File: README.md

Package: mdk4 4.1-1 (suite: sid)

# MDK4

MDK is a proof-of-concept tool to exploit common IEEE 802.11 protocol weaknesses.


# About MDK4

MDK4 is a new version of MDK3.

MDK4 is a Wi-Fi testing tool from E7mer of 360PegasusTeam and ASPj of k2wrlz. It uses the osdep library from the aircrack-ng project to inject frames on several operating systems.
Many parts of it have been contributed by the great aircrack-ng community: Antragon, moongray, Ace, Zero_Chaos, Hirte, thefkboss, ducttape, telek0miker, Le_Vert, sorbo, Andy Green, bahathir, Dawid Gajownik and Ruslan Nabioullin. THANK YOU!

MDK4 is licensed under the GPLv2 or later.


# Installation
		apt-get install pkg-config libnl-3-dev libnl-genl-3-dev libpcap-dev 

		git clone https://github.com/aircrack-ng/mdk4
		cd mdk4
		make
		sudo make install


# Features

- Supports two Wi-Fi cards (one for receiving data, another for injecting data).
- Supports targeting (blocking) a specified ESSID/BSSID/station MAC via command-line options.
- Supports both 2.4 GHz and 5 GHz (Linux).
- Supports IDS evasion (ghosting, fragmenting; does not fully work with every driver).
- Supports packet fuzz testing.


# ATTACK MODE

		ATTACK MODE b: Beacon Flooding
		  Sends beacon frames to show fake APs at clients.
		  This can sometimes crash network scanners and even drivers!
		ATTACK MODE a: Authentication Denial-Of-Service
		  Sends authentication frames to all APs found in range.
		  Too many clients can freeze or reset several APs.
		ATTACK MODE p: SSID Probing and Bruteforcing
		  Probes APs and checks for answer, useful for checking if SSID has
		  been correctly decloaked and if AP is in your sending range.
		  Bruteforcing of hidden SSIDs with or without a wordlist is also available.
		ATTACK MODE d: Deauthentication and Disassociation
		  Sends deauthentication and disassociation packets to stations
		  based on data traffic to disconnect all clients from an AP.
		ATTACK MODE m: Michael Countermeasures Exploitation
		  Sends random packets or re-injects duplicates on another QoS queue
		  to provoke Michael Countermeasures on TKIP APs.
		  AP will then shutdown for a whole minute, making this an effective DoS.
		ATTACK MODE e: EAPOL Start and Logoff Packet Injection
		  Floods an AP with EAPOL Start frames to keep it busy with fake sessions
		  and thus prevents it from handling any legitimate clients.
		  Or logs off clients by injecting fake EAPOL Logoff messages.
		ATTACK MODE s: Attacks for IEEE 802.11s mesh networks
		  Various attacks on link management and routing in mesh networks.
		  Flood neighbors and routes, create black holes and divert traffic!
		ATTACK MODE w: WIDS Confusion
		  Confuse/Abuse Intrusion Detection and Prevention Systems by
		  cross-connecting clients to multiple WDS nodes or fake rogue APs.
		ATTACK MODE f: Packet Fuzzer
		  A simple packet fuzzer with multiple packet sources
		  and a nice set of modifiers. Be careful!

# Usage

		mdk4 <interface> <attack_mode> [attack_options]
		mdk4 <interface in> <interface out> <attack_mode> [attack_options]

		Try mdk4 --fullhelp for all attack options
		Try mdk4 --help <attack_mode> for info about one attack only


FULL OPTIONS:

		ATTACK MODE b: Beacon Flooding
		  Sends beacon frames to generate fake APs at clients.
		  This can sometimes crash network scanners and drivers!
		      -n <ssid>
			 Use SSID <ssid> instead of randomly generated ones
		      -a
			 Use also non-printable characters in generated SSIDs
			 and create SSIDs that break the 32-byte limit
		      -f <filename>
			 Read SSIDs from file
		      -v <filename>
			 Read MACs and SSIDs from file. See example file!
		      -t <adhoc>
			 -t 1 = Create only Ad-Hoc network
			 -t 0 = Create only Managed (AP) networks
			 without this option, both types are generated
		      -w <encryptions>
			 Select which type of encryption the fake networks shall have
			 Valid options: n = No Encryption, w = WEP, t = TKIP (WPA), a = AES (WPA2)
			 You can select multiple types, e.g. "-w wta" will only create WEP, WPA (TKIP) and WPA2 (AES) networks
		      -b <bitrate>
			 Select if 11 Mbit (b) or 54 Mbit (g) networks are created
			 Without this option, both types will be used.
		      -m
			 Use valid access point MAC from built-in OUI database
		      -h
			 Hop to channel where network is spoofed
			 This is more effective with some devices/drivers
			 But it reduces packet rate due to channel hopping.
		      -c <chan>
			 Create fake networks on channel <chan>. If you want your card to
			 hop on this channel, you have to set -h option, too.
		      -i <HEX>
			 Add user-defined IE(s) in hexadecimal at the end of the tagged parameters
		      -s <pps>
			 Set speed in packets per second (Default: 50)

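The value given to `-i <HEX>` is appended to the beacon's tagged parameters as raw bytes, so a wrong length byte goes on the air exactly as typed and is then parsed by every scanner and driver in range. The following added example (not mdk4 code) builds that hex string from individual elements and sanity-checks a chain before it is used. The TLV layout (1-byte element ID, 1-byte length, value), the IDs 0 (SSID) and 221 (vendor specific) and the 32-byte SSID limit come from IEEE 802.11; the vendor OUI, the SSID and the interface name in the usage line are constructed placeholders.

```python
"""Build and validate the tagged-parameter hex string for mdk4 mode b -i.
Added example, not part of mdk4. The OUI 00:11:22 below is a constructed
placeholder, not a registered vendor."""

def build_ie(element_id, value):
    """One 802.11 information element: ID byte, length byte, value."""
    value = bytes(value)
    if not 0 <= element_id <= 255 or len(value) > 255:
        raise ValueError("element id and length must each fit in one byte")
    return bytes([element_id, len(value)]) + value

def build_vendor_ie(oui, vendor_type, payload):
    """Vendor-specific element (ID 221): 3-byte OUI, 1-byte type, payload."""
    return build_ie(221, bytes(oui) + bytes([vendor_type]) + bytes(payload))

def to_hex(ies):
    """Concatenate elements into the string mdk4 expects after -i."""
    return "".join(ie.hex() for ie in ies)

def parse_ies(hexstr):
    """Walk the TLV chain and return [(id, value), ...]. Raises ValueError on a
    length that runs past the end of the data: the malformed shape that
    scanners and drivers are most likely to mishandle."""
    data = bytes.fromhex(hexstr)
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated element header at offset %d" % i)
        eid, ln = data[i], data[i + 1]
        if i + 2 + ln > len(data):
            raise ValueError("element %d at offset %d claims %d bytes, only %d left"
                             % (eid, i, ln, len(data) - i - 2))
        out.append((eid, data[i + 2:i + 2 + ln]))
        i += 2 + ln
    return out

def is_well_formed(hexstr):
    """True if the chain parses cleanly (also False for odd-length hex)."""
    try:
        parse_ies(hexstr)
        return True
    except ValueError:
        return False

def check_ies(hexstr):
    """Warnings worth reading before injecting: an SSID element over the
    32-byte limit (what mode b's -a option produces on purpose) and
    duplicate element IDs."""
    warnings, seen = [], set()
    for eid, val in parse_ies(hexstr):
        if eid == 0 and len(val) > 32:
            warnings.append("SSID element is %d bytes, over the 32-byte limit" % len(val))
        if eid in seen:
            warnings.append("duplicate element id %d" % eid)
        seen.add(eid)
    return warnings

if __name__ == "__main__":
    extra = to_hex([build_vendor_ie(b"\x00\x11\x22", 1, b"hello")])  # constructed OUI
    assert is_well_formed(extra) and not check_ies(extra)
    # Assumed monitor-mode interface name; mdk4 appends these bytes to each beacon:
    print("mdk4 wlan0mon b -n TestNet -i %s" % extra)
```

Run `check_ies` on anything you did not build with `build_ie`; a chain that parses cleanly here is still a fuzz input for the receiving side, which is the point of the option.
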
		ATTACK MODE a: Authentication Denial-Of-Service
		  Sends authentication frames to all APs found in range.
		  Too many clients can freeze or reset several APs.
		      -a <ap_mac>
			 Only test the specified AP
		      -m
			 Use valid client MAC from built-in OUI database
		      -i <ap_mac>
			 Perform intelligent test on AP
			 This test connects clients to the AP and reinjects sniffed data to keep them alive.
		      -s <pps>
			 Set speed in packets per second (Default: unlimited)

		ATTACK MODE p: SSID Probing and Bruteforcing
		  Probes APs and checks for answer, useful for checking if SSID has
		  been correctly decloaked and if AP is in your sending range.
		  Bruteforcing of hidden SSIDs with or without a wordlist is also available.
		      -e <ssid>
			 SSID to probe for
		      -f <filename>
			 Read SSIDs from file for bruteforcing hidden SSIDs
		      -t <bssid>
			 Set MAC address of target AP
		      -s <pps>
			 Set speed (Default: 400)
		      -b <character sets>
			 Use full Bruteforce mode (recommended for short SSIDs only!)
			 You can select multiple character sets at once:
			 * n (Numbers:   0-9)
			 * u (Uppercase: A-Z)
			 * l (Lowercase: a-z)
			 * s (Symbols: ASCII)
		      -p <word>
			 Continue bruteforcing, starting at <word>.
		      -r <channel>
			 Probe request tests (mod-musket)

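"Recommended for short SSIDs only" is a statement about the keyspace: every candidate costs at least one probe request at the `-s` rate (default 400 per second). The following added example (not mdk4 code) sizes the search for a given `-b` character-set string and shows how a `-p <word>` resume point relates to an enumeration order. The character classes follow the help text above; the enumeration order (lengths ascending, characters in the order given) is this example's own assumption and need not match mdk4's, so a resume point computed here is only meaningful against this generator.

```python
"""Size a mode p -b brute-force run before starting it.
Added example, not part of mdk4; the enumeration order is an assumption."""
import itertools
import string

CHARSETS = {
    "n": string.digits,            # 0-9
    "u": string.ascii_uppercase,   # A-Z
    "l": string.ascii_lowercase,   # a-z
    "s": string.punctuation,       # ASCII symbols
}

def alphabet(spec):
    """Expand a -b string such as 'nl' into one de-duplicated alphabet.
    Raises KeyError on a letter outside n/u/l/s."""
    chars = "".join(CHARSETS[c] for c in spec)
    return "".join(dict.fromkeys(chars))   # keeps first-seen order, drops repeats

def keyspace_size(spec, max_len, min_len=1):
    n = len(alphabet(spec))
    return sum(n ** length for length in range(min_len, max_len + 1))

def estimated_seconds(spec, max_len, pps=400, min_len=1):
    """Upper bound on run time: one probe per candidate at the -s rate."""
    return keyspace_size(spec, max_len, min_len) / pps

def candidates(spec, max_len, resume=None, min_len=1):
    """Yield SSID candidates shortest-first; with resume, start at that word
    (the role of -p <word>) and yield it too."""
    alpha = alphabet(spec)
    started = resume is None
    for length in range(min_len, max_len + 1):
        for tup in itertools.product(alpha, repeat=length):
            word = "".join(tup)
            if not started:
                started = word == resume
                if not started:
                    continue
            yield word

if __name__ == "__main__":
    for spec, max_len in (("n", 4), ("l", 4), ("nul", 6)):
        hours = estimated_seconds(spec, max_len) / 3600
        print("-b %-3s up to %d chars: %d candidates, ~%.1f h at 400 pps"
              % (spec, max_len, keyspace_size(spec, max_len), hours))
```

Four lowercase characters are under half a million candidates and finish in well under an hour at the default rate; six mixed-case alphanumerics are tens of billions and take years, which is why a wordlist (`-f`) is the first choice for anything but very short SSIDs.
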
		ATTACK MODE d: Deauthentication and Disassociation
		  Sends deauthentication and disassociation packets to stations
		  based on data traffic to disconnect all clients from an AP.
		      -w <filename>
			 Read file containing MACs not to care about (Whitelist mode)
		      -b <filename>
			 Read file containing MACs to run test on (Blacklist Mode)
		      -s <pps>
			 Set speed in packets per second (Default: unlimited)
		      -x
			 Enable full IDS stealth by matching all Sequence Numbers
			 Packets will only be sent with clients' addresses
		      -c [chan,chan,...,chan[:speed]]
			 Enable channel hopping. When -c h is given, mdk4 will hop on all
			 14 b/g channels. Channel will be changed every 3 seconds,
			 if speed is not specified. Speed value is in milliseconds!
		      -E <AP ESSID>
			 Specify an AP ESSID to attack.
		      -B <AP BSSID>
			 Specify an AP BSSID to attack.
		      -S <Station MAC address>
			 Specify a station MAC address to attack.
		      -W <Whitelist Station MAC address>
			 Specify a whitelist station MAC.

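Both of the floods described above leave a recognisable footprint: mode b produces dozens of never-seen BSSIDs per second, and mode d produces far more deauthentication frames from one address than any real AP sends. The following added example (not mdk4 code) runs three simple heuristics over constructed frame records: new-BSSID rate, deauth rate per transmitter, and sequence-number gaps. The last one is what mode d's `-x` option is built to evade by matching sequence numbers, so a clean result from it is weak evidence. The records, window sizes and thresholds are this example's own assumptions; a deployment would fill the records from a capture and tune the thresholds per site.

```python
"""Offline heuristics for beacon flooding (mode b) and deauthentication
flooding (mode d). Added example, not part of mdk4. Frame records are
constructed inline with only the fields the checks need; thresholds are
assumptions to tune per site."""
from collections import defaultdict

SEQ_MOD = 4096                 # 802.11 sequence numbers are 12 bits
AP = "aa:bb:cc:00:00:01"       # constructed address of the one legitimate AP

def make_frames():
    """Constructed sample: the AP beacons every 100 ms (seq 100..119); then
    60 beacons from 60 random BSSIDs arrive within 0.6 s; then 200 deauth
    frames claiming the AP's address arrive within 0.4 s, with a sequence
    counter that does not continue the AP's own."""
    frames = [dict(t=i * 0.1, kind="beacon", src=AP, seq=100 + i) for i in range(20)]
    for i in range(60):
        frames.append(dict(t=2.0 + i * 0.01, kind="beacon",
                           src="02:00:00:00:00:%02x" % i, seq=i))
    for i in range(200):
        frames.append(dict(t=3.0 + i * 0.002, kind="deauth", src=AP,
                           seq=(3000 + i) % SEQ_MOD))
    return frames

def beacon_flood_windows(frames, window=1.0, max_new_bssids=10):
    """Start times of windows in which more than max_new_bssids BSSIDs
    beaconed for the first time. Real environments gain APs slowly."""
    seen, new_per_window = set(), defaultdict(int)
    for f in frames:
        if f["kind"] == "beacon" and f["src"] not in seen:
            seen.add(f["src"])
            new_per_window[int(f["t"] // window)] += 1
    return sorted(w * window for w, n in new_per_window.items() if n > max_new_bssids)

def deauth_flood_senders(frames, window=1.0, max_per_window=20):
    """Transmitter addresses that sent more than max_per_window deauth or
    disassoc frames inside a single window."""
    counts = defaultdict(int)
    for f in frames:
        if f["kind"] in ("deauth", "disassoc"):
            counts[(f["src"], int(f["t"] // window))] += 1
    return sorted({src for (src, _), n in counts.items() if n > max_per_window})

def seq_anomalies(frames, max_gap=64):
    """Addresses whose sequence counter jumps by more than max_gap (mod 4096)
    between consecutive frames, suggesting two radios transmitting under one
    address. Mode d -x matches sequence numbers to defeat exactly this."""
    last, flagged = {}, set()
    for f in sorted(frames, key=lambda fr: fr["t"]):
        src, seq = f["src"], f["seq"]
        if src in last and (seq - last[src]) % SEQ_MOD > max_gap:
            flagged.add(src)
        last[src] = seq
    return sorted(flagged)

if __name__ == "__main__":
    frames = make_frames()
    print("beacon flood windows:", beacon_flood_windows(frames))
    print("deauth flooders:     ", deauth_flood_senders(frames))
    print("sequence anomalies:  ", seq_anomalies(frames))
```

The modular subtraction in `seq_anomalies` keeps a legitimate wrap from 4095 to 0 from being flagged; only a jump larger than `max_gap` counts.
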
		ATTACK MODE m: Michael Countermeasures Exploitation
		  Sends random packets or re-injects duplicates on another QoS queue
		  to provoke Michael Countermeasures on TKIP APs.
		  AP will then shutdown for a whole minute, making this an effective DoS.
		      -t <bssid>
			 Set target AP, that runs TKIP encryption
		      -j
			 Use the new QoS exploit which only needs to reinject a few packets instead
			 of the random packet injection, which is unreliable but works without QoS.
		      -s <pps>
			 Set speed in packets per second (Default: 400)
		      -w <seconds>
			 Wait <seconds> between each random packet burst (Default: 10)
		      -n <count>
			 Send <count> random packets per burst (Default: 70)

		ATTACK MODE e: EAPOL Start and Logoff Packet Injection
		  Floods an AP with EAPOL Start frames to keep it busy with fake sessions
		  and thus prevents it from handling any legitimate clients.
		  Or logs off clients by injecting fake EAPOL Logoff messages.
		      -t <bssid>
			 Set target WPA AP
		      -s <pps>
			 Set speed in packets per second (Default: 400)
		      -l
			 Use Logoff messages to kick clients

		ATTACK MODE s: Attacks for IEEE 802.11s mesh networks
		  Various attacks on link management and routing in mesh networks.
		  Flood neighbors and routes, create black holes and divert traffic!
		      -f <type>
			 Basic fuzzing tests. Picks up Action and Beacon frames from the air, modifies and replays them:
			 The following modification types are implemented:
			 1: Replay identical frame until new one arrives (duplicate flooding)
			 2: Change Source and BSSID (possibly resulting in Neighbor Flooding)
			 3: Cut packet short, leave 802.11 header intact (find buffer errors)
			 4: Shotgun mode, randomly overwriting bytes after header (find bugs)
			 5: Script kiddie's automated attack trying all of the above randomly :)
		      -b <impersonated_meshpoint>
			 Create a Blackhole, using the impersonated_meshpoint's MAC address
			 mdk4 will answer every incoming Route Request with a perfect route over the impersonated node.
		      -p <impersonated_meshpoint>
			 Path Request Flooding using the impersonated_meshpoint's address
			 Adjust the speed switch (-s) for maximum profit!
		      -l
			 Just create loops on every route found by modifying Path Replies
		      -s <pps>
			 Set speed in packets per second (Default: 100)
		      -n <meshID>
			 Target this mesh network

		ATTACK MODE w: WIDS Confusion
		  Confuse/Abuse Intrusion Detection and Prevention Systems by
		  cross-connecting clients to multiple WDS nodes or fake rogue APs.
		  Confuses a WDS with multi-authenticated clients which messes up routing tables
		      -e <SSID>
			 SSID of target WDS network
		      -c [chan,chan,...,chan[:speed]]
			 Enable channel hopping. When -c h is given, mdk4 will hop on all
			 14 b/g channels. Channel will be changed every 3 seconds,
			 if speed is not specified. Speed value is in milliseconds!
		      -z
			 Activate Zero_Chaos' WIDS exploit
			 (authenticates clients from a WDS to foreign APs to make WIDS go nuts)
		      -s <pps>
			 Set speed in packets per second (Default: 100)

		ATTACK MODE f: Packet Fuzzer
		  A simple packet fuzzer with multiple packet sources
		  and a nice set of modifiers. Be careful!
		  mdk4 randomly selects the given sources and one or multiple modifiers.
		      -s <sources>
			 Specify one or more of the following packet sources:
			 a - Sniff packets from the air
			 b - Create valid beacon frames with random SSIDs and properties
			 c - Create CTS frames to broadcast (you can also use this for a CTS DoS)
			 p - Create broadcast probe requests
		      -m <modifiers>
			 Select at least one of the modifiers here:
			 n - No modifier, do not modify packets
			 b - Set destination address to broadcast
			 m - Set source address to broadcast
			 s - Shotgun: randomly overwrites a couple of bytes
			 t - append random bytes (creates broken tagged parameters in beacons/probes)
			 c - Cut packets short, preferably somewhere in headers or tags
			 d - Insert random values in Duration and Flags fields
		      -c [chan,chan,...,chan[:speed]]
			 Enable channel hopping. When -c h is given, mdk4 will hop on all
			 14 b/g channels. Channel will be changed every 3 seconds,
			 if speed is not specified. Speed value is in milliseconds!
		      -p <pps>
			 Set speed in packets per second (Default: 250)
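
The modifier letters above describe byte-level mutations of an 802.11 frame. The following added example (not mdk4 code) applies them to a constructed beacon so the effect of each one can be inspected before anything is injected. The byte offsets follow the 802.11 MAC header (frame control 2, duration 2, addr1/addr2/addr3 6 each, sequence control 2, 24 bytes in total) and the beacon body layout; the modifier semantics follow the help text; the frame contents, the seeded random choices and the way one or more modifiers are picked per case are this example's own assumptions.

```python
"""Mode f style modifiers applied to a constructed beacon frame.
Added example, not part of mdk4; layout from IEEE 802.11, semantics from
the help text, everything else an assumption. RNG is seeded so results
are reproducible."""
import random

BROADCAST = b"\xff" * 6
HDR_LEN = 24   # frame control, duration, addr1, addr2, addr3, seq control

def constructed_beacon():
    """Beacon: FC 0x8000, duration 0, DA broadcast, SA and BSSID 02:00:00:00:00:01,
    seq 1; body = timestamp(8) + interval(2) + capability(2) + SSID IE "Fuzz"
    + supported-rates IE (1 Mbit basic). All values constructed."""
    addr = b"\x02\x00\x00\x00\x00\x01"
    hdr = b"\x80\x00" + b"\x00\x00" + BROADCAST + addr + addr + b"\x10\x00"
    body = b"\x00" * 8 + b"\x64\x00" + b"\x01\x04" + b"\x00\x04Fuzz" + b"\x01\x01\x82"
    return hdr + body

def modify(frame, modifiers, rng=None, seed=0):
    """Apply the given modifier letters in order and return the new frame."""
    rng = rng or random.Random(seed)
    f = bytearray(frame)
    for m in modifiers:
        if m == "n":                                   # leave untouched
            pass
        elif m == "b":                                 # destination (addr1) -> broadcast
            f[4:10] = BROADCAST
        elif m == "m":                                 # source (addr2) -> broadcast
            f[10:16] = BROADCAST
        elif m == "s":                                 # shotgun: a few bytes after the header
            if len(f) > HDR_LEN:                       # nothing to hit if already cut short
                for _ in range(rng.randint(1, 4)):
                    f[rng.randrange(HDR_LEN, len(f))] = rng.randrange(256)
        elif m == "t":                                 # append junk -> broken tagged params
            f += bytes(rng.randrange(256) for _ in range(rng.randint(1, 16)))
        elif m == "c":                                 # cut short, in header or tags
            del f[rng.randrange(2, len(f)):]
        elif m == "d":                                 # random FC flags byte and duration
            f[1] = rng.randrange(256)
            f[2:4] = rng.randrange(65536).to_bytes(2, "little")
        else:
            raise ValueError("unknown modifier %r" % m)
    return bytes(f)

def fuzz_cases(frame, modifiers, count, seed=0):
    """Produce count (modifier string, frame) pairs, choosing one or more of
    the allowed modifiers per case, as the help text describes."""
    rng = random.Random(seed)
    cases = []
    for _ in range(count):
        chosen = rng.sample(list(modifiers), rng.randint(1, len(modifiers)))
        cases.append(("".join(chosen), modify(frame, chosen, rng)))
    return cases

if __name__ == "__main__":
    base = constructed_beacon()
    for mods, out in fuzz_cases(base, "bmstcd", 5):
        print("%-6s len %3d  %s" % (mods, len(out), out[:32].hex()))
```

Order matters: a cut (`c`) applied before a shotgun (`s`) can remove the whole body, which is why the shotgun step checks that anything beyond the header is left rather than indexing an empty range.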