HOW TO Hack WPA & WPA2 Wi-Fi Passwords with a Pixie-Dust Attack Using Airgeddon

Design flaws in many routers can allow hackers to steal Wi-Fi credentials, even if WPA or WPA2 encryption is used with a strong password. While this tactic used to take up to 8 hours, the newer WPS Pixie-Dust attack can crack networks in seconds. To do this, a modern wireless attack framework called Airgeddon is used to find vulnerable networks, and then Bully is used to crack them.When attacking a Wi-Fi network, the first and most obvious place for a hacker to look is the type of network encryption. While WEP networks are easy to crack, most easy techniques to crack WPA and WPA2 encrypted Wi-Fi rely on the password being bad or having the processing power to churn through enough results to make brute-forcing a practical approach.In some cases, an access point’s encryption is not the weakest point of the network, so it’s good to think outside of the box, or, in this case … focus on the box. Since the source of the Wi-Fi signal is being broadcast from the router’s hardware, the device itself would be a great target to attack instead of the encryption. And one weakness many access points have is a feature called Wi-Fi Protected Setup, which we will learn how to exploit in this guide.

If you forget the password to your access point, Wi-Fi Protected Setup, better known simply as WPS, lets you connect to the network using an 8-digit number printed on the bottom of the router. This is somewhat more convenient than just resetting the router with the button on the back, but also a massive security hole because of the way many routers deal with implementing this feature.

A WPS PIN on the bottom of a router can be seen here.

WPS PINs have been attacked by two successive generations of attacks, starting with the most basic brute-forcing methods targeting the way some routers split the PIN into two separate halves before checking them. Years later, another attack emerged that remains effective against many routers and greatly reduces the amount of time needed to attack a target.

Reaver: Now Obsolete Against Most Modern Routers

The Reaver brute-force attack was a radical new weapon for Wi-Fi hacking when it was presented in 2011. One of the first practical attacks against WPA- and WPA2-encrypted networks, it totally ignored the type of encryption a network used, exploiting poor design choices in the WPS protocol.

Reaver allowed a hacker to sit within range of a network and brute-force the WPS PIN, spilling all the credentials for the router. Worse, the 8-digit-long PIN could be guessed in two separate halves, allowing for the attack to take significantly shorter than working against the full length of the PIN.

While it did require a hacker to be within range of the target Wi-Fi network, it was able to penetrate even WPA and WPA2 networks with strong passwords using an online attack. This is opposed to an offline attack, such as WPA handshake brute-forcing, which does not require you to be connected to the network to succeed. While this was a limitation, the benefit is that there is typically no sign of this kind of attack to the average user.

The Reaver attack proved extremely popular, and since 2011, many routers now have protections to detect and shut down a Reaver-type attack. In particular, these attacks have been greatly slowed by rate-limiting, which forces a hacker to wait several seconds before each PIN attack. Many routers will now “lock” the WPS setting in response to too many failed PIN attempts. This has led the Reaver attack to be considered deprecated against most modern routers.

WPS Pixie-Dust Attack: The Better Attack Method

While routers updated some settings to prevent routers from being attacked via brute-force, serious flaws still existed in the way many routers implement encryption. In programming, it’s difficult to create truly random numbers, which is required to produce strong encryption. To do this, we use a function that starts with a number called a “seed,” which, after being passed into the function, produces a pseudo-random number.

If you use a long or varying “seed” number, you can get the same result as a number that’s actually random, but if you use an easily guessed “seed,” or even worse … the same one repeatedly, you create weak encryption that is easy to break. This is exactly what router manufacturers did, giving rise to Pixie-Dust, the second generation of WPS PIN attacks.

Since many routers with WPS enabled use known functions to produce random numbers with seed values like “0” or the time stamp of the beginning of the WPS transaction, the WPS key exchange has fatal flaws in the way it encrypts messages. This allows the WPS PIN to be cracked in a matter of seconds.

What You’ll Need for This Hack

Our tool of choice for demonstrating a WPS Pixie-Dust attack will be a wireless attack framework called Airgeddon. Integrating many wireless attack tools into a suite well suited for beginners, Airgeddon will allow you to select and configure your wireless card, find and load targeting data from nearby networks, and attack targeted networks — all from the same tool.

The main menu for the Airgeddon Wi-Fi attack framework.

A WPS Pixie-Dust attack in progress.

There are some trade-offs to using Airgeddon, as the way it passes data between reconnaissance and attack modules requires you to be able to open multiple terminal windows in a GUI desktop environment. If you are using SSH to access your Kali device, you may need to target vulnerable networks using the wash command included in the Reaver tool and pass the data manually to the Bully tool instead.

Since different wireless network cards work better or worse with Reaver or Bully, Airgeddon lets you pass target data between the two scripts and find the sweet spot for your wireless card, the attack module you are using, and the target you are attacking.

To use the Bully module of Airgeddon, you’ll need to be running Kali Linux or another supported distro. Make sure your Kali Linux is fully updated before you begin, as you’ll need several packages installed for this tool to work.

You’ll also need a wireless network adapter capable of packet injection and wireless monitor mode. We recommend the Panda PAU09, or you can check out our guide linked below to see other popular wireless network adapters.

Finally, make sure you have permission from the owner of the network you’re testing this tool on before you start. This tool can work very quickly, and if the network is monitored, you will leave evidence in the logs.

Step 1Download Airgeddon

First, you’ll need to install Airgeddon by cloning the git repository. Open a terminal window, and type the following to clone the repo, change directory to the new folder, and run “” as a bash script.

git clone
cd airgeddon
sudo bash ./

If it works, you should see an alien loading screen. Don’t get too spooked, the script will start soon.

19 thoughts on “HOW TO Hack WPA & WPA2 Wi-Fi Passwords with a Pixie-Dust Attack Using Airgeddon”

  1. Ferne Bellefeuille says:

    On the other hand, if you need to be able to connect your router to a number of computers in the same room or office, a mesh WiFi router with additional capabilities is a better option. The most advanced models will allow you to connect to a wired Ethernet network, but some have the added bonus of wireless LAN access.

  2. Glayds Grae says:

    Pretty! This was a really wonderful post. Many thanks for supplyingthis info.

  3. Travisral says:

    no prescription viagra viagra without a doctor prescription cvs viagra

  4. JamesAvemo says:

    30 day cialis trial offer buy tadalafil buy cialis online canadian

  5. Guy Woehrle says:

    Another advantage of using a wireless router for long distance usage is that you can access it anywhere. With a wired connection, you have to be close enough to the router to use it, and you have to be way away to use a wireless connection. This can be a problem if you live in an apartment building.

  6. Health says:

    Somebody essentially help to make seriously posts I would state. This is the very first time I frequented your web page and thus far? I surprised with the research you made to make this particular publish extraordinary. Excellent job!

  7. Free Samples says:

    One other issue is when you are in a scenario where you will not have a cosigner then you may really need to try to exhaust all of your school funding options. You could find many grants and other scholarships or grants that will supply you with money to help with school expenses. Thanks for the post.

  8. Jenny Wolbert says:

    Thankfulness to my father who told me regarding this weblog, this web site is genuinely awesome.|

  9. Alphonso Terstage says:

    You’ve made some good points there. I looked on the web for additional information about the issue and found most people will go along with your views on this web site.|

Leave a Reply