bully
Exploit WPS vulnerabilities to recover WPA keys
TLDR
Crack the password
Display help
SYNOPSIS
bully <interface> [options] [target]
PARAMETERS
-b <bssid>
Specify the BSSID (MAC address) of the target access point.
-c <channel>
Set the specific channel of the target AP.
-e <essid>
Specify the ESSID (network name) of the target access point.
-F
Force reassociation after each failed PIN attempt (aggressive mode).
-p <pin>
Specify a particular 8-digit PIN to try.
-S <pin>
Start the brute-force attack from a specific PIN.
-v <level>
Set the verbosity level for output (0-4; higher values give more detail).
-d <delay>
Set the delay (in seconds) between each PIN attempt to avoid detection.
-r
Periodically reassociate with the target AP to maintain connection.
-N
Do not send NACK fragments (can help prevent some APs from locking up).
-W <version>
Specify the WPS version (1 or 2, default 1) to target.
--hash <pin>
Output the hash for a given PIN (primarily for debugging purposes).
--pin-file <file>
Load a list of PINs from a specified file for the attack.
--bruteforce
Explicitly enable brute-force mode (often implied by default usage).
--force-continue
Continue the attack even if certain errors or failures occur.
--crack
Attempt to crack the WPA/WPA2 passphrase using the recovered PIN.
--show-key
Display the WPA/WPA2 key if it is successfully recovered.
DESCRIPTION
Bully is an open-source command-line tool designed for performing brute-force attacks against Wi-Fi Protected Setup (WPS) enabled access points. Its primary goal is to recover the WPS PIN, which can subsequently be used to obtain the WPA/WPA2 passphrase of a wireless network. Written in C, Bully was developed as a more efficient and robust alternative to earlier WPS attack tools like Reaver, featuring improved performance and compatibility. It exploits a known design flaw in the WPS protocol where the 8-digit PIN can be validated in two separate halves, drastically reducing the number of attempts needed for a successful brute-force attack. The tool requires a wireless adapter capable of monitor mode and packet injection. By systematically trying various PIN combinations and analyzing the target AP's responses, Bully can often discover the correct PIN and reveal the network's security key.
CAVEATS
1. Legal and Ethical Use: Bully is a penetration testing tool. Using it on networks without explicit permission from the owner is illegal and unethical in most jurisdictions. Users are solely responsible for their actions.
2. Prerequisites: Requires a compatible wireless network adapter capable of monitor mode and packet injection. Root privileges (e.g., using `sudo`) are necessary to run the command.
3. Effectiveness: Many modern routers have implemented countermeasures such as WPS rate-limiting or lockout mechanisms, which can significantly reduce or even negate Bully's effectiveness.
4. Distribution: Bully is not a standard utility in most general-purpose Linux distributions; it is commonly found in specialized penetration testing distributions like Kali Linux or Parrot OS.
TARGET AUDIENCE
Bully is primarily used by cybersecurity professionals, ethical hackers, and security researchers for penetration testing and auditing wireless network security. Effective use requires a foundational understanding of wireless networking concepts, command-line operations, and ethical hacking principles.
WPS VULNERABILITY EXPLOITED
The tool exploits a fundamental design flaw in the Wi-Fi Protected Setup (WPS) protocol. The 8-digit PIN used for WPS is validated in two separate halves (the first 4 digits and the next 3 digits, with the last digit being a checksum). This allows an attacker to brute-force each half independently, dramatically reducing the number of possible PINs from 10^8 (100 million) to approximately 10^4 + 10^3 (around 11,000), making brute-forcing feasible within a reasonable timeframe.
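Added example (not part of the original page and not Bully's code): a small model of the PIN structure described above, useful when judging how much a WPS lockout policy on an access point actually buys. It uses the standard WPS PIN checksum; the per-guess time and the lockout policies are hypothetical values chosen for illustration.

```python
# Added example: models the WPS PIN keyspace described above; not Bully's code.

def wps_checksum(body7: int) -> int:
    """Checksum digit for the first 7 PIN digits (standard WPS PIN checksum)."""
    accum = 0
    while body7:
        accum += 3 * (body7 % 10)
        body7 //= 10
        accum += body7 % 10
        body7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 ASCII digits and its last digit matches the checksum."""
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def search_space(split_validation: bool) -> int:
    """Worst-case number of PIN guesses an AP must withstand."""
    if split_validation:
        # Halves confirmed separately: 4 digits, then 3 digits + derived checksum.
        return 10**4 + 10**3
    # PIN confirmed only as a whole: 7 free digits, the checksum is derived.
    return 10**7


def worst_case_seconds(guesses: int, secs_per_guess: int,
                       lock_after: int = 0, lock_secs: int = 0) -> int:
    """Time to exhaust `guesses` when the AP locks WPS for lock_secs after
    every lock_after failures (0 = no lockout). Parameters are hypothetical."""
    lockouts = (guesses - 1) // lock_after if lock_after else 0
    return guesses * secs_per_guess + lockouts * lock_secs


if __name__ == "__main__":
    n = search_space(split_validation=True)
    # Constructed policies: (failures before lock, lock duration in seconds).
    for lock_after, lock_secs in [(0, 0), (3, 60), (3, 3600)]:
        hours = worst_case_seconds(n, 3, lock_after, lock_secs) / 3600
        print(f"lock after {lock_after or '-'} / {lock_secs}s: {hours:,.1f} h")
    print("whole-PIN validation, no lockout:",
          f"{worst_case_seconds(search_space(False), 3) / 3600:,.0f} h")
```

A lockout policy stretches the exhaustion time but leaves the search space at about 11,000 guesses, which is why disabling WPS PIN entry removes the exposure while rate-limiting only delays it.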
HISTORY
Bully was developed by t6_x (Brian Wallace) and first released around 2012. It emerged as an improved alternative to the then-popular Reaver tool, aiming to offer a more robust and efficient mechanism for WPS brute-forcing. Written entirely in C, Bully quickly gained traction within the cybersecurity community for its speed and reliability in exploiting the inherent WPS vulnerability. Its development and widespread use further contributed to public awareness of the severe security weaknesses in the WPS protocol, prompting router manufacturers to implement stronger defenses or disable WPS by default in newer firmware versions.
SEE ALSO
aircrack-ng(8), reaver(1), wash(1), airodump-ng(8), airmon-ng(8)