.TH MDK3 "1" "August 2018" "mdk3 6.0" "wireless attack tool for IEEE 802.11 networks"
.SH NAME
\fBmdk3\fR \- wireless attack tool for IEEE 802.11 networks
.SH SYNOPSIS
.B mdk3 <interface> <test_mode> [test_options]
.SH DESCRIPTION
MDK is a proof\-of\-concept tool to exploit common IEEE 802.11 protocol weaknesses.
.PP
.SH OPTIONS
\fB\-\-fullhelp\fR
.IP
Show all test options.
.PP
\fB\-\-help\fR <test_mode>
.IP
Show test options about <test_mode>.
.PP
.SS TEST MODES
\fBb\fR   \- Beacon Flood Mode
.IP
Sends beacon frames to show fake APs at clients.
.IP
This can sometimes crash network scanners and even drivers!
.PP
\fBa\fR   \- Authentication DoS mode
.IP
Sends authentication frames to all APs found in range.
.IP
Too much clients can freeze or reset some APs.
.PP
\fBp\fR   \- Basic probing and ESSID Bruteforce mode
.IP
Probes AP and check for answer, useful for checking if SSID has
been correctly decloaked or if AP is within your Wi-Fi interface's sending range.
.IP
SSID Bruteforcing is also possible with this test mode.
.PP
\fBd\fR   \- Deauthentication / Disassociation Amok Mode
.IP
Kicks out everybody found from AP.
.PP
\fBm\fR   \- Michael shutdown exploitation (TKIP)
.IP
Cancels all traffic continuously.
.PP
\fBx\fR   \- 802.1X tests.
.PP
\fBw\fR   \- WIDS/WIPS Confusion.
.IP
Confuse/Abuse Intrusion Detection and Prevention Systems.
.PP
\fBf\fR   \- MAC filter bruteforce mode
.IP
Uses a list of known client MAC Addresses and tries to
authenticate them to the given AP while dynamically changing
its response timeout for best performance. It currently works only
on APs who deny an open authentication request properly.
.PP
\fBg\fR   \- WPA Downgrade test
.IP
Deauthenticates Stations and APs sending WPA encrypted packets.
.IP
All the unencrypted and WEP networks will still work.
.PP
.SS TEST MODES OPTIONS
.B b   \- Beacon Flood Mode
.IP
Sends beacon frames to show fake APs at clients.
.IP
This can sometimes crash network scanners and even drivers!
.PP
.RS
\fB\-n\fR <ssid>
.IP
Use SSID <ssid> instead of randomly generated ones.
.PP
\fB\-f\fR <filename>
.IP
Read SSIDs from file.
.PP
\fB\-v\fR <filename>
.IP
Read MACs and SSIDs from file. See example file at /usr/share/doc/mdk3/fakeap-example.txt.
.PP
\fB\-d\fR
.IP
Fake Ad\-Hoc stations.
.PP
\fB\-w\fR
.IP
Fake WEP encrypted stations.
.PP
\fB\-g\fR
.IP
Fake 802.11b stations (54 Mbit/s).
.PP
\fB\-t\fR
.IP
Fake WPA TKIP encrypted stations.
.PP
\fB\-a\fR
.IP
Fake WPA AES encrypted stations.
.PP
\fB\-m\fR
.IP
Use valid accesspoint MAC from OUI database.
.PP
\fB\-h\fR
.IP
Hop to channel where AP is spoofed.
.IP
This makes the test more effective against some devices/drivers
but it reduces packet rate due to channel hopping.
.PP
\fB\-c\fR <chan>
.IP
Fake an AP on channel <chan>. If you want your card to hop on
this channel, you have to set \fB\-h\fR option, too!
.PP
\fB\-s\fR <pps>
.IP
Set speed in packets per second (default: 50).
.PP
.RE
\fBa\fR   \- Authentication DoS mode
.IP
Sends authentication frames to all APs found in range.
.IP
Too much clients can freeze or reset some APs.
.PP
.RS
\fB\-a\fR <ap_mac>
.IP
Test only the specified AP <ap_mac>.
.PP
\fB\-m\fR
.IP
Use a valid client MAC from OUI database.
.PP
\fB\-c\fR
.IP
Do NOT check if the authentication succeeded.
.PP
\fB\-i\fR <ap_mac>
.IP
Perform intelligent test on AP (\fB\-a\fR and \fB\-c\fR will be ignored).
.IP
This test connects clients to the AP and reinjects sniffed data to keep them alive.
.PP
\fB\-s\fR <pps>
.IP
Set speed in packets per second (default: unlimited).
.PP
.RE
\fBp\fR   \- Basic probing and ESSID Bruteforce mode
.IP
Probes AP and check for answer, useful for checking if SSID has
been correctly decloaked or if AP is within your Wi-Fi interface's sending range.
.IP
Use \fB\-f\fR and \fB\-t\fR option to enable SSID Bruteforcing.
.PP
.RS
\fB\-e\fR <ssid>
.IP
Set the target SSID.
.PP
\fB\-f\fR <filename>
.IP
Read SSIDs from file, useful to bruteforce hidden networks.
.PP
\fB\-t\fR <bssid>
.IP
Set MAC address of target AP.
.PP
\fB\-s\fR <pps>
.IP
Set speed (default: unlimited; in Bruteforce mode: 300).
.PP
\fB\-b\fR <character set>
.IP
Use full Bruteforce mode (recommended for short SSIDs only!).
.PP
.RE
\fBd\fR   \- Deauthentication / Disassociation Amok Mode
.IP
Kicks out everybody found from AP.
.PP
.RS
\fB\-w\fR <filename>
.IP
Read file containing MACs not to care about (Whitelist Mode).
.PP
\fB\-b\fR <filename>
.IP
Read file containing MACs to run tests on (Blacklist Mode).
.PP
\fB\-s\fR <pps>
.IP
Set speed in packets per second (default: unlimited).
.PP
\fB\-c\fR [chan,chan,chan,...]
.IP
Enable channel hopping.
.IP
Without providing any channels, mdk3 will hop an all
14 b/g channels. Channel will be changed every 5 seconds.
.PP
.RE
\fBm\fR   \- Michael shutdown exploitation (TKIP)
.IP
Cancels all traffic continuously.
.PP
.RS
\fB\-t\fR <bssid>
.IP
Set MAC address of target AP.
.PP
\fB\-w\fR <seconds>
.IP
Seconds between bursts (default: 10).
.PP
\fB\-n\fR <ppb>
.IP
Set packets per burst (default: 70).
.PP
\fB\-j\fR
.IP
Use the new TKIP QoS\-Exploit.
.IP
Needs just a few packets to shut AP down!
.PP
\fB\-s\fR <pps>
.IP
Set speed (default: 400).
.PP
.RE
\fBx\fR   \- 802.1X tests.
.PP
.RS
\fB0\fR \- EAPOL Start packet flooding
.PP
.RS
\fB\-n\fR <ssid>
.IP
Set the target SSID.
.PP
\fB\-t\fR <bssid>
.IP
Set MAC address of target AP.
.PP
\fB\-w\fR <WPA type>
.IP
Set WPA type (1: WPA, 2: WPA2/RSN; default: WPA).
.PP
\fB\-u\fR <unicast cipher>
.IP
Set unicast cipher type (1: TKIP, 2: CCMP; default: TKIP).
.PP
\fB\-m\fR <multicast cipher>
.IP
Set multicast cipher type (1: TKIP, 2: CCMP; default: TKIP).
.PP
\fB\-s\fR <pps>
.IP
Set speed (default: 400).
.PP
.RE
\fR1\fB \- EAPOL Logoff test
.PP
.RS
\fB\-t\fR <bssid>
.IP
Set MAC address of target AP.
.PP
\fB\-c\fR <bssid>
.IP
Set MAC address of target STA.
.PP
\fB\-s\fR <pps>
.IP
Set speed (default: 400).
.PP
.RE
.RE
\fBw\fR   \- WIDS/WIPS/WDS Confusion
.IP
Confuses a WDS with multi\-authenticated clients which messes up routing tables.
.PP
.RS
\fB\-e\fR <SSID>
.IP
Set SSID of target WDS network.
.PP
\fB\-c\fR [chan,chan,chan...]
.IP
Use channel hopping.
.PP
\fB\-z\fR
.IP
Activate Zero_Chaos' WIDS exploit (authenticates clients from a WDS to foreign APs to make WIDS go nuts).
.PP
\fBf\fR   \- MAC filter bruteforce mode
.IP
Uses a list of known client MAC Addresses and tries to
authenticate them to the given AP while dynamically changing
its response timeout for best performance.
.IP
It currently works only
on APs who deny an open authentication request properly.
.PP
\fB\-t\fR <bssid>
.IP
Set MAC address of target AP.
.PP
\fB\-m\fR <mac>
.IP
Set the MAC address range to use (3 bytes, i.e. 00:12:34).
.IP
Without \fB\-m\fR, the internal database will be used.
.PP
\fB\-f\fR <mac>
.IP
Set the MAC address to begin bruteforcing with
(you can't use \fB\-f\fR and \fB\-m\fR at the same time).
.PP
.RE
\fBg\fR   \- WPA Downgrade test
.IP
Deauthenticates Stations and APs sending WPA encrypted packets.
.IP
All the unencrypted and WEP networks will still work.
.PP
.RS
\fB\-t\fR <bssid>
.IP
Set MAC address of target AP.
.PP
.RE
.SH FILES
\fI/usr/share/doc/mdk3/common-ssids.txt.gz\fR
.RS
Common SSIDs.
.RE
.PP
\fI/usr/share/doc/mdk3/fakeap-example.txt\fR
.RS
Fake AP examples for the \fBBeacon Flood Mode (b)\fR.
.RE
.PP
\fI/usr/share/doc/mdk3/less-common-ssids.txt.gz\fR
.RS
Not-so-common SSIDs.
.RE
.PP
\fI/usr/share/doc/mdk3/useful2.gz\fR
.RS
Extra SSIDs.
.RE
.PP
.SH AUTHOR
MDK3 was developed by Pedro Larbig "ASPj" <pedrolarbig@compuserve.de>,
with code taken from: aircrack-ng (by Christophe Devine) and kismet (by Mike Kershaw), all with contributions from various authors.
.PP
This manual page was written by Samuel Henrique <samueloph@debian.org> for the Debian project, it was based on \fBmdk3 --fullhelp\fR output and can be used by other projects as well.
.SH SEE ALSO
.B aircrack-ng(1)