cyberneticlibrary

Exploit WiFi Protected Setup

SnailSploit/Claude-Red
What it does

Attack Wi-Fi Protected Setup (WPS) to recover PIN and crack WPA/WPA2-PSK via Pixie Dust or online brute-force

Best for

Legacy or consumer-grade AP WPS vulnerability assessment when offline Pixie Dust is available (quick PIN recovery).

Inputs
  • Target BSSID with WPS enabled
  • Wi-Fi adapter in monitor mode for WPS exchange capture
  • Optional: chipset identification for Pixie Dust vulnerability likelihood
Outputs
  • Recovered 8-digit WPS PIN
  • Extracted or brute-forced WPA/WPA2 PSK
  • Wi-Fi credentials usable for network access
Requires
  • reaver (WPS PIN cracking, online + Pixie Dust)
  • bully (alternative WPS attack tool)
  • pixiewps (offline PIN recovery from weak nonces)
  • wifi_bruteforce (optional, if online brute-force chosen)
Preconditions
  • Target AP has WPS enabled (check airodump-ng WPS column)
  • Adapter passes packet injection test
  • Chipset known vulnerable to Pixie Dust (Ralink, Realtek, Broadcom older firmware, MediaTek specific revs) — check prior research
Failure modes
  • WPS lockout (after 3-6 failed attempts) prevents further PIN guessing
  • Modern APs (>2015) resistant to Pixie Dust (improved nonce generation)
  • Online brute-force slow and noisy (30k PIN space, ~0.5-2 sec per attempt)
  • WPS disabled by administrator (no attack surface)
  • Client MAC randomization doesn't affect WPS but complicates re-authentication forcing
Trust signals
  • Pixie Dust attack documented with specific vulnerable chipsets (Ralink, Realtek, Broadcom, MediaTek revisions)
  • Online PIN brute-force as fallback when Pixie Dust fails
  • Lockout evasion techniques (timeout, reset commands) documented