v2.0 Latest Release · Termux / Android

WiFuX

WPS Security Testing Framework

An advanced WPS vulnerability scanner built for Termux on Android. Pixie Dust, bruteforce, MAC spoofing, session resume — all in one tool.

// one-line install
$ curl -sLo installer.sh https://raw.githubusercontent.com/msrofficial/WiFuX/main/installer.sh && bash installer.sh
Overview

What is WiFuX?

WiFuX is a WPS security testing framework for Termux on Android. WPS allows connecting via an 8-digit PIN — many routers have vulnerable implementations that WiFuX exploits through Pixie Dust or brute force.

// how WPS vulnerabilities work

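WPS uses an 8-digit PIN for authentication. Pixie Dust exploits weak nonce generation to extract the PIN offline in seconds. On routers without this weakness, smart bruteforce systematically tries all 11,000 possible PIN combinations, with session saving so you can pause and resume at any point. The count is 11,000 rather than 10^8 because the protocol confirms the two halves of the PIN separately and the eighth digit is a checksum, which leaves 10^4 + 10^3 candidates.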

Fast
Pixie Dust Attack

Extracts the WPS PIN offline in seconds using nonce correlation. Works against millions of routers worldwide.

Thorough
Smart Bruteforce

Intelligent PIN ordering with full session persistence. Resume exactly where you left off — no progress lost.

New
One-Pass Area Scan

Surveys every visible WPS network once. Remembers attacked BSSIDs and skips them on return visits.

Stealth
MAC Spoofing

Rotates the MAC address on every attempt, cutting through rate limits and bypassing router lockout.

Recon
Signal Analysis

Multi-scan signal profiling across 5 passes — gives you average, min and max signal before attacking.

Output
Multi-format Reports

Export credentials as HTML, TXT, CSV or JSON. Per-session outputs and a full timestamped activity log.

Documentation

Browse the Docs

Tutorial

Step-by-step setup and first attack — start here.

Arguments

Every flag explained with search and category filter.

Commands

wifux, wifux help, wifux fix — all short commands.

Examples

Every combination grouped by use case with copy buttons.

Output Demo

Animated terminal for every possible attack scenario.

Full Reference

All Capabilities

Every attack mode, stealth option, recon tool, and output format.

Pixie Dust (-K): Offline PIN extraction from WPS handshake nonces. Works in seconds on vulnerable routers. Most effective first-line attack.
Pixie Force (-F): Extended nonce range for partially patched routers. Use when standard Pixie Dust fails.
Smart Bruteforce (-B): Tries all ~11,000 WPS PIN combinations. Session auto-saved — resume anytime without losing progress.
One-Pass Area Scan (--auto): Attacks every visible WPS network once per pass. Skips already-attacked BSSIDs on subsequent runs.
Push Button Connect (--pbc): Authenticates when the WPS button on the router is pressed physically.
MAC Rotation (-M): Changes the device MAC address on every attempt. Bypasses rate limiting and router lockout counters.
Custom Delays (-d): Set seconds between attempts. Reduces lockout risk on locked-down routers.
Recurring Delay (--recurring-delay): Pause N seconds every X attempts. Format: 10:5 = pause 5s every 10 tries.
Ignore Locks (-L): Continue attacking even when the router reports WPS locked. Combine with delays for stubborn APs.
Lock Delay (--lock-delay): Wait a configurable amount of time after WPS lockout before retrying.
Signal Analysis (--signal-analysis): 5-scan profiling before attacking. Shows average, min, max signal per AP.
Vulnerability Check (--check-vuln): Full vulnerability report for the target before any attack starts.
Weak Chipset Detection (--detect-weak-algo): Highlights Realtek, Broadcom, Atheros, MediaTek chipsets known to be vulnerable.
Pixie Vulnerable List (--pixie-list): Prints all router models in the Pixie Dust vulnerability database.
Router Model DB (--list-all-models): Lists all vendor and model entries in the full router database.
HTML Reports (--html-report): Generate a formatted HTML report after the session. Use --report-format to change to txt, csv, or json.
JSON Output (--json-output): Append cracked credentials to a JSON file automatically.
CSV Output (--csv-output): Append cracked credentials to a CSV file — spreadsheet-ready.
Activity Log (--log-file): Write all session activity to a log file throughout the attack.
Detailed Report (--detailed-report): Includes signal strength, channel, and source in the report.
Auto Session Save: Bruteforce sessions are saved automatically. No manual action needed.
List Sessions (--list-sessions): Shows all saved sessions with BSSID and current progress mask.
Resume Session (--resume-session): Continue from the exact PIN mask where the last session stopped.
Auto Mode History (--auto-reset): Clear the area scan attack history to re-try all networks fresh.

Legal Disclaimer: WiFuX is for educational purposes and authorized security testing only. Attacking any network without explicit written permission is illegal in most jurisdictions. The author is not responsible for misuse.