Bully: WPS Brute Force Attack

Last Release: 02/09/2016    

Bully: WPS Brute Force Attack


Bully is a new implementation of the WPS (Wifi Protected Setup) brute force attack. It’s almost identical as other already existing WPS brute force attack tools, but Bully represents an improved version of Reaver and includes a few advantages. You can take a look at Brute Force Attack Against WPS – Reaver, to see its features and compare them to the Bully.

WPS (Wifi Protected Setup)

WPS was introduced in 2006, and the goal of the protocol is to allow home users who know little of wireless security to set up Wi-Fi Protected Access, as well as making it easy to add new devices to an existing network without entering long passphrases. In December 2011 a flaw was revealed that affects wireless routers with the WPS feature. That flaw allows a remote attacker to recover the WPS PIN in a few hours with a brute-force attack and, with the WPS PIN, the network’s WPA/WPA2 pre-shared key

In the Wireless Security Protocols: WEP, WPA, WPA2 and WPA3, you can learn all about Wireless Attacks including WPS Attack.

WPS Brute Force Attack With Bully

Bully is developed to run on Linux, especially to embedded Linux systems, such as OpenWrt, etc. It also supports offline Pixie Dust attack. Unlike other tools with the same purpose of WPS attacks, Bully has several advantages including:

  • improved memory and cpu performance, fewer dependencies, correct handling of endianness, detecting and handling improvements, a more robust set of options, etc.
Pixie Dust attack is an offline attack which exploits a WPS vulnerability. The tool, Pixiewps, is written in C and works with a modified version of Reaver. In case when a wireless router is vulnerable for this attack, you’ll be able to retrieve the passphrase in a few seconds.


Note: In order to perform Pixie Dust attack, you need to have Wiire’s Pixiewps installed.


First you’ll need to install the requirements:

$ apt-get -y install build-essential libpcap-dev aircrack-ng pixiewps

Clone the repo using git:

$ git clone https://github.com/aanarchyy/bully 

or download:

$ wget https://github.com/aanarchyy/bully/archive/master.zip && unzip master.zip 

To build, run the following:

$ cd bully*/ 
$ cd src/
$ make

And finally, you can run the install script:

$ sudo make install

Basic Usage

Use -h to list all available options:

usage: bully <options> interface

  Required arguments:

      interface      : Wireless interface in monitor mode (root required)

      -b, --bssid macaddr    : MAC address of the target access point
      -e, --essid string     : Extended SSID for the access point

  Optional arguments:

      -c, --channel N[,N...] : Channel number of AP, or list to hop [b/g]
      -i, --index N          : Starting pin index (7 or 8 digits)  [Auto]
      -l, --lockwait N       : Seconds to wait if the AP locks WPS   [43]
      -o, --outfile file     : Output file for messages          [stdout]
      -p, --pin N            : Starting pin number (7 or 8 digits) [Auto]
      -s, --source macaddr   : Source (hardware) MAC address      [Probe]
      -v, --verbosity N      : Verbosity level 1-4, 1 is quietest     [3]
      -w, --workdir path     : Location of pin/session files  [~/.bully/]
      -5, --5ghz             : Hop on 5GHz a/n default channel list  [No]
      -B, --bruteforce       : Bruteforce the WPS pin checksum digit [No]
      -F, --force            : Force continue in spite of warnings   [No]
      -S, --sequential       : Sequential pins (do not randomize)    [No]
      -T, --test             : Test mode (do not inject any packets) [No]

  Advanced arguments:

      -d, --pixiewps         : Attempt to use pixiewps               [No]
      -a, --acktime N        : Deprecated/ignored                  [Auto]
      -r, --retries N        : Resend packets N times when not acked  [2]
      -m, --m13time N        : Deprecated/ignored                  [Auto]
      -t, --timeout N        : Deprecated/ignored                  [Auto]
      -1, --pin1delay M,N    : Delay M seconds every Nth nack at M5 [0,1]
      -2, --pin2delay M,N    : Delay M seconds every Nth nack at M7 [5,1]
      -A, --noacks           : Disable ACK check for sent packets    [No]
      -C, --nocheck          : Skip CRC/FCS validation (performance) [No]
      -D, --detectlock       : Detect WPS lockouts unreported by AP  [No]
      -E, --eapfail          : EAP Failure terminate every exchange  [No]
      -L, --lockignore       : Ignore WPS locks reported by the AP   [No]
      -M, --m57nack          : M5/M7 timeouts treated as WSC_NACK's  [No]
      -N, --nofcs            : Packets don't contain the FCS field [Auto]
      -P, --probe            : Use probe request for nonbeaconing AP [No]
      -R, --radiotap         : Assume radiotap headers are present [Auto]
      -W, --windows7         : Masquerade as a Windows 7 registrar   [No]
      -Z, --suppress         : Suppress packet throttling algorithm  [No]
      -V, --version          : Print version info and exit
      -h, --help             : Display this help information


  • -d // --pixiewps : performs an offline Pixie Dust attack, by automatically passing the PKE, PKR, E-Hash1, E-Hash2, E-Nonce and Authkey. pixiewps will then try to attack Ralink, Broadcom and Realtek chipsets.
  • -v // --verbosity : specifies the verbosity of bully. -v 4 now prints all the collected hashes and outputs the pixiewps command run. Default runlevel is 3.
Download Box