1PIXIEWPS(1) Offline WPS bruteforce tool PIXIEWPS(1)
2
6 pixiewps - Offline Wi-Fi Protected Setup bruteforce tool
7
9 Pixiewps is a tool written in C used to bruteforce offline the
10 WPS PIN method exploiting the low or non-existing entropy of
11 some Access Points, the so-called "pixie-dust attack".
12 It is meant for educational purposes only.
14
16 pixiewps <arguments>
17
19 REQUIRED ARGUMENTS
20 -e, --pke
21 Enrollee's DH public key, found in M1.
23 -r, --pkr
25 Registrar's DH public key, found in M2. It can be avoided by
27 specifying --dh-small in both Reaver and pixiewps.
28 pixiewps -e <pke> -s <e-hash1> -z <e-hash2> -a <authkey> -n
30 <e-nonce> -S
31 -s, --e-hash1
33 Enrollee's hash 1, found in M3. It's the hash of the first half
35 of the PIN.
36 -z, --e-hash2
38 Enrollee's hash 2, found in M3. It's the hash of the second half
40 of the PIN.
41 -a, --authkey
43 Authentication session key. Although for this parameter a modi‐
45 fied version of Reaver or Bully is needed, it can be avoided by
46 specifying small Diffie-Hellman keys in both Reaver and pixiewps
47 and supplying --e-nonce, --r-nonce and --e-bssid.
48 pixiewps -e <pke> -s <e-hash1> -z <e-hash2> -S -n <e-nonce> -m
50 <r-nonce> -b <e-bssid>
51 -n, --e-nonce
53 Enrollee's nonce, found in M1.
55 OPTIONAL ARGUMENTS
57 -m, --r-nonce
58 Registrar's nonce, found in M2. Used with other parameters to
60 compute the session keys.
61 -b, --e-bssid
63 Enrollee's BSSID. Used with other parameters to compute the ses‐
65 sion keys.
66 -S, --dh-small (deprecated)
68 Small Diffie-Hellman keys. The same option must be specified in
70 Reaver too. Some Access Points seem to be buggy and don't behave
71 correctly with this option. Avoid using it with Reaver when pos‐
72 sible.
73 -v, --verbosity
75 Verbosity level 1-3, 1 is quietest, default is 3.
77 -h
79 Display a simple help usage screen.
81 --help
83 Display verbose help.
85 -V, --version
87 Display version and other information.
89 --mode N[,... N]
91 Select modes, comma separated (experimental modes are not used
93 unless specified):
94 1 - RT/MT/CL
96 2 - eCos simple
98 3 - RTL819x
100 4 - eCos simplest [Experimental]
102 5 - eCos Knuth [Experimental]
104 --start [mm/]yyyy
106 --end [mm/]yyyy
108 Starting and ending dates for mode 3, they are interchangeable.
110 If only one is specified, the current time will be used for the
112 other. The earliest possible date is 01/1970, corresponding to 0
113 (Unix epoch time), the latest is 02/2038, corresponding to
114 0x7FFFFFFF. If --force is used then pixiewps will start from
115 the current time and go back all the way to 0.
116 MISCELLANEOUS ARGUMENTS
118 -7, --m7-enc
119 Encrypted settings, found in M7. Recover Enrollee's WPA-PSK and
121 secret nonce 2. This feature only works on some Access Points
122 vulnerable to mode 3.
123 pixiewps -e <pke> -r <pkr> -n <e-nonce> -m <r-nonce> -b
125 <e-bssid> -7 <enc7> --mode 3
126 -5, --m5-enc
128 Encrypted settings, found in M5. Recover Enrollee's secret nonce
130 1. This option must be used in conjunction with --m7-enc. If
131 --e-hash1 and --e-hash2 are also specified, pixiewps will also
132 recover the WPS PIN.
133 pixiewps -e <pke> -r <pkr> -n <e-nonce> -m <r-nonce> -b
135 <e-bssid> -7 <enc7> -5 <enc5> --mode 3
136 pixiewps -e <pke> -r <pkr> -n <e-nonce> -m <r-nonce> -b
138 <e-bssid> -7 <enc7> -5 <enc5> --mode 3 -s <e-hash1> -z <e-hash2>
139
141 pixiewps --pke <pke> --pkr <pkr> --e-hash1 <e-hash1> --e-hash2 <e-
142 hash2> --authkey <authkey> --e-nonce <e-nonce>
143 pixiewps -e <pke> -r <pkr> -s <e-hash1> -z <e-hash2> -a <authkey> -n
145 <e-nonce>
146
148 Pixiewps was developed by wiire.
149 This manual page was written by Daniel Echeverry <epsilon77@gmail.com>
151 and Samuel Henrique <samueloph@gmail.com> for the Debian project, but
152 can be used by other projects as well.
153pixiewps November 2017 PIXIEWPS(1)