Bully is a new implementation of the WPS (Wifi Protected Setup) brute force attack. It’s almost identical as other already existing WPS brute force attack tools, but Bully represents an improved version of Reaver and includes a few advantages.
WPS (Wifi Protected Setup)
In the Wireless Security Protocols: WEP, WPA, WPA2 and WPA3, you can learn all about Wireless Attacks including WPS Attack.
WPS Brute Force Attack With Bully
Bully is developed to run on Linux, especially to embedded Linux systems, such as OpenWrt, etc. It also supports offline Pixie Dust attack. Unlike other tools with the same purpose of WPS attacks, Bully has several advantages including:
- improved memory and cpu performance, fewer dependencies, correct handling of endianness, detecting and handling improvements, a more robust set of options, etc.
First you’ll need to install the requirements:
$ apt-get -y install build-essential libpcap-dev aircrack-ng pixiewps
Clone the repo using
$ git clone https://github.com/aanarchyy/bully
$ wget https://github.com/aanarchyy/bully/archive/master.zip && unzip master.zip
To build, run the following:
$ cd bully*/ $ cd src/ $ make
And finally, you can run the install script:
$ sudo make install
-h to list all available options:
usage: bully <options> interface Required arguments: interface : Wireless interface in monitor mode (root required) -b, --bssid macaddr : MAC address of the target access point Or -e, --essid string : Extended SSID for the access point Optional arguments: -c, --channel N[,N...] : Channel number of AP, or list to hop [b/g] -i, --index N : Starting pin index (7 or 8 digits) [Auto] -l, --lockwait N : Seconds to wait if the AP locks WPS  -o, --outfile file : Output file for messages [stdout] -p, --pin N : Starting pin number (7 or 8 digits) [Auto] -s, --source macaddr : Source (hardware) MAC address [Probe] -v, --verbosity N : Verbosity level 1-4, 1 is quietest  -w, --workdir path : Location of pin/session files [~/.bully/] -5, --5ghz : Hop on 5GHz a/n default channel list [No] -B, --bruteforce : Bruteforce the WPS pin checksum digit [No] -F, --force : Force continue in spite of warnings [No] -S, --sequential : Sequential pins (do not randomize) [No] -T, --test : Test mode (do not inject any packets) [No] Advanced arguments: -d, --pixiewps : Attempt to use pixiewps [No] -a, --acktime N : Deprecated/ignored [Auto] -r, --retries N : Resend packets N times when not acked  -m, --m13time N : Deprecated/ignored [Auto] -t, --timeout N : Deprecated/ignored [Auto] -1, --pin1delay M,N : Delay M seconds every Nth nack at M5 [0,1] -2, --pin2delay M,N : Delay M seconds every Nth nack at M7 [5,1] -A, --noacks : Disable ACK check for sent packets [No] -C, --nocheck : Skip CRC/FCS validation (performance) [No] -D, --detectlock : Detect WPS lockouts unreported by AP [No] -E, --eapfail : EAP Failure terminate every exchange [No] -L, --lockignore : Ignore WPS locks reported by the AP [No] -M, --m57nack : M5/M7 timeouts treated as WSC_NACK's [No] -N, --nofcs : Packets don't contain the FCS field [Auto] -P, --probe : Use probe request for nonbeaconing AP [No] -R, --radiotap : Assume radiotap headers are present [Auto] -W, --windows7 : Masquerade as a Windows 7 registrar [No] -Z, --suppress : Suppress packet throttling algorithm [No] -V, --version : Print version info and exit -h, --help : Display this help information
-d // --pixiewps: performs an offline Pixie Dust attack, by automatically passing the PKE, PKR, E-Hash1, E-Hash2, E-Nonce and Authkey.
pixiewpswill then try to attack Ralink, Broadcom and Realtek chipsets.
-v // --verbosity: specifies the verbosity of bully.
-v 4now prints all the collected hashes and outputs the
pixiewpscommand run. Default runlevel is 3.