Bully is a neat program for wireless auditing: it allows to test WPS PINs against my router or access point so I can know if it is secure enough. Example:
$ sudo bully mon0 --bssid 11:22:33:44:55:66 -v 3 --bruteforce --pin 63370000
[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'mon0' to channel '6'
[!] Using 'AA:BB:CC:DD:EE:FF' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '11:22:33:44:55:66' on channel '6'
[+] Got beacon for 'NoamChomsky' (11:22:33:44:55:66)
[+] Loading randomized pins from '/root/.bully/pins'
[+] Index of starting pin number is '6337228'
[+] Last State = 'NoAssoc' Next pin '85389380'
[+] Rx( M5 ) = 'Pin1Bad' Next pin '75329389'
[+] Rx( M5 ) = 'Pin1Bad' Next pin '99129385'
...
^C
Saved session to '/root/.bully/112233445566.run'
as you see (note the reference to "randomized pins"), PINs are checked calculating them according to the WPS specification (so they seem not have a logical ordering).
If I want to continue the test, there is no problem at all: the same command line automatically yields:
$ sudo bully mon0 --bssid 11:22:33:44:55:66 -v 3
[!] Restoring session from '/root/.bully/112233445566.run'
...
^C
But sometimes the interesting part is to not keeping the WPS specification for 8-digit PINs (something about checksums and so on), but test them all (also known as bruteforce mode).
Example (note the reference to "sequential mode") starting from PIN 63370000:
$ sudo bully mon0 --bssid 11:22:33:44:55:66 -v 3 --bruteforce --pin 63370000
[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'mon0' to channel '6'
[!] Starting pin specified, defaulting to sequential mode
[!] Using 'AA:BB:CC:DD:EE:FF' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '11:22:33:44:55:66' on channel '6'
[+] Got beacon for 'NoamChomsky' (11:22:33:44:55:66)
[+] Index of starting pin number is '63370000'
[+] Last State = 'NoAssoc' Next pin '63370000'
[+] Rx( M7 ) = 'Pin2Bad' Next pin '63370001'
[+] Rx( M7 ) = 'Pin2Bad' Next pin '63370002'
^C
Saved session to '/root/.bully/8c0ca32a2751.run'
And here comes the problem, because if the test is aborted (or disconnected, or computer hangs... etc) and I desire to continue it later:
$ sudo bully mon0 --bssid 11:22:33:44:55:66 -v 3 --bruteforce --pin 63370000
[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'mon0' to channel '6'
[!] Starting pin specified, defaulting to sequential mode
[!] Using 'AA:BB:CC:DD:EE:FF' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '11:22:33:44:55:66' on channel '6'
[+] Got beacon for 'NoamChomsky' (11:22:33:44:55:66)
[!] Restoring session from '/root/.bully/8c0ca32a2751.run'
[+] Index of starting pin number is '63370000'
[+] Last State = 'NoAssoc' Next pin '63370000'
[+] Rx( M7 ) = 'Pin2Bad' Next pin '63370001'
[+] Rx( M7 ) = 'Pin2Bad' Next pin '63370002'
It seems (note the sequence restarting from 63370000) the Restoring session from is not behaving as it should.
The odd part is that testing the full spectrum of numbers can easily last hours or even days, so restoring the task is an important matter here. What can I do to continue WPS PINs testing from the point where the program stopped last time?
