10 Things You Can Do With BLEShark Nano (That You Probably Didn't Know)
Imagine five devices the size of a USB stick, scattered across a building - one tucked behind a couch in the lobby, one in a conference room, one near the server closet, one in the parking garage, and one in your pocket. They're all talking to each other over an encrypted mesh network. From your pocket, you can see every WiFi network in the building, every BLE device broadcasting, every IR-controlled projector and TV. You can run captive portal phishing simulations on different floors with different fake login pages and compare which one gets more clicks. You can capture WPA2 handshakes from networks three rooms away. You can detect if someone else is running deauth attacks anywhere in range.
That's not a $50,000 enterprise deployment. That's five BLEShark Nanos running Shiver mesh. Total cost: under $200.
The Shiver mesh system is what makes BLEShark Nano fundamentally different from every other pocket security tool on the market. Up to 16 devices form an encrypted ESP-NOW mesh network with 20-50m range between nodes. One device acts as the controller. The rest are nodes. Every feature the Nano has - WiFi scanning, BLE scanning, deauth, handshake capture, captive portals, IR, BLESpam, AP spam - can be triggered on any node from the controller and the results flow back in real time.
Nobody else has this. Not Flipper Zero. Not WiFi Pineapple. Not any ESP32 Marauder build. Shiver turns a pocket tool into a distributed security platform, and that changes what a single person (or a small team) can actually assess.
But Shiver is the multiplier. The features it multiplies are what make the Nano worth carrying on its own. Here are the 10 you need to know about.
1. Captive Portals With Custom HTML and JSON Submissions
The BLEShark Nano spins up a WiFi access point and serves a captive portal - a web page that appears automatically when someone connects. You control the HTML. Upload any page you want via the file portal: a fake corporate login, a hotel WiFi landing page, a security awareness quiz. Whatever fits your authorized engagement.
When someone submits the form, the credentials are captured as JSON and stored locally on the device. You can download the submissions later via the file portal - timestamped, structured, ready for your report. No cloud, no external server, no data leaving the device.
For security awareness training, this is the feature that makes people sit up. Showing an employee their own username on a screen ten seconds after they typed it into a fake portal hits differently than a slide deck about phishing.
With Shiver mesh, this gets even more interesting. Deploy different portal variants on different nodes - different SSIDs, different HTML designs, different physical locations - and compare which one is most effective. Real A/B testing for red team engagements.
For authorized use only. Deploy captive portals only on networks and in environments where you have explicit written permission.
2. WPA2 4-Way Handshake Capture (PCAP)
BLEShark Nano captures WPA2 4-way handshakes directly on-device and saves them as PCAP files. Download the capture via the file portal and run it through Hashcat or John the Ripper for offline passphrase auditing.
Most compact tools in this space can trigger a handshake (via deauth) but need a separate device to actually capture it. The Nano does both. One device, one workflow.
EU units operate in passive-listen mode - they capture handshakes during natural client association events without sending deauth frames. This is fully functional for authorized audits on networks you control; you just wait for a device to connect naturally instead of forcing it.
With Shiver mesh: trigger handshake captures on multiple networks simultaneously from nodes positioned across a building. The PCAPs stay on each node for download - or you manage the whole operation from the controller.
For authorized use only on networks you own or have explicit written permission to test.
graph TD
subgraph "ESP32-C3 Hardware"
A[RISC-V Core 160MHz] --> B[2.4GHz Radio]
A --> C[IR Transceiver]
A --> D[500mAh Battery]
A --> E[USB-C Interface]
end
subgraph "WiFi Capabilities"
B --> F[WiFi Scanning]
B --> G[Deauth Testing]
B --> H[WPA2 Handshake Capture]
B --> I[Captive Portal / Evil Twin]
B --> J[AP Spam / Beacon Flood]
B --> K[ESP-NOW Shiver Mesh]
end
subgraph "BLE Capabilities"
B --> L[BLE Device Scanning]
B --> M[BLESpam Notifications]
B --> N[Bad-BT HID Injection]
N --> O[On-Device DuckyScript Editor]
end
subgraph "IR Capabilities"
C --> P[IR Clone Remote]
C --> Q[IR Replay Signals]
C --> R[TV-B-Gone]
end
BLEShark Nano's feature architecture: a single ESP32-C3 chip drives WiFi, BLE, and IR capabilities. The 2.4GHz radio time-shares between WiFi and BLE modes, while IR operates independently through a dedicated transceiver.
3. Bad-BT With On-Device DuckyScript Editing
Bad-BT turns the BLEShark Nano into a wireless Bluetooth keyboard that injects keystrokes into a paired device. Write your payload in DuckyScript, pair over Bluetooth, press a button, and the Nano types commands faster than any human could. Open a terminal, run a script, exfiltrate data, lock a workstation - whatever your authorized engagement calls for.
Here's the feature that actually matters: the on-device DuckyScript editor.
If you've used a USB Rubber Ducky or a Flipper Zero for HID injection, you know the pain. You write the script on your computer. Upload it to the device. Test it. Something's wrong - maybe a DELAY is 100ms too long, or a STRING has a typo. So you go back to the computer, edit one line, upload again, test again. Most of your time is spent on the upload cycle, not the actual testing.
BLEShark Nano fixes this. The on-device editor lets you open any DuckyScript file and modify it right there - change a delay, fix a string, add a command. No disconnecting, no re-uploading, no laptop required. It's not designed for writing scripts from scratch (the Nano's OLED is small), but for iterating on existing payloads in the field, nothing else comes close.
The Nano also ships with a library of ready-to-go DuckyScript payloads built in. Open a browser, pop a reverse shell, display a message, lock the screen - useful starting points you can modify on-device to fit your specific target environment.
DuckyScript files can also be uploaded and downloaded via the file portal for managing your script library.
4. WiFi Scanning
The BLEShark Nano includes a built-in 2.4GHz WiFi scanner that surfaces all nearby networks with SSIDs, signal strength, security type, and channel. Useful for diagnosing channel congestion, spotting rogue access points, running a quick site survey, or just figuring out why your WiFi is slow.
With Shiver mesh: every node scans independently and results aggregate on the controller. You see every network visible from every position in the mesh - a far more complete picture than any single scan point can give you. The aggregated view shows per-node RSSI for each network, so you can identify exactly where signal is strongest and where dead zones are.
5. BLE Scanning With OUI Lookups
BLE Scanner mode turns the Nano into a passive listener, discovering every nearby Bluetooth Low Energy device along with its MAC address, signal strength (RSSI), advertised name, and manufacturer via OUI lookup. You'll see exactly what's broadcasting around you - fitness trackers, smart locks, medical devices, beacons, earbuds, phones - and who made them.
This is useful for security audits (what BLE devices are on the corporate floor?), smart home inventory, or just understanding how saturated your environment is with wireless devices. The OUI lookup immediately tells you if that unknown MAC belongs to Apple, Samsung, Xiaomi, or someone more unexpected.
With Shiver mesh: run BLE scans from multiple positions and get aggregated results with per-node RSSI - useful for triangulating device locations or building BLE coverage maps.
6. WiFi Deauth - Stress-Test Your Network
For authorized use on networks you own or have explicit permission to test. WiFi Deauthentication sends 802.11 deauth frames to disconnect clients from an access point. Security professionals use this to test network resilience, verify PMF/MFP is enabled, and demonstrate the vulnerability to network owners.
With Shiver mesh: run deauth from multiple nodes positioned across a building. Test how your infrastructure responds when deauth comes from different physical locations simultaneously. That's a level of assessment a single device can't replicate.
Deauth is disabled on EU units in compliance with the EU Radio Equipment Directive (RED).
graph TD
subgraph "Shiver Mesh Network"
A[Node 1 - Lobby] -->|ESP-NOW| B[Node 2 - Conference Room]
B -->|ESP-NOW| C[Node 3 - Server Closet]
A -->|ESP-NOW| D[Node 4 - Parking Garage]
B -->|ESP-NOW| E[Node 5 - Break Room]
end
subgraph "Node 1 Tasks"
A --> F[WiFi Scan: Guest Networks]
A --> G[BLE Scan: Visitor Devices]
end
subgraph "Node 3 Tasks"
C --> H[Monitor Server Room WiFi]
C --> I[Detect Rogue Access Points]
end
subgraph "Aggregated Results"
F --> J[Central Dashboard]
G --> J
H --> J
I --> J
J --> K[RSSI Heatmap Generation]
J --> L[Rogue AP Alert]
J --> M[BLE Device Inventory]
end
A five-node Shiver mesh deployment across a building. Each BLEShark Nano scans its local area independently, and results aggregate over ESP-NOW for comprehensive wireless coverage — no laptops or enterprise hardware required.
7. IR Receive, Transmit, and Clone
The BLEShark Nano has a built-in IR blaster and receiver. Point any IR remote at the Nano, capture the signal, store it, and replay it whenever you want. Supports NEC, RC5, RC6, Samsung, Sony SIRC, and raw mode for anything nonstandard. Build up a library of codes and use the Nano as a universal remote for TVs, projectors, AC units, ceiling fans - anything with an IR receiver.
TV-B-Gone is also built in - it cycles through hundreds of TV power-off codes until something turns off. One button, every brand.
With Shiver mesh: send IR commands to any node in the network. Turn off a TV in a conference room three floors away from your controller. Or set up an IR sensor network across a building for coordinated control.
8. WiFi AP Spam
AP Spam broadcasts hundreds of fake WiFi network names simultaneously. Pick from built-in lists (Rickrolls, funny names, random strings) or upload your own custom SSID list via the file portal. It's a visual demonstration of how easy it is to flood the WiFi discovery list on any device - and a useful tool for testing how clients and network management systems handle SSID saturation.
With Shiver mesh: run AP spam from multiple positions to flood a larger area. Or use different SSID lists on different nodes.
9. BLESpam
BLESpam broadcasts fake Bluetooth Low Energy advertising packets. iPhones get pop-ups about AirPods and Apple TVs that don't exist. Android devices get Samsung Fast Pair notifications. Windows laptops trigger Swift Pair prompts. Select your target OS or hit all of them at once.
It's entertaining, but there's a real point: this is how easy it is to spam BLE in any environment. Testing how your organization's devices handle BLE advertisement floods is a legitimate security exercise - and most environments have never been tested for it.
With Shiver mesh: BLESpam from multiple nodes covers more physical space. Each node hops back to the mesh during radio windows, so the mesh stays connected while nodes spam BLE packets in between.
10. Games
Because why not? The BLEShark Nano ships with Flappy Bird, Pong, Space Invaders, T-Rex Runner, Breakout, and Racer playable on the onboard OLED. They're exactly as addictive as you'd expect.
With Shiver mesh: multiplayer is coming. The mesh network supports game state sync between devices - low-latency enough for simple 2D games. Pong over ESP-NOW is about to be real.
And yes, there's an Emergency Mode - hold two buttons to instantly launch Flappy Bird from anywhere in the UI. For when someone walks up while you're in the middle of a deauth test.
Bonus: Auto OTA Updates
The feature that makes everything above a long-term investment. BLEShark Nano updates its own firmware over WiFi - new features, bug fixes, protocol support, all delivered automatically. Save multiple WiFi networks so updates happen seamlessly wherever you are. No cables, no manual flashing, no hunting for firmware files on GitHub.
So... What Can the BLEShark Nano Do?
One Nano is a complete pentesting tool in your pocket. Captive portals with credential capture, WPA2 handshake PCAPs, wireless HID injection with on-device script editing, WiFi and BLE scanning, deauth testing, IR control, AP spam, BLESpam, games, and auto OTA updates - all at $36.99+.
A Shiver mesh of Nanos is something else entirely. Five devices hidden across a building, all coordinating over an encrypted mesh network, all controllable from one device in your hand. Every feature multiplied across physical space. That's the kind of capability that used to require enterprise hardware and a five-figure budget. Now it fits in a jacket pocket.