Pixiewps - Bruteforce Offline the WPS Pin (Pixie Dust Attack)



Pixiewps is a tool written in C used to bruteforce offline the WPS pin exploiting the low or non-existing entropy of some APs (pixie dust attack). It is meant for educational purposes only. All credits for the research go to Dominique Bongard.


DEPENDENCIES
Pixiewps requires libssl. To install it:
    sudo apt-get install libssl-dev

INSTALLATION
Pixiewps can be built and installed by running:
    ~/pixiewps$ cd src
~/pixiewps/src$ make
~/pixiewps/src$ sudo make install

USAGE
 Usage: pixiewps 

Required Arguments:

-e, --pke : Enrollee public key
-r, --pkr : Registrar public key
-s, --e-hash1 : Enrollee Hash1
-z, --e-hash2 : Enrollee Hash2
-a, --authkey : Authentication session key

Optional Arguments:

-n, --e-nonce : Enrollee nonce
-m, --r-nonce : Registrar nonce
-b, --e-bssid : Enrollee BSSID
-S, --dh-small : Small Diffie-Hellman keys (PKr not needed) [No]
-f, --force : Bruteforce the whole keyspace [No]
-v, --verbosity : Verbosity level 1-3, 1 is quietest [3]

-h, --help : Display this usage screen


USAGE EXAMPLE
A common usage example is:
    pixiewps --pke  --pkr  --e-hash1  --e-hash2  --authkey  --e-nonce 
which requires a modified version of Reaver or Bully which prints AuthKey. The recommended version is reaver-wps-fork-t6x.
If the following message is shown:
[!] The AP /might be/ vulnerable. Try again with --force or with another (newer) set of data.
then the AP might be vulnerable and Pixiewps should be run again with the same set of data along with the option --force or alternatively with a newer set of data.

DESCRIPTION OF ARGUMENTS
    -e, --pke

Enrollee's DH public key, found in M1.

-r, --pkr

Registrar's DH public key, found in M2 or can be avoided by specifying
--dh-small in both Reaver and Pixiewps.

-s, --e-hash1

Enrollee Hash-1, found in M3.

-z, --e-hash2

Enrollee Hash-2, found in M3.

-a, --authkey

Registration Protocol authentication session key. Although for this parameter a
modified version of Reaver or Bully is needed, it can be avoided by specifying
small Diffie-Hellman keys in both Reaver and Pixiewps and supplying --e-nonce,
--r-nonce and --e-bssid.

-n, --e-nonce

Enrollee's nonce, found in M1.

-m, --r-nonce

Registrar's nonce, found in M2.

-b, --e-bssid

Enrollee's BSSID.

-S, --dh-small

Small Diffie-Hellman keys. The same option MUST be specified in Reaver
(1.3 or later versions) too. This option should be avoided when possible.

-f, --force

Force Pixiewps to bruteforce the whole keyspace (only for one type of PRNG).
It could take up to several minutes to complete.

-v, --verbosity

Verbosity level (1-3). Level 3 displays the most information.

-h, --help

Display usage screen.