Nov 10, 2011

[Tutorial] Wireless Havoc With MDK3!! (III)

This is the third post of "wireless havoc with MDK3" series. If you havent already read the first two posts then please go here(i) and here(ii).

This one is probably going to be the most effective way of using mdk3 to create a real wireless havoc in the environment around you. Please enjoy...

1) First we will learn about "d", Deauthentication / Dissassociation Amok Mode. And after that we will learn the effect of "d" used with "b", ( I guess many of you have already known or guessed the result!! :D)

Ok, as the name suggests, this attack is used to deauthenticate/dissaossociate the connected clients from the taget AP. In simple language it just kicks/disconnects the clients from AP everytime they try to connect. As long as the attack runs, the target will never be able to connect to the AP unless he does some serious change to the AP or interface itself, but it still can be attacked again after changing the credentials. :D

Lets check the options of "d".

Not much options here, so easy and short to learn.. but still one of the most disastrous exploits. :D

First lets understand how it works,

you can see -w and -b options for whitelisted MACs and Blacklisted MACs respectively.

Create a file of any name, add the MAC address of AP or Clients that you dont want to attack, this will be your whitelist file. It is recommended to add MAC of your client and AP so that you dont get kicked out of your own AP by your own doings. :D
Similarly, create a file of any name, add MAC address of AP or Clients that you wish to attack, this will be your blacklist file.

Basic command is:
mdk3 mon0 d  

As you can see, this command disconnected each and every AP and Client it found in its range. Good for mass attack, but probably not that good if you want to save yourself and target some particulars. So, lets play witht the options.

* -w

mdk3 mon0 d -w whitelist_file

What this command does is, it disconnects everything it finds except for the MACs saved in the whitelist file.

I have added MAC of my wifi adapter connected to the AP with address 00:16:01:ED:2B:CB, it disconnected other clients except mine.


mdk3 mon0 d -b blacklist_file

Similarly, it searches and disconnects just the MACs saved in the blacklist file, good for attacking a single client.

I had hadded the MAC 00:26:B0:AE:8D:E5 in the blaclist_file, so no matter how many times he tries, he will never succeed in connecting to the AP.

Update: Specify the channel option too for better performance. chipset rt3070/2870 needs channel to deauthenticate, maybe other chips need it too. 
>>>mdk3 mon0 d -b blacklist_file -c channelofap<<<

Finally, how to use "b" with "d"?? Use "d" first and start the "b" with either no options or some essid's matching your target so that he gets disconnected each and every time, and when he scans the network he will find strange ESSIDs which will make him think that his wireless card has broken/damaged.

Another good use of mdk3 is, suppose you are in your school/office where there is wifi with good speed, but many people are connected to it and the speed has decreased dramatically, you desperately need/want all the bandwidth, now guess what you can do with "d"?? 
Though there is a better way of getting all the bandwidth from a network without kicking anyone out, which we will discuss in later posts.

Now final tutorial of "a" remains. We will cover it in next post. :)


  1. This is awesome...........b and d combination ;)

  2. Thank You For Reading And Commenting!!

  3. Hi Deathknight,
    I cant get this working :( I tried it with three different wlan cards (Atheros, Broadcom and Alfa).
    I use bt5r2 as a live cd, then started monitor mode, then tried at first "mdk3 mon0 d". My own connection didnt get kicked and I waited 30 minutes for "my turn". Afterthat, I tried "mdk3 mon0 d -b blacklist" with my own AP, yet I could happily use the internet with an other Laptop.
    What did I do wrong? :(

    I had a similar problem with "mdk3 mon0 a", even there it didnt disconnect me (and again I waited 30 minutes for my turn). I was using an alfa wlan adapter.

    Only "mdk3 mon a -a ab:cd:..:xy" worked :) Instantly I was unable to use the internet. But even here, once I activated the mac filter, this attack was once again useless :(
    This attack (mdk3 mon a -a ab:cd:..:xy) only works with my alfa card.

    Cheers :)

    1. Hello,
      mdk3 doesnt deauthenticate unless the device is sending/receiving data, i.e, if the device is connected but idle then it doesnt deauthenticate. Even my own computer was deauthenticated as soon as I tried to browse some pages. I am not sure what may have gone wrong with yours. It may sound silly, but is the blacklist file in the same directory? Have you tried with whitelist too?

      Yes, it seems that mdk3 authentication doesnt work if mac filter is enabled.
      If you want I will make some screenshots or a video of my own client being disconnected and also another laptop being disconnected.
      Can I suggest not to use Live CD, instead used it installed.

      If you keep following the blog then I have a plan to make two tutorials: 1st: WPS and 2nd: using mdk3 + some clever trick to crack WPA with WPS vulnerablity.

    2. Hello DK :),
      I did check it being in the same directory. I opened (in bt5v2) gedit and entered
      in the firstline my own mac adresse. I did double check (with ls) whether its really there. It was saved in the root directory. I ran from the root directory the mdk3 command, where the blacklist was. Yet no sucess.

      I will try with bt5r1, maybe it works there?

      Yes, I follow your blog :) Its very enlightening :) I learned a lot about security in a few hours ;) I will be looking forward to read your WPS tutorial.
      At the moment, I am just trying to understand, how I can take down my own access point :/?
      (with the macfilter, the a option is out. the d option, I cant get it running :(.
      Those are the two options?)
      How does an install make a difference to a live CD (Just for knowledge sake)?

      Are you using, by any chance, the alfa awus036nh?

      Cheers :)

    3. ah, awus036nh has rt73 chip i guess... Mine is rtl8187L. maybe it makes the difference, I cant be sure about it. But most of people prefer Awus036h, or lets say rtl8187 chipset. Mine is same as awus036h but manufactured by another company called wavion. So, if you can by any chance then it is better to get alfa awus036h, exchange with someone maybe?

      Not much difference between live and installed, except live consumes much of RAM than installed, i guess you already know that. :) But still I prefer installed (maybe psychology, :D)

      And THanks for the complements. :)

    4. Corrected: RT3070 chip in alfa awus036nh.
      Read the fifth post in this link, it gives difference between 036h and 036nh in a bit detailed way. Seems both have their pros and cons, so difficult to decide which is better. :)

    5. Hi DK :),
      Is it right, that I understand, with mdk3, you cannot take down every router?
      with the option "d" it wont work on every wifi card (not with the 036nh).
      Option "a" wont work with mac filter?
      And if you have a 036h card, you cannot take down 802.11g network?

      I would like to see me take down my router :) I mean, I want to not be able to connect to my router with any other phone laptop or any other device :)
      If mdk3 isnt the solution, is there some "ultra way" of taking down my router?

      Cheers :)

    6. well, what do you mean by taking down? crashing or just DoS? If you are hinting to crashing then i highly doubt that most of new routers will crash... even my old dlink did not crash out, just DoS took place.
      Apparantly it seems that 'a' doesnt work with macfilter, but let me test it again.

      if we have 036h card then with it we CAN take down 802.11g network.

      and for 036nh, rt3070, i have done a bit of googling and seems that it needs driver patch for packet injection. can you get injection working with this command: aireplay-ng -9 mon0 or can you deauthenticate clients with aireplay-ng -0 0 -a router_mac -c client_mac mon0?
      check it please. I have read in many places that rt3070 doent support paket injection by default. but lets make it sure.. :)

      Also, I think my friend has rt3070 chipset in Digicom adapter, let me make sure of it, and if he permits I will test it myself.

      airdrop-ng and aireplay-ng can deauthenticate the clients. But only if Packet Injection is supported...

    7. Ok, I got rt3070, and as you said, it says Disconnecting between ap and client, but it doesnt disconnects it. Let me play with some of its drivers. and if i had any success I will inform you. Y
      Also, you can contact me directly via email too, deathknight:at:hackcommunity:dot:com

    8. Hi DK:) ,
      packet injection is supported (bt5)
      Cheers! :)

    9. Hi DK:)
      I dont want to spoil my hardware :) I just want to see, whether I can sucessfully dos it without getting it toooo complicated.

      About packet injection, its supported (bt5/bt5r1 and r2).

      Cheers :)

    10. OK Brother, I found the solution to mdk3 deauthentication mode.
      put the -c option too. channel of the AP. and it will work.

  4. Hi DK :)
    Can I suggest a tutorial about airdrop-ng?
    Cheers :)

    1. I tried airdrop as soon as it was released, but found it confusing/hard to configure, in fact I didnt actually get how to create/configure the rules. So I opted to mdk3 or 'aireplay-ng 0' option. But if you really want airdrop, then give me some time. About a couple of weeks, as I am giving my semester exams right now... and believe me, exams are total shit... :D

    2. i totally believe :) I have the same problem :/

  5. Ok DK,

    I have read everyone of your posts and you are VERY good at replying back so hopefully you can help me. I know my way around BT5R2 pretty well but I can't for the life of me get the whitelist to work properly(not at all)
    SO this is what I have done.. I've successfully DoS'd everyone that I live with(bandwidth hogs) using mdk3 mon0 d.
    I've seen a couple other tutorials for mdk3 and basically the whitelist is in /pentest/wireless/mdk3 where its supposed to be correct? So when I try to make a white list with my MAC mdk3 doesn't know where to look even if I create that folder in the wireless directory and name it mdk3.. So what I'm wondering is where the hell is mdk3 installed to so I can finally enjoy the internet I pay for?

    1. By reading you comment, what I Have deduced is, you are doing one thing wrong. (I maybe wrong in understanding, if so then please correct me).

      Whitelist doesnt need to be in mdk3 can put whitelist anywherre you want provided that you give the path to whitelist when you execute mdk3. eg:
      suppose you whitelist is in /var/cache/www (just example, then ypur command would be:

      mdk3 mon0 d -w /var/cache/www/whitelist_file_name

      or just cd to /var/cache/www and run: mdk3 mon0 d -w whitelist_file_name.

      I hope it is clear, please try it and post the result, successful or unsuccessful.

  6. Hi DK! What format of whitelist, blacklist is (how to wright them)?

  7. Sorry, how to write them?

    1. its quite simple,
      just create a file, name it anything you want.
      and add the mac address there, eg:

      that's all, feel free to ask me if you did not understand. :)