PhantomKit v1.3.0
The most powerful PhantomKit release yet — Karma Attack, Auto-Attack chain, WPA2 PMKID capture, OUI fingerprinting, and an emergency wipe system.
What's new
⚡ Auto-Attack Chain
One-click full attack from the new Auto-Attack tab. Select a network from the scan results → the device automatically changes its SSID to match, starts unicast deauth, and activates the most convincing captive portal template — all in a single API call.
☠️ Karma Attack
When enabled from Ajustes, the probe sniffer responds to every non-broadcast probe request by cloning the sought SSID on the softAP. Devices that automatically reconnect to known networks will join the Evil Twin without any manual configuration. The classic WiFi Pineapple technique, now on a $3 ESP8266.
🔑 PMKID Capture
New PMKID tab captures WPA2 PMKIDs directly from the first EAPOL Key frame of the 4-way handshake — no client association required (Jens Steube, 2018). Run alongside Deauth to force client reconnections. Captured hashes export as a .hc22000 file ready for hashcat -m 22000.
🏭 OUI Manufacturer Lookup
The probe sniffer now identifies device manufacturers from the first 3 bytes of the MAC address using a PROGMEM table covering Apple, Samsung, Google, Xiaomi, Huawei, Intel, OnePlus, Motorola, ASUS, LG, Sony, MediaTek, and Realtek. Shown as a dedicated column in the device table.
🎯 Portal Auto-Match
suggestTemplate(ssid) classifies any SSID by keyword to select the most convincing phishing page automatically:
- ISP names (Telmex, Telcel, Izzi, Megacable, Movistar…) → WiFi Login
- Corporate keywords (corp, office, work, staff…) → Microsoft
- Social (Facebook, Instagram, Twitter…) → matching template
- Streaming (Netflix) → Netflix template
🚨 Emergency Wipe
Two ways to destroy all captured data instantly:
- Hardware: hold the NodeMCU FLASH button (GPIO0) for 3 seconds
- Web:
POST /api/panic(no auth — intentional)
Deletes /credentials.csv and /notify.cfg from LittleFS, then reboots.
🔔 Real-time Credential Toast
The dashboard now shows a floating notification on any active tab the moment a new credential is captured — no need to switch tabs.
New API endpoints
| Endpoint | Method | Description |
|---|---|---|
/api/autoattack |
POST | action=start|stop|suggest |
/api/karma |
POST | action=start|stop |
/api/pmkid |
POST | action=start|stop&bssid=... |
/api/pmkid/results |
GET | JSON list of captured PMKIDs |
/api/pmkid/export |
GET | .hc22000 file download |
/api/panic |
POST | Emergency wipe (no auth) |
Upgrade from v1.2.0
git pull origin main
pio run --target uploadfs && pio run --target uploadFlash: 40.5% used · RAM: 85.3% used · Board: NodeMCU v2 / ESP-12E
For authorized security audits and educational use only.