Many of us have heard of DDoS (distributed denial-of-service) attacks. MDK3 is a DoS attack tool too, but one focused on denying 802.11 service.
MDK3 stands for Murder Death Kill 3. And it’s a tool that definitely lives up to its name. Because it’s designed specifically for WLAN environments, MDK3 does a marvelous job at crushing wireless network access by sending floods of traffic all at once. The flood of traffic prevents others from being able to connect.
Imagine you are the CEO of a small business. You’re traveling for work and connected to the hotel’s WiFi. It’s vital that you get some information sent out tonight. But what happens when your competitor is sitting in the room next door, and he’s slamming your laptop with mdk3 packets? You won’t be able to get anything done, that’s what. You may lose important contracts as a result. Your business may suffer. So now you see just how dangerous denial of service attacks can be. They don’t destroy data or steal it, but they are perfect tools for reputation assassination.
As a prerequisite, make sure your wireless adapter is in packet injecting mode, otherwise this won’t work right at all.
To put the wifi adapter into packet injecting mode, look at the link above or use the syntax below to get an idea:
airmon-ng start <wireless interface>
Let’s test our wireless AP, named “WiFi hacking”, against wireless DoS attacks. MDK3 is installed by default in the latest versions of Back Track and Kali Linux. To access the tool from Back Track 5 R3, go to Applications -> Back Track -> Stress Testing -> WLAN Stress Testing. Select MDK3 from the list. To access it from Kali Linux,
MDK3 should launch with the help menu already printed on the screen.
Be sure to go through the list of test modes one by one. Don’t be a shitty security professional, be a damn good one. KNOW how this stuff works. Because while MDK3 is an awesome proof-of-concept tool, it does not have a man page and the help options are somewhat limited. You’re pretty much on your own with this tool. But embrace it and learn this tool the old-fashioned way, by trial and error.
More verbose help is available by running: mdk3 --fullhelp
SSID Flooding with MDK3
One neat trick that MDK3 can do is SSID flooding, or beacon flooding. What this means is that MDK3 can broadcast hundreds or even thousands of fake access points. Others that are in the area will see all of these fake access points when they go to search for WiFi access points to connect to. As you can probably see, SSID flooding is not denial of service. However, this is still a pretty cool trick. Potentially, you could set up a dedicated computer with a wireless access point and have MDK3 running in SSID flooding mode at all times. You could, in effect, hide your legitimate wireless access point in a sea of fake access points. A sort of security through obscurity to prevent WiFi hacking attacks.
Here is the syntax to enable simple SSID flooding (MDK3 will generate random fake access point names):
mdk3 <interface> b -c 1
Just replace <interface> with the name of your wireless interface. Remember, usually it’s mon0.
The b option tells MDK3 to use beacon/SSID flooding mode.
-c 1 tells MDK3 to broadcast all the fake access points on channel 1. (To better hide the fact these are all fake access points, you can try running multiple instances of MDK3 and specify a different channel each time.)
So we did a few example runs, using 2 beacon flood commands, both gave us great results:
mdk3 mon0 b
mdk3 mon0 b -n HaCoder
Authentication Flooding with MDK3
Moving on to MDK3’s actual DoS options, you will first look at authentication flooding, then conclude with deauthentication flooding. The idea behind authentication flooding is simple. Too many authentication requests at one time may cause the wireless access point to freeze up and perhaps stop working entirely (until someone reboots the thing, that is).
I will warn you that in my experience, authentication flooding doesn’t always work. Most wireless access points are robust enough to handle an authentication flood from one instance of MDK3. (However, if you had multiple laptops running authentication floods this may work.)
Deauthentication flooding works MUCH better (that’s why I am saving it for last) and it doesn’t require the resources that authentication flooding does. So let’s look at authentication flooding. A simple command to do authentication flooding is:
mdk3 <interface> a -a <ap_mac address>
All you need is the AP’s MAC address as you can see above.
Deauthentication Flooding with MDK3
The DoS WiFi hacking technique that works best uses deauthenticate requests rather than faking authentication requests.
mdk3 <interface> d -b blacklist_file
Again, the only thing you need is the target access point’s MAC address. Save that MAC address in a text file and specify it after the -b option. This will send deauth packets to any and all clients connected to the access point specified in the file. (You can add more MAC addresses to deauth if you are evaluating multiple APs in range.)
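Seen from the defending side, all three floods above show up as abnormal rates of 802.11 management frames: beacons (subtype 8), authentication (subtype 11) and deauthentication (subtype 12). The following is an added example, not part of the original post or of MDK3: a small detector that classifies raw 802.11 frames (assumed to come from a monitor-mode capture with the radiotap header already stripped) and flags each flood per time window. The thresholds, the sample_frame helper and all addresses are constructed for illustration.

```python
import struct
from collections import defaultdict

# 802.11 management subtypes (frame type 0) produced by the three flood modes
SUBTYPES = {8: "beacon", 11: "auth", 12: "deauth"}
# Assumed per-window alert thresholds; tune them against your own baseline
THRESHOLDS = {"beacon": 50, "auth": 100, "deauth": 30}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def classify(frame):
    """Return (kind, source MAC, BSSID) for a raw 802.11 frame, else None."""
    if len(frame) < 24:                    # shorter than a management header
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        return None
    return SUBTYPES[subtype], mac(frame[10:16]), mac(frame[16:22])

def detect_floods(events, window=1.0, thresholds=THRESHOLDS):
    """events: iterable of (timestamp_seconds, frame_bytes); returns a set of alerts."""
    seen = defaultdict(set)                # (window slot, kind, key) -> distinct items
    for i, (ts, frame) in enumerate(events):
        hit = classify(frame)
        if hit is None:
            continue
        kind, src, bssid = hit
        slot = int(ts // window)
        if kind == "beacon":               # many distinct BSSIDs advertised at once
            seen[(slot, kind, "*")].add(bssid)
        elif kind == "auth":               # many distinct senders hitting one AP
            seen[(slot, kind, bssid)].add(src)
        else:                              # deauth: every frame counts, per AP
            seen[(slot, kind, bssid)].add(i)
    return {(kind, key) for (_, kind, key), items in seen.items()
            if len(items) > thresholds[kind]}

def sample_frame(subtype, dst, src, bssid):
    """Constructed test input: a bare 24-byte management header, no body."""
    return struct.pack("<BBH6s6s6sH", subtype << 4, 0, 0, dst, src, bssid, 0)

if __name__ == "__main__":
    ap, bcast = bytes.fromhex("020000000001"), b"\xff" * 6   # constructed addresses
    events = [(0.1 * i, sample_frame(8, bcast, ap, ap)) for i in range(10)]
    events += [(5 + i / 1000, sample_frame(8, bcast, m, m))
               for i in range(200) for m in [i.to_bytes(6, "big")]]
    events += [(7 + i / 100, sample_frame(12, bcast, ap, ap)) for i in range(40)]
    print(sorted(detect_floods(events)))
```

Detection only tells you a flood is under way; on networks you control, enabling Protected Management Frames (802.11w) lets capable clients reject forged deauthentication frames.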