PixieWPS - An Offline WPS Brute-force Utility

PixieWPS - An Offline WPS Brute-force Utility

PixieWPS is a tool written in C that you can use to bruteforce the WPS PIN.

It uses the so-called "pixie-dust attack" which works by exploiting the low or non-existing entropy of software implementations. Unlike traditional bruteforce attacks, this attack can get the PIN in only a matter of seconds or minutes, depending on the target.

This tool can also recover the WPA-PSK from a complete passive capture (M1 through M7) for some devices.


apt-get -y install build-essential
  • Prior versions of 1.2 require libssl-dev
  • Versions 1.4 and later make use of multi-threading and require libpthread
OpenSSL has also been re-introduced as optional to achieve better speeds.


git clone https://github.com/wiire/pixiewps
wget https://github.com/wiire/pixiewps/archive/master.zip && unzip master.zip

cd pixiewps*/
Optionally, you can run make OPENSSL=1 to use faster OpenSSL SHA-256 functions.

sudo make install


Usage: pixiewps <arguments>

Required arguments:
  -e, --pke         : Enrollee public key
  -r, --pkr         : Registrar public key
  -s, --e-hash1     : Enrollee hash 1
  -z, --e-hash2     : Enrollee hash 2
  -a, --authkey     : Authentication session key
  -n, --e-nonce     : Enrollee nonce

Optional arguments:
  -m, --r-nonce     : Registrar nonce
  -b, --e-bssid     : Enrollee BSSID
  -v, --verbosity   : Verbosity level 1-3, 1 is quietest           [3]
  -o, --output      : Write output to file

  -j, --jobs        : Number of parallel threads to use         [Auto]

  -h                : Display this usage screen
  --help            : Verbose help and more usage examples
  -V, --version     : Display version

  --mode N[,... N]  : Mode selection, comma separated           [Auto]
  --start [mm/]yyyy : Starting date             (only mode 3) [+1 day]
  --end   [mm/]yyyy : Ending date               (only mode 3) [-1 day]
  -f, --force       : Bruteforce full range     (only mode 3)

Miscellaneous arguments:
  -7, --m7-enc      : Recover encrypted settings from M7 (only mode 3)
  -5, --m5-enc      : Recover secret nonce from M5       (only mode 3)

No comments

Powered by Blogger.