
WPS Reaver Attack Guide: Why the WPS PIN Is Dead

WPS, the Wi-Fi Protected Setup feature on the side of every home router built between 2007 and today, promised one thing: press a button, type 8 digits, and pair your printer without caring about WPA2 passphrase complexity. Fourteen years after the first public attack, the 8-digit PIN variant of WPS remains the single most exploited long-tail vulnerability on consumer Wi-Fi. This article walks through why the PIN is effectively 11 000 guesses instead of the 10 million you would expect, how Reaver, Bully and Pixie Dust exploit it in different ways, what a modern router's lockout logic looks like from the attacker side, and — most importantly — how to verify that your own access point has WPS disabled so you do not end up in a bot-net crawl statistic.

Legal boundary

Running Reaver, Bully or Pixie Dust against a router you do not own is unauthorized access under the Computer Fraud and Abuse Act in the United States, the Computer Misuse Act in the United Kingdom, and equivalent statutes in every EU member state. Every command in this article assumes the BSSID you target is a router you own or have documented written permission to audit. The tools are legal to install and read about; the usage is what determines whether a prosecutor gets involved. If in doubt, build a home lab with a second router bought specifically for practice — they are under $30 on the used market.

What WPS actually is

Wi-Fi Protected Setup is an optional IEEE standard added to the 802.11 ecosystem in 2007, after several years of customer-support departments at Netgear, Linksys and D-Link realising that average users could not reliably type a 63-character WPA2 pre-shared key into a Nintendo DS. The standard defines four registration methods: Push-Button Configuration (PBC), the 8-digit PIN, Near-Field Communication and USB flash drive. In practice, 99% of home deployments use only PBC and the PIN. Every Wi-Fi certified router sold before 2020 was required to implement the PIN method; certification rules relaxed that requirement around 2020 but most hardware already in the field still exposes it.

From the user's point of view, WPS means: hold a button on the router for two seconds, hold a button on the device for two seconds, done. Underneath the hood, both sides perform an EAP-based exchange that transfers the WPA2 pre-shared key from registrar (router) to enrollee (client). The PIN variant lets you skip the button press and type the 8-digit number printed on a sticker. That 8-digit number is the problem.

The split-half vulnerability

A naive analysis of an 8-digit PIN gives you 10^8 = 100 000 000 possibilities. The WPS specification supplies the first reduction: the last digit is a checksum over the first seven, so the attacker only needs to enumerate 10^7 = 10 million values. Ten million online guesses against a router that responds in roughly a second per attempt would take around 115 days — slow, but not infeasible. The actual vulnerability, discovered by Stefan Viehböck and independently by Craig Heffner in December 2011, is that the router validates the PIN in two halves and leaks the result of each half separately.

During the registration exchange, the enrollee sends M4 containing a hash of the first four digits of the PIN, and later M6 containing a hash of the last four digits (three unknown digits plus the checksum). If the first half is wrong, the router responds with a NACK after M4 and never processes M6. That lets the attacker treat each half as an independent brute force: 10 000 possibilities for the first half, 1 000 for the second (because the last digit is determined by the checksum), for a total worst case of 11 000 attempts and an average of 5 500. At one second per attempt that is a 90-minute attack. At ten seconds per attempt — slowed by a router that implements minor rate limiting — it is a 15-hour attack. Either way, a search over ten million PINs collapses to a search over eleven thousand.

Reaver, written by Craig Heffner in 2011, was the first public tool to automate this split-half brute force. Bully, released by Brian Purcell a few years later, is a re-implementation with better handling of flaky access points and more aggressive retry logic. The two are functionally interchangeable for an attacker; Bully tends to survive noisy RF environments slightly better, Reaver has more mature logging and checkpointing.

Pixie Dust — offline in seconds

In August 2014, Dominique Bongard announced an offline attack against the WPS handshake itself, nicknamed Pixie Dust. The attack does not brute-force the PIN by repeatedly asking the router; it captures a single failed exchange and, for vulnerable chipsets, derives the PIN from the cryptographic nonces used in the exchange. The root cause is weak random-number generation. The WPS registrar generates two nonces, E-S1 and E-S2, which are supposed to be unpredictable. Ralink (now MediaTek) chipsets up to a certain firmware version used a PRNG seeded with the boot time in seconds plus a few trivial inputs. Realtek and Broadcom had similar failures in different form. Given a captured exchange and the vulnerability, an attacker recovers the PIN in seconds, without any further interaction with the router.
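The root cause described above, reduced to a toy model, as an added example that is not code from the article, from pixiewps or from any chipset vendor: two nonces are drawn from a PRNG whose only entropy is the boot time in seconds, and a second generator draws them from the operating system's CSPRNG. Python's Mersenne Twister stands in for the chipset generator (it is not the Ralink algorithm), the 3600-second uncertainty window and the boot-time value are constructed, and `weak_nonces`, `strong_nonces`, `recover_seed` and `second_nonce_is_predictable` are names invented for this illustration. The point is the defender's check at the end: if the second nonce can be reproduced from the first with no further interaction, the nonce source is too weak for the protocol.

```python
import os
import random
from typing import Optional, Tuple

# Constructed assumption: the router's uptime is known to within an hour, so the
# boot-time seed lies in a window of 3600 candidate values.
SEED_WINDOW_SECONDS = 3600


def weak_nonces(boot_time_seconds: int) -> Tuple[int, int]:
    """Toy model of the flaw: two 128-bit nonces from a PRNG whose only entropy is
    the boot time in seconds. Mersenne Twister stands in for the chipset PRNG."""
    rng = random.Random(boot_time_seconds)
    return rng.getrandbits(128), rng.getrandbits(128)


def strong_nonces() -> Tuple[int, int]:
    """The fix: nonces from the OS CSPRNG, unrelated to uptime or any other
    low-entropy input."""
    return (int.from_bytes(os.urandom(16), "big"),
            int.from_bytes(os.urandom(16), "big"))


def recover_seed(first_nonce: int, newest_candidate_seed: int,
                 window: int = SEED_WINDOW_SECONDS) -> Optional[int]:
    """Walk the candidate seed window backwards from the newest plausible boot
    time. A seed that reproduces the observed first nonce also reproduces every
    later output. Returns None when nothing matches, which is the expected
    outcome for CSPRNG output."""
    for seed in range(newest_candidate_seed, newest_candidate_seed - window, -1):
        if random.Random(seed).getrandbits(128) == first_nonce:
            return seed
    return None


def second_nonce_is_predictable(first_nonce: int, second_nonce: int,
                                newest_candidate_seed: int) -> bool:
    """Defender's check: True when the second nonce follows from the first alone,
    i.e. the generator behind these values is unfit for a security protocol."""
    seed = recover_seed(first_nonce, newest_candidate_seed)
    return seed is not None and weak_nonces(seed)[1] == second_nonce


if __name__ == "__main__":
    boot = 1_700_000_000   # constructed boot time, seconds since the epoch
    n1, n2 = weak_nonces(boot)
    print("time-seeded PRNG predictable:",
          second_nonce_is_predictable(n1, n2, boot + 600))
    s1, s2 = strong_nonces()
    print("CSPRNG predictable:", second_nonce_is_predictable(s1, s2, boot + 600))
```

The weak generator fails the check every time; the CSPRNG passes it, because 128 bits of fresh entropy cannot be reproduced by trying a few thousand seeds. That difference, not the number of nonces or their length, is what separates a patched chipset from a vulnerable one.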

Reaver's -K 1 flag enables Pixie Dust mode, handing the captured exchange to pixiewps. Every modern audit workflow starts with Pixie Dust because it either succeeds in under ten seconds or fails instantly, costing nothing. Only if Pixie Dust fails does the workflow fall back to the slower online PIN brute force.

Scanning for WPS with wash

The wash utility ships with Reaver and passively decodes beacon frames to list nearby access points that still advertise WPS. Crucially it prints a Lock column: routers that have already entered WPS lockout mode (because someone tried Reaver on them earlier, or because the user manually disabled it) show as locked and are effectively immune until the lockout expires or the router reboots.

# enable monitor mode
sudo airmon-ng check kill
sudo airmon-ng start wlan0
# scan for WPS-capable APs
sudo wash -i wlan0mon
# output columns: BSSID  Ch  dBm  WPS  Lock  Vendor  ESSID
# a "No" in the Lock column means the router will accept PIN attempts

Run wash for at least 30 seconds. Beacons go out once every 102.4 ms by default, so in 30 seconds you see approximately 300 beacons per access point, which is enough to pick up every WPS-capable neighbour within range. Make a list of the BSSIDs, channels and lock states of your own access points. If any of them show Lock = No, WPS is live.
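The audit step just described (list your own BSSIDs and check their Lock state) as a small parser, added here as an example that is not part of the article or of the reaver package. It reads wash-style lines, keeps only rows whose first column is a MAC address, and reports which of your own access points still advertise WPS with Lock = No. The sample listing, its BSSIDs, vendors and ESSIDs are constructed; the column order is the one wash prints. `parse_wash`, `WpsBeacon` and `live_wps_on_own_aps` are names chosen for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample in the column layout wash prints (not a real capture).
SAMPLE_WASH_OUTPUT = """\
BSSID               Ch  dBm  WPS  Lock  Vendor    ESSID
--------------------------------------------------------------------------------
AA:BB:CC:DD:EE:FF    6  -45  2.0  No    RalinkTe  HomeNet
AA:BB:CC:DD:EE:F0   11  -52  2.0  Yes   Broadcom  HomeNet-Guest
11:22:33:44:55:66    1  -70  1.0  No    Unknown   Neighbour Net
"""

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass(frozen=True)
class WpsBeacon:
    bssid: str
    channel: int
    dbm: int
    wps_version: str
    locked: bool
    vendor: str
    essid: str


def parse_wash(text: str) -> List[WpsBeacon]:
    """Parse wash-style lines into records. Header, separator and blank lines are
    skipped by requiring a MAC address in the first column. The ESSID is taken as
    everything after the sixth column so names containing spaces survive; a hidden
    network (no seventh column) yields an empty ESSID."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 6)
        if len(parts) < 6 or not MAC_RE.match(parts[0]):
            continue
        bssid, ch, dbm, wps, lock, vendor = parts[:6]
        essid = parts[6].strip() if len(parts) == 7 else ""
        rows.append(WpsBeacon(bssid.upper(), int(ch), int(dbm), wps,
                              lock.lower() == "yes", vendor, essid))
    return rows


def live_wps_on_own_aps(text: str, own_bssids: Iterable[str]) -> List[WpsBeacon]:
    """The audit result: own access points that still advertise WPS and are not
    in lockout. Anything returned here will accept PIN attempts."""
    own = {b.upper() for b in own_bssids}
    return [r for r in parse_wash(text) if r.bssid in own and not r.locked]


if __name__ == "__main__":
    mine = ["aa:bb:cc:dd:ee:ff", "AA:BB:CC:DD:EE:F0"]   # constructed inventory
    for ap in live_wps_on_own_aps(SAMPLE_WASH_OUTPUT, mine):
        print(f"WPS live on {ap.essid} ({ap.bssid}, ch {ap.channel}): disable it")
```

Run it once before and once after flipping the WPS checkbox: an access point that has genuinely stopped advertising WPS disappears from the wash listing altogether, so the second run should return an empty list for your own BSSIDs. A locked entry (Lock = Yes) is only a temporary reprieve, since the lockout expires or clears on reboot.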

Running Reaver with Pixie Dust

For a router you own, the fast path is to try Pixie Dust first. The entire attack — capture the first half of an exchange, hand it to pixiewps, print the PIN — runs in under ten seconds on a vulnerable chipset. Reaver automates the handoff with the -K flag.

sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -c 6 -K 1 -vv
# -i   monitor interface
# -b   target BSSID (your own router)
# -c   channel from wash output
# -K 1 enable Pixie Dust offline attack
# -vv  verbose output

A vulnerable router returns both the WPS PIN and the WPA2 pre-shared key within seconds. If the chipset has been patched, you see the exchange complete normally but pixiewps prints "Pixie Dust attack failed" and Reaver falls through to the online PIN brute force. Exit with Ctrl+C and move on: do not leave Reaver running overnight against a patched router; it is wasted RF time and it triggers lockout.

Online PIN brute force

When Pixie Dust fails, the fallback is the original split-half brute force. Reaver is designed to run this automatically without the -K flag. Expect anywhere between one hour and several days depending on the target's rate limiting.

sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -c 6 -vv \
    -d 15 -r 3:15 -N -L
# -d 15     delay 15 seconds between attempts (stay under rate limit)
# -r 3:15   after 3 attempts, sleep 15 seconds
# -N        do not send NACK messages when out-of-order packets are received
# -L        ignore locked state reported by router (only for auditing)
# Reaver persists progress in /var/lib/reaver/<bssid>.wpc automatically

Reaver checkpoints progress every few attempts in /var/lib/reaver, so if the session dies you can re-launch the same command and it resumes from the last saved PIN prefix. Bully has an equivalent checkpoint file and produces similar throughput. Against a modern router that locks WPS after three failed PINs and only resets the lockout after a reboot, neither tool completes in practical time — the router wins by policy, not by math.

Lockout and mitigations

Good router behaviour

  • Lock WPS after 3-10 failed PIN attempts
  • Require manual unlock via admin panel
  • Ship with WPS PIN disabled, push-button only
  • Patched chipset blocks Pixie Dust

Bad router behaviour

  • Lockout resets automatically after 60 seconds
  • No lockout at all (old Broadcom firmware)
  • WPS PIN printed on an external sticker
  • Vulnerable Ralink/Realtek chipset, no firmware update

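The two lists above can be turned into numbers. The following risk model is an added example, not code from the article or from Reaver: it takes the 11 000-attempt worst case from the split-half section and computes how long an online guesser needs under each lockout policy. `LockoutPolicy`, `seconds_to_exhaust` and `is_effective` are names chosen for this example, the one-second-per-attempt rate is the article's own figure, and the 30-day "attacker budget" used to grade a policy is a constructed threshold.

```python
import math
from dataclasses import dataclass
from typing import Optional

# From the article: worst-case number of online PIN attempts after the split-half leak.
SPLIT_HALF_WORST_CASE = 10_000 + 1_000


@dataclass(frozen=True)
class LockoutPolicy:
    """A router's WPS PIN lockout behaviour, as it appears from the radio side."""
    name: str
    failures_before_lock: Optional[int]   # None: the router never locks
    auto_reset_seconds: Optional[int]     # None: locked until manual unlock or reboot


def seconds_to_exhaust(policy: LockoutPolicy,
                       attempts: int = SPLIT_HALF_WORST_CASE,
                       seconds_per_attempt: float = 1.0) -> float:
    """Worst-case wall-clock time for an online guesser to get through `attempts`
    PINs under `policy`. Returns math.inf when a human must unlock the router,
    because the first lock ends the session for good."""
    if policy.failures_before_lock is None:
        return attempts * seconds_per_attempt
    if policy.auto_reset_seconds is None:
        return math.inf
    # Each window allows failures_before_lock attempts followed by a cooldown;
    # the final window needs no trailing cooldown.
    windows = math.ceil(attempts / policy.failures_before_lock)
    return attempts * seconds_per_attempt + (windows - 1) * policy.auto_reset_seconds


def is_effective(policy: LockoutPolicy, budget_days: float = 30.0) -> bool:
    """A policy counts as effective when the worst-case session cannot finish
    inside the attacker's budget (constructed threshold: 30 days of radio time)."""
    return seconds_to_exhaust(policy) > budget_days * 86_400


POLICIES = [
    LockoutPolicy("no lockout (old Broadcom firmware)", None, None),
    LockoutPolicy("lock after 3, auto-reset after 60 s", 3, 60),
    LockoutPolicy("lock after 10, auto-reset after 60 s", 10, 60),
    LockoutPolicy("lock after 3, manual unlock only", 3, None),
]

if __name__ == "__main__":
    for p in POLICIES:
        secs = seconds_to_exhaust(p)
        shown = "never" if math.isinf(secs) else f"{secs / 3600:8.1f} h"
        print(f"{p.name:42s} {shown}  effective={is_effective(p)}")
```

The auto-reset policy is the instructive row: locking after three failures but clearing the lock after a minute stretches the session from about three hours to about two and a half days, which is an inconvenience rather than a defence. Only the manual-unlock row returns an infinite cost, which is what "the router wins by policy, not by math" means in numbers.
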
The single most effective defence is to turn WPS off. Every router made in the last decade has a checkbox for it in the admin panel. Flip it to off, save, reboot, and re-run wash to confirm the access point no longer advertises WPS in its beacons. If your ISP router does not offer a way to disable WPS, request a newer unit or put your own router behind it with WPS disabled there.

How the WPS attack relates to WPA2 handshake cracking

WPS PIN brute force and WPA2 handshake cracking are two completely different attack surfaces, and a router can be vulnerable to either, both, or neither. A strong 20-character WPA2 pre-shared key defends against handshake cracking perfectly but is irrelevant if WPS is on — an attacker bypasses the PSK entirely and asks the router to hand it over via WPS. A router with WPS off but a weak 8-character password is safe from Reaver but falls to handshake capture plus a dictionary attack in minutes. The two defences are additive; you need both. For the handshake side of the equation see our explainer on the WPA handshake and the aircrack-ng tutorial.

Frequently asked questions

Is WPS still enabled on modern routers?

Many ISP-supplied routers ship with WPS enabled by default in 2026, typically in the push-button variant. Some still expose the 8-digit PIN variant for legacy onboarding, which is what Reaver and Pixie Dust target. Consumer-grade access points from TP-Link, D-Link, Netgear, Belkin and several OEM ODMs have historically shipped vulnerable firmware. Audit your own devices before assuming the default is safe.

Why is the 8-digit PIN only 11 000 guesses instead of 10 million?

The 8-digit PIN has one checksum digit, reducing it to 10^7 = 10 million possibilities. The WPS protocol validates the first half (4 digits) and the second half (3 digits plus checksum) independently, telling the attacker which half is wrong. That collapses the brute force to 10 000 + 1 000 = 11 000 attempts in the worst case.
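The arithmetic behind this answer and the split-half section earlier in the article, carried through in code as an added example that is not from the article or from Reaver. The checksum rule is the one published in the Wi-Fi Simple Configuration specification: digits 1, 3, 5 and 7 are weighted 3, digits 2, 4 and 6 are weighted 1, and the eighth digit brings the sum to a multiple of 10. `wps_checksum_digit`, `is_valid_wps_pin`, `candidate_counts` and `session_hours` are names chosen for this example; the well-known sample PIN 12345670 is used only to show a passing checksum.

```python
from typing import Dict


def wps_checksum_digit(first_seven: str) -> int:
    """Checksum digit that completes a 7-digit prefix into a valid 8-digit WPS PIN
    (weights 3,1,3,1,3,1,3 over the prefix, per the WPS specification)."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("need exactly seven decimal digits")
    total = 0
    for pos, ch in enumerate(first_seven):
        weight = 3 if pos % 2 == 0 else 1   # odd-numbered digits weigh 3
        total += weight * int(ch)
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True when an 8-digit PIN, as printed on a router sticker, passes the
    checksum. A typo in the sticker value fails here before any radio traffic."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum_digit(pin[:7]) == int(pin[7])


def candidate_counts() -> Dict[str, int]:
    """Size of the PIN search under each validation model the article describes."""
    first_half = 10 ** 4    # digits 1-4, answered by the NACK after M4
    second_half = 10 ** 3   # digits 5-7; digit 8 is fixed by the checksum
    return {
        "naive_8_digit": 10 ** 8,
        "with_checksum": 10 ** 7,
        "split_half_worst": first_half + second_half,
        # each half is an independent search, so the expected cost is half of each
        "split_half_average": first_half // 2 + second_half // 2,
    }


def session_hours(attempts: int, seconds_per_attempt: float) -> float:
    """Wall-clock hours for a given number of online attempts at a fixed rate."""
    return attempts * seconds_per_attempt / 3600


if __name__ == "__main__":
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    counts = candidate_counts()
    print("naive:", counts["naive_8_digit"], "checksum:", counts["with_checksum"],
          "split-half worst:", counts["split_half_worst"])
    print("average attack at 1 s/attempt: %.1f h" % session_hours(counts["split_half_average"], 1))
    print("average attack at 10 s/attempt: %.1f h" % session_hours(counts["split_half_average"], 10))
```

The two `session_hours` calls reproduce the article's 90-minute and 15-hour figures from the 5 500-attempt average; changing only the rate, not the count, is all a rate limiter can do, which is why lockout rather than delay is the decisive control.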

What exactly is Pixie Dust?

Pixie Dust is an offline attack that derives the PIN from a single failed exchange by exploiting weak nonces generated by vulnerable chipsets. When the chipset is vulnerable it succeeds in seconds; when patched it fails instantly. It does not trigger lockout because no PIN attempts are sent.

Will my router lock me out?

Modern routers lock WPS after N failed PIN attempts (typically 3 to 10) and only reset on reboot or manual unlock. Reaver includes delay flags to try to stay under thresholds but a patched router can outlast any realistic session. Lockout is the most effective defence short of disabling WPS.

Is WPS push-button (PBC) also insecure?

Push-button mode does not expose a persistent PIN to guess, so it is not vulnerable to Reaver. The two-minute window during which any nearby device can pair is an operational concern in dense environments but is not the same class of issue.
