You are on page 1of 8

19/4/2014

MDK3 Secret Destruction Mode

User Name

Password

Log in

Help

Register

Remember Me?

What's New?

Forum

New Posts FAQ Calendar

Forum

Forum Actions

Kali Linux Forums

Advanced Search

Quick Links

Kali Linux General Use

MDK3 Secret Destruction Mode

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link
above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.
Results 1 to 10 of 118

Page 1 of 12 1 2 3 11 ...

Last

Thread: MDK3 Secret Destruction Mode


Thread Tools

Senior Member
Join Date:
Posts:

Jul 2013
175

Display

#1

12-07-2013, 12:52 AM

soxrok2212

Search Thread

How to Reset WPS Lockouts Using MDK3


Use at your own risk! Section 638:17 of the New
Hampshire House Bill 495 highlights United States
rules against wireless hacking. Attempting to and or
gaining access to a network that you do not own or
have permission to is STRICTLY forbidden. I am
NOT responsible for ANYTHING you do with this
information.
The purpose of this guide is to inform users about
how a router can be exploited to temporarily reset
WPS lockouts. This can be useful when using reaver
to crack a WPS pin. Keep in mind that this does not
work with every router. It largely depends on
hardware. This attack uses MDK3, a set of tools by
ASPj to overload the target AP with useless data,
thus causing it to freeze and reset. Here is how it
works. (Each of these commands are run in a
separate terminal window) and I think you can
figure out the variables here.

https://forums.kali.org/showthread.php?19498-MDK3-Secret-Destruction-Mode

1/8

19/4/2014

MDK3 Secret Destruction Mode

Code:
mdk3 monX a -a xx:xx:xx:xx:xx:xx -m

This floods the target AP with fake clients.


Code:
mdk3 monX m -t xx:xx:xx:xx:xx:xx

This causes Michael failure, stopping all wireless


traffic. However, this only works if the target AP
supports TKIP. (Can be AES+TKIP)
Code:
mdk3 monX d -b blacklist -c X

This keeps a continuous deauth on the network. If


this attack does not start, make a blank text
document in your root folder named blacklist. Leave
it empty as MDK3 automatically populates the list.
Code:
mdk3 monX b -t xx:xx:xx:xx:xx:xx -c X

This floods a bunch of fake APs to any clients in


range (only effective to windows clients and maybe
some other devices, Macs are protected against
this).
You will know when the AP has reset either by
checking with
https://forums.kali.org/showthread.php?19498-MDK3-Secret-Destruction-Mode

2/8

19/4/2014

MDK3 Secret Destruction Mode

Code:
wash -i monX -C

or if the target shows channel -1 and MB shows -1


in airodump.
Please do NOT use this on a network that is not
yours or that you do not have permission to. If the
owner finds out that it is you who is attacking their
network, you may end up in serious legal trouble.
Visit ASPj's site as mentioned above for more
information.
Preventing the attack
As of now, there is no way to prevent the attack
except by disabling wireless, buying a high end
router, or getting an AP that encrypts management
packets. Deauthentication packets are management
frames which are sent UNENCRYPTED unless you
purchase an AP that supports MFP. You can read
more about this here.

Last edited by soxrok2212; 04-09-2014 at 08:33 PM.


Reply With Quote

#2

12-07-2013, 11:28 AM

mmusket33
Senior Member
Join Date:
Posts:

Jul 2013
133

This is great!!! we have been looking for a way to reset WPS locked routers remotely and our
team will be happy to write a script for you however a few questions.
1. You are running the mdk3 a b d and m command lines in four different windows all at the same
time - is this correct?

https://forums.kali.org/showthread.php?19498-MDK3-Secret-Destruction-Mode

3/8

19/4/2014

MDK3 Secret Destruction Mode

2. Your comment "You can also add -m to the end of this so it uses real mac addresses instead
of 00:00:00:00:00:00."
Does that deal with the "a" attack above OR the "d" attack below
This should be easy to write just airodump-ng and four Eterm terminal windows. We already have
a DDOS program written to use with pwnstar that runs the a and g and airodump-ng commands.
We will drop all our other projects with easy-cred and focus on this. However be aware that a
reset WPS router is only going to give you ten keys before it locks up. Anyway we will run some
tests and have something back to you in a few weeks. Anything this is better then trying to
brute force a long key.
Again THANKS!!!!!
Musket Team Alpha
Reply With Quote

#3

12-07-2013, 11:41 AM

soxrok2212
Senior Member
Join Date:
Posts:

Jul 2013
175

112345-

Yes, ultimately you should have a total of 5 windows open at the same time:
airodump
mdk3 a
mdk3 b
mdk3 d
mdk3 m

2- You can add -m after mdk3 a. This will authenticate real mac addresses instead of
00:00:00:00:00:00. HOWEVER, with my Alfa AWUS036H, airodump stops working unless I close
the teminal window and rerun the command.
*I updated the tutorial to hopefully solve future questions*
I could also do some testing with you after you guys push out this tool; I'm excited to see what
we can do!

Last edited by soxrok2212; 12-07-2013 at 01:48 PM.


https://forums.kali.org/showthread.php?19498-MDK3-Secret-Destruction-Mode

4/8

19/4/2014

MDK3 Secret Destruction Mode

Reply With Quote

#4

12-09-2013, 07:21 PM

mmusket33
Senior Member
Join Date:
Posts:

Jul 2013
133

Reference your comment about airodump-ng we know there is an issue with airodump-ng in a
kali-linux install as airodump-ng will freeze randomly in all our computers occassionally. But the
issue is so random we do not know how to even approach the problem.
WE will send you a working copy so you can check the command lines and make suggestions. WE
ran some tests yesterday but they were inconclusive as it was against a CCMP encrypted router.
Reply With Quote

#5

12-09-2013, 07:30 PM

soxrok2212

If you would like to send me what you have now, I can run some tests against TKIP...

Senior Member
Join Date:
Posts:

Jul 2013
175
Last edited by soxrok2212; 12-09-2013 at 07:35 PM.
Reply With Quote

#6

12-10-2013, 02:41 AM

mmusket33
Senior Member
Join Date:
Posts:

We do not see a way to send you the script. We do not want to post an incompleted script for
general use.

Jul 2013
133

Reply With Quote

#7

12-10-2013, 12:28 PM

mmusket33
Senior Member
Join Date:

Jul 2013

To soxrok2212
The mdk3 part of the script is completed and ready for you to test and correct. We have run it
against CCMP WPS locked routers. We first turned on the WPS locking by requesting pins. After

https://forums.kali.org/showthread.php?19498-MDK3-Secret-Destruction-Mode

5/8

19/4/2014

MDK3 Secret Destruction Mode

Posts:

133

ten pins recieved the router locked. We then gave the router a quad blast with mdk3 in four
Eterm windows as you suggested. It seems to freeze the router BUT if it reset, the WPS locking
did not reset with the router. We know that after a power failure all the WPS locking resets to
off in our area.
The airodump-ng problem seems to be related to computer speed. On the same computer using
HD install of kali-linux, airodump-ng would freeze within a minute or two. If reset it would run and
then eventually freeze again. With a 16gb usb persistent install of kali-linux airodump-ng froze
within seconds.
Your comments concerning the -r command may have merit BUT against the routers in our areas
of operation time between pin request and mac codes requesting these pins has no relationship
to the locking. The locking occurs after ten successful pin requests from any source.
The varmacreaver.sh program available for download in these forums was originally developed to
explore time between pin request versus mac codes requesting said pins. We explored this
approach extensively. However our targets are only one make of router. The program sat on the
shelf for six month until we discovered a use for it.
MTA/MTB
Reply With Quote

#8

12-10-2013, 06:23 PM

soxrok2212
Senior Member
Join Date:
Posts:

Jul 2013
175

Originally Posted by mmusket33

To soxrok2212
The mdk3 part of the script is completed and ready for you to test and correct. We have run it
against CCMP WPS locked routers. We first turned on the WPS locking by requesting pins. After ten
pins recieved the router locked. We then gave the router a quad blast with mdk3 in four Eterm
windows as you suggested. It seems to freeze the router BUT if it reset, the WPS locking did not
reset with the router. We know that after a power failure all the WPS locking resets to off in our
area.
The airodump-ng problem seems to be related to computer speed. On the same computer using
HD install of kali-linux, airodump-ng would freeze within a minute or two. If reset it would run and
then eventually freeze again. With a 16gb usb persistent install of kali-linux airodump-ng froze
within seconds.

https://forums.kali.org/showthread.php?19498-MDK3-Secret-Destruction-Mode

6/8

19/4/2014

MDK3 Secret Destruction Mode

Your comments concerning the -r command may have merit BUT against the routers in our areas
of operation time between pin request and mac codes requesting these pins has no relationship to
the locking. The locking occurs after ten successful pin requests from any source.
The varmacreaver.sh program available for download in these forums was originally developed to
explore time between pin request versus mac codes requesting said pins. We explored this
approach extensively. However our targets are only one make of router. The program sat on the
shelf for six month until we discovered a use for it.
MTA/MTB

Ok, send me a private message sometime and I'll give you an email to send the beta to. Good
work by the way and I'll do some testing.
Reply With Quote

#9

12-11-2013, 01:09 AM

mmusket33
Senior Member
Join Date:
Posts:

Jul 2013
133

To soxrok2212
We have spent two hours trying to send you the link where you can access the file. We have
given up. We keep getting error messages. Maybe if you send me a message I can reply back to
you with the link.

Reply With Quote

#10

12-11-2013, 02:04 PM

soxrok2212
Senior Member
Join Date:
Posts:

Jul 2013
175

Originally Posted by mmusket33

To soxrok2212
We have spent two hours trying to send you the link where you can access the file. We have given
up. We keep getting error messages. Maybe if you send me a message I can reply back to you
with the link.

Heres my old e-mail: soxrok2212@gmail.com


You can send it there if you'd like.
https://forums.kali.org/showthread.php?19498-MDK3-Secret-Destruction-Mode

7/8

19/4/2014

MDK3 Secret Destruction Mode

*I don't care if it gets spammed because I don't use it*

Last edited by soxrok2212; 12-11-2013 at 02:42 PM.


Reply With Quote

Page 1 of 12 1 2 3 11 ...
Quick Navigation

Kali Linux General Use

Last
Top

Previous Thread | Next Thread


Posting Permissions

You may not post new threads


You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
[VIDEO] code is On
HTML code is Off
Forum Rules

Contact Us Kali Linux Forums Archive Top

-- Default Style

All times are GMT. The time now is 06:00 AM.

https://forums.kali.org/showthread.php?19498-MDK3-Secret-Destruction-Mode

8/8