offensive-wps

WPS PIN Attacks

WPS converts an 8-digit PIN into the network PSK via the M3/M4 message exchange. The PIN is split into a 4-digit first half and a 3-digit second half (the 8th digit is a checksum), and each half is checked separately, giving only 11,000 (10^4 + 10^3) effective combinations. On vulnerable chipsets, the offline Pixie Dust attack recovers the PIN in seconds without ever sending an online attempt.

Quick Workflow

  1. Detect WPS-enabled APs (look for the WPS IE in beacons)
  2. Try Pixie Dust first — offline, undetectable, instantaneous when it works
  3. If the chipset isn't vulnerable, check whether online brute force is feasible (lockout policy)
  4. Online brute force as a last resort: slow and detectable

Detection

# wash — dedicated WPS scanner
sudo wash -i wlan0mon
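
For auditing which access points in your own environment still advertise WPS, the check behind step 1 is a parse of the beacon's tagged parameters for the WPS vendor IE (OUI 00:50:F2, type 4), reading its state and AP Setup Locked attributes. This is an added example, not code from the skill; the function names are hypothetical and the sample bytes are constructed.

```python
import struct

WPS_OUI_TYPE = bytes.fromhex("0050f204")  # Microsoft OUI 00:50:F2, type 4 = WPS
ATTR_WPS_STATE = 0x1044                   # 1 = not configured, 2 = configured
ATTR_AP_SETUP_LOCKED = 0x1057             # 1 = AP is refusing PIN registrars


def iter_tlv(buf, hdr):
    """Yield (type, value) pairs; hdr is the struct format of the type+length header."""
    size = struct.calcsize(hdr)
    pos = 0
    while pos + size <= len(buf):
        t, length = struct.unpack_from(hdr, buf, pos)
        pos += size
        if pos + length > len(buf):
            raise ValueError("truncated element")
        yield t, buf[pos:pos + length]
        pos += length


def wps_status(tagged_params):
    """Return None when no WPS IE is present, else its state and lock flag."""
    for eid, body in iter_tlv(tagged_params, "BB"):       # 802.11 IEs: 1-byte id, 1-byte len
        if eid == 221 and body[:4] == WPS_OUI_TYPE:       # 221 = vendor-specific IE
            attrs = dict(iter_tlv(body[4:], ">HH"))       # WPS attrs: 2-byte type, 2-byte len
            state = (attrs.get(ATTR_WPS_STATE) or b"\x00")[0]
            locked = (attrs.get(ATTR_AP_SETUP_LOCKED) or b"\x00")[0] == 1
            return {"configured": state == 2, "locked": locked}
    return None


# Constructed sample: SSID "lab-net" followed by a WPS IE carrying
# Version 0x10, state = configured, AP Setup Locked = 1.
SAMPLE_LOCKED = b"\x00\x07lab-net" + bytes.fromhex(
    "dd13" "0050f204" "104a000110" "1044000102" "1057000101")
SAMPLE_NO_WPS = b"\x00\x07lab-net"

if __name__ == "__main__":
    print(wps_status(SAMPLE_LOCKED))   # WPS advertised, currently locked
    print(wps_status(SAMPLE_NO_WPS))   # WPS not advertised
```

An AP that returns `None` here has WPS off in its beacons, which is the remediation target; `locked` only reflects the AP's lockout state at capture time.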
offensive-wps — snailsploit/claude-red