Releases: chrisq-dev/phantom-kit
PhantomKit v1.3.0
PhantomKit v1.3.0
The most powerful PhantomKit release yet — Karma Attack, Auto-Attack chain, WPA2 PMKID capture, OUI fingerprinting, and an emergency wipe system.
What's new
⚡ Auto-Attack Chain
One-click full attack from the new Auto-Attack tab. Select a network from the scan results → the device automatically changes its SSID to match, starts unicast deauth, and activates the most convincing captive portal template — all in a single API call.
☠️ Karma Attack
When enabled from Ajustes, the probe sniffer responds to every non-broadcast probe request by cloning the sought SSID on the softAP. Devices that automatically reconnect to known networks will join the Evil Twin without any manual configuration. The classic WiFi Pineapple technique, now on a $3 ESP8266.
🔑 PMKID Capture
New PMKID tab captures WPA2 PMKIDs directly from the first EAPOL Key frame of the 4-way handshake — no client association required (Jens Steube, 2018). Run alongside Deauth to force client reconnections. Captured hashes export as a .hc22000 file ready for hashcat -m 22000.
🏭 OUI Manufacturer Lookup
The probe sniffer now identifies device manufacturers from the first 3 bytes of the MAC address using a PROGMEM table covering Apple, Samsung, Google, Xiaomi, Huawei, Intel, OnePlus, Motorola, ASUS, LG, Sony, MediaTek, and Realtek. Shown as a dedicated column in the device table.
🎯 Portal Auto-Match
suggestTemplate(ssid) classifies any SSID by keyword to select the most convincing phishing page automatically:
- ISP names (Telmex, Telcel, Izzi, Megacable, Movistar…) → WiFi Login
- Corporate keywords (corp, office, work, staff…) → Microsoft
- Social (Facebook, Instagram, Twitter…) → matching template
- Streaming (Netflix) → Netflix template
🚨 Emergency Wipe
Two ways to destroy all captured data instantly:
- Hardware: hold the NodeMCU FLASH button (GPIO0) for 3 seconds
- Web:
POST /api/panic(no auth — intentional)
Deletes /credentials.csv and /notify.cfg from LittleFS, then reboots.
🔔 Real-time Credential Toast
The dashboard now shows a floating notification on any active tab the moment a new credential is captured — no need to switch tabs.
New API endpoints
| Endpoint | Method | Description |
|---|---|---|
/api/autoattack |
POST | action=start|stop|suggest |
/api/karma |
POST | action=start|stop |
/api/pmkid |
POST | action=start|stop&bssid=... |
/api/pmkid/results |
GET | JSON list of captured PMKIDs |
/api/pmkid/export |
GET | .hc22000 file download |
/api/panic |
POST | Emergency wipe (no auth) |
Upgrade from v1.2.0
git pull origin main
pio run --target uploadfs && pio run --target uploadFlash: 40.5% used · RAM: 85.3% used · Board: NodeMCU v2 / ESP-12E
For authorized security audits and educational use only.
PhantomKit v1.2.0
PhantomKit v1.2.0
Security and stealth upgrade — real 802.11 parsing, dashboard authentication, webhook alerts, and NTP timestamps.
What's new
🔐 Dashboard Authentication
Password-protected dashboard (auditor123 by default, configurable in config.h). Session token stored as an HttpOnly cookie. All /api/* routes require a valid session.
📡 Real Probe Sniffer
Rewrote the probe sniffer to parse actual 802.11 management frames using the ESP8266 SDK promiscuous callback. Extracts source MAC, sought SSID, and RSSI directly from frame offsets — no more heuristics.
🎯 Unicast Deauth
Added a passive 800 ms sniff window before each deauth run to detect associated client MACs. Sends targeted AP→Client and Client→AP deauth frames for each detected client, bypassing the modern mobile defense against broadcast deauth (802.11w PMF is not enforced on ESP8266 soft-APs).
🔔 Webhook Notifications
New NotifierModule — sends an HTTP POST to ntfy.sh or any custom webhook every time a credential is captured. Configure URL and topic from the Ajustes tab. Saved to LittleFS across reboots.
🕐 NTP Real Timestamps
When uplink WiFi (UPLINK_SSID / UPLINK_PASSWORD) is configured, the device syncs with pool.ntp.org on boot. Credentials and logs show YYYY-MM-DD HH:MM:SS instead of relative T+HH:MM:SS.
👻 Stealth Mode
Hides the management SSID PhantomKit from Wi-Fi scans using the ESP8266 SDK wifi_softap_set_config. Toggle from the Ajustes tab without reflashing.
✅ GitHub Actions CI
Every push to main compiles the firmware automatically. Build badge in README.
Upgrade from v1.1.0
git pull origin main
pio run --target uploadfs && pio run --target uploadSet DASHBOARD_PASSWORD in src/config.h before flashing.
For authorized security audits and educational use only.
PhantomKit v1.0.0 — Initial Release
ESP8266 PhantomKit v1.0.0
First stable release of PhantomKit — self-contained Wi-Fi auditing platform for ESP8266.
Included in this release
- Evil Portal with 8 cloned templates (Facebook, Instagram, Microsoft, X, Google, WiFi Login, Netflix, WhatsApp)
- Web dashboard at
http://192.168.4.1/dashboard - Real-time credential capture
- Deauth Attack — IEEE 802.11 deauth packets
- Beacon Flood — 50+ fake SSIDs
- Probe Sniffer — passive probe request capture
- Evil Twin — clone existing networks
- Automatic channel hopping (channels 1-13)
- Auto-Portal — environment analysis and template recommendations
Quick start
git clone https://github.com/chrisq-dev/phantom-kit.git
cd phantom-kit
pio run --target uploadfs && pio run --target uploadConnect to the PhantomKit network (password: phantom123) and open http://192.168.4.1/dashboard
For authorized security audits and educational use only. See docs/legal.md for the full disclaimer.