What is a pixie dust attack?
How does a Pixie Dust attack work? What is the flaw that only certain routers contain that makes them vulnerable to a Pixie Dust attack?
A Pixie Dust attack works by brute-forcing the key for a protocol called WPS. WPS was intended to make accessing a router easier, and it did - for attackers. A WPS PIN consists of 8 digits - two Pre-Shared Keys, or PSKs. Each PSK has half the PIN. To understand how a Pixie Dust attack works, you'll need to understand how the requests to the AP work:
1. Computer sends - EAPOL Start
2. Router sends - EAP-Request for the Identity
3. Computer sends - EAP-Response with the Identity
4. Router sends - EAP request
5. Computer sends - EAP response
And it loops these requests a few more times before the credentials are sent.
However, during this process, your computer has been given the following:
- Diffie-Hellman public key of the Enrollee
- Diffie-Hellman public key of the Registrar
- Two hashes of the WPS PIN
- Enrollee nonce and a derived AuthKey

Now, in order to successfully brute-force the previously mentioned PSKs, you'll need two more nonces, which are supposed to be randomly generated. And this is the most important part: since the random numbers are not really random but are derivations of the hashes (or are just zeroes), we can brute-force this key, even on a slow system! It will work if the implementation on the router is bad (which it is in most cases), and you should be able to find a list of vulnerable routers on the internet.

tl;dr: We brute-force a badly generated key because of a flaw in how the random numbers are generated in many routers.
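As an added example (not code from the original answer or from any WPS implementation), the following Python simulation shows why the two enrollee nonces are the whole game. It builds the M3 commitments the way the WPS spec defines them (PSK half = first 128 bits of HMAC-SHA256(AuthKey, four PIN digits); E-Hash = HMAC-SHA256(AuthKey, E-S || PSK || PKE || PKR)) and then runs the same offline self-test against two enrollees: one whose nonce is 128 fresh random bits, and one that emits all zeroes, the case the answer mentions. PKE, PKR and AuthKey are constructed placeholders, not real Diffie-Hellman values or a real KDF output, and the sample PIN is made up; the derived-nonce (weak PRNG) variants that real tooling also handles are not modelled here.

```python
import hashlib
import hmac
import secrets

# Constructed placeholders, not values from any real device or capture. In a
# real exchange PKE/PKR are 1536-bit Diffie-Hellman public keys and AuthKey
# comes from the KDF over the DH shared secret and both nonces.
PKE = b"\x11" * 192
PKR = b"\x22" * 192
AUTHKEY = hashlib.sha256(b"constructed AuthKey for the example").digest()


def psk_half(pin_half: str, authkey: bytes = AUTHKEY) -> bytes:
    """PSK1 / PSK2: first 128 bits of HMAC-SHA256(AuthKey, four PIN digits as ASCII)."""
    return hmac.new(authkey, pin_half.encode("ascii"), hashlib.sha256).digest()[:16]


def e_hash(nonce: bytes, psk: bytes, authkey: bytes = AUTHKEY) -> bytes:
    """E-Hash1 / E-Hash2 that the enrollee commits to in M3:
    HMAC-SHA256(AuthKey, E-S || PSK || PKE || PKR)."""
    return hmac.new(authkey, nonce + psk + PKE + PKR, hashlib.sha256).digest()


def enrollee_commit(pin: str, nonce_source):
    """Build the M3 commitments the way an enrollee does. nonce_source() stands
    in for the device's E-S1/E-S2 generator and is the only thing that differs
    between a sound and a broken implementation."""
    e_s1, e_s2 = nonce_source(), nonce_source()
    return {
        "e_hash1": e_hash(e_s1, psk_half(pin[:4])),
        "e_hash2": e_hash(e_s2, psk_half(pin[4:])),
    }


def pin_half_recoverable(e_hash_value: bytes, assumed_nonce: bytes):
    """Self-test for the commitment: try all 10^4 values of one PIN half under
    an assumed nonce and return the half if the commitment gives it away,
    else None. With a sound 128-bit random nonce the assumption is wrong and
    the search finds nothing; with an all-zero nonce it finishes in 10^4 HMACs."""
    for n in range(10_000):
        half = f"{n:04d}"
        if hmac.compare_digest(e_hash(assumed_nonce, psk_half(half)), e_hash_value):
            return half
    return None


def secure_nonce() -> bytes:
    return secrets.token_bytes(16)  # what the spec expects: fresh 128-bit randomness


def broken_nonce() -> bytes:
    return bytes(16)  # the "just zeroes" case the answer describes


if __name__ == "__main__":
    pin = "12345670"  # constructed sample PIN
    weak = enrollee_commit(pin, broken_nonce)
    sound = enrollee_commit(pin, secure_nonce)
    print("zero nonce   ->", pin_half_recoverable(weak["e_hash1"], bytes(16)))   # '1234'
    print("random nonce ->", pin_half_recoverable(sound["e_hash1"], bytes(16)))  # None
```

The point of the two runs is that nothing about the hash construction changes between them; only the nonce does. Because each PSK half is committed separately, a predictable nonce reduces the work to two independent searches of 10^4 values each, instead of one search over the 10^8 PIN space, which is what makes the answer's "even on a slow system" remark true. A firmware-side test like this (feed the device's own nonce generator into the commitment and check whether a PIN half falls out) is the check a vendor or auditor would want before shipping a WPS enrollee.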