Read and write NTAG tags, read MIFARE Classic with dictionary attacks
Captive portal attacks with domain spoofing and credential harvesting
Deauth, beacon spam, packet capture, karma attack, and PCAP logging
Scan, capture, spam, wardriving, and AirTag spoofing
Connect two Ghost ESP devices for dual communication and control
Learn and transmit IR signals with Flipper Zero file support
Detect Pineapples, evil twins, AirTags, card skimmers, and passive 2.4GHz jamming signatures
Detect Pineapples, evil twins, AirTags, and card skimmers
Configure device, manage files, and run commands from your browser
Touch screens, keyboards, encoders, and custom UI themes
ARP poisoning, DNS interception, host discovery, and network fingerprinting over wired connections
Frequency analyzer, capture/replay, and multi-band scanning across 315–915 MHz
Live MJPEG streaming, motion detection with Discord webhooks, and SD card snapshots
RGB effects, power saving mode, and customizable LED feedback
Based on GhostESP's feature set and publicly available source for listed projects. Not a complete feature list for every firmware. HaleHound and nyanBOX are compared against the latest public source available.
| Feature | GhostESP | Bruce | HaleHound | nyanBOX |
|---|---|---|---|---|
| Architecture | ||||
| Current source available for audit | ✓ | ✓ | Limited | Limited |
| ESP-IDF-native architecture | ✓ | — | — | — |
| Arduino / PlatformIO architecture | — | ✓ | ✓ | ✓ |
| Approximate source size | ~211k LOC | ~156k LOC | ~62k LOC | ~17k LOC |
| Supported board targets | 40+ | 28+ | 5 | 1 |
| Full LVGL graphical UI | ✓ | — | — | — |
| WiFi | ||||
| Web dashboard / REST control | ✓ | ✓ | — | — |
| Karma / probe response attack | ✓ | ✓ | ✓ | — |
| Handshake / EAPOL capture | ✓ | ✓ | ✓ | — |
| PMKID capture / export | ✓ | ✓ | ✓ | — |
| Live Wireshark USB streaming | ✓ | — | — | — |
| WPA3 / SAE-specific testing | ✓ | — | — | — |
| EAPOL logoff attack | ✓ | — | — | — |
| Channel switch attack | ✓ | — | — | — |
| GTK abuse / client isolation testing | ✓ | — | — | — |
| DHCP starvation | ✓ | ✓ | — | — |
| ARP / port / SSH scanners | ✓ | ✓ | — | — |
| WiFi OUI vendor lookup | ✓ | ✓ | ✓ | — |
| PineAP detection | ✓ | — | — | ✓ |
| WPS detection / reporting | ✓ | ✓ | — | — |
| Pwnagotchi-style automated capture | ✓ | ✓ | — | — |
| Pwnagotchi detector / spam | — | ✓ | — | ✓ |
| GPS WiFi wardriving | ✓ | ✓ | ✓ | — |
| BLE wardriving | ✓ | ✓ | ✓ | — |
| WiGLE upload integration | ✓ | ✓ | — | — |
| 802.15.4 / Zigbee sweep export | ✓ | — | — | — |
| GhostLink dual-ESP control | ✓ | — | — | — |
| Drone / OpenDroneID detect | ✓ | — | — | ✓ |
| Drone / OpenDroneID spoof | ✓ | — | — | ✓ |
| Bluetooth LE | ||||
| Flipper Zero finder | ✓ | ✓ | — | ✓ |
| GATT / service enumeration | ✓ | ✓ | ✓ | — |
| BLE stream to Wireshark | ✓ | — | — | — |
| BLE skimmer detection | ✓ | — | — | ✓ |
| FastPair / pairing exploit research | — | ✓ | ✓ | — |
| BLE HID injection / DuckyScript | — | ✓ | — | — |
| BLE GATT honeypot / cloned peripheral | — | — | ✓ | — |
| BLE vulnerability profiling | — | ✓ | ✓ | — |
| Flock / surveillance detector | — | — | ✓ | ✓ |
| NFC | ||||
| PN532 NFC support | ✓ | ✓ | ✓ | — |
| Chameleon Ultra support | ✓ | ✓ | — | — |
| Chameleon Ultra BLE control | ✓ | ✓ | — | — |
| Flipper .nfc import/export | ✓ | ✓ | — | — |
| NFC parser set | ✓ | — | — | — |
| MIFARE Classic default-key attack | ✓ | ✓ | ✓ | — |
| MIFARE Classic full embedded dictionary | ✓ | — | — | — |
| MIFARE Classic user dictionary file | ✓ | ✓ | — | — |
| MIFARE Classic session key reuse / sector sweep | ✓ | — | — | — |
| EMV / payment card reader | — | ✓ | — | — |
| BadUSB / HID | ||||
| BadUSB / DuckyScript | ✓ | ✓ | — | — |
| USB keyboard host mode | ✓ | — | — | — |
| BadUSB VID/PID identity options | ✓ | ✓ | — | — |
| Infrared | ||||
| IR learn / capture / replay | ✓ | ✓ | — | — |
| Flipper .ir file support | ✓ | ✓ | — | — |
| Universal IR library transmit | ✓ | ✓ | — | — |
| SubGHz / RF | ||||
| CC1101 SubGHz scan / replay | ✓ | ✓ | ✓ | — |
| CC1101 waterfall spectrum analyzer | ✓ | ✓ | — | — |
| Flipper .sub compatibility | ✓ | ✓ | — | — |
| SubGHz protocol decoders | ✓ | ✓ | ✓ | — |
| NRF24 spectrum analyzer | ✓ | ✓ | ✓ | ✓ |
| NRF24 MouseJack | — | ✓ | ✓ | — |
| Passive jamming detection | ✓ | — | ✓ | — |
| Active RF jamming shipped | Not shipped | ✓ | ✓ | ✓ |
| Zigbee / 802.15.4 packet capture | ✓ | — | — | — |
| Ethernet | ||||
| Ethernet W5500 support | ✓ | ✓ | — | — |
| Ethernet ARP poisoning / MITM tools | ✓ | ✓ | — | — |
| TLS SNI / HTTP / FTP credential capture | ✓ | — | — | — |
| Miscellaneous | ||||
| Camera streaming / motion detection | ✓ | — | — | — |
| Motion alerts with webhook support | ✓ | — | — | — |
| Network printer / PJL output | ✓ | — | — | — |
| DIAL / Chromecast testing | ✓ | — | — | — |
| On-device setup wizard | ✓ | — | — | — |
| Wired screen mirroring | ✓ | — | — | ✓ |
| Web screen mirroring | — | ✓ | — | — |
| SD config backup / restore | ✓ | — | — | — |
| Battery monitoring / fuel gauge support | ✓ | ✓ | ✓ | — |
| Sensor / RTC hardware support | ✓ | ✓ | — | — |
| M5 Cardputer keyboard support | ✓ | ✓ | — | — |
| Android companion app | ✓ | — | — | — |
| JavaScript app engine | — | ✓ | — | — |
| LoRa support | — | ✓ | — | — |
| FM radio support | — | ✓ | — | — |
Overview of the new Dual ESP32, 5GHZ standalone device.
Demonstration of 5GHz deauth attacks with ESP32-C5 on GhostESP
Demonstration of GhostESP and Flipper Zero deauthenticating a spy camera from a 2.4GHz WiFi network
How to use dual communication with GhostESP
How to get the T-Watch S3 into bootloader mode and flash GhostESP
Download official GhostESP assets, logos, and high-resolution images for media use
