Penetration Testing Tools

mdk4
Updated on October 13, 2018 By KaliTools

mdk4 Description

MDK is a proof-of-concept tool to exploit common IEEE 802.11 protocol weaknesses.

MDK4 is a new version of MDK3.

MDK4 is a Wi-Fi testing tool from E7mer of 360PegasusTeam and ASPj of k2wrlz. It uses the osdep library from the aircrack-ng project to inject frames on several operating systems.

Features

Supports two WiFi cards (one for receiving data, another for injecting data).

Supports blocking the specified ESSID/BSSID/Station MAC via command options.

Supports both 2.4 and 5 GHz (Linux).

Supports IDS evasion (ghosting, fragmenting; does not fully work with every driver).

Supports packet fuzz testing.

Homepage: https://github.com/aircrack-ng/mdk4

Author: E7mer

License: GPLv3

mdk4 Help

MDK USAGE:

mdk4 <interface> <attack_mode> [attack_options]
mdk4 <interface in> <interface out> <attack_mode> [attack_options]

There are 9 attack modules, they are denoted by a single letter.

ATTACK MODE b: Beacon Flooding
Sends beacon frames to show fake APs at clients. This can sometimes crash network scanners and even drivers!

ATTACK MODE a: Authentication Denial-Of-Service
Sends authentication frames to all APs found in range. Too many clients can freeze or reset several APs.

ATTACK MODE p: SSID Probing and Bruteforcing
Probes APs and checks for answer, useful for checking if SSID has been correctly decloaked and if AP is in your sending range. Bruteforcing of hidden SSIDs with or without a wordlist is also available.

ATTACK MODE d: Deauthentication and Disassociation
Sends deauthentication and disassociation packets to stations based on data traffic to disconnect all clients from an AP.

ATTACK MODE m: Michael Countermeasures Exploitation
Sends random packets or re-injects duplicates on another QoS queue to provoke Michael Countermeasures on TKIP APs. AP will then shutdown for a whole minute, making this an effective DoS.

ATTACK MODE e: EAPOL Start and Logoff Packet Injection
Floods an AP with EAPOL Start frames to keep it busy with fake sessions and thus disables it to handle any legitimate clients. Or logs off clients by injecting fake EAPOL Logoff messages.

ATTACK MODE s: Attacks for IEEE 802.11s mesh networks
Various attacks on link management and routing in mesh networks. Flood neighbors and routes, create black holes and divert traffic!

ATTACK MODE w: WIDS Confusion
Confuse/Abuse Intrusion Detection and Prevention Systems by cross-connecting clients to multiple WDS nodes or fake rogue APs.

ATTACK MODE f: Packet Fuzzer
A simple packet fuzzer with multiple packet sources and a nice set of modifiers. Be careful!

FULL OPTIONS:

ATTACK MODE b: Beacon Flooding
Sends beacon frames to generate fake APs at clients.
This can sometimes crash network scanners and drivers!
  -n <ssid>
      Use SSID <ssid> instead of randomly generated ones
  -a
      Use also non-printable caracters in generated SSIDs
      and create SSIDs that break the 32-byte limit
  -f <filename>
      Read SSIDs from file
  -v <filename>
      Read MACs and SSIDs from file. See example file!
  -t <adhoc>
      -t 1 = Create only Ad-Hoc network
      -t 0 = Create only Managed (AP) networks
      without this option, both types are generated
  -w <encryptions>
      Select which type of encryption the fake networks shall have
      Valid options: n = No Encryption, w = WEP, t = TKIP (WPA), a = AES (WPA
      You can select multiple types, i.e. "-w wta" will only create WEP and W
  -b <bitrate>
      Select if 11 Mbit (b) or 54 MBit (g) networks are created
      Without this option, both types will be used.
  -m
      Use valid accesspoint MAC from built-in OUI database
  -h
      Hop to channel where network is spoofed
      This is more effective with some devices/drivers
      But it reduces packet rate due to channel hopping.
  -c <chan>
      Create fake networks on channel <chan>. If you want your card to
      hop on this channel, you have to set -h option, too.
  -i <HEX>
      Add user-defined IE(s) in hexadecimal at the end of the tagged paramete
  -s <pps>
      Set speed in packets per second (Default: 50)

ATTACK MODE a: Authentication Denial-Of-Service
Sends authentication frames to all APs found in range.
Too many clients can freeze or reset several APs.
  -a <ap_mac>
      Only test the specified AP
  -m
      Use valid client MAC from built-in OUI database
  -i <ap_mac>
      Perform intelligent test on AP
      This test connects clients to the AP and reinjects sniffed data to keep
  -s <pps>
      Set speed in packets per second (Default: unlimited)

ATTACK MODE p: SSID Probing and Bruteforcing
Probes APs and checks for answer, useful for checking if SSID has
been correctly decloaked and if AP is in your sending range.
Bruteforcing of hidden SSIDs with or without a wordlist is also available.
  -e <ssid>
      SSID to probe for
  -f <filename>
      Read SSIDs from file for bruteforcing hidden SSIDs
  -t <bssid>
      Set MAC address of target AP
  -s <pps>
      Set speed (Default: 400)
  -b <character sets>
      Use full Bruteforce mode (recommended for short SSIDs only!)
      You can select multiple character sets at once:
      * n (Numbers: 0-9)
      * u (Uppercase: A-Z)
      * l (Lowercase: a-z)
      * s (Symbols: ASCII)
  -p <word>
      Continue bruteforcing, starting at <word>.
  -r <channel>
      Probe request tests (mod-musket)

ATTACK MODE d: Deauthentication and Disassociation
Sends deauthentication and disassociation packets to stations
based on data traffic to disconnect all clients from an AP.
  -w <filename>
      Read file containing MACs not to care about (Whitelist mode)
  -b <filename>
      Read file containing MACs to run test on (Blacklist Mode)
  -s <pps>
      Set speed in packets per second (Default: unlimited)
  -x
      Enable full IDS stealth by matching all Sequence Numbers
      Packets will only be sent with clients' addresses
  -c [chan,chan,...,chan[:speed]]
      Enable channel hopping. When -c h is given, mdk4 will hop an all
      14 b/g channels. Channel will be changed every 3 seconds,
      if speed is not specified. Speed value is in milliseconds!
  -E <AP ESSID>
      Specify an AP ESSID to attack.
  -B <AP BSSID>
      Specify an AP BSSID to attack.
  -S <Station MAC address>
      Specify a station MAC address to attack.

ATTACK MODE m: Michael Countermeasures Exploitation
Sends random packets or re-injects duplicates on another QoS queue
to provoke Michael Countermeasures on TKIP APs.
AP will then shutdown for a whole minute, making this an effective DoS.
  -t <bssid>
      Set target AP, that runs TKIP encryption
  -j
      Use the new QoS exploit which only needs to reinject a few packets inst
      of the random packet injection, which is unreliable but works without Q
  -s <pps>
      Set speed in packets per second (Default: 400)
  -w <seconds>
      Wait <seconds> between each random packet burst (Default: 10)
  -n <count>
      Send <count> random packets per burst (Default: 70)

ATTACK MODE e: EAPOL Start and Logoff Packet Injection
Floods an AP with EAPOL Start frames to keep it busy with fake sessions
and thus disables it to handle any legitimate clients.
Or logs off clients by injecting fake EAPOL Logoff messages.
  -t <bssid>
      Set target WPA AP
  -s <pps>
      Set speed in packets per second (Default: 400)
  -l
      Use Logoff messages to kick clients

ATTACK MODE s: Attacks for IEEE 802.11s mesh networks
Various attacks on link management and routing in mesh networks.
Flood neighbors and routes, create black holes and divert traffic!
  -f <type>
      Basic fuzzing tests. Picks up Action and Beacon frames from the air, mo
      The following modification types are implemented:
      1: Replay identical frame until new one arrives (duplicate flooding)
      2: Change Source and BSSID (possibly resulting in Neighbor Flooding)
      3: Cut packet short, leave 802.11 header intact (find buffer errors)
      4: Shotgun mode, randomly overwriting bytes after header (find bugs)
      5: Skript-kid's automated attack trying all of the above randomly
  -b <impersonated_meshpoint>
      Create a Blackhole, using the impersonated_meshpoint's MAC address
      mdk4 will answer every incoming Route Request with a perfect route over
  -p <impersonated_meshpoint>
      Path Request Flooding using the impersonated_meshpoint's address
      Adjust the speed switch (-s) for maximum profit!
  -l
      Just create loops on every route found by modifying Path Replies
  -s <pps>
      Set speed in packets per second (Default: 100)
  -n <meshID>
      Target this mesh network

ATTACK MODE w: WIDS Confusion
Confuse/Abuse Intrusion Detection and Prevention Systems by
cross-connecting clients to multiple WDS nodes or fake rogue APs.
Confuses a WDS with multi-authenticated clients which messes up routing tables
  -e <SSID>
      SSID of target WDS network
  -c [chan,chan,...,chan[:speed]]
      Enable channel hopping. When -c h is given, mdk4 will hop an all
      14 b/g channels. Channel will be changed every 3 seconds,
      if speed is not specified. Speed value is in milliseconds!
  -z
      activate Zero_Chaos' WIDS exploit
      (authenticates clients from a WDS to foreign APs to make WIDS go nuts)
  -s <pps>
      Set speed in packets per second (Default: 100)

ATTACK MODE f: Packet Fuzzer
A simple packet fuzzer with multiple packet sources
and a nice set of modifiers. Be careful!
mdk4 randomly selects the given sources and one or multiple modifiers.
  -s <sources>
      Specify one or more of the following packet sources:
      a - Sniff packets from the air
      b - Create valid beacon frames with random SSIDs and properties
      c - Create CTS frames to broadcast (you can also use this for a CTS DoS
      p - Create broadcast probe requests
  -m <modifiers>
      Select at least one of the modifiers here:
      n - No modifier, do not modify packets
      b - Set destination address to broadcast
      m - Set source address to broadcast
      s - Shotgun: randomly overwrites a couple of bytes
      t - append random bytes (creates broken tagged parameters in beacons/pr
      c - Cut packets short, preferably somewhere in headers or tags
      d - Insert random values in Duration and Flags fields
  -c [chan,chan,...,chan[:speed]]
      Enable channel hopping. When -c h is given, mdk4 will hop an all
      14 b/g channels. Channel will be changed every 3 seconds,
      if speed is not specified. Speed value is in milliseconds!
  -p <pps>
      Set speed in packets per second (Default: 250)

This version supports IDS Evasion (Ghosting). Just append --ghost <period>,<max_rate>,<min_txpower> after your attack mode identifier to enable ghosting!

<period> : How often (in ms) to switch rate/power
<max_rate> : Maximum Bitrate to use in MBit
<min_txpower> : Minimum TX power in dBm to use

NOTE: Does not fully work with every driver, YMMV…

This version supports IDS Evasion (Fragmenting). Just append --frag <min_frags>,<max_frags>,<percent> after your attack mode identifier to fragment all outgoing packets, possibly avoiding lots of IDS!

<min_frags> : Minimum fragments to split packets into
<max_frags> : Maximum amount of fragments to create
<percent> : Percantage of packets to fragment

NOTE: May not fully work with every driver, YMMV…

HINT: Set max_frags to 0 to enable standard compliance

Solving the problem with the error «ioctl(SIOCSIWMODE) failed: Device or resource busy»

If you receive the following message when launching an attack:

ioctl(SIOCSIWMODE) failed: Device or resource busy
ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead. Make
sure RFMON is enabled: run 'airmon-ng start wlo1 <#>'
Sysfs injection support was not found either.
open interface wlo1 failed.
Starting OSDEP failed

This means that you need to stop programs that can use the wireless interface, and also put your wireless adapter into monitor mode.

To stop interfering processes:

sudo systemctl stop NetworkManager.service
sudo airmon-ng check kill

To switch to monitor mode, use the following commands:

sudo ip link set <INTERFACE> down
sudo iw <INTERFACE> set monitor control
sudo ip link set <INTERFACE> up

For example, to put the wlo1 interface into monitor mode:

sudo ip link set wlo1 down
sudo iw wlo1 set monitor control
sudo ip link set wlo1 up

mdk4 Usage Example

Run the 'Beacon Flooding' attack (b), which creates the appearance of many fake access points, on the wireless interface wlo1, also using non-printable characters in the generated SSIDs and creating SSIDs that break the 32-byte limit (-a), with valid access point MACs from the built-in OUI database (-m), sending packets at a speed of 500 packets per second (-s 500):

sudo mdk4 wlo1 b -a -m -s 500

How to install mdk4

Installation on Kali Linux

sudo apt install mdk4

Installation on BlackArch

sudo pacman -S pkg-config libnl libpcap
git clone https://github.com/aircrack-ng/mdk4
cd mdk4/
make
sudo make install

Installation on Linux (Debian, Mint, Ubuntu)

sudo apt install pkg-config libnl-3-dev libnl-genl-3-dev libpcap-dev
git clone https://github.com/aircrack-ng/mdk4
cd mdk4/
make
sudo make install

mdk4 Screenshots

The result of the b attack:


mdk4 Tutorials
For more information about how attacks work, see the mdk3 help.

© 2019 Penetration Testing Tools. All Rights Reserved.