I watched a video on YouTube about it, and the guy did not explain well how mdk3 and its deauth attack work. Can someone please explain this to me? P.S.: the guy used the tool aircrack-ng; is this tool from mdk3? If it is not, what is it used for and how does it work?
2 Answers
mdk3 is not included in aircrack-ng suite at the moment, but it seems they started to collaborate some time ago. Look at this: https://svn.mdk3.aircrack-ng.org/mdk3/docs/Documentation_incomplete.html
Maybe in the future it could be integrated. In fact, the new MDK3 uses the osdep injection library from the www.aircrack-ng.org project.
The difference between aireplay-ng (included in aircrack-ng suite) and mdk3 is basically that mdk3 would be sending both disassociation and de-authentication packets, where aireplay-ng only sends de-authentication packets.
Regarding how it works... basically, mdk3 works by exploiting weaknesses in the IEEE 802.11 protocol.
It has a lot of TEST MODES:
b - Beacon Flood Mode
Sends beacon frames to show fake APs at clients. This can sometimes crash network scanners and even drivers!
a - Authentication DoS mode
Sends authentication frames to all APs found in range. Too many clients freeze or reset some APs.
p - Basic probing and ESSID Bruteforce mode
Probes an AP and checks for an answer; useful for checking if an SSID has been correctly decloaked or if the AP is in your adaptor's sending range. SSID brute-forcing is also possible with this test mode.
d - Deauthentication / Disassociation Amok Mode
Kicks everybody found from AP
m - Michael shutdown exploitation (TKIP)
Cancels all traffic continuously
x - 802.1X tests
w - WIDS/WIPS Confusion
Confuse/Abuse Intrusion Detection and Prevention Systems
f - MAC filter bruteforce mode
This test uses a list of known client MAC addresses and tries to authenticate them to the given AP while dynamically changing its response timeout for best performance. It currently works only on APs that deny an open authentication request properly.
g - WPA Downgrade test
Deauthenticates Stations and APs sending WPA encrypted packets. With this test you can check if the sysadmin will try setting his network to WEP or disable encryption.
A proof of concept on how to test it is here.
- thanks for the answer. Must the deauth attack need a .txt file (whitelist) as this video shows? https://www.youtube.com/watch?v=K7S4UBnDiaU – d. fritoti Mar 04 '17 at 17:55
- It can be done whitelisting, but usually it is the opposite. You make a file with MACs for the blacklist and using -b you select that file. All those MACs will be attacked. – OscarAkaElvis Mar 04 '17 at 19:49
- I'll add that some APs just go ape and throw everyone off, whitelisted or not. – user400344 Mar 04 '17 at 20:02
- so the syntax would be: `mdk3 d -b` ?
- oh sorry it's `mdk3 d -b` – d. fritoti Mar 04 '17 at 21:52
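The answer above describes what the amok mode actually puts on the air: a burst of deauthentication and disassociation management frames, typically sent to the broadcast address so that every station attached to the AP is kicked. From a defender's side the useful complement is recognising that burst in a capture. The following is an added example, not code from the original answer, from mdk3 or from aircrack-ng: it parses the 802.11 management header of raw frames, keeps only deauth/disassoc subtypes, and raises an alert for any BSSID whose per-window frame rate crosses a threshold. The MAC addresses, timestamps, the 1-second window and the threshold of 10 frames are constructed values for illustration.

```python
import struct
from collections import defaultdict, deque

# 802.11 frame-control constants (type in bits 2-3, subtype in bits 4-7 of the first byte)
MGMT_TYPE = 0
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed addresses for the sample capture (locally administered, not real devices)
AP_A = "02:00:00:00:aa:01"
AP_B = "02:00:00:00:bb:02"
CLIENT = "02:00:00:00:cc:03"


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt_frame(subtype, da, sa, bssid, reason, seq=0):
    """Build a minimal management frame (24-byte header + 2-byte reason code)
    so the sample capture below can be constructed offline."""
    fc = (subtype << 4) | (MGMT_TYPE << 2)          # version 0, type 0, given subtype
    header = struct.pack("<HH", fc, 0)              # frame control, duration
    header += mac_bytes(da) + mac_bytes(sa) + mac_bytes(bssid)
    header += struct.pack("<H", seq << 4)           # sequence control (fragment 0)
    return header + struct.pack("<H", reason)


def parse_mgmt_frame(raw):
    """Return a dict for deauth/disassoc frames, None for anything else."""
    if len(raw) < 24:
        return None
    fc, _duration = struct.unpack_from("<HH", raw, 0)
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        return None
    da = mac_str(raw[4:10])
    reason = struct.unpack_from("<H", raw, 24)[0] if len(raw) >= 26 else None
    return {
        "kind": "deauth" if subtype == SUBTYPE_DEAUTH else "disassoc",
        "da": da,
        "sa": mac_str(raw[10:16]),
        "bssid": mac_str(raw[16:22]),
        "reason": reason,
        "broadcast": da == BROADCAST,
    }


def detect_floods(captured, window=1.0, threshold=10):
    """captured: iterable of (timestamp_seconds, raw_frame_bytes).
    Alert on every BSSID whose deauth/disassoc count inside any `window`
    seconds reaches `threshold`. A single AP legitimately deauthing one
    station now and then stays far below such a rate."""
    recent = defaultdict(deque)  # bssid -> timestamps inside the sliding window
    stats = defaultdict(lambda: {"total": 0, "broadcast": 0, "kinds": set(), "peak": 0})
    for ts, raw in sorted(captured, key=lambda p: p[0]):
        frame = parse_mgmt_frame(raw)
        if frame is None:
            continue
        q = recent[frame["bssid"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        s = stats[frame["bssid"]]
        s["total"] += 1
        s["broadcast"] += frame["broadcast"]
        s["kinds"].add(frame["kind"])
        s["peak"] = max(s["peak"], len(q))
    return [
        {"bssid": b, "peak_per_window": s["peak"], "total": s["total"],
         "broadcast": s["broadcast"], "kinds": sorted(s["kinds"])}
        for b, s in stats.items() if s["peak"] >= threshold
    ]


def sample_capture():
    """Constructed capture: two benign deauths from AP A seconds apart, then a
    burst of 30 broadcast deauth/disassoc frames carrying AP B's address in 0.6 s."""
    frames = [
        (0.0, build_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP_A, AP_A, reason=2)),
        (8.0, build_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP_A, AP_A, reason=2)),
    ]
    for i in range(30):
        sub = SUBTYPE_DEAUTH if i % 2 == 0 else SUBTYPE_DISASSOC
        frames.append((10.0 + i * 0.02, build_mgmt_frame(sub, BROADCAST, AP_B, AP_B, reason=7, seq=i)))
    frames.append((10.5, bytes([0x08, 0x00]) + b"\x00" * 22))  # a data frame, ignored by the parser
    return frames


if __name__ == "__main__":
    for alert in detect_floods(sample_capture()):
        print(alert)
```

Running the block prints a single alert for AP B: 30 frames in the window, all to the broadcast address, with both frame kinds present. The two indicators worth keeping in any production rule are the rate itself and the mix of deauth plus disassoc to broadcast, since a real AP rarely emits either in volume and mdk3 sends both, as the answer notes.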
mdk3 does not belong to the aircrack-ng suite; rather, it is an autonomous tool for wireless pen-testing.
It supports several modes of operation (attacks), one of which is deauthentication (amok mode).
To unleash a simple deauthentication attack with mdk3 type:
`mdk3 <wireless interface> d`
This mode has several options.
By default, if I remember correctly, it will hop from channel to channel and generate a flood of deauthentication and disassociation messages.