PixieWPS - An Offline WPS Brute-force Utility
PixieWPS uses the so-called "pixie-dust attack", which works by exploiting the low or non-existent entropy of software implementations. Unlike traditional brute-force attacks, this attack can recover the PIN in a matter of seconds or minutes, depending on the target.
This tool can also recover the WPA-PSK from a complete passive capture (M1 through M7) for some devices.
REQUIREMENTS
apt-get -y install build-essential
- Versions prior to 1.2 require libssl-dev
- Versions 1.4 and later make use of multi-threading and require libpthread
OpenSSL has also been re-introduced as optional to achieve better speeds.
SETUP
Download:
git clone https://github.com/wiire/pixiewps
or
wget https://github.com/wiire/pixiewps/archive/master.zip && unzip master.zip
Build:
cd pixiewps*/
make
Optionally, you can run make OPENSSL=1 to use faster OpenSSL SHA-256 functions.
Install:
sudo make install
USAGE
Usage: pixiewps <arguments>
Required arguments:
-e, --pke : Enrollee public key
-r, --pkr : Registrar public key
-s, --e-hash1 : Enrollee hash 1
-z, --e-hash2 : Enrollee hash 2
-a, --authkey : Authentication session key
-n, --e-nonce : Enrollee nonce
Optional arguments:
-m, --r-nonce : Registrar nonce
-b, --e-bssid : Enrollee BSSID
-v, --verbosity : Verbosity level 1-3, 1 is quietest [3]
-o, --output : Write output to file
-j, --jobs : Number of parallel threads to use [Auto]
-h : Display this usage screen
--help : Verbose help and more usage examples
-V, --version : Display version
--mode N[,... N] : Mode selection, comma separated [Auto]
--start [mm/]yyyy : Starting date (only mode 3) [+1 day]
--end [mm/]yyyy : Ending date (only mode 3) [-1 day]
-f, --force : Bruteforce full range (only mode 3)
Miscellaneous arguments:
-7, --m7-enc : Recover encrypted settings from M7 (only mode 3)
-5, --m5-enc : Recover secret nonce from M5 (only mode 3)
Source: www.effecthacking.com