ESP32 Marauder · Volume 12
ESP32 Marauder Firmware Volume 12 — Cheatsheet (the laminate-ready field card)
Menu maps, attack quick-refs, SD layout, hashcat commands, channel chart, build flags, troubleshooting flows, one-page references
Contents
1. About this volume
Vol 12 is the laminate-ready field card: the most-referenced content of every preceding volume, condensed into one printable page per section. Build it last; it is the synthesis of everything that came before.
The intent: print this volume, laminate it, carry it. In the field, lookups are by section number — Section 3 for Wi-Fi attacks, Section 6 for SD layout, Section 9 for the hashcat command you forgot. No need to navigate menus or scroll the deep dive; the answer is on the card.
Pages are sized for typical 8.5×11 or A4 print at a readable type size. Some sections are dense — print at 100% scale, not “fit to page”.
2. Menu map (mainline top-level)
ESP32 Marauder (Main Menu)
├── WiFi
│   ├── Sniffers
│   │   ├── Probe Request → /marauder/probes_<ts>.csv
│   │   ├── Beacon → /marauder/beacons_<ts>.csv
│   │   ├── PMKID/Probe → /marauder/pcaps/pmkid_<ts>.pcap
│   │   ├── EAPOL → /marauder/pcaps/eapol_<ts>.pcap
│   │   ├── AP+Client → /marauder/apclient_<ts>.csv
│   │   └── Detect (anomaly) → on-screen only
│   ├── Attacks
│   │   ├── Deauth ← gated by MARAUDER_DEAUTH build flag
│   │   ├── Beacon Spam ← uses /marauder/beacons.txt
│   │   ├── Probe Spam
│   │   ├── Karma (basic)
│   │   └── Evil Portal ← uses /marauder/evil_portal/index.html
│   └── Generals
│       ├── Save → SD
│       ├── Load ← SD
│       ├── Clear
│       └── Set Target [BSSID / Client MAC]
├── Bluetooth
│   ├── Sniffers
│   │   ├── BLE Scan → /marauder/ble_<ts>.csv
│   │   └── BT Scan (classic ESP32 only)
│   └── Attacks ← (most BLE-spam is in Ghost ESP / Bruce, not mainline)
├── GPS ← on HAS_GPS builds (AWOK V3, some custom)
│   ├── Tracker
│   └── NMEA
├── Device
│   ├── Settings ← /marauder/settings.txt
│   ├── Update Firmware
│   ├── Reboot
│   └── About
└── Color [Theme picker, instant apply]
Per-fork deltas:
- Ghost ESP: adds Bluetooth → Attacks → Sour Apple / Swiftpair / Easysetup / Fast Pair / AirTag Detect; adds WiFi → Visualizer with RSSI bar graphs.
- Bruce: top-level menu radically different — Marauder is one entry under a unified meta-menu that also exposes sub-GHz / IR / RFID / BadUSB.
- Bad Pinguino: single-screen one-attack-at-a-time variant.
3. Wi-Fi attack quick-ref
| Attack | Menu path | Pre-reqs | Default channel mode | SD output | Time-to-effect | Notes |
|---|---|---|---|---|---|---|
| Deauth | WiFi → Attack → Deauth | AP-scan first; target BSSID set; client MAC (or FF:FF:FF:FF:FF:FF broadcast); firmware built with MARAUDER_DEAUTH | Static (lock to target channel) | none | Immediate; clients disconnect within 1-2 sec | WPA3 / PMF-protected clients are immune. Vol 5 § 2 |
| Beacon Spam | WiFi → Attack → Beacon Spam | beacons.txt on SD (or built-in list) | Static recommended for iOS-UI denial | none | ~10-15 sec to iOS UI denial | Vol 5 § 3 |
| Probe Spam | WiFi → Attack → Probe Spam | none | Static or hopping | none | Limited operational value | Vol 5 § 4.1 |
| Karma (basic) | WiFi → Attack → Karma | none | Static | none | n/a | Modern OSes mostly defend. Vol 5 § 4.2 |
| Evil Portal | WiFi → Attack → Evil Portal | evil_portal/index.html on SD; Evil Portal SSID set | n/a (SoftAP) | creds.txt + evil_portal.log | Captures arrive when users join + submit form | Vol 5 § 5 |
4. Bluetooth attack quick-ref
| Attack | Mainline | Ghost ESP | Bruce | Target OS | Notes |
|---|---|---|---|---|---|
| BLE Scan | ✓ | ✓ (richer parses) | ✓ | all | Vol 6 § 4 |
| BT-classic Scan | ✓ (classic ESP32 only) | ✓ | ✓ | older BT-classic devices | Vol 6 § 7 |
| Sour Apple | ✗ | ✓ | ✓ | iOS / iPadOS / watchOS | iOS lockup edge case — caution. Vol 6 § 5.2 |
| Swiftpair | ✗ | ✓ | ✓ | Windows 10+ | Toast queue congestion |
| Easysetup | ✗ | ✓ | ✓ | Samsung Galaxy | S22+ reliable; older sporadic |
| Google Fast Pair | ✗ | ✓ | ✓ | Pixel + Google-Services Android | Opt-in per OEM |
| AirTag Detect | ✗ | ✓ | ✓ | reads Apple Find My beacons | 2-sec adv-interval signature. Vol 6 § 6 |
5. Wi-Fi scan / capture quick-ref
| Scan | Menu path | What it captures | Channel mode | Time recommendation | SD output |
|---|---|---|---|---|---|
| Probe Request | WiFi → Sniffer → Probe Request | client probes (MAC + SSID + RSSI) | Hopping (default) or static | 10-30 min for site survey | probes_*.csv |
| Beacon | WiFi → Sniffer → Beacon | AP beacons (BSSID + SSID + encryption + RSSI) | Hopping | 5-15 min | beacons_*.csv |
| EAPOL | WiFi → Sniffer → PMKID/Probe | EAPOL handshakes + PMKID | Static (lock to target channel) | Until handshake captured (1-2 min after deauth) | eapol_*.pcap |
| PMKID | (same menu) | PMKID from beacon RSN IE or EAPOL M1 | Hopping for opportunistic, static for targeted | Hours for passive harvest | pmkid_*.pcap |
| AP+Client | WiFi → Sniffer → AP+Client | Synthesized AP-list with associated clients | Hopping | 10-30 min | apclient_*.csv |
6. SD card layout — one-page reminder
SD card (FAT32 mandatory; 8-32 GB recommended)
└── /marauder/
    ├── pcaps/ ← packet captures
    │   ├── eapol_<timestamp>.pcap
    │   ├── pmkid_<timestamp>.pcap
    │   └── ble_<timestamp>.pcap
    ├── evil_portal/ ← Evil Portal user content
    │   ├── index.html ← captive page (override SPIFFS)
    │   ├── style.css (optional)
    │   └── logo.png (optional)
    ├── wordlists/ ← user wordlists (host-side use)
    │   └── rockyou.txt etc.
    ├── beacons.txt ← beacon-spam SSID list (UTF-8, 32B/line)
    ├── creds.txt ← Evil Portal credential log
    ├── evil_portal.log ← Evil Portal events log
    ├── settings.txt ← runtime settings (key:value, no spaces)
    └── (fork-specific dirs created by Ghost ESP / Bruce as needed)
Critical: FAT32 required; exFAT NOT supported. Cards > 32 GB need explicit FAT32 reformat.
7. Build-flag reminder
The build flags you’ll actually flip:
build_flags =
-DBOARD_HAS_PSRAM ; ESP32-S3 N16R8 etc.
-DARDUINO_USB_CDC_ON_BOOT=1 ; S3 native USB
-DARDUINO_USB_MODE=1
-DHAS_SCREEN ; display wired
-DHAS_BUTTONS ; tactile buttons
-DHAS_TOUCH ; touchscreen instead
-DHAS_GPS ; GPS module wired
-DBOARD_HAS_PSRAM ; (repeat from above)
-DMARAUDER_V6_1 ; board identity (pick one)
-DMARAUDER_DEAUTH=1 ; ← THE most-asked. enables deauth.
-DMARAUDER_BEACON_SPAM=1 ; usually on
-DMARAUDER_EVIL_PORTAL=1 ; usually on
-DCOUNTRY_US ; channel-plan region (pick one)
-DTFT_WIDTH=240 -DTFT_HEIGHT=320 ; display dimensions
-DTFT_MOSI=11 -DTFT_SCLK=12 -DTFT_CS=10 ; TFT_eSPI pin map (board-specific)
-DTFT_DC=9 -DTFT_RST=8 -DTFT_BL=13
-DST7789_DRIVER ; or ILI9341_DRIVER
-DSPI_FREQUENCY=40000000 ; TFT SPI clock
-DUSER_SETUP_LOADED=1 ; tells TFT_eSPI to use these defines
Region: pick one of COUNTRY_US, COUNTRY_DE, COUNTRY_JP, COUNTRY_ANY per build.
The flag that surprises everyone: MARAUDER_DEAUTH=1. Often omitted in pre-built mainline binaries. If your Deauth menu entry is missing, this is why.
8. Channel chart — 2.4 GHz
Channel | Frequency (MHz) | Width | US 1-11 | DE 1-13 | JP 1-14
-----------------------------------------------------------------
1 | 2412 | 22 | ✓ | ✓ | ✓
2 | 2417 | 22 | ✓ | ✓ | ✓
3 | 2422 | 22 | ✓ | ✓ | ✓
4 | 2427 | 22 | ✓ | ✓ | ✓
5 | 2432 | 22 | ✓ | ✓ | ✓
6 | 2437 | 22 | ✓ | ✓ | ✓
7 | 2442 | 22 | ✓ | ✓ | ✓
8 | 2447 | 22 | ✓ | ✓ | ✓
9 | 2452 | 22 | ✓ | ✓ | ✓
10 | 2457 | 22 | ✓ | ✓ | ✓
11 | 2462 | 22 | ✓ | ✓ | ✓
12 | 2467 | 22 | | ✓ | ✓
13 | 2472 | 22 | | ✓ | ✓
14 | 2484 | 22 | | | ✓ (Japan only)
Non-overlapping subset (US/global): channels 1, 6, 11. These three channels’ 22 MHz bands don’t overlap; everything else does. Real AP configurations cluster on these three.
Typical channel distribution at a US site:
- ~50% of APs on channel 6
- ~25% on channel 1
- ~20% on channel 11
- ~5% scattered across 2-5 / 7-10 (often auto-channel selection with non-1/6/11 result)
BLE advertising channels: 37 (2402 MHz), 38 (2426 MHz), 39 (2480 MHz). Spaced between Wi-Fi ch 1/6/11.
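Added example (not Marauder code): the channel arithmetic behind the chart above, applied to a constructed beacon-survey sample. It computes centre frequencies, derives the 1/6/11 non-overlapping set from the 22 MHz width rather than hard-coding it, and flags two things a defender reading a survey wants to see: APs that collide with the 1/6/11 plan, and APs beaconing on channels the venue's region does not permit.

```python
"""Added example, not Marauder code: 2.4 GHz channel arithmetic for reading a
beacon survey. Channels 1-13 are centred at 2407 + 5*ch MHz, channel 14 at
2484 MHz; with 22 MHz-wide channels, two channels overlap when their centres
are less than 22 MHz apart, which is why only 1, 6 and 11 are mutually clear."""
from collections import Counter

CHANNEL_WIDTH_MHZ = 22
REGION_CHANNELS = {"US": range(1, 12), "DE": range(1, 14), "JP": range(1, 15)}


def center_freq_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel (1-14) in MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def overlaps(ch_a: int, ch_b: int) -> bool:
    """True when the two channels' 22 MHz bands share spectrum."""
    return abs(center_freq_mhz(ch_a) - center_freq_mhz(ch_b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_set(region: str) -> list[int]:
    """Lowest-first greedy choice of mutually clear channels for a region."""
    chosen: list[int] = []
    for ch in REGION_CHANNELS[region]:
        if not any(overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def survey_summary(ap_channels: list[int], region: str) -> dict:
    """Per-channel AP counts plus two defender flags: APs on channels that
    collide with the 1/6/11 plan, and APs on channels the region does not
    permit (a sign of a misconfigured or foreign-region AP)."""
    clear = non_overlapping_set(region)
    counts = Counter(ap_channels)
    return {
        "counts": dict(sorted(counts.items())),
        "share_on_clear": sum(counts[c] for c in clear) / len(ap_channels),
        "colliding": {ch: [c for c in clear if overlaps(ch, c)]
                      for ch in counts if ch not in clear},
        "out_of_region": sorted(ch for ch in counts if ch not in REGION_CHANNELS[region]),
    }


if __name__ == "__main__":
    # Constructed sample: channels seen in a short beacon sniff at a US site.
    sample = [6, 6, 1, 11, 6, 3, 1, 6, 9, 13]
    print(non_overlapping_set("US"))   # [1, 6, 11]
    print(survey_summary(sample, "US"))
```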
9. Hashcat 22000 command reference
# Convert Marauder pcap to hashcat format
hcxpcapngtool -o handshakes.hc22000 /path/to/pcap/file.pcap
# Crack with wordlist
hashcat -m 22000 handshakes.hc22000 /path/to/rockyou.txt
# With rules (recommended)
hashcat -m 22000 handshakes.hc22000 rockyou.txt -r /path/to/best64.rule
# Mask attack (8 chars all printable)
hashcat -m 22000 -a 3 handshakes.hc22000 '?a?a?a?a?a?a?a?a'
# Resume interrupted run
hashcat --restore
# Show cracked
hashcat -m 22000 handshakes.hc22000 --show
# Status during long run
hashcat -m 22000 handshakes.hc22000 rockyou.txt --status --status-timer 60
# GPU-only (skip CPU)
hashcat -m 22000 handshakes.hc22000 rockyou.txt -D 2
Mask character classes:
| Class | Meaning | Characters |
|---|---|---|
| ?l | lowercase | a-z |
| ?u | uppercase | A-Z |
| ?d | digit | 0-9 |
| ?s | special | !@#$%^&*()-_=+ etc. |
| ?a | all | ?l + ?u + ?d + ?s |
| ?h | lowercase hex | 0-9a-f |
| ?H | uppercase hex | 0-9A-F |
Common router-default password masks:
- 8 digits (phone number / common default): ?d?d?d?d?d?d?d?d
- 8 hex (router default): ?h?h?h?h?h?h?h?h
- 10 digits (US phone number): ?d?d?d?d?d?d?d?d?d?d
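Added example (not hashcat's or the Marauder project's code): a small mask parser that sizes the candidate space each of the patterns above describes, so a defender can put a number on how little a digits-only or hex-only default PSK protects. Class sizes follow the table above; ?s is assumed to be the 33 printable ASCII specials (so ?a is 95), and the hash rate is a caller-supplied assumption because the page gives none.

```python
"""Added example, not from hashcat or the Marauder project: size the candidate
space a mask describes. ?s is assumed to be the 33 printable ASCII specials."""
CLASS_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "h": 16, "H": 16}


def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat-style mask enumerates.
    '?x' tokens draw from a class, '??' is a literal '?', and any other
    character is a fixed literal contributing a factor of 1."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            tok = mask[i + 1]
            if tok == "?":
                pass                       # literal question mark
            elif tok in CLASS_SIZES:
                total *= CLASS_SIZES[tok]
            else:
                raise ValueError(f"unknown class ?{tok}")
            i += 2
        else:
            i += 1
    return total


def seconds_to_exhaust(mask: str, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed rate (supply a
    figure you measured; none is given on this page)."""
    if hashes_per_second <= 0:
        raise ValueError("rate must be positive")
    return mask_keyspace(mask) / hashes_per_second


if __name__ == "__main__":
    for m in ("?d?d?d?d?d?d?d?d", "?h?h?h?h?h?h?h?h",
              "?d?d?d?d?d?d?d?d?d?d", "?a?a?a?a?a?a?a?a"):
        print(f"{m:22s} {mask_keyspace(m):>20,d} candidates")
```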
GPU rental costs (for quick crack jobs):
- RTX 4090 on RunPod: $0.40-0.80/hr
- 5-min rockyou run on RTX 4090: ~$0.05
10. Fork-by-fork feature presence
Condensed from Vol 7 § 7 for one-page reference. Bold = the operationally consequential mainline omissions.
| Feature | Mainline | Ghost ESP | Bruce | Bad Pinguino |
|---|---|---|---|---|
| Deauth | ✓ (gated) | ✓ | ✓ | ✓ |
| Beacon spam | ✓ | ✓ + runtime tunable | ✓ | ✓ |
| Probe spam | ✓ | ✓ | ✓ | ✗ |
| Karma | basic | multi-SSID | basic | ✗ |
| Evil Portal | ✓ | ✓ | ✓ | ✗ |
| BLE Scan | ✓ | ✓ + richer | ✓ | ✗ |
| BLE-spam Sour Apple | ✗ | ✓ | ✓ | ✗ |
| BLE-spam Swiftpair | ✗ | ✓ | ✓ | ✗ |
| BLE-spam Easysetup | ✗ | ✓ | ✓ | ✗ |
| BLE-spam Fast Pair | ✗ | ✓ | ✓ | ✗ |
| AirTag Detect | ✗ | ✓ | ✓ | ✗ |
| Sub-GHz (CC1101) | ✗ | partial | ✓ | ✗ |
| IR | ✗ | partial | ✓ | ✗ |
| RFID (PN532) | ✗ | ✗ | ✓ | ✗ |
| BadUSB | ✗ | ✗ | ✓ | ✗ |
| Runtime country code | ✗ | ✓ | ✓ | ✗ |
| Documented board envs | ~15 | ~10 | ~8 | ~5 |
| License | GPLv3 | AGPLv3 | AGPLv3 | GPLv3 |
Migration: mostly via web flasher (~5 min). SD content is portable for pcaps/, evil_portal/, wordlists/ and beacons.txt; settings.txt must be re-created on Bruce.
11. Pre-engagement checklist (one-page)
Print this. Tape it to the inside of your gear bag.
- Written authorization signed and dated, covering today’s date and the planned attack scope
- RF coverage scope specified (target BSSIDs and geographic area)
- Attacks permitted specified (deauth + capture? Evil Portal? BLE-spam?)
- Stop condition defined (time limit, signal-of-completion)
- Battery charged (≥ 50% if engagement < 1 hr; ≥ 90% if longer)
- SD card formatted FAT32, fresh
- evil_portal/index.html in place if Evil Portal in scope; creds.txt empty
- Firmware matches engagement (mainline / Ghost ESP / Bruce per attack needs)
- Region setting matches venue (US / DE / JP / ANY)
- Target BSSID(s) loaded in Settings; client MAC if surgical deauth planned
- Evil Portal SSID configured if Evil Portal in scope
- RandomMAC enabled in settings
- Logging plan: where will captures go? Who has access?
- Sanitization plan: how / when is SD content erased?
- Discovery response: if observed, stop, produce authorization, document
- Out-of-band channel prepared for security team to reach me
If any item isn’t checked, abort. Don’t compromise on the checklist.
12. Troubleshooting flow
Marauder won't boot?
├── Display off
│   └── SD card formatted?
│       ├── FAT32 → reflash
│       └── exFAT / wrong → reformat
└── Display on, looping
    └── Check Settings → About → version
        └── Confirms boot → issue isn't bootloop; issue is in a feature → see below

No scan results?
├── Country setting matches venue?
│   └── Try: rebuild with a different region
└── Antenna plugged in / U.FL connected properly?
    └── Try: reseat antenna

Evil Portal not capturing?
├── SSID set? Open security?
├── HTML form has action="/get" + named inputs?
└── File at /marauder/evil_portal/index.html?

Deauth menu missing?
└── MARAUDER_DEAUTH not in build
    └── Rebuild from source (Vol 10 § 3.4) OR flash Ghost ESP (default-on)

BLE-spam not working?
└── Mainline doesn't ship BLE-spam (Vol 7 § 3.2)
    └── Flash Ghost ESP or Bruce

hashcat says "No hashes loaded"?
└── Run hcxpcapngtool first (Vol 9 § 4.1): convert pcap to .hc22000
13. Key references in one block
Upstream
- Marauder: https://github.com/justcallmekoko/ESP32Marauder
- Marauder wiki: https://github.com/justcallmekoko/ESP32Marauder/wiki
- Marauder web flasher: https://flasher.marauder.maurersystems.com/
- JustCallMeKoko Tindie: https://www.tindie.com/stores/justcallmekoko/
Forks
- Ghost ESP: https://github.com/Spooks4576/Ghost_ESP
- Bruce: https://github.com/pr3y/Bruce · https://bruce.computer/
- Bad Pinguino: https://github.com/bmorcelli/Bad-Pinguino
Tools
- Wireshark: https://www.wireshark.org/
- hashcat: https://hashcat.net/hashcat/
- hcxtools: https://github.com/ZerBea/hcxtools
- aircrack-ng: https://www.aircrack-ng.org/
- bettercap: https://www.bettercap.org/
- PlatformIO: https://platformio.org/
Standards
- IEEE 802.11-2020 (frame anatomy)
- Bluetooth Core Spec 5.3
- US 47 CFR Part 15 (2.4 GHz rules)
- Bluetooth company-identifier list: https://www.bluetooth.com/specifications/assigned-numbers/company-identifiers/
Wordlists
Hack Tools cross-references
- ../../../_shared/comparison.md — cross-tool decision matrix
- ../../../_shared/capability_matrix.html — sortable matrix
- ../../../_shared/legal_ethics.md — Hack Tools project posture
- ../../../AWOK Dual Touch V3/03-outputs/AWOK_Dual_Touch_V3_Complete.html — tjscientist’s daily-driver Marauder host
- ../../../Flipper Zero/03-outputs/Flipper_Zero_Complete.html — Flipper WiFi Devboard coverage
- ../../../M5Stack Cardputer ADV/03-outputs/cardputer_adv_deep_dive.html — Cardputer Marauder coverage
- ../../../Ruckus Game Over/03-outputs/game_over_complete.html — Game Over vendor fork
This is the final volume of the ESP32 Marauder Firmware 12-volume series. Series complete. Print, laminate, carry.