Introduced: 2006
Encryption: AES-CCMP
Key mgmt: PSK + WPS PIN
PMF: Optional
Prevalence: Common

How it works

Wi-Fi Protected Setup (WPS) was published by the Wi-Fi Alliance in 2006 to let non-technical users join a network without typing the WPA passphrase. The external-registrar method asks the user for an eight-digit PIN printed on the router, and the access point hands back the real WPA2 passphrase once the PIN checks out. Underneath, the AP still runs ordinary WPA2-Personal (AES-CCMP) with a four-way handshake; WPS is a separate enrollment protocol bolted on beside it.

The fatal flaw is in how the PIN is validated. The eighth digit is a checksum computed from the other seven, leaving seven secret digits, and the registration exchange checks those seven digits in two independent halves. The AP confirms the first four digits before the second half is ever sent, so a guesser learns whether the first half is right on its own. That turns one 10,000,000-guess search into a 10,000-guess search for the first half plus a 1,000-guess search for the second (only three of its four digits are free, because the eighth is the checksum), about 11,000 attempts total. A protocol meant to be friendly became the weakest authenticator on the network.

Configuring it in Tala WTE

The protocol-specific control for WPS is the Pixie-Dust Downgrade toggle, which the Topology section shows only for this protocol; it is off by default. Left off, the AP behaves like a patched modern router: its WPS registrar nonces are unpredictable, Pixie Dust fails, and the only way in is the slower online PIN brute force. Turned on, the AP emits predictable E-S1 and E-S2 secret nonces, so the offline Pixie Dust attack recovers the PIN in seconds. Flip it on to teach Pixie Dust; leave it off to show why a patched AP forces the online attack instead. Either way, every WPS network in the lab ships a recoverable registrar AP PIN and never locks out, so the online brute force always has a live target.

For the full New-Network walkthrough, see Networks.

Attacks

Online PIN brute force (reaver / bully)

This is the attack the lab target is built for. wash surveys for WPS-enabled APs, then reaver (or bully) walks the two PIN halves and, on success, prints both the PIN and the recovered WPA passphrase:

wash -i wlan0mon
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv

Judgment: reliable but slow; ~11,000 guesses run in minutes to hours because the lab AP never locks out, which is exactly why a real router enforcing lockout defeats this.

Pixie Dust offline attack (pixiewps)

Pixie Dust skips guessing entirely by exploiting weak randomness in the AP's E-S1/E-S2 nonces. Capture one exchange with reaver's Pixie Dust mode, which feeds the values to pixiewps:

reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -K 1 -vv

Judgment: instant when it works, but only against weak-RNG hardware; on the lab this needs Pixie-Dust Downgrade enabled, otherwise the strong nonces leave you nothing to solve. The Pixie Dust technique was published in 2014 and never received a single umbrella CVE; affected products were tracked under separate per-vendor identifiers, so treat it as a class of weak-entropy implementation bugs rather than one numbered flaw.

PBC race condition

The push-button method opens a roughly two-minute window in which any enrollee in range can complete pairing. An attacker who activates PBC at the same moment as the legitimate user can race onto the network.

bully wlan0mon -b AA:BB:CC:DD:EE:FF -W 1

Judgment: situational and noisy; it depends on catching the human in the act, so it teaches the PBC design gap more than it provides a dependable path.

What you find in the field

WPS is the soft underbelly of otherwise sound WPA2 deployments. A network can have a long, random, uncrackable passphrase and still fall in an afternoon because WPS hands that passphrase to anyone who guesses the PIN. In surveys you will see consumer and small-business routers with WPS left on by default, and plenty of devices ship a PIN that is fixed, vendor-default, or derived from the MAC or serial number, so it is guessable without any brute force at all. Pixie Dust is largely a legacy story now: chipsets from before roughly 2014 (common Ralink, Broadcom, and Realtek-based units) used weak RNG and fall instantly, while patched and newer firmware resists it and forces the slower online attack, which is precisely the contrast the Pixie-Dust Downgrade toggle lets you stage on demand.

Defending against it

The clean answer is to disable WPS entirely; the external-registrar PIN method has no safe configuration, and a strong WPA2 or WPA3 passphrase gives you everything WPS was meant to make easy without the attack surface. If WPS cannot be removed, AP-side lockout after a small number of failed PIN attempts is what neuters the online brute force in practice (the lab deliberately sets ap_setup_locked=0 so it does not lock, which is why the attack always works here). Prefer push-button (PBC) over the PIN method where a device truly needs WPS, accept the short race window as the lesser risk, and replace pre-2014 hardware whose weak nonces make Pixie Dust trivial. Above all, treat WPS as enrollment convenience, never as security: the strength of the network still lives in the passphrase, not the PIN.
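As an added example (not Tala WTE's own code), the PIN checksum and the search-space split from How it works above, together with a simplified lockout model for the defense just described. The checksum formula is the one the WPS specification defines; the registrar lockout model, the one-second-per-attempt cost and the three-failures/60-second policy used when the script runs are assumptions, not values from the lab or from any real AP.

```python
from typing import Optional

def wps_checksum_digit(body: str) -> int:
    """Eighth (checksum) digit of a WPS PIN, computed from the seven-digit body:
    acc = 3*(d1+d3+d5+d7) + (d2+d4+d6); checksum = (10 - acc mod 10) mod 10."""
    d = [int(c) for c in body]
    acc = 3 * sum(d[0::2]) + sum(d[1::2])
    return (10 - acc % 10) % 10

def pin_is_valid(pin: str) -> bool:
    """True if pin is exactly 8 digits and its checksum digit is correct."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum_digit(pin[:7])

def worst_case_guesses(split_validation: bool) -> int:
    """Worst-case online guesses against a registrar that never locks out.
    split_validation=True models the real exchange: the AP reveals whether the
    first four digits are right before the second half is ever sent."""
    if split_validation:
        return 10**4 + 10**3   # four free digits, then three free digits + checksum
    return 10**7               # seven secret digits validated as one unit

def hours_to_exhaust(seconds_per_attempt: float,
                     max_failures: Optional[int],
                     cooldown_seconds: float = 0.0) -> float:
    """Worst-case wall-clock hours to exhaust the split-half space under an ASSUMED
    lockout policy: after max_failures failed PINs the registrar refuses attempts
    for cooldown_seconds. max_failures=None models the lab's ap_setup_locked=0."""
    attempts = worst_case_guesses(split_validation=True)
    total = attempts * seconds_per_attempt
    if max_failures is not None:
        total += (attempts // max_failures) * cooldown_seconds
    return total / 3600

if __name__ == "__main__":
    # 12345670 is a well-known checksum-valid PIN; the lockout numbers are assumptions.
    print(pin_is_valid("12345670"), worst_case_guesses(True), worst_case_guesses(False))
    print(round(hours_to_exhaust(1.0, None), 1), "h without lockout")
    print(round(hours_to_exhaust(1.0, 3, 60.0), 1), "h with 3-failure / 60 s lockout")
```

The last two lines show the point of the defense: the same 11,000-attempt space that a non-locking AP exposes in a few hours stretches to days once each handful of failures buys a cooldown, and a permanent lock bounds the attacker to max_failures attempts in total.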

References

  • IEEE Std 802.11-2020 - base WLAN standard (RSN, the four-way handshake, and the AES-CCMP that WPS provisions)
  • RFC 3748 - Extensible Authentication Protocol (EAP) - the EAP framework that the WPS registration exchange (the EAP-WSC method) is carried over
  • CVE-2011-5053 - WPS external-registrar PIN brute force enabled by half-by-half PIN validation
  • CERT/CC VU#723755 - the CERT/CC vulnerability note for the WPS PIN brute force, including the 10^8 to ~11,000 attempt reduction and the lockout gap
  • Pixie Dust (2014) - offline PIN recovery; tracked under per-vendor CVEs for weak WPS nonce entropy rather than one canonical identifier, so see the affected vendors' own security advisories

(c) 2026 VTEM Labs, Inc. All rights reserved. | vtemlabs.com