Bully

Bully is a WPS brute force attack tool that exploits design flaws in the WPS specification to recover wireless network PINs. It supports monitor mode interfaces and offers improved performance over previous implementations.

Description

Bully is a high-performance implementation of the WPS brute force attack written in C. It targets the well-known design flaw in WPS implementations that allows PIN recovery through systematic brute force attempts. The tool supports both BSSID and ESSID targeting and works with wireless interfaces in monitor mode.

Key advantages over the original Reaver implementation include fewer dependencies, better memory and CPU efficiency, proper endianness handling, and a more robust option set. Bully is particularly effective against access points that have WPS enabled, even when WPS is locked, and its handling of lockout delays is configurable.

Use cases include wireless penetration testing, WPS vulnerability assessment, and security auditing of wireless networks. The tool creates randomized PIN files and maintains state across sessions for efficient recovery.

How It Works

Bully exploits the WPS PIN brute force vulnerability by sending authentication messages (M1-M7) to the target access point from an interface in monitor mode. It systematically tries 8-digit WPS PINs, leveraging the reduced search space from the checksum algorithm (first 4 digits, then last 4). The tool handles WPS lockouts with configurable delays, supports pixiewps for offline PIN recovery using timing attacks, and maintains session state with pin index tracking. It uses radiotap headers and proper datalink type handling for packet transmission.
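
The search-space reduction described above, worked through as an added example (not code from Bully or from this page): the eighth PIN digit is a checksum of the first seven, and the two halves are checked separately, so the candidates number 10^4 + 10^3 rather than 10^8. The per-attempt time and lockout policy passed to `worst_case_hours` are assumed values, used to judge how much a lockout delay actually slows exhaustion of the PIN space.

```python
"""WPS PIN structure: checksum digit and split-half search space (added example)."""


def wps_checksum(first7: int) -> int:
    """Checksum digit for the first seven PIN digits (weights 3,1,3,... from the right)."""
    accum, weight = 0, 3
    while first7:
        accum += weight * (first7 % 10)
        first7 //= 10
        weight = 4 - weight  # alternate 3 -> 1 -> 3
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 ASCII digits and its last digit matches the checksum."""
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def search_space() -> dict:
    """Candidate counts under each model of how the PIN is verified."""
    return {
        "raw_8_digits": 10**8,
        "with_checksum": 10**7,         # digit 8 is determined by digits 1-7
        "split_halves": 10**4 + 10**3,  # digits 1-4, then digits 5-7 plus checksum
    }


def worst_case_hours(per_attempt_s: float, lock_after: int, lock_wait_s: int) -> float:
    """Upper bound on the time to exhaust the split space when the AP locks WPS
    for lock_wait_s seconds after every lock_after failures (assumed policy)."""
    attempts = search_space()["split_halves"]
    lockouts = attempts // lock_after
    return (attempts * per_attempt_s + lockouts * lock_wait_s) / 3600


if __name__ == "__main__":
    print(is_valid_pin("54744431"))  # PIN from the page's -p example
    print(search_space())
    # Constructed policy: 3 s per attempt, 60 s lock after every 3 failures.
    print(round(worst_case_hours(3, 3, 60), 1))
```

Even with the constructed lockout policy the bound stays in the range of days, which is why disabling WPS PIN authentication is the reliable mitigation rather than relying on lockout timers.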

Installation

sudo apt install bully

Flags

-b, --bssid      MAC address of the target access point
-e, --essid      Extended SSID for the access point
-c, --channel    Channel number of AP, or list to hop [b/g]
-i, --index      Starting pin index (7 or 8 digits) [Auto]
-l, --lockwait   Seconds to wait if the AP locks WPS [43]
-o, --outfile    Output file for messages [stdout]
-p, --pin        Starting pin number (7 or 8 digits) [Auto]
-s, --source     Source (hardware) MAC address [Probe]
-u, --lua        Lua script file
-v, --verbosity  Verbosity level 1-4, 1 is quietest [3]
-d, --pixiewps   Attempt to use pixiewps [No]
-r, --retries    Resend packets N times when not acked [2]
-A, --noacks     Disable ACK check for sent packets [No]

Examples

Attack the wireless ESSID '6F36E6' through the monitor mode interface wlan0mon
bully -e 6F36E6 wlan0mon
Show help and usage information for bully
bully -h
Attack using BSSID MAC address through monitor mode interface
bully -b 9c:d3:6d:b8:ff:56 wlan0mon
Attack ESSID on specific channel 8
bully -e 6F36E6 -c 8 wlan0mon
Start from specific PIN index 0000000
bully -e 6F36E6 -i 0000000 wlan0mon
Start from specific PIN number 54744431
bully -e 6F36E6 -p 54744431 wlan0mon
Enable pixiewps offline attack support
bully -e 6F36E6 -d wlan0mon
Set WPS lockout wait time to 60 seconds
bully -e 6F36E6 -l 60 wlan0mon
Updated 2026-04-16. Source: kali.org