Pixie Dust Attack -- Crack Wireless Routers [Easy Guide]

Wi-Fi Protected Setup (WPS) was introduced in 2006 by Cisco for home users who wanted to connect their home network without the trouble of remembering hard passwords for the WiFi. It used an eight digit PIN to authenticate a client to the network (by PIN/Push Button/USB/Near-field communication Method).

Now a pixie dust attack is a way of brute force the eight digit PIN. This attack allowed the recovery of the PIN. Pixie dust attack is so powerful that it can crack the recovery of the PIN within minutes if the router is vulnerable to pixie dust.

pixie dust attack kali linux
If we capture the handshake and try to brute-force the password, it depends on the complexity of the password. If the password is enough strong then it might take years to cracks. In this guide we are going to learn how to perform pixie dust attack to crack wireless networks in some seconds on Kali Linux system.

A list of vulnerable routers on which pixie dust attack will work can be found here. Our target wireless network must be WPS enabled. Otherwise pixie dust attack will not work.


  1. Vulnerable network adapter [list].
  2. A wireless adapter that supports monitor mode and packet injection [list].

Pixie Dust Attack

As we told we need a WiFi adapter that supports monitor mode. The first thing we need to do put our interface in the monitor mode. We can check the list of interfaces by using following command:


We can see that our external WiFi adapter's mode is managed and the interface is wlan1.

checking wireless interfaces using iwconfig
We can see that wlan1 have managed mode. We need to turn it's monitor mode by using following command:
sudo airmon-ng start wlan1

Then our monitor mode interface will be started.

starting monitor mode

We can run iwconfig again to see the name of our monitor mode interface.


In the following screenshot we can see that our network interface is wlan1mon and the mode is monitor.

monitor mode interface name

We have successfully turned on monitor mode on our external WiFi adapter, and our interface is wlan1mon.

Now we search for WiFi networks around us by using following command:

sudo wash -i wlan1mon -s

Then we can see the WiFi signals around us and some mode details like BSSID,Channel and WPS status.

Searching for networks

In the above screenshot we can see some details about the network. So now we try to perform pixie dust attack by using reaver.

We need to use the command as this sudo reaver -i <monitor-mode-interface> -b <target-BSSID> -d 7 -c <No. of channel> -K 1 --mac -vv

So in our case the command will be following:

sudo reaver -i wlan1mon -b 40:C8:CB:05:4D:19 -d 7 -c 6 -K 1 --mac -vv

Here we have used wlan1mon that is our monitor mode interface -i flag is used to select the interface. we have used the BSSID of the target AP. -d flag is used for delay between pin attempts (we have set it to 7), -c flag is used to set channel in our case our target's AP's channel is 6. -K flag is used to use pixie dust attack.

We also used --mac flag to set mac address of host system. -v flag is used to set verbose mode.

Here is the screenshot of the used command:

pixie dust attack

Our router is not vulnerable to pixie dust attack. We just showing an example that how the attack works. If everything works perfectly we can easily get the WPS PIN. We should note it, because when we try to retrieve WPS key we need this PIN.

After collecting the pin we can easily get the WPS key by simply removing -K flag and using -p flag following the noted PIN.

An example command will be like following:

sudo reaver -i wlan1mon -b 40:C8:CB:05:4D:19 -vvNwL -c 1 -p 19666197

Here we assume that 1966619 is our noted pin.

This method is very very effective if the target still using old WiFi router. This attack goes back to early 2010s and most of the vendors have already patched this issue.

This vulnerability can be patched by turning off WPS feature. The router vendors then uses mac blocking for too much WPS requests. So, it doesn't mean that we can get WPS PIN of every WPS enabled routers.

Check this list again to know which router model is vulnerable.

If the router isn't vulnerable and we tried to do pixie dust attack on it then it might show some errors.

ha ha

That's it for today. On many corporate environment still they are using old model routers even lots of home uses also. So this attack is still working.

This attack is more easy with automated tools like Airgeddon.

Hope you liked this article. Please subscribe our e-mail subscription for free, to get our articles directly on inbox. We also updates articles on our GitHub and Twitter account, make sure to follow us there.

We have a Telegram Community where we discuss about lots of things related to cybersecurity.

For any problem or query please comment down in the comments section. We always reply.

Kali Linux


Post a Comment
  • racerx photo
    racerxMarch 13, 2021 at 10:10 PM

    does anybody even use WPS anymore?

    Delete Comment
  • Termu-Rafi photo
    Termu-RafiMarch 17, 2021 at 2:44 AM

    Can u give maskphish latest version link and how i can setup that version in my termux?

    Delete Comment
    • Kali Linux photo
      Kali LinuxMarch 17, 2021 at 6:41 PM

      the is same. We just updated the tool in same link https://github.com/jaykali/maskphish
      You just need to use following commands one after another:

      rm -rf maskphish
      git clone https://github.com/jaykali/maskphish
      cd maskphish

      Delete Comment
    • Termu-Rafi photo
      Termu-RafiMarch 17, 2021 at 7:16 PM

      Thanxz man

      Delete Comment
      • Unknown photo
        UnknownMarch 18, 2021 at 12:24 PM

        hi sir.... Lockphish is not generating url

        Delete Comment