

Pixiewps Description

Pixiewps is a tool written in C that brute-forces the WPS PIN offline by exploiting the low or non-existent entropy of some Access Points, the so-called "pixie dust attack" discovered by Dominique Bongard in summer 2014. It is meant for educational purposes only.

As opposed to the traditional online brute-force attack, implemented in tools like Reaver or Bully, which aims to recover the PIN in a few hours, this method can recover the PIN in only a matter of milliseconds to minutes, depending on the target, if it is vulnerable.


Author: wiire

License: GPLv3

Pixiewps Help


pixiewps <arguments>
 Required Arguments:

   -e, --pke         : Enrollee public key
   -r, --pkr         : Registrar public key
   -s, --e-hash1     : Enrollee hash-1
   -z, --e-hash2     : Enrollee hash-2
   -a, --authkey     : Authentication session key
   -n, --e-nonce     : Enrollee nonce

 Optional Arguments:

   -m, --r-nonce     : Registrar nonce
   -b, --e-bssid     : Enrollee BSSID
   -S, --dh-small    : Small Diffie-Hellman keys (PKr not needed)  [No]
   -v, --verbosity   : Verbosity level 1-3, 1 is quietest           [3]

   -h                : Display this usage screen
   --help            : Verbose help and more usage examples
   -V, --version     : Displays version

   --mode N[,... N]  : Mode selection, comma separated           [Auto]
   --start [mm/]yyyy : Starting date (only mode 3)       [Current time]
   --end   [mm/]yyyy : Ending date   (only mode 3)            [-3 days]


 pixiewps -e <pke> -r <pkr> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce>

Description of Pixiewps arguments:

-e, --pke

Enrollee DH public key, found in M1.

-r, --pkr

Registrar DH public key, found in M2. It can be omitted by specifying --dh-small in both Reaver and Pixiewps.

[?] pixiewps -e <pke> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce> -S

-s, --e-hash1

Enrollee hash-1, found in M3.

-z, --e-hash2

Enrollee hash-2, found in M3.

-a, --authkey

Authentication session key. Obtaining this parameter requires a modified version of Reaver or Bully; it can be omitted by specifying small Diffie-Hellman keys in both Reaver and Pixiewps and supplying --e-nonce, --r-nonce and --e-bssid.

[?] pixiewps -e <pke> -s <e-hash1> -z <e-hash2> -S -n <e-nonce> -m <r-nonce> -b <e-bssid>

-n, --e-nonce

Enrollee's nonce, found in M1.

-m, --r-nonce

Registrar's nonce, found in M2.

-b, --e-bssid

Enrollee's BSSID.

-S, --dh-small

Small Diffie-Hellman keys. The same option MUST be specified in Reaver (1.3 or later versions) too. This option DOES NOT WORK (currently) with mode 3.

--mode N[,... N]

Select modes, comma separated (experimental modes are not used unless specified):

      1 (RT/MT)
      2 (eCos simple)
      3 (RTL819x)
      4 (eCos simplest) [Experimental]
      5 (eCos Knuth)    [Experimental]

--start [mm/]yyyy

--end   [mm/]yyyy

Starting and ending dates for mode 3. They are interchangeable. If only one is specified, the machine's current time will be used for the other. The earliest possible date is 01/1970, corresponding to 0 (Epoch time).
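The date rules above, as an added example that is not part of Pixiewps: it resolves a [mm/]yyyy window to Unix time and reports how little entropy a time-derived seed carries compared with a 128-bit nonce. It assumes a date means day 1 at 00:00 UTC, an omitted month means January, and each second in the window is one candidate seed; the function names are hypothetical.

```python
import calendar
import math
import re
import time

DAY = 86400
DATE_RE = re.compile(r"^(?:(\d{1,2})/)?(\d{4})$")


def parse_date(text):
    """Convert '[mm/]yyyy' to Unix time (assumed: day 1 at 00:00 UTC)."""
    match = DATE_RE.match(text.strip())
    if not match:
        raise ValueError(f"expected [mm/]yyyy, got {text!r}")
    month = int(match.group(1) or 1)  # month omitted: assume January
    year = int(match.group(2))
    if not 1 <= month <= 12:
        raise ValueError(f"month out of range in {text!r}")
    if year < 1970:
        raise ValueError("earliest possible date is 01/1970 (epoch 0)")
    return calendar.timegm((year, month, 1, 0, 0, 0))


def seed_window(start=None, end=None, now=None):
    """Return (low, high) Unix times following the rules in the text above."""
    now = int(time.time()) if now is None else now
    if start is None and end is None:
        bounds = (now, now - 3 * DAY)  # help-screen defaults
    else:
        # Only one date given: the current time stands in for the other.
        bounds = [now if d is None else parse_date(d) for d in (start, end)]
    low, high = sorted(bounds)  # --start and --end are interchangeable
    return max(low, 0), high


def seed_bits(low, high):
    """Bits of entropy if each second in the window is one candidate seed."""
    return math.log2(high - low + 1)


if __name__ == "__main__":
    now = parse_date("01/2016")  # constructed 'current time' for the demo
    for label, window in [
        ("default window", seed_window(now=now)),
        ("01/2015 .. now", seed_window(start="01/2015", now=now)),
        ("01/1970 .. now", seed_window(end="01/1970", now=now)),
    ]:
        print(f"{label}: {seed_bits(*window):.1f} bits (a 128-bit nonce should have 128)")
```

Even the widest window, from the epoch to the present, stays near 30 bits, which is why a secret nonce derived from device time gives no real protection.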

Pixiewps Usage Example

root@kali:~# pixiewps \
>    -a 7f:de:11:b9:69:1c:de:26:4a:21:a4:6f:eb:3d:b8:aa:aa:d7:30:09:09:32:b8:24:43:9b:e0:91:78:e7:6f:2c \
>    -e d4:38:91:0d:4e:6e:15:fe:70:f0:97:a8:70:2a:b8:94:f5:75:74:bf:64:19:9f:92:82:9b:e0:2c:c0:a3:75:48:08:8f:63:0a:82:37:0c:b7:95:42:cf:55:ca:a5:f0:f7:6c:b2:c7:5f:0e:23:18:44:f4:2d:00:f1:da:d4:94:23:56:c7:2c:b0:f6:87:c7:77:d0:cc:11:35:cf:b7:4f:bc:44:8d:ca:35:8a:78:3d:99:7f:2b:cf:44:21:d8:e2:0f:3c:7d:a4:72:c8:03:6f:77:2a:e9:fa:c1:e9:a8:2c:74:65:99:5a:e0:a5:26:d9:23:5e:4e:ec:5a:07:07:ab:80:db:3f:5f:18:7f:fa:fa:f1:57:74:b2:8d:a9:97:a6:c6:0a:a5:e0:ec:93:09:23:67:f6:3e:ec:1f:55:32:a4:5d:73:8f:ab:91:74:cf:1d:79:85:12:c1:81:f5:ea:a6:68:9d:8e:c7:c6:be:01:dc:d9:f8:68:80:11:55:d7:44:6a \
>    -r bc:ad:54:2f:88:44:7c:12:69:ef:34:31:4a:17:1c:92:b1:d7:06:4c:73:be:9f:d3:ed:87:63:74:10:46:0f:46:8c:36:b5:d4:a0:ba:af:85:9c:b2:30:42:d7:59:43:75:5a:d7:79:96:fb:ee:7b:66:db:b7:a8:f9:22:9c:a5:d3:b8:e7:c0:c4:5c:58:34:1f:56:a8:1a:41:a8:d2:e8:f6:3e:c9:3a:93:d9:9b:59:5c:a8:e0:78:84:6c:fc:05:e8:76:a3:e6:3b:33:94:4a:a9:ff:50:fb:60:fa:97:3b:6d:cc:04:f1:5e:36:24:a9:06:7a:f8:6b:00:e9:71:9d:89:be:9c:b2:9c:1f:ca:6d:d6:4d:ab:46:3d:b3:11:1f:8d:40:f7:c8:a4:39:48:c5:ca:1b:f6:30:95:7d:d9:68:41:ef:0a:37:b2:4a:37:e4:a4:b0:dd:7e:c1:af:3e:66:ea:bf:16:0a:7a:8a:05:00:01:a4:29:77:a9:d4:81:d4:0e \
>    -s 90:5f:f5:7d:93:e5:c4:3c:62:0d:26:65:dd:59:57:d5:ba:ba:f1:b7:30:91:72:7c:54:94:38:08:1e:13:35:38 \
>    -z b0:2b:07:50:28:e7:6e:5f:fa:27:1b:31:92:85:43:cb:c5:6a:ec:73:e2:27:c3:b9:80:ec:5b:ed:88:f0:1e:ec

 [*] ES-1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
 [*] ES-2: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
 [*] PSK1: d4:eb:0c:2a:38:15:e1:a0:3d:70:db:74:31:eb:53:a3
 [*] PSK2: d3:b7:e6:23:f3:1d:22:0a:23:ea:07:bb:7f:76:65:8b
 [+] WPS pin: 04847533

 [*] Time taken: 0 s


How to install Pixiewps

The program is pre-installed on Kali Linux.

Installation on Linux (Debian, Mint, Ubuntu)

sudo apt-get install libssl-dev
git clone
cd pixiewps/src
sudo make install
