Use at your own risk! Section 638:17 of the New Hampshire House Bill 495 highlights United States rules against wireless hacking. Attempting to and or gaining access to a network that you do not own or have permission to is STRICTLY forbidden. I am NOT responsible for ANYTHING you do with this information.
The purpose of this guide is to inform users about how a router can be exploited to temporarily reset WPS lockouts. This can be useful when using reaver to crack a WPS pin. Keep in mind that this does not work with every router. It largely depends on hardware. This attack uses MDK3, a set of tools by ASPj to overload the target AP with useless data, thus causing it to freeze and reset. Here is how it works. (Each of these commands are run in a separate terminal window) and I think you can figure out the variables here.
This floods the target AP with fake clients.Code:mdk3 monX a -a xx:xx:xx:xx:xx:xx -m
This causes Michael failure, stopping all wireless traffic. However, this only works if the target AP supports TKIP. (Can be AES+TKIP)Code:mdk3 monX m -t xx:xx:xx:xx:xx:xx
This keeps a continuous deauth on the network. If this attack does not start, make a blank text document in your root folder named blacklist. Leave it empty as MDK3 automatically populates the list.Code:mdk3 monX d -b blacklist -c X
This floods a bunch of fake APs to any clients in range (only effective to windows clients and maybe some other devices, Macs are protected against this).Code:mdk3 monX b -t xx:xx:xx:xx:xx:xx -c X
You will know when the AP has reset either by checking with
or if the target shows channel -1 and MB shows -1 in airodump.Code:wash -i monX -C
Please do NOT use this on a network that is not yours or that you do not have permission to. If the owner finds out that it is you who is attacking their network, you may end up in serious legal trouble.
Visit ASPj's site as mentioned above for more information.
Preventing the attack
As of now, there is no way to prevent the attack except by disabling wireless, buying a high end router, or getting an AP that encrypts management packets. Deauthentication packets are management frames which are sent UNENCRYPTED unless you purchase an AP that supports MFP. You can read more about this here.
Downloads for useful programs: I will do my best to keep these updated
Atrophy
ReVdk3-r1
FrankenScript 2