What is a pixie dust attack?
How does a pixie dust attack work? What is the flaw that only certain routers contain that makes them vulnerable to the Pixie Dust attack?
A Pixie Dust attack works by brute forcing the key for a protocol called WPS. WPS was intended to make accessing a router easier, and it did - for attackers.
A WPS PIN consists of 8 digits - two Pre-Shared Keys, or PSKs. Each PSK has half the PIN. To understand how a Pixie Dust attack works, you'll need to understand how the requests to the AP work:
1. Computer sends - EAPOL Start
2. Router sends - EAP-Request for the Identity
3. Computer sends - Responds with the Identity
4. Router sends - EAP request
5. Computer sends - EAP response
...
And it loops these requests a few more times before the credentials are sent.
However, during this process, your computer has been given the following:
Diffie-Hellman public key of the Enrollee
Diffie-Hellman public key of the Registrar
Two hashes - of the WPS PIN
Enrollee nonce and a derived AuthKey
Now, in order to successfully brute-force the previously mentioned PSKs, you'll need two more nonces - which are supposed to be randomly generated. And this is the most important part - since the random numbers are not really random but are derivations of the hashes (or are just zeroes), we can brute-force this key, even on a slow system! It will work if the implementation on the router is bad (which it is in most cases), and you should be able to find a list of vulnerable routers on the internet.
tl;dr: We brute-force a badly generated key because of a flaw in how the random numbers are generated in many routers.
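To make concrete why the nonces in the answer matter, here is an added Python simulation (not code from the question or the answer) of the M3 hash the answer refers to, E-Hash1 = HMAC-SHA256(AuthKey, E-S1 || PSK1 || PKE || PKR) as defined in the WPS spec. AuthKey, PKE, PKR and the PIN are constructed values; an enrollee that draws E-S1 from a CSPRNG keeps the four-digit half out of reach of an observer, while one that uses an all-zero nonce reduces the secret to 10^4 HMAC evaluations.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed stand-ins for the values the answer lists (not from any real capture):
AUTHKEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # 32-byte AuthKey
PKE = b"\x02" * 192  # enrollee Diffie-Hellman public key (placeholder bytes)
PKR = b"\x03" * 192  # registrar Diffie-Hellman public key (placeholder bytes)


def psk_half(pin_digits: str) -> bytes:
    """PSK1/PSK2 per the WPS spec: first 128 bits of HMAC-SHA256(AuthKey, ASCII digits)."""
    return hmac.new(AUTHKEY, pin_digits.encode(), hashlib.sha256).digest()[:16]


def e_hash(e_s: bytes, psk: bytes) -> bytes:
    """E-Hash1/E-Hash2 as the enrollee sends them in M3:
    HMAC-SHA256(AuthKey, E-S || PSK || PKE || PKR)."""
    return hmac.new(AUTHKEY, e_s + psk + PKE + PKR, hashlib.sha256).digest()


def half_pin_from_hash(e_hash1: bytes, assumed_e_s1: bytes) -> str | None:
    """Enumerate the 10^4 possible first halves under an assumed E-S1.
    Only the correct E-S1 can make this succeed: the real secret protecting
    the PIN half is the 128-bit nonce, not the four digits themselves."""
    for n in range(10_000):
        half = f"{n:04d}"
        if hmac.compare_digest(e_hash(assumed_e_s1, psk_half(half)), e_hash1):
            return half
    return None


def simulate_enrollee(pin: str, csprng_nonce: bool) -> str | None:
    """Model an enrollee that either draws E-S1 from a CSPRNG or (the flaw the
    answer describes) uses a constant all-zero nonce. Returns the half-PIN an
    observer recovers by assuming E-S1 == 0, or None if the observer fails."""
    e_s1 = secrets.token_bytes(16) if csprng_nonce else bytes(16)
    observed_hash1 = e_hash(e_s1, psk_half(pin[:4]))
    return half_pin_from_hash(observed_hash1, assumed_e_s1=bytes(16))


if __name__ == "__main__":
    pin = "12345670"  # constructed PIN
    print("zero nonce  :", simulate_enrollee(pin, csprng_nonce=False))  # 1234
    print("random nonce:", simulate_enrollee(pin, csprng_nonce=True))   # None
```

The contrast between the two runs is the whole lesson of the answer: the only thing that changes is whether E-S1 is unpredictable, which is why a fix belongs in the firmware's random number source rather than in the PIN format.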