MDK3 Secret Destruction Mode

19/4/2014
MDK3 Secret Destruction Mode
User Name
Password
Log in
Help
Register
Remember Me?
What's New?
Forum
New Posts FAQ Calendar
Forum
Forum Actions
Kali Linux Forums
Advanced Search
Quick Links
Kali Linux General Use
If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link
above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.
Results 1 to 10 of 118
Page 1 of 12 1 2 3 11 ...
Last
Thread: MDK3 Secret Destruction Mode

Thread Tools
Senior Member
Join Date:
Posts:
Jul 2013
175
Display
#1
12-07-2013, 12:52 AM
soxrok2212
Search Thread
How to Reset WPS Lockouts Using MDK3

Use at your own risk! Section 638:17 of the New
Hampshire House Bill 495 highlights United States
rules against wireless hacking. Attempting to and or
gaining access to a network that you do not own or
have permission to is STRICTLY forbidden. I am
NOT responsible for ANYTHING you do with this
information.
The purpose of this guide is to inform users about
how a router can be exploited to temporarily reset
WPS lockouts. This can be useful when using reaver
to crack a WPS pin. Keep in mind that this does not
work with every router. It largely depends on
hardware. This attack uses MDK3, a set of tools by
ASPj to overload the target AP with useless data,
thus causing it to freeze and reset. Here is how it
works. (Each of these commands are run in a
separate terminal window) and I think you can
figure out the variables here.
https://forums.kali.org/showthread.php?19498-MDK3-Secret-Destruction-Mode
1/8
19/4/2014
Code:
mdk3 monX a -a xx:xx:xx:xx:xx:xx -m
This floods the target AP with fake clients.

Code:
mdk3 monX m -t xx:xx:xx:xx:xx:xx
This causes Michael failure, stopping all wireless

traffic. However, this only works if the target AP
supports TKIP. (Can be AES+TKIP)
Code:
mdk3 monX d -b blacklist -c X
This keeps a continuous deauth on the network. If

this attack does not start, make a blank text
document in your root folder named blacklist. Leave
it empty as MDK3 automatically populates the list.
Code:
mdk3 monX b -t xx:xx:xx:xx:xx:xx -c X
This floods a bunch of fake APs to any clients in

range (only effective to windows clients and maybe
some other devices, Macs are protected against
this).
You will know when the AP has reset either by
checking with
2/8
19/4/2014
Code:
wash -i monX -C
or if the target shows channel -1 and MB shows -1

in airodump.
Please do NOT use this on a network that is not
yours or that you do not have permission to. If the
owner finds out that it is you who is attacking their
network, you may end up in serious legal trouble.
Visit ASPj's site as mentioned above for more
information.
Preventing the attack
As of now, there is no way to prevent the attack
except by disabling wireless, buying a high end
router, or getting an AP that encrypts management
packets. Deauthentication packets are management
frames which are sent UNENCRYPTED unless you
purchase an AP that supports MFP. You can read
more about this here.
Last edited by soxrok2212; 04-09-2014 at 08:33 PM.

Reply With Quote
#2
12-07-2013, 11:28 AM
mmusket33
Senior Member
Join Date:
Posts:
Jul 2013
133
This is great!!! we have been looking for a way to reset WPS locked routers remotely and our
team will be happy to write a script for you however a few questions.
1. You are running the mdk3 a b d and m command lines in four different windows all at the same
time - is this correct?
3/8
19/4/2014
2. Your comment "You can also add -m to the end of this so it uses real mac addresses instead
of 00:00:00:00:00:00."
Does that deal with the "a" attack above OR the "d" attack below
This should be easy to write just airodump-ng and four Eterm terminal windows. We already have
a DDOS program written to use with pwnstar that runs the a and g and airodump-ng commands.
We will drop all our other projects with easy-cred and focus on this. However be aware that a
reset WPS router is only going to give you ten keys before it locks up. Anyway we will run some
tests and have something back to you in a few weeks. Anything this is better then trying to
brute force a long key.
Again THANKS!!!!!
Musket Team Alpha
Reply With Quote
#3
12-07-2013, 11:41 AM
soxrok2212
Senior Member
Join Date:
Posts:
Jul 2013
175
112345-
Yes, ultimately you should have a total of 5 windows open at the same time:
airodump
mdk3 a
mdk3 b
mdk3 d
mdk3 m
2- You can add -m after mdk3 a. This will authenticate real mac addresses instead of
00:00:00:00:00:00. HOWEVER, with my Alfa AWUS036H, airodump stops working unless I close
the teminal window and rerun the command.
*I updated the tutorial to hopefully solve future questions*
I could also do some testing with you after you guys push out this tool; I'm excited to see what
we can do!

4/8
19/4/2014
Reply With Quote
#4
12-09-2013, 07:21 PM
mmusket33
Senior Member
Join Date:
Posts:
Jul 2013
133
Reference your comment about airodump-ng we know there is an issue with airodump-ng in a
kali-linux install as airodump-ng will freeze randomly in all our computers occassionally. But the
issue is so random we do not know how to even approach the problem.
WE will send you a working copy so you can check the command lines and make suggestions. WE
ran some tests yesterday but they were inconclusive as it was against a CCMP encrypted router.
Reply With Quote
#5
12-09-2013, 07:30 PM
soxrok2212
If you would like to send me what you have now, I can run some tests against TKIP...
Senior Member
Join Date:
Posts:
Jul 2013
175
Reply With Quote
#6
12-10-2013, 02:41 AM
mmusket33
Senior Member
Join Date:
Posts:
We do not see a way to send you the script. We do not want to post an incompleted script for
general use.
Jul 2013
133
Reply With Quote
#7
12-10-2013, 12:28 PM
mmusket33
Senior Member
Join Date:
Jul 2013
To soxrok2212
The mdk3 part of the script is completed and ready for you to test and correct. We have run it
against CCMP WPS locked routers. We first turned on the WPS locking by requesting pins. After
5/8
19/4/2014
Posts:
133
ten pins recieved the router locked. We then gave the router a quad blast with mdk3 in four
Eterm windows as you suggested. It seems to freeze the router BUT if it reset, the WPS locking
did not reset with the router. We know that after a power failure all the WPS locking resets to
off in our area.
The airodump-ng problem seems to be related to computer speed. On the same computer using
HD install of kali-linux, airodump-ng would freeze within a minute or two. If reset it would run and
then eventually freeze again. With a 16gb usb persistent install of kali-linux airodump-ng froze
within seconds.
Your comments concerning the -r command may have merit BUT against the routers in our areas
of operation time between pin request and mac codes requesting these pins has no relationship
to the locking. The locking occurs after ten successful pin requests from any source.
The varmacreaver.sh program available for download in these forums was originally developed to
explore time between pin request versus mac codes requesting said pins. We explored this
approach extensively. However our targets are only one make of router. The program sat on the
shelf for six month until we discovered a use for it.
MTA/MTB
Reply With Quote
#8
12-10-2013, 06:23 PM
soxrok2212
Senior Member
Join Date:
Posts:
Jul 2013
175
Originally Posted by mmusket33
To soxrok2212
The mdk3 part of the script is completed and ready for you to test and correct. We have run it
against CCMP WPS locked routers. We first turned on the WPS locking by requesting pins. After ten
pins recieved the router locked. We then gave the router a quad blast with mdk3 in four Eterm
windows as you suggested. It seems to freeze the router BUT if it reset, the WPS locking did not
reset with the router. We know that after a power failure all the WPS locking resets to off in our
area.
The airodump-ng problem seems to be related to computer speed. On the same computer using
HD install of kali-linux, airodump-ng would freeze within a minute or two. If reset it would run and
then eventually freeze again. With a 16gb usb persistent install of kali-linux airodump-ng froze
within seconds.
6/8
19/4/2014
Your comments concerning the -r command may have merit BUT against the routers in our areas
of operation time between pin request and mac codes requesting these pins has no relationship to
the locking. The locking occurs after ten successful pin requests from any source.
The varmacreaver.sh program available for download in these forums was originally developed to
explore time between pin request versus mac codes requesting said pins. We explored this
approach extensively. However our targets are only one make of router. The program sat on the
shelf for six month until we discovered a use for it.
MTA/MTB
Ok, send me a private message sometime and I'll give you an email to send the beta to. Good
work by the way and I'll do some testing.
Reply With Quote
#9
12-11-2013, 01:09 AM
mmusket33
Senior Member
Join Date:
Posts:
Jul 2013
133
To soxrok2212
We have spent two hours trying to send you the link where you can access the file. We have
given up. We keep getting error messages. Maybe if you send me a message I can reply back to
you with the link.
Reply With Quote
#10
12-11-2013, 02:04 PM
soxrok2212
Senior Member
Join Date:
Posts:
Jul 2013
175
Originally Posted by mmusket33
To soxrok2212
We have spent two hours trying to send you the link where you can access the file. We have given
up. We keep getting error messages. Maybe if you send me a message I can reply back to you
with the link.
Heres my old e-mail: soxrok2212@gmail.com

You can send it there if you'd like.
7/8
19/4/2014
*I don't care if it gets spammed because I don't use it*

Reply With Quote
Page 1 of 12 1 2 3 11 ...
Quick Navigation
Kali Linux General Use
Last
Top
Previous Thread | Next Thread

Posting Permissions
You may not post new threads

You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
[VIDEO] code is On
HTML code is Off
Forum Rules
Contact Us Kali Linux Forums Archive Top
-- Default Style
All times are GMT. The time now is 06:00 AM.
8/8

MDK3 Secret Destruction Mode

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

MDK3 Secret Destruction Mode

Uploaded by

Copyright:

Available Formats

19/4/2014