MDK3 Secret Destruction Mode


Transcript of MDK3 Secret Destruction Mode

  • 19/4/2014 MDK3 Secret Destruction Mode

    https://forums.kali.org/showthread.php?19498-MDK3-Secret-Destruction-Mode 1/8


    Thread: MDK3 Secret Destruction Mode


    12-07-2013, 12:52 AM

    #1 soxrok2212, Senior Member (Join Date: Jul 2013; Posts: 175)

    How to Reset WPS Lockouts Using MDK3

    Use at your own risk! Section 638:17 of the New Hampshire House Bill 495 highlights United States rules against wireless hacking. Attempting to and or gaining access to a network that you do not own or have permission to is STRICTLY forbidden. I am NOT responsible for ANYTHING you do with this information.

    The purpose of this guide is to inform users about how a router can be exploited to temporarily reset WPS lockouts. This can be useful when using reaver to crack a WPS pin. Keep in mind that this does not work with every router. It largely depends on hardware. This attack uses MDK3, a set of tools by ASPj to overload the target AP with useless data, thus causing it to freeze and reset. Here is how it works. (Each of these commands is run in a separate terminal window) and I think you can figure out the variables here.

    Code:

    mdk3 monX a -a xx:xx:xx:xx:xx:xx -m

    This floods the target AP with fake clients.

    Code:

    mdk3 monX m -t xx:xx:xx:xx:xx:xx

    This causes Michael failure, stopping all wireless traffic. However, this only works if the target AP supports TKIP. (Can be AES+TKIP)

    Code:

    mdk3 monX d -b blacklist -c X

    This keeps a continuous deauth on the network. If this attack does not start, make a blank text document in your root folder named blacklist. Leave it empty as MDK3 automatically populates the list.

    Code:

    mdk3 monX b -t xx:xx:xx:xx:xx:xx -c X

    This floods a bunch of fake APs to any clients in range (only effective to windows clients and maybe some other devices, Macs are protected against this).

    You will know when the AP has reset either by checking with

    Code:

    wash -i monX -C

    or if the target shows channel -1 and MB shows -1 in airodump.

    Please do NOT use this on a network that is not yours or that you do not have permission to. If the owner finds out that it is you who is attacking their network, you may end up in serious legal trouble.

    Visit ASPj's site as mentioned above for more information.

    Preventing the attack

    As of now, there is no way to prevent the attack except by disabling wireless, buying a high end router, or getting an AP that encrypts management packets. Deauthentication packets are management frames which are sent UNENCRYPTED unless you purchase an AP that supports MFP. You can read more about this here.

    Last edited by soxrok2212; 04-09-2014 at 08:33 PM.
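
A defender-side view of the floods described in the post above, as an added example that is not part of the original thread: a small detector over 802.11 management-frame metadata that flags the authentication, deauthentication and beacon floods by per-window counts. The frame tuples, MAC addresses, limits and function names are constructed for illustration; the TKIP Michael-failure attack is not covered.

```python
from collections import Counter, defaultdict

BEACON, AUTH, DEAUTH = 8, 11, 12  # 802.11 management frame subtypes

# Per-window limits: assumed values, tune them to the site's baseline.
LIMITS = {"auth_flood": 30, "deauth_flood": 20, "beacon_flood": 10}

def detect_floods(frames, known_bssids, window_s=10, limits=LIMITS):
    """frames: iterable of (ts_seconds, subtype, src_mac, bssid).
    Returns sorted (window_start, alert, bssid, count) tuples."""
    per_bssid = Counter()          # (window, alert, bssid) -> frame count
    new_bssids = defaultdict(set)  # window -> BSSIDs missing from inventory
    for ts, subtype, src, bssid in frames:
        w = int(ts // window_s) * window_s
        if subtype == AUTH:
            # Count frames, not distinct MACs, so a flood that reuses one
            # source address still trips the limit.
            per_bssid[(w, "auth_flood", bssid)] += 1
        elif subtype == DEAUTH:
            per_bssid[(w, "deauth_flood", bssid)] += 1
        elif subtype == BEACON and bssid not in known_bssids:
            new_bssids[w].add(bssid)
    alerts = [(w, kind, bssid, n) for (w, kind, bssid), n in per_bssid.items()
              if n > limits[kind]]
    alerts += [(w, "beacon_flood", "*", len(s)) for w, s in new_bssids.items()
               if len(s) > limits["beacon_flood"]]
    return sorted(alerts)

def sample_capture():
    """Constructed frame metadata: a quiet window, then a noisy one."""
    ap = "02:00:00:00:00:01"  # constructed BSSID of the monitored AP
    frames = [(t, BEACON, ap, ap) for t in range(0, 20)]
    frames += [(3.0, AUTH, "02:00:00:00:00:aa", ap),    # one client joins
               (4.0, DEAUTH, "02:00:00:00:00:aa", ap)]  # and leaves
    for i in range(200):  # burst inside the window starting at 10 s
        t = 10 + i * 0.04
        src = "02:00:00:00:%02x:%02x" % (i // 256, i % 256)
        frames.append((t, AUTH, src, ap))
        if i < 120:
            frames.append((t, DEAUTH, ap, ap))
        if i < 60:
            fake = "02:00:00:01:00:%02x" % i
            frames.append((t, BEACON, fake, fake))
    return frames, {ap}

if __name__ == "__main__":
    frames, inventory = sample_capture()
    for alert in detect_floods(frames, inventory):
        print(alert)
```
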


    12-07-2013, 11:28 AM

    #2 mmusket33, Senior Member (Join Date: Jul 2013; Posts: 133)

    This is great!!! We have been looking for a way to reset WPS locked routers remotely and our team will be happy to write a script for you however a few questions.

    1. You are running the mdk3 a b d and m command lines in four different windows all at the same time - is this correct?

    2. Your comment "You can also add -m to the end of this so it uses real mac addresses instead of 00:00:00:00:00:00."

    Does that deal with the "a" attack above OR the "d" attack below?

    This should be easy to write just airodump-ng and four Eterm terminal windows. We already have a DDOS program written to use with pwnstar that runs the a and g and airodump-ng commands. We will drop all our other projects with easy-cred and focus on this. However be aware that a reset WPS router is only going to give you ten keys before it locks up. Anyway we will run some tests and have something back to you in a few weeks. Anything this is better than trying to brute force a long key.

    Again THANKS!!!!!

    Musket Team Alpha


    12-07-2013, 11:41 AM

    #3 soxrok2212, Senior Member (Join Date: Jul 2013; Posts: 175)

    1- Yes, ultimately you should have a total of 5 windows open at the same time:
    1- airodump
    2- mdk3 a
    3- mdk3 b
    4- mdk3 d
    5- mdk3 m

    2- You can add -m after mdk3 a. This will authenticate real mac addresses instead of 00:00:00:00:00:00. HOWEVER, with my Alfa AWUS036H, airodump stops working unless I close the terminal window and rerun the command.

    *I updated the tutorial to hopefully solve future questions*

    I could also do some testing with you after you guys push out this tool; I'm excited to see what we can do!

    Last edited by soxrok2212; 12-07-2013 at 01:48 PM.

    12-09-2013, 07:21 PM

    #4 mmusket33, Senior Member (Join Date: Jul 2013; Posts: 133)

    Reference your comment about airodump-ng we know there is an issue with airodump-ng in a kali-linux install as airodump-ng will freeze randomly in all our computers occasionally. But the issue is so random we do not know how to even approach the problem.

    We will send you a working copy so you can check the command lines and make suggestions. We ran some tests yesterday but they were inconclusive as it was against a CCMP encrypted router.

    12-09-2013, 07:30 PM

    #5 soxrok2212, Senior Member (Join Date: Jul 2013; Posts: 175)

    If you would like to send me what you have now, I can run some tests against TKIP...

    Last edited by soxrok2212; 12-09-2013 at 07:35 PM.

    12-10-2013, 02:41 AM

    #6 mmusket33, Senior Member (Join Date: Jul 2013; Posts: 133)

    We do not see a way to send you the script. We do not want to post an incomplete script for general use.

    12-10-2013, 12:28 PM

    #7 mmusket33, Senior Member (Join Date: Jul 2013; Posts: 133)

    To soxrok2212

    The mdk3 part of the script is completed and ready for you to test and correct. We have run it against CCMP WPS locked routers. We first turned on the WPS locking by requesting pins. After ten pins received the router locked. We then gave the router a quad blast with mdk3 in four Eterm windows as you suggested. It seems to freeze the router BUT if it reset, the WPS locking did not reset with the router. We know that after a power failure all the WPS locking resets to off in our area.

    The airodump-ng problem seems to be related to computer speed. On the same computer using HD install of kali-linux, airodump-ng would freeze within a minute or two. If reset it would run and then eventually freeze again. With a 16gb usb persistent install of kali-linux airodump-ng froze within seconds.

    Your comments concerning the -r command may have merit BUT against the routers in our areas of operation time between pin request and mac codes requesting these pins has no relationship to the locking. The locking occurs after ten successful pin requests from any source.

    The varmacreaver.sh program available for download in these forums was originally developed to explore time between pin request versus mac codes requesting said pins. We explored this approach extensively. However our targets are only one make of router. The program sat on the shelf for six months until we discovered a use for it.

    MTA/MTB

    12-10-2013, 06:23 PM

    #8 soxrok2212, Senior Member (Join Date: Jul 2013; Posts: 175)

    Originally Posted by mmusket33

    To soxrok2212

    The mdk3 part of the script is completed and ready for you to test and correct. We have run it against CCMP WPS locked routers. We first turned on the WPS locking by requesting pins. After ten pins received the router locked. We then gave the router a quad blast with mdk3 in four Eterm windows as you suggested. It seems to freeze the router BUT if it reset, the WPS locking did not reset with the router. We know that after a power failure all the WPS locking resets to off in our area.

    The airodump-ng problem seems to be related to computer speed. On the same computer using HD install of kali-linux, airodump-ng would freeze within a minute or two. If reset it would run and then eventually freeze again. With a 16gb usb persistent install of kali-linux airodump-ng froze within seconds.

    Your comments concerning the -r command may have merit BUT against the routers in our areas of operation time between pin request and mac codes requesting these pins has no relationship to the locking. The locking occurs after ten successful pin requests from any source.

    The varmacreaver.sh program available for download in these forums was originally developed to explore time between pin request versus mac codes requesting said pins. We explored this approach extensively. However our targets are only one make of router. The program sat on the shelf for six months until we discovered a use for it.

    MTA/MTB

    Ok, send me a private message sometime and I'll give you an email to send the beta to. Good work by the way and I'll do some testing.

    12-11-2013, 01:09 AM

    #9 mmusket33, Senior Member (Join Date: Jul 2013; Posts: 133)

    To soxrok2212

    We have spent two hours trying to send you the link where you can access the file. We have given up. We keep getting error messages. Maybe if you send me a message I can reply back to you with the link.

    12-11-2013, 02:04 PM

    #10 soxrok2212, Senior Member (Join Date: Jul 2013; Posts: 175)

    Originally Posted by mmusket33

    To soxrok2212

    We have spent two hours trying to send you the link where you can access the file. We have given up. We keep getting error messages. Maybe if you send me a message I can reply back to you with the link.

    Here's my old e-mail: [email protected]

    You can send it there if you'd like.

    *I don't care if it gets spammed because I don't use it*

    Last edited by soxrok2212; 12-11-2013 at 02:42 PM.

    All times are GMT.
