Beacons Beacons Everywhere: Using MDK3 for SSID Flood
MDK3 is a wireless tool which comes packaged in the Backtrack and Kali distros. It doesn't seem to be available via package managers in other distros, but the tarball can be downloaded here. For the purposes of this tutorial we will assume you are working with the Kali distro. Some of these commands would require sudo under other distros; in Kali you run as root, but we'll include the sudo command where it would be necessary elsewhere.
The program is very versatile and contains a great many options which take advantage of various weaknesses in the 802.11 protocol. It should be considered a proof of concept exploit tool and should not be run without the permission of the network owner. However, when working with a home lab setup it is very useful in developing an understanding of how wifi works and how vulnerable wifi networks can be. With the increasing adoption of wifi within business, attacks which gain entry over wifi are becoming more common and wifi penetration testing is now a skill in demand. Over a series of blog posts we'll look at wifi and tools used to test it, but for now back to MDK3.
As I've said, MDK3 has a variety of options. Amongst its uses are a DoS attack carried out by sending multiple authentication packets; sending deauthentication packets, which kick computers off a network; and trying a variety of known MAC addresses to authenticate to a network while dynamically changing the timeout period.
MDK3 does not have a man page and info won't help either. Its basic options are listed simply by running the command with no arguments, and fuller help is printed with the --fullhelp option.
The general format of MDK3 commands run:
mdk3 <interface to use> <mode to use> <options specific to mode>
Wifi Basics and Commands to Interact with the Network Card
Let's run through a fun example. You can use MDK3 to send out packets, known in wifi terminology as "frames", which imitate a wifi router's SSID. Standing for Service Set Identifier, the SSID is the public name of a wifi network, the name you see when your computer connects to a network. Routers in wifi terminology are known as APs (Access Points). MDK3's beacon mode sends out a frame carrying the name of your choice; not only that, but it can cycle through a list of SSIDs stored in a text file.
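To make the beacon frame concrete, here is an added example (my own code, not part of the original post and not MDK3's code) that parses the SSID and channel out of raw 802.11 beacon bytes. It builds a constructed sample frame in memory purely as test input (nothing is transmitted), then walks the management header, the fixed parameters and the tagged parameters to find the SSID element (tag 0) and the DS Parameter Set (tag 3). It also enforces the 32-byte SSID limit and spots the zero-length SSID used by "hidden" networks, which is what a monitoring tool sees when it looks at the frames MDK3 sends.

```python
import struct

# 802.11 management header: frame control, duration, addr1, addr2, addr3, sequence control
MGMT_HEADER = struct.Struct("<HH6s6s6sH")
# Beacon fixed parameters: timestamp, beacon interval, capability info
FIXED_PARAMS = struct.Struct("<QHH")

TAG_SSID = 0
TAG_DS_PARAMS = 3          # value is the single channel byte
CAP_PRIVACY = 0x0010       # capability bit set when the AP requires encryption


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def sample_beacon(ssid: bytes, bssid: bytes, channel: int, privacy: bool = False) -> bytes:
    """Constructed test fixture: assemble the bytes of one beacon frame (never sent anywhere)."""
    capability = 0x0001 | (CAP_PRIVACY if privacy else 0)     # ESS bit, optionally Privacy
    # Frame control 0x0080 = management frame, subtype beacon; destination is broadcast
    header = MGMT_HEADER.pack(0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = FIXED_PARAMS.pack(0, 100, capability)            # interval 100 TU (~102 ms)
    tags = bytes([TAG_SSID, len(ssid)]) + ssid
    tags += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])             # supported rates 1/2/5.5/11 Mbit
    tags += bytes([TAG_DS_PARAMS, 1, channel])
    return header + fixed + tags


def parse_beacon(frame: bytes) -> dict:
    """Extract BSSID, SSID, channel and privacy flag from a raw beacon frame."""
    if len(frame) < MGMT_HEADER.size + FIXED_PARAMS.size:
        raise ValueError("frame too short to be a beacon")
    fc, _duration, _da, sa, bssid, _seq = MGMT_HEADER.unpack_from(frame, 0)
    if (fc & 0xFF) != 0x80:
        raise ValueError("not a beacon frame")
    offset = MGMT_HEADER.size
    _timestamp, interval, capability = FIXED_PARAMS.unpack_from(frame, offset)
    offset += FIXED_PARAMS.size

    info = {
        "sa": mac_str(sa),
        "bssid": mac_str(bssid),
        "beacon_interval": interval,
        "privacy": bool(capability & CAP_PRIVACY),
        "ssid": None,
        "hidden": False,
        "channel": None,
    }
    # Tagged parameters: 1-byte id, 1-byte length, value
    while offset + 2 <= len(frame):
        tag, length = frame[offset], frame[offset + 1]
        value = frame[offset + 2: offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated tagged parameter")
        offset += 2 + length
        if tag == TAG_SSID:
            if length > 32:
                raise ValueError("SSID element longer than 32 bytes")
            info["hidden"] = length == 0          # zero-length SSID = hidden network
            info["ssid"] = value.decode("utf-8", errors="replace")
        elif tag == TAG_DS_PARAMS and length == 1:
            info["channel"] = value[0]
    return info


if __name__ == "__main__":
    frame = sample_beacon(b"homelab", bytes.fromhex("001122334455"), channel=6, privacy=True)
    print(parse_beacon(frame))
```

Feeding real frames to `parse_beacon` would mean reading a monitor-mode capture (for example a pcap taken while MDK3 was running) and stripping any radiotap header first; the parser deliberately stops at the fields a defender needs to recognise a flood of unfamiliar SSIDs and BSSIDs.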
The first thing you will need to do is create a text file. Name it whatever you like, ending in .txt, and list the names of the fake APs you want to see, one on each line. An SSID cannot be longer than 32 characters and can be alphanumeric. Once you have the file you'll need to check what the name of your wireless interface is. This is most likely to be wlan0; however, this is a good time to get to know the ifconfig command. Issuing ifconfig from the terminal brings up a list of what are known as your network interfaces. If you have an ethernet port you will most likely see eth0, for example, and your wifi interface will most likely be named wlan0 or similar. If you are currently connected to the internet via wifi you will see a lot of useful information via ifconfig, like the IP address your computer has been assigned. You can also turn your wifi card off and on with the commands:
sudo ifconfig wlan0 down or sudo ifconfig wlan0 up.
Ifconfig is not the only way to manage your network interfaces, it is worth learning the iwconfig and nmcli commands as well.
Next we are going to put our wifi card into monitor mode. There are six different modes that a wifi card can be put into and they deserve a blog post all of their own. Most people are only familiar with, or indeed interested in, managed (also known as infrastructure) mode. This is the mode which connects a single computer to a wifi network. The mode that we need here is monitor (also known as promiscuous) mode. Monitor mode allows you to monitor the traffic on the network that you are connected to, known as packet sniffing. It is also the mode that MDK3 requires you to be in so as to send out fake AP SSIDs.
Here you have two choices: you can simply disconnect from your current network, set your card into monitor mode by hand and use MDK3, or you can use the Airmon script from the Aircrack tools to change to monitor mode and rename the interface to avoid confusion.
Method One- Engage Monitor Mode Manually
To disconnect from your current network let's use nmcli:
nmcli dev disconnect iface wlan0
If you use ifconfig now you'll see that your wlan0 is still up; it is just not connected to the network. Next take your wifi card down using the ifconfig down command shown earlier.
Next let's change the mode of the wifi card with iwconfig:
sudo iwconfig wlan0 mode monitor
Now bring the interface back up with the ifconfig up command shown earlier.
And we're done! You can check with the iwconfig command and you should see the mode listed as monitor.
Method Two- Using Airmon to Engage Monitor Mode
Airmon is part of the Aircrack suite of tools, another incredibly powerful set of tools to work with wifi networks. More of this in another post. For now it's best to know that if you are serious about learning to manipulate wifi and are not using Backtrack or Kali you'll want to visit the Aircrack site and sudo apt-get install aircrack-ng.
Using Airmon to engage monitor mode is really simple:
sudo airmon-ng start wlan0
If everything has worked, after a few lines of output you should be able to use iwconfig to see that your wlan0 has been turned into mon0 (newer releases of airmon-ng name it wlan0mon instead), monitor mode is enabled and the interface is up. Airmon has some other useful options, like being able to specify which wifi channel you are using and to run a check to make sure that there are no other processes running which would interfere with engaging mon0. Being able to specify the wifi channel is very useful later on when attacking, spoofing or otherwise investigating a specific network.
After all of this, actually running mdk3 is quite simple. Make sure you are in the directory with your text file, then run mdk3 against wlan0 in beacon mode (mode b), passing your text file with the -f option, if you used Method One. If you used Method Two, substitute mon0 for wlan0 as the interface.
Assuming that everything is working properly the output should look something like this:
Current MAC: xx:xx:xx:xx:xx:xx on Channel x with SSID: "text1"
Current MAC: xx:xx:xx:xx:xx:xx on Channel x with SSID: "text2"
Current MAC: xx:xx:xx:xx:xx:xx on Channel x with SSID: "text3"
Current MAC: xx:xx:xx:xx:xx:xx on Channel x with SSID: "text4"
If you leave it for a few seconds and then check another device for available networks you will see them listed. If for some reason they don't appear on a specific device then disconnect it from whatever network it is connected to and search again. So that's it. I hope you've learnt a little more about the wonders of wifi and are encouraged to look into the tools more deeply. In future posts we'll cover other aspects of wifi and tools that can be used to manipulate it.
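Seen from the other side of the air, the output above has a telltale shape: every SSID arrives from a different, never-before-seen MAC, dozens of them within seconds, where a normal neighbourhood has a handful of BSSIDs that beacon steadily. As an added example (my own code, not from the original post or from MDK3), here is a small detector that applies exactly that heuristic to a list of beacon observations. The capture is constructed inline; the window of 10 seconds and the threshold of 20 first-seen BSSIDs are assumptions chosen for the sample, not values from the post, and in practice you would feed it rows from a monitor-mode tool such as airodump-ng.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """One beacon observation: when it was seen, from which BSSID, advertising which SSID."""
    ts: float
    bssid: str
    ssid: str
    channel: int


def detect_beacon_flood(beacons, window: float = 10.0, max_new_bssids: int = 20) -> dict:
    """Flag a beacon flood when more than `max_new_bssids` BSSIDs appear for the
    first time within any `window`-second span. Re-beacons from known BSSIDs are
    ignored, so steady legitimate APs never push the count up."""
    seen = set()
    recent_first_sightings = deque()      # timestamps of first-seen BSSIDs inside the window
    result = {"flood": False, "first_alert_ts": None, "peak_new_bssids": 0, "distinct_bssids": 0}

    for b in sorted(beacons, key=lambda x: x.ts):
        if b.bssid in seen:
            continue
        seen.add(b.bssid)
        recent_first_sightings.append(b.ts)
        # drop first sightings that have aged out of the window
        while recent_first_sightings and recent_first_sightings[0] < b.ts - window:
            recent_first_sightings.popleft()
        count = len(recent_first_sightings)
        result["peak_new_bssids"] = max(result["peak_new_bssids"], count)
        if count > max_new_bssids and not result["flood"]:
            result["flood"] = True
            result["first_alert_ts"] = b.ts

    result["distinct_bssids"] = len(seen)
    return result


def constructed_capture(include_flood: bool = True):
    """Constructed sample: three real APs beaconing every 100 ms for 30 s, plus
    (optionally) fifty fake SSIDs from fifty fresh MACs starting at t=20 s."""
    real_aps = [
        ("aa:bb:cc:00:00:01", "HomeNet", 6),
        ("aa:bb:cc:00:00:02", "HomeNet-5G", 36),
        ("dd:ee:ff:00:00:03", "Neighbour", 11),
    ]
    beacons = []
    for tick in range(300):
        t = tick * 0.1
        for bssid, ssid, ch in real_aps:
            beacons.append(Beacon(t, bssid, ssid, ch))
    if include_flood:
        for i in range(50):
            # locally administered MACs, one per fake SSID, 100 ms apart
            beacons.append(Beacon(20.0 + i * 0.1, f"02:00:00:00:00:{i:02x}", f"text{i + 1}", 6))
    return beacons


if __name__ == "__main__":
    print("quiet air:", detect_beacon_flood(constructed_capture(include_flood=False)))
    print("flooded  :", detect_beacon_flood(constructed_capture()))
```

Counting first sightings rather than frames is what keeps the rule cheap and robust: a legitimate AP beacons ten times a second but is only ever counted once, while a flood that cycles MAC addresses per SSID adds a new BSSID every frame. A tool that spoofs a fixed MAC would need a second rule (many SSIDs from one BSSID), which is a one-line variation on the same loop.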