Updated FAQ (markdown)

FAQ.md

@@ -1,4 +1,4 @@
-- What's **WPS**? Why is needed if we have WPA?
+- What is **WPS**? Why is it needed if we have WPA?
 
 WPA is the protocol used to secure wireless traffic between the wireless base station and clients. WPS is a sort of key management protocol. It's used to send the network configuration, including the WPA passphrase, to the clients, and vice-versa, it's used to configure an existing network from a client. In case of in-band communication (i.e. wireless), this is done with message 7 and 8 of the protocol, respectively.
 
@@ -8,25 +8,25 @@ The purpose of WPS is to encourage users to use strong WPA passwords while makin
 
 WPS stands for Wireless Protected Setup and it's the original name, WSC for Wireless Simple Configuration and it's the name of the protocol since version 2. On Windows it's implemented under the Windows Connect Now (WCN) method.
 
-- Whats **pixiewps** for?
+- What is **pixiewps** for?
 
 It's for cracking the Wi-Fi Protected Setup PIN method(s) offline. It implements the so-called WPS "pixie-dust attack", discovered by Dominique Bongard in summer 2014. This method exploits low entropy pseudo-random number generators (PRNG) in some software implementations, and works only on some known vulnerable devices.
 
 This process can reduce the time of finding the correct PIN from hours to a few minutes or seconds. The PIN can later be used to recover the WPA-PSK from the Access Point using a tool like _Reaver_, _Bully_ or join directly the wireless network using _wpa_cli_ and other programs.
 
-- What's the difference between **online** and **offline** attacks?
+- What is the difference between **online** and **offline** attacks?
 
 _Online_ is used to refer to the process of supplying random PINs to the Access Point until the right one is guessed. This process is what traditional tools such as Reaver and Bully were built to do, and can take up to several hours, or not be feasible if strong mitigations are in place.
 
 The _offline_ method involves trying only one random PIN and collect some information during the process. This data can later be used to attempt the pixie-dust attack.
 
-- How's possible?
+- How is it possible?
 
-It has to do how the proof-of-possession of the PIN works. Both the Enrollee and the Registrar must take turn to prove the knowledge of the PIN. To do so, the PIN is split in two halves and the Enrollee on message 3 sends the Registrar two hashes of these halves, each one "protected" by a 128 bit random number, called Enrollee Secret Nonce 1 (E-S1) and Enrollee Secret Nonce 2 (E-S2) respectively.
+It has to do how the _proof-of-possession_ of the PIN works. Both the Enrollee and the Registrar must take turn to prove the knowledge of the PIN. To do so, the PIN is split in two halves and the Enrollee sends the Registrar two hashes of these halves, in **message 3** of the protocol, each one "protected" by a 128 bit "random number", called Enrollee Secret Nonce 1 (**E-S1**) and Enrollee Secret Nonce 2 (**E-S2**) respectively.
 
-These "secret" numbers will be later sent on message 5 and 7 giving the possibility to verify that indeed the device knew about the PIN halves before the Registrar sent its halves (on message 4 and 6).
+These "secret numbers" will be later sent on message 5 and 7 giving the possibility to verify that indeed the device knew about the PIN halves **before** the Registrar sent its halves (in message 4 and 6).
 
-The pixie-dust attack exploits the fact that on some devices these secret numbers are generated using insecure pseudo-random number generators which have 32 bits of state and no external entropy and that each half takes at most 10^4 guesses.
+The pixie-dust attack exploits the fact that on some devices these "secret numbers" are generated using insecure pseudo-random number generators which have 32 bits of state and no external entropy and that each half of the PIN takes at most 10^4 guesses.
 
 - Enrollee, Registrar?
 
@@ -42,13 +42,12 @@ The last digit in pre-configured PINs (printed on the sticker of the device) is
 
 Both are supported since the very first version of pixiewps.
 
-- What is the **authentication session key** (--authkey)?
+- What is the **authentication session key** (`--authkey`)?
 
 It's one of the session keys derived from from the Diffie-Hellman shared secret. It's used as key in the HMAC-SHA-256 functions. Since the protocol is executed between the attacker (e.g. Reaver) and the Access Point, third party tools like pixiewps need, in most cases, this session key in order to be able to carry on the attack.
 
-- Version **1.4** seems to be slower than **1.3**?
+- Version Y is slower than version X?
 
-No it's not. Version 1.4 can be 4x faster than 1.3 even on single thread (`-j 1`). In older versions some assumptions were made about static keys, nonces and other parameters that turned out not to be true. Recent versions have to do more work in order to work in all instances, more so if no `--mode` is specified.
+The most recent version of pixiewps must be considered the most "correct" and "general". It may be slower or faster compared to older versions but that doesn't matter. Pixiewps tries to do as little work as possible to recover the correct PIN, but you have to keep in mind that it only sees numbers in input, and it may not always be possible for it to take the "shortest path". Because of that, some versions may have to do more work in order to work in all instances, more so if no `--mode` is specified.
 
 It should be up to the user or the higher-level tool to detect the right vendor and supply the correct mode to pixiewps. This is fairly easy to do with a tool which uses monitor mode and can grab the vendor OUI tag from a beacon frame. When monitor mode is not an option, the user or tool can resort to the usual WPS fields like model, serial etc.
-