Wi-Fi Protected Setup (WPS) was introduced in 2006 by Cisco for home users who wanted to connect their home network without the trouble of remembering hard passwords for the WiFi. It used an eight digit PIN to authenticate a client to the network (by PIN/Push Button/USB/Near-field communication Method).
Now a pixie dust attack is a way of brute force the eight digit PIN. This attack allowed the recovery of the PIN. Pixie dust attack is so powerful that it can crack the recovery of the PIN within minutes if the router is vulnerable to pixie dust.
A list of vulnerable routers on which pixie dust attack will work can be found here. Our target wireless network must be WPS enabled. Otherwise pixie dust attack will not work.
Requirements
- Vulnerable network adapter [list].
- A wireless adapter that supports monitor mode and packet injection [list].
Pixie Dust Attack
As we told we need a WiFi adapter that supports monitor mode. The first thing we need to do put our interface in the monitor mode. We can check the list of interfaces by using following command:
We can see that our external WiFi adapter's mode is managed and the interface is wlan1.
Then our monitor mode interface will be started.
We can run iwconfig again to see the name of our monitor mode interface.
In the following screenshot we can see that our network interface is wlan1mon and the mode is monitor.
We have successfully turned on monitor mode on our external WiFi adapter, and our interface is wlan1mon.
Now we search for WiFi networks around us by using following command:
Then we can see the WiFi signals around us and some mode details like BSSID,Channel and WPS status.
In the above screenshot we can see some details about the network. So now we try to perform pixie dust attack by using reaver.
We need to use the command as this sudo reaver -i <monitor-mode-interface> -b <target-BSSID> -d 7 -c <No. of channel> -K 1 --mac -vv
So in our case the command will be following:
Here we have used wlan1mon that is our monitor mode interface -i flag is used to select the interface. we have used the BSSID of the target AP. -d flag is used for delay between pin attempts (we have set it to 7), -c flag is used to set channel in our case our target's AP's channel is 6. -K flag is used to use pixie dust attack.
We also used --mac flag to set mac address of host system. -v flag is used to set verbose mode.
Here is the screenshot of the used command:
Our router is not vulnerable to pixie dust attack. We just showing an example that how the attack works. If everything works perfectly we can easily get the WPS PIN. We should note it, because when we try to retrieve WPS key we need this PIN.
After collecting the pin we can easily get the WPS key by simply removing -K flag and using -p flag following the noted PIN.
An example command will be like following:
Here we assume that 1966619 is our noted pin.
This method is very very effective if the target still using old WiFi router. This attack goes back to early 2010s and most of the vendors have already patched this issue.
This vulnerability can be patched by turning off WPS feature. The router vendors then uses mac blocking for too much WPS requests. So, it doesn't mean that we can get WPS PIN of every WPS enabled routers.
Check this list again to know which router model is vulnerable.
If the router isn't vulnerable and we tried to do pixie dust attack on it then it might show some errors.
That's it for today. On many corporate environment still they are using old model routers even lots of home uses also. So this attack is still working.
This attack is more easy with automated tools like Airgeddon.
Need more articles and article updates? Make sure to follow us to get all our articles directly on notification. We are also available on Twitter and GitHub, we post article updates there. To join our KaliLinuxIn family, join our Whatsapp Channel & Telegram Group. We are trying to build a community for Linux and Cybersecurity. For anything we always happy to help everyone on the comment section. As we know our comment section is always open to everyone. We read each and every comment and we always reply.