There are two main cracking attacks you can launch to exploit weaknesses in the implementation of Wi-Fi Protected Setup (WPS), an attempt to streamline the processes of setting up a secure Wi-Fi network and enrolling devices in it. The most prominent attack involves brute-forcing the 8-digit PIN that clients can use to enroll their devices without knowing the WPA/WPA2 PSK. WPS checks each half of the PIN separately, reducing the number of guesses from a maximum of 100,000,000 to only 11,000. This is trivial for most modern computers to crack, assuming the WAP doesn't lock out after a certain number of failures. Even if it does, the attack may take a couple of weeks instead of a couple of hours—still a short enough time to be feasible for the attacker to carry out. Likewise, the lockout mechanism may only trigger based on the client's MAC address, so if you spoof your MAC, you may be able to get around this defense. Some simpler WAPs are even incapable of handling a brute force attack and may suffer a DoS condition as a result.
Online brute forcing is not your only option, however. An offline brute force attack called Pixie Dust enables you to recover the WPS PIN within mere minutes. In the WPS process, several values (including each half of the PIN) are used to create two hashes that the AP uses to prove to the client that it knows the PIN. The hash values and some of the values that go into creating them are broadcast by the AP and can be obtained by an attacker. Other than the two halves of the PIN, there are two other values that go into computing the hashes that are not broadcast—nonces E-S1 and E-S2. The problem is that some AP manufacturers have used weak and easily predicted nonce values by default. Some manufacturers don't even provide values for the nonces. If you have the hashes and the nonce values, you can run all 11,000 possible values with the nonces and the other broadcast values through the relevant hash function until you get matching hashes. A matching value reveals the PIN.
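Both attacks above depend on the PIN method being reachable at all, so the practical mitigation is to turn the PIN path off. As an added example (not part of the original text), assuming the access point runs hostapd, here are three alternative hostapd.conf fragments: the weak setting that leaves a static AP PIN exposed, the setting that disables WPS outright, and a middle ground that keeps only push-button enrollment. The option names are standard hostapd keys; the PIN value is a constructed placeholder.

```ini
# hostapd.conf fragments (added example; assumes a hostapd-based AP).
# Use ONE of the three sections below, not all of them in the same file.

# --- Weak: WPS on, static AP PIN set, registrar path unlocked.
#     Anyone in radio range can drive the half-PIN brute force and, on
#     affected chipsets, the offline Pixie Dust recovery described above.
wps_state=2
ap_pin=12345670            # constructed placeholder; any fixed PIN is the issue
ap_setup_locked=0

# --- Corrected: disable WPS entirely. This is the only setting that removes
#     both the online PIN brute force and the Pixie Dust exposure.
wps_state=0

# --- If WPS must stay on for push-button enrollment, keep the PIN path closed:
#     no ap_pin line, lock the AP setup, advertise only push-button methods.
wps_state=2
ap_setup_locked=1          # reject new external registrars using an AP PIN
config_methods=virtual_push_button physical_push_button
```

After changing the setting, confirm from a separate client that the AP no longer advertises WPS in its beacons; on consumer gear the web UI toggle and the actual radio behaviour do not always agree, so verify rather than trust the checkbox.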
You can use a Kali Linux tool called Reaver to launch a Pixie Dust attack:
reaver -i wlan0 -b <AP MAC address> -c <AP channel> -K 1
The -K 1 flag runs the attack by incorporating known nonce values or algorithms from Ralink, Broadcom, and Realtek APs.
Reaver now also has a feature that lets you set the PIN to null (an empty string). It provides the PIN but no password. After you update Reaver, you can also set the no-NACKs (-N) parameter. Example:
reaver -i wlanmon0 -b 00:90:4C:C1:AB:CD -p "" -N -vv
Another Kali tool you can use is Bully. It sometimes works when Reaver does not. Example:
bully wlanmon0 -b 00:90:12:34:AB:CD -e linksys -c 11
If you need to update Kali (and thus the tools), use these commands:
apt-get update
apt-get dist-upgrade
Note: For more information, see https://tools.kali.org/wireless-attacks/reaver, https://tools.kali.org/wireless-attacks/bully

