
Thread: MDK3 Secret Destruction Mode

  1. #1
    Senior Member
    Join Date
    Jul 2013
    Location
    United States
    Posts
    519

    How to Reset WPS Lockouts Using MDK3

    Use at your own risk! Section 638:17 of the New Hampshire House Bill 495 highlights United States rules against wireless hacking. Attempting to gain, or gaining, access to a network that you do not own or have permission to is STRICTLY forbidden. I am NOT responsible for ANYTHING you do with this information.

    The purpose of this guide is to inform users about how a router can be exploited to temporarily reset WPS lockouts. This can be useful when using reaver to crack a WPS pin. Keep in mind that this does not work with every router; it largely depends on hardware. This attack uses MDK3, a set of tools by ASPj, to overload the target AP with useless data, thus causing it to freeze and reset. Here is how it works (each of these commands is run in a separate terminal window), and I think you can figure out the variables here.

    Code:
    mdk3 monX a -a xx:xx:xx:xx:xx:xx -m
    This floods the target AP with fake clients.

    Code:
    mdk3 monX m -t xx:xx:xx:xx:xx:xx
    This causes a Michael failure, stopping all wireless traffic. However, this only works if the target AP supports TKIP (it can be AES+TKIP).

    Code:
    mdk3 monX d -b blacklist -c X
    This keeps a continuous deauth on the network. If this attack does not start, make a blank text document in your root folder named blacklist. Leave it empty as MDK3 automatically populates the list.

    Code:
    mdk3 monX b -t xx:xx:xx:xx:xx:xx -c X
    This floods any clients in range with a bunch of fake APs (only effective against Windows clients and maybe some other devices; Macs are protected against this).

    You will know when the AP has reset either by checking with

    Code:
    wash -i monX -C
    or if the target shows channel -1 and MB shows -1 in airodump.

    Please do NOT use this on a network that is not yours or that you do not have permission to. If the owner finds out that it is you who is attacking their network, you may end up in serious legal trouble.

    Visit ASPj's site as mentioned above for more information.

    Preventing the attack

    As of now, there is no way to prevent the attack except by disabling wireless, buying a high-end router, or getting an AP that encrypts management packets. Deauthentication packets are management frames which are sent UNENCRYPTED unless you purchase an AP that supports MFP. You can read more about this here.

    Downloads for useful programs: I will do my best to keep these updated

    Atrophy

    ReVdk3-r1

    FrankenScript 2
    Last edited by soxrok2212; 2014-07-14 at 12:26 PM.
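From the defender's side, three of the four MDK3 modes above (a, d and b) are management-frame floods: a burst of authentications from many distinct client addresses, a burst of deauthentication/disassociation frames, and a burst of beacons from many distinct BSSIDs. Those stand out sharply against normal traffic, so they are easy to alert on from a monitor-mode capture. The script below is an added example and is not part of the original post or of MDK3: it takes a list of already-parsed 802.11 management-frame records and flags each flood pattern with a sliding window. The frame dictionary layout, the constructed BSSID aa:bb:cc:dd:ee:01, the sample traffic and the thresholds are all assumptions for the example. The TKIP Michael mode (m) is not covered here, since it only shows up in the AP's own MIC-failure counters, not in frame counts.

```python
"""Sliding-window detector for 802.11 management-frame floods.

Added example (not from the original post). Input is a list of already
parsed frame records; no live capture is performed.
"""
from collections import defaultdict, deque

AP = "aa:bb:cc:dd:ee:01"  # constructed BSSID of the legitimate AP
BROADCAST = "ff:ff:ff:ff:ff:ff"


def frame(t, subtype, addr1, addr2, bssid):
    """Minimal record for one management frame (assumed layout)."""
    return {"t": t, "subtype": subtype, "addr1": addr1, "addr2": addr2, "bssid": bssid}


def _max_window_count(events, window_s, distinct):
    """Max number of events (or distinct values) inside any window_s span.

    events: list of (timestamp, value), sorted by timestamp.
    """
    window = deque()
    best = 0
    for t, v in events:
        window.append((t, v))
        while window and t - window[0][0] > window_s:
            window.popleft()
        count = len({val for _, val in window}) if distinct else len(window)
        best = max(best, count)
    return best


def detect_floods(frames, window_s=2.0, deauth_threshold=20,
                  auth_threshold=10, beacon_threshold=15):
    """Return a list of (alert_type, bssid, count) tuples.

    deauth_flood: many deauth/disassoc frames for one BSSID (mdk3 d).
    auth_flood:   many distinct senders authenticating to one BSSID (mdk3 a).
    beacon_flood: many distinct BSSIDs beaconing at once (mdk3 b).
    Thresholds are assumptions for the sample traffic below.
    """
    frames = sorted(frames, key=lambda f: f["t"])
    deauth_by_bssid = defaultdict(list)
    auth_by_bssid = defaultdict(list)
    beacons = []
    for f in frames:
        if f["subtype"] in ("deauth", "disassoc"):
            deauth_by_bssid[f["bssid"]].append((f["t"], f["addr2"]))
        elif f["subtype"] == "auth":
            auth_by_bssid[f["bssid"]].append((f["t"], f["addr2"]))
        elif f["subtype"] == "beacon":
            beacons.append((f["t"], f["bssid"]))

    alerts = []
    for bssid, ev in deauth_by_bssid.items():
        n = _max_window_count(ev, window_s, distinct=False)
        if n >= deauth_threshold:
            alerts.append(("deauth_flood", bssid, n))
    for bssid, ev in auth_by_bssid.items():
        n = _max_window_count(ev, window_s, distinct=True)  # distinct clients
        if n >= auth_threshold:
            alerts.append(("auth_flood", bssid, n))
    n = _max_window_count(beacons, window_s, distinct=True)  # distinct BSSIDs
    if n >= beacon_threshold:
        alerts.append(("beacon_flood", "*", n))
    return alerts


def build_baseline_frames():
    """Constructed normal traffic: one AP beaconing, one real client joining."""
    frames = [frame(i * 0.1, "beacon", BROADCAST, AP, AP) for i in range(50)]
    frames.append(frame(1.0, "auth", AP, "11:22:33:44:55:66", AP))
    return frames


def build_sample_frames():
    """Constructed traffic: baseline plus the three flood patterns."""
    frames = build_baseline_frames()
    # 12 distinct fake clients authenticating within ~0.6 s
    for i in range(12):
        frames.append(frame(10.0 + i * 0.05, "auth", AP, f"00:00:00:00:00:{i:02x}", AP))
    # 30 broadcast deauths from the AP's address within ~0.3 s
    for i in range(30):
        frames.append(frame(20.0 + i * 0.01, "deauth", BROADCAST, AP, AP))
    # 20 fake APs beaconing within ~1 s
    for i in range(20):
        fake_ap = f"02:de:ad:be:ef:{i:02x}"
        frames.append(frame(30.0 + i * 0.05, "beacon", BROADCAST, fake_ap, fake_ap))
    return frames


if __name__ == "__main__":
    print("baseline:", detect_floods(build_baseline_frames()))
    for alert in detect_floods(build_sample_frames()):
        print("ALERT", *alert)
```

On the constructed sample the baseline produces no alerts and the flood traffic produces one alert per mode. In a real deployment the thresholds have to be baselined per site (a dense office legitimately shows dozens of BSSIDs), and the deauth check is most useful when combined with the count of distinct reason codes and with whether the frames are broadcast, which is what a client-initiated disconnect normally is not.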

  2. #2
    Senior Member
    Join Date
    Jul 2013
    Posts
    815
    This is great!!! We have been looking for a way to reset WPS-locked routers remotely, and our team will be happy to write a script for you; however, a few questions.

    1. You are running the mdk3 a, b, d and m command lines in four different windows all at the same time - is this correct?

    2. Your comment "You can also add -m to the end of this so it uses real mac addresses instead of 00:00:00:00:00:00."

    Does that deal with the "a" attack above OR the "d" attack below?

    This should be easy to write: just airodump-ng and four Eterm terminal windows. We already have a DDOS program written to use with pwnstar that runs the a and g and airodump-ng commands. We will drop all our other projects with easy-cred and focus on this. However, be aware that a reset WPS router is only going to give you ten keys before it locks up. Anyway, we will run some tests and have something back to you in a few weeks. Anyway, this is better than trying to brute force a long key.

    Again THANKS!!!!!

    Musket Team Alpha

  3. #3
    Senior Member
    Join Date
    Jul 2013
    Location
    United States
    Posts
    519
    1- Yes, ultimately you should have a total of 5 windows open at the same time:
    1- airodump
    2- mdk3 a
    3- mdk3 b
    4- mdk3 d
    5- mdk3 m

    2- You can add -m after mdk3 a. This will authenticate real mac addresses instead of 00:00:00:00:00:00. HOWEVER, with my Alfa AWUS036H, airodump stops working unless I close the terminal window and rerun the command.

    *I updated the tutorial to hopefully solve future questions*

    I could also do some testing with you after you guys push out this tool; I'm excited to see what we can do!
    Last edited by soxrok2212; 2013-12-07 at 02:48 PM.

  4. #4
    Senior Member
    Join Date
    Jul 2013
    Posts
    815
    Reference your comment about airodump-ng: we know there is an issue with airodump-ng in a kali-linux install, as airodump-ng will freeze randomly in all our computers occasionally. But the issue is so random we do not know how to even approach the problem.

    We will send you a working copy so you can check the command lines and make suggestions. We ran some tests yesterday but they were inconclusive as it was against a CCMP encrypted router.

  5. #5
    Senior Member
    Join Date
    Jul 2013
    Location
    United States
    Posts
    519
    If you would like to send me what you have now, I can run some tests against TKIP...
    Last edited by soxrok2212; 2013-12-09 at 08:35 PM.

  6. #6
    Senior Member
    Join Date
    Jul 2013
    Posts
    815
    We do not see a way to send you the script. We do not want to post an incomplete script for general use.

  7. #7
    Senior Member
    Join Date
    Jul 2013
    Posts
    815
    To soxrok2212

    The mdk3 part of the script is completed and ready for you to test and correct. We have run it against CCMP WPS locked routers. We first turned on the WPS locking by requesting pins. After ten pins received, the router locked. We then gave the router a quad blast with mdk3 in four Eterm windows as you suggested. It seems to freeze the router, BUT if it reset, the WPS locking did not reset with the router. We know that after a power failure all the WPS locking resets to off in our area.

    The airodump-ng problem seems to be related to computer speed. On the same computer using HD install of kali-linux, airodump-ng would freeze within a minute or two. If reset it would run and then eventually freeze again. With a 16gb usb persistent install of kali-linux airodump-ng froze within seconds.

    Your comments concerning the -r command may have merit BUT against the routers in our areas of operation time between pin request and mac codes requesting these pins has no relationship to the locking. The locking occurs after ten successful pin requests from any source.

    The varmacreaver.sh program available for download in these forums was originally developed to explore time between pin request versus mac codes requesting said pins. We explored this approach extensively. However, our targets are only one make of router. The program sat on the shelf for six months until we discovered a use for it.

    MTA/MTB

  8. #8
    Senior Member
    Join Date
    Jul 2013
    Location
    United States
    Posts
    519
    Quote Originally Posted by mmusket33:
    To soxrok2212

    The mdk3 part of the script is completed and ready for you to test and correct. We have run it against CCMP WPS locked routers. We first turned on the WPS locking by requesting pins. After ten pins received, the router locked. We then gave the router a quad blast with mdk3 in four Eterm windows as you suggested. It seems to freeze the router, BUT if it reset, the WPS locking did not reset with the router. We know that after a power failure all the WPS locking resets to off in our area.

    The airodump-ng problem seems to be related to computer speed. On the same computer using HD install of kali-linux, airodump-ng would freeze within a minute or two. If reset it would run and then eventually freeze again. With a 16gb usb persistent install of kali-linux airodump-ng froze within seconds.

    Your comments concerning the -r command may have merit BUT against the routers in our areas of operation time between pin request and mac codes requesting these pins has no relationship to the locking. The locking occurs after ten successful pin requests from any source.

    The varmacreaver.sh program available for download in these forums was originally developed to explore time between pin request versus mac codes requesting said pins. We explored this approach extensively. However, our targets are only one make of router. The program sat on the shelf for six months until we discovered a use for it.

    MTA/MTB
    Ok, send me a private message sometime and I'll give you an email to send the beta to. Good work by the way and I'll do some testing.

  9. #9
    Senior Member
    Join Date
    Jul 2013
    Posts
    815
    To soxrok2212
    We have spent two hours trying to send you the link where you can access the file. We have given up. We keep getting error messages. Maybe if you send me a message I can reply back to you with the link.

  10. #10
    Senior Member
    Join Date
    Jul 2013
    Location
    United States
    Posts
    519
    Quote Originally Posted by mmusket33:
    To soxrok2212
    We have spent two hours trying to send you the link where you can access the file. We have given up. We keep getting error messages. Maybe if you send me a message I can reply back to you with the link.
    Here's my old e-mail: soxrok2212@gmail.com

    You can send it there if you'd like.

    *I don't care if it gets spammed because I don't use it*
    Last edited by soxrok2212; 2013-12-11 at 03:42 PM.
