WiFi cracker ESP8266(PBC)

This project using an ESP8266 to find the password of a WiFi access-point with PBC enabled.

Similar projects worth following
The basic idea of this project is based around a vulnerability in a WPS PBC enabled systems.
To revile the public key of the wifi hotspot or wifi access point.


  This is a feature of WiFi access-point which allows users to connect by simply pressing the button on the access-point.

But the problem with this method is that access-point does not have any control over which device gets the connection and 120 sec window makes it even worst.


  If we have a device which always keep looking for access-point to have a active WPS session and try to connect to it before the intended device does.


So we need a wifi device which should be small, cheep, low power, easy to get 

Am I describing the ESP8266?


IMAGINE!.. a ESP sticked underneath the table or chair with some chewing gum.

 We have a ESP8266 running on a coin cell which wake up from sleep and does it's work and sleep again for 100 sec. once we got the connection we can mail the SSID and PASSWORD to someone who needs it (may be YOU). and disconnect before any one gets to know about it. :)

PROBLEMS: ( for HACKADAY coin cell challenge)

The esp needs around 80mA when running and the coman  CR2032 (50mA max) can not provide that much ofcource there are other cells which can do that or just couple of CR2032 in parallel but then it violets the rules of "coin cell challenge"

my solution was to add a huge cap in circuit but no success ether

(all of this because i dint had other coin cell with me)


Great thing is the ESP supports the WPS PBC method but once you got connected there is currently no way to get the password out (at least i don't know)

good thing is that it should not be impossible because 'WINDOWS' can do that. so.......

                                     THIS IS ILLEGAL 

A little bit of Background: 
As many of you already know that wifi access-point have these feature called "wifi protected setup" or simply WPS.  The wps enabled system is 100% hack-able. 
But what i did't know that there is actually two types of WPS systems
so called WPS PIN method and WPS PBC  method which both of them work differently. Which i thought was same for quite a long time.
A couple of month back i was running 'wifite' on a mobile hotspot  and no luck no matter how many or how long i tried. which was weird because I have successfully run a pixie dust attack on the successor of that device. well normally this happens  the other way around.
And i tried WPA brute force also as most of time fail.

[at this time HACKADAY coin cell challenge was live]

Luckily one of my friend had this hotspot and i borowed it from him. and ofcourse i run the attack again, failed this time too

then i took a shortcut and tried to find WPS PIN in the settings page of that hotspot but i couldn't able to find the pin there obviously because there was no pin.

but the device itself had a button saying WPS, and which is also working. where is the pin then?

Then i realized that it is a WPS PBC not a WPS PIN.


As I'm moving to KiCad

x-kicad-schematic - 4.93 kB - 01/13/2019 at 07:09



Arduino code for esp8266 to connect to WiFi using WPS PBC

ino - 1.25 kB - 01/01/2018 at 13:51



schematics in eagle format

sch - 682.13 kB - 12/31/2017 at 17:38


  • 1 × ESP8266 WiFi microcontroller
  • 1 × CR2032 Batteries and Battery Accessories / Batteries
  • 3 × 10k Resistor resistor
  • 1 × 1000uf cap capacitor
  • 1 × Pin Header 7 pin pinheader

View all 6 components

  • 1
    No need to build

    For testing purposes you actually do not need to build one of these as it's just a esp8266 any dev board will work for testing and developing the software for it

  • 2
    When you need to build

    for building this project get the schematics first. It's just a basic connections for ESP. The important thing is a 1N4148 diode which work as a 5v to 3.3v level shiftier well if you have a 3.3v serial connection then you can skip the diode.

    And also   R1 and R3 it works fine but then when you will program the chip you have to take special care not to use these pins (gpio 15). i did not tried to skip R2.

  • 3

    It is a simple circuit you don't have to follow what i have did.

    But this is what i did 

    take a piece of perf board solder 7 headers to it then take some bare copper wire and make a ground pad on the solder side of perf board for coin cell where then you can solder a battery clip.  Take some more copper wire and solder it to the esp8266's  RESET,  VCC, GROUND, TX pins (4 separate wires). then pass these 4 wires through the perf board and solder on the solder side and make the connections to the header. REMEMBER the coin cell is also coming in so keep some room for it. 

    do the remaining connections with some thin wire like wire wrapping wire etc

View all 6 instructions

Enjoy this project?



harry98 wrote 04/22/2021 at 19:18 point

How does it can be done in ESP8266 NodeMCU board?

  Are you sure? yes | no

Sagar Naik wrote 01/13/2019 at 06:30 point

Anyone who wants to build this project should use ESP Arduino core "2.4.0-rc2" which is known to be working. The later versions did not

  Are you sure? yes | no


[this comment has been deleted]

Sagar Naik wrote 01/13/2019 at 06:16 point

In your schematic, is the 3.3V the same as BAT ?  ------> YES

is there a Voltage booster somewhere to get 3.3V ? ----->

No there is no boost converter.   yes the cr2032 is 3v but that's just 0.3v less than 3.3v so it should be fine as long as it can supply sufficient  current which cr2032 is not capable of  actually I just tried it with two AAA cells and it worked just fine :)

let me tell U something microcontrollers actually don't know what is 3.3v and 3v so.....

  Are you sure? yes | no

tarekstronghold wrote 11/20/2018 at 20:36 point

Can anyone explain by video way?

  Are you sure? yes | no

Sagar Naik wrote 01/13/2019 at 06:24 point

well yes I can but I won't :(

I can make video on connecting to WPS and using it, but no hacking stuff I don't want people to mes up

I'll put it here once I did that video or you can just subscribe to my YouTube

  Are you sure? yes | no

Sam Ofta wrote 11/12/2018 at 18:28 point

I can't see the problem for getting the password. You can just do "Serial.println(WiFi.psk());" in "if(wpsSuccess)".

  Are you sure? yes | no

Sagar Naik wrote 01/13/2019 at 06:19 point

No it doesn't work :(

did you got that working?

it just gives me blank when I try to do so...

  Are you sure? yes | no

bambie1234 wrote 01/23/2018 at 00:04 point

I dont quite understand how to use this tutorial. I put the code into nodemcu and on serial monitor all I see is “WPS config start”. I didnt touch the router.

  Are you sure? yes | no

Sagar Naik wrote 01/23/2018 at 10:32 point

This project is not completed yet, (I mean the hacking part) but it can make your ESP connect to your WPS PBC enabled router. You have to press the WPS button on router when ESP says "WPS config start". and ESP will connect to your router

  Are you sure? yes | no

Similar Projects

Does this project spark your interest?

Become a member to follow this project and never miss any updates