I briefly worked on capturing the 4-way handshake, but gave up, as I could only get the first 112 bytes of the packets in promiscuous mode. You mention that as one of the planned features. Have you found a way around that limitation? 

I'll have a try with the ESP32 next. Espressif claimed "full packet receive" in their current SDK release notes.

Looks like an awesome tool!!!

might be worth a thought - 5ghz....the ESP8266 only supports 2.4ghz

What about WPS? Would be easy to implement WPS brute forcing and/or calculation of default PIN?

I'm not completely sure, but I think the processing power and memory of the ESP is not sufficient for such an attack

I searched on Google and the only method that seems supported by the ESP8266 SDK is WPS PBC (with button). Seems like the most vulnerable method (WPS PIN) is not implemented yet. What a pity.

Awesome project, is there a link to buying a board?

You can always order the bare board from OSHPark and create a BOM from the Eagle files https://oshpark.com/shared_projects/IPe5DGPV

I'm really looking forward to test this project of my own. How is it going? Will the code be aavailble soon?

The Code in its current state is already available on github (https://github.com/dangrie158/ESPTool), however I wasn't able to develop all features yet since I'm working on my masters thesis

do you think you could made a version of esptool for this :https://goo.gl/HzFtGT 

Hi, should be really easy to do. Just add some buttons. Since the i2c pins for the display are "fixed" this should work with out (or only minor) adjustments to the firmware.

Have a look at the pin definitions in the main.cpp (https://github.com/dangrie158/ESPTool/blob/develop/Firmware/src/main.cpp)

This is what I thought as well. Since I already have wemos ESP8266 with 1.3 OLED from aliexpress. I will try finding a convinient way to add Buttons. Thanks Daniel for providing the code.

Is this "stable"? Stable as in: It's sane to order a board from OSHPark.

I don't care about the firmware (I can update it whenever I want)

The picture with the channel occupation doesn't show channel 14. I know that channel is only (legally) available in Japan, but it is sometimes being used in western Europe, which doesn't surprise me considering how crowded all other channels are.

Can this channel be added to the channel occupation part or is there a hardware limitation?

It's not a technical problem. I left it out because there was not enough space on the display :) . I may  cram it back in, but the I need to resize the font

Consider using a small i2c gpio chip for your buttons. Msop-10 could work nicely, sharing the bus with your display.

Thanks, but @Radomir Dopieralski had the great idea that I use the GPIOs from the SPI Interface, so I can read them when CS is low. Putting a resistor between the GPIOs and the button will enable the SPI device to still pull the lines high/low

Will there be code?

There definitley will, however I'm not always pushing changes directly to github, I first finish a feature then push all commits for this feature at once.

There definitley will, however I'm not always pushing changes directly to github, I first finish a feature then push all commits for this feature at once.

You shouldn't put any traces under the ESP antenna on the board, you know that? Maybe use a module capable of an external antenna, or re-position the module...

Thanks, you really looked closely on the photos :). I noticed my error after I ordered the v0.1 boards because I did not have a keepout-rectangle in the footprint. However, for the v0.2 board I did not change too much about that because I wanted to use the same solder stencil for the bottom side. The reason for v0.2 was to see if the whole electrical side works with the pin-mapping, etc. v0.3 however will be a complete relayout with a keepout zone.

In practice, however, it isn't too much of a deal. Most traces under the ESP carry mostly DC (e.g. the charge indicator LEDs). There's not much high-speed stuff going on (the I2C and SPI lines are routed on the other end of the board). 

I think the only thing that really worsens the antennas performance is that there is quite some area of ground fill under it, which gives a relatively high capacitance of the antenna to ground. 

Now for testing purposes and mostly developing the firmware I'm sitting next to my testing router anyways, so no problem.

Can it also find multiple hidden SSID's?

Thats a great idea! 

As I see it, the ESP's wifi_station_scan does have a show_hidden parameter for active SSID scanning (including hidden networks) which I set when scanning.

However it should be possible to use the promiscuous mode to scan for probing requests with a set SSID. I will look into this as soon as I implement the attacks. (I'm currently in the process to implement all the framework: UI lib, IO libs, Processing model, SW architecture...)

Thanks for the idea. I also wanted to implement an "evil twin hotspot" feature, so I would need to listen to these frames anyhow.

I'm glad to help with ideas :))

What about not only "random MAC", but also write in needed MAC address?

Channels scanning and (if possible on this modules) channels jaming.

jamming is sadly not possible due to the limited control over the rf section. However, scannin on specific channels is possible. do you want to have kind of a bargraph which channels are used by howmany APs? Or what would be your usecase for specific channels?

Entering a MAC with 3 buttons seems as a really annoying, slow process. What would be the benefit? As said I want to implement an evil-twin functionality where you can select the MAC from a list. is this what you mean?

BTW I already have a way to enter text so you can enter the passphrase for a specific Network. It really sucks and is tedious, however needed to be able to connect for the Layer 3+ attacks

Yes I want to see bargraph which channels are used by howmany APs. 

You can add 5 buttons as joystik (like @K.C. Lee write) but with more buttons. Examlpe: pressing right can select between number/number, letter/letter, number/letter, letter/number; up and down to scroll to correct value. Or select each charter in turn. After selecting correct value and pressing "Enter" can select (right-left) next section/charter to correct.

If you will add full dimension with MAC, I think what it will be wery big amount of data? Or not?

For future you can divide MAC addresses by vendor sections.

I implemented the occupation feature right on monday: look at the gallery

You can use the ADC pin to read multiple buttons.  http://letsmakerobots.com/node/33397

Replace the 5V to 3.3V in the picture below.  Multiple buttons can be pressed and detected if R1, R2 and R3 are different values e.g. 2^n multiples such as 1K, 2K, 3.9K  You need to calibrate them or allow for a range of values for tolerances.

Thanks, I was aware that one could use an ADC and an R-network to read multiple buttons, however I always thought that it would mean you could not distinguish each button good enough when multiple buttons are pressed. interesting read, thank you for the comment.

I did not yet upload my full schematic, but since the project is battery powered, I already use the one (and only) ADC to measure the battery voltage for an battery indicator. So this method is not an option for me.

BTW: The ADC of the ESP8266 is referenced to 1V, not 3V3. I think this is because otherwise it would not be able to provide a good reference when VDD is below 3V3.

Maybe some modules have a build in divider network, but at least on the 12-E (or 12-F?) modules I use, it is routed directly out to the A0 pin.

In theory that low-ish reference voltage is an advantage. 
In theory you take an 1 Ohm resistor R4, and use 10 resistors causing 2^N mA to get 10 buttons! Of course you'd need to drop a few of the low-order buttons to allow for a bit of tolerance on the resistors and the measurement. And of course running 0.5A for button 9 is not an option.... 

At least in the US, it would be illegal to jam your own wifi signal.

oh really? Man, I live in Germany and I think we have kind of the same here. However, I think no plaintiff, no judge?