transmit | [x] | [x] | ||
| CC1101 SubGHz scan / replay | [x] | [x] | [x] | |
| CC1101 waterfall spectrum analyzer | [x] | [x] | [x] | |
| Flipper `.sub` compatibility | [x] | [x] | [x] | |
| SubGHz protocol decoders | [x] | [x] | [x] | |
| NRF24 spectrum analyzer | [x] | [x] | [x] | [x] |
| NRF24 MouseJack | [x] | |||
| Passive jamming detection | [x] | [x] | ||
| Active RF jamming shipped | Not shipped | [x] | [x] | [x] |
| Zigbee / 802.15.4 packet capture | [x] | |||
| Ethernet W5500 support | [x] | [x] | ||
| Ethernet ARP poisoning / MITM tools | [x] | [x] | ||
| TLS SNI / HTTP / FTP credential capture over Ethernet | [x] | |||
| Camera streaming / motion detection | [x] | |||
| Motion alerts with webhook support | [x] | |||
| Network printer / PJL output | [x] | |||
| DIAL / Chromecast testing | [x] | |||
| On-device setup wizard | [x] | |||
| Wired screen mirroring | [x] | [x] | ||
| Web screen mirroring | [x] | |||
| SD config backup / restore | [x] | |||
| Battery monitoring / fuel gauge support | [x] | [x] | [x] | |
| Sensor / RTC hardware support | [x] | [x] | ||
| M5 Cardputer keyboard support | [x] | [x] | ||
| Android companion app | [x] | |||
| JavaScript app engine | [x] | |||
| LoRa support | [x] | |||
| FM radio support | [x] |
GhostESP does not ship active jamming features. Distribution, promotion, sale and use of jamming devices or firmware is illegal in many jurisdictions.
Special thanks to:
- JustCallMeKoKo: ESP32Marauder foundational development
- thibauts: CastV2 protocol insights
- MarcoLucidi01: DIAL protocol integration
- SpacehuhnTech: Reference deauthentication code
- Spooks4576: Original GhostESP Developer
- Tototo31: Large contributions to the project
- WillyJL: Core Flipper Firmware functionality and BLE Spam code
- Flipper Zero firmware: Core IR & NFC implementation (flipperdevices/flipperzero-firmware & contributors)
- Garag: Core NFC library
- connornishijima: SensoryBridge - MIC RGB visualizer algorithms & inspiration
- DarkFlippers: Flipper Zero Unleashed firmware (SubGHz protocol decoders)
- xMasterX: Flipper Zero Unleashed SubGHz improvements
Portions of the IR, NFC, and SubGHz functionality are adapted from the open-source Flipper Zero firmware by flipperdevices, DarkFlippers, xMasterX and their community contributors.
Ghost ESP is intended solely for educational and ethical security research. Unauthorized or malicious use is illegal. Be sure to familiarize yourself with your local laws, and always obtain proper permissions before conducting any network tests.
Note: this is a detached fork of Spooky's GhostESP, which has been archived and is no longer in development.
For guidelines on using the GhostESP name and logo, please see BRAND GUIDELINES.
Interested in becoming an official partner? Email partners@ghostesp.net.
This project is open source and welcomes your contributions. If you've added new features or enhanced device support, please submit your changes!











