PIXIEWPS(1)               Offline WPS bruteforce tool              PIXIEWPS(1)

NAME

       pixiewps - Offline Wi-Fi Protected Setup bruteforce tool

DESCRIPTION

              Pixiewps is a tool written in C used to bruteforce the WPS PIN
              method offline, exploiting the low or non-existent entropy of
              some Access Points, the so-called "pixie-dust attack".

              It is meant for educational purposes only.

SYNOPSIS

       pixiewps <arguments>

ARGUMENTS

   REQUIRED ARGUMENTS
       -e, --pke

              Enrollee's DH public key, found in M1.

       -r, --pkr

              Registrar's DH public key, found in M2. It can be omitted by
              specifying --dh-small in both Reaver and pixiewps.

              pixiewps -e <pke> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce> -S

       -s, --e-hash1

              Enrollee's hash 1, found in M3. It's the hash of the first half
              of the PIN.

       -z, --e-hash2

              Enrollee's hash 2, found in M3. It's the hash of the second half
              of the PIN.

       -a, --authkey

              Authentication session key. Although a modified version of
              Reaver or Bully is needed for this parameter, it can be omitted
              by specifying small Diffie-Hellman keys in both Reaver and
              pixiewps and supplying --e-nonce, --r-nonce and --e-bssid.

              pixiewps -e <pke> -s <e-hash1> -z <e-hash2> -S -n <e-nonce> -m <r-nonce> -b <e-bssid>

       -n, --e-nonce

              Enrollee's nonce, found in M1.
   OPTIONAL ARGUMENTS
       -m, --r-nonce

              Registrar's nonce, found in M2. Used with other parameters to
              compute the session keys.

       -b, --e-bssid

              Enrollee's BSSID. Used with other parameters to compute the
              session keys.

       -S, --dh-small (deprecated)

              Small Diffie-Hellman keys. The same option must be specified in
              Reaver too. Some Access Points seem to be buggy and don't behave
              correctly with this option. Avoid using it with Reaver when
              possible.

       -v, --verbosity

              Verbosity level 1-3, 1 is quietest, default is 3.

       -h

              Display a simple help usage screen.

       --help

              Display verbose help.

       -V, --version

              Display version and other information.

       --mode N[,... N]

              Select modes, comma separated (experimental modes are not used
              unless specified):

              1 - RT/MT/CL

              2 - eCos simple

              3 - RTL819x

              4 - eCos simplest [Experimental]

              5 - eCos Knuth    [Experimental]

       --start [mm/]yyyy

       --end [mm/]yyyy

              Starting and ending dates for mode 3; they are interchangeable.

              If only one is specified, the current time will be used for the
              other. The earliest possible date is 01/1970, corresponding to 0
              (Unix epoch time), the latest is 02/2038, corresponding to
              0x7FFFFFFF. If --force is used then pixiewps will start from
              the current time and go back all the way to 0.
   MISCELLANEOUS ARGUMENTS
       -7, --m7-enc

              Encrypted settings, found in M7. Recover Enrollee's WPA-PSK and
              secret nonce 2. This feature only works on some Access Points
              vulnerable to mode 3.

              pixiewps -e <pke> -r <pkr> -n <e-nonce> -m <r-nonce> -b <e-bssid> -7 <enc7> --mode 3

       -5, --m5-enc

              Encrypted settings, found in M5. Recover Enrollee's secret nonce
              1. This option must be used in conjunction with --m7-enc. If
              --e-hash1 and --e-hash2 are also specified, pixiewps will also
              recover the WPS PIN.

              pixiewps -e <pke> -r <pkr> -n <e-nonce> -m <r-nonce> -b <e-bssid> -7 <enc7> -5 <enc5> --mode 3

              pixiewps -e <pke> -r <pkr> -n <e-nonce> -m <r-nonce> -b <e-bssid> -7 <enc7> -5 <enc5> --mode 3 -s <e-hash1> -z <e-hash2>

EXAMPLES

       pixiewps --pke <pke> --pkr <pkr> --e-hash1 <e-hash1> --e-hash2 <e-hash2> --authkey <authkey> --e-nonce <e-nonce>

       pixiewps -e <pke> -r <pkr> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce>

AUTHOR

       Pixiewps was developed by wiire.

       This manual page was written by Daniel Echeverry <epsilon77@gmail.com>
       and Samuel Henrique <samueloph@gmail.com> for the Debian project, but
       can be used by other projects as well.



pixiewps                         November 2017                     PIXIEWPS(1)