Provided by: mdk4_4.1+git20190904-1_amd64 

NAME
mdk4 - IEEE 802.11 PoC tool
SYNOPSIS
mdk4 [ interface ] [ test_mode ] [ test_options ]
DESCRIPTION
mdk4 is a proof-of-concept (PoC) tool to exploit common IEEE 802.11 protocol weaknesses.
OPTIONS
a - Authentication DoS
    Sends authentication frames to all APs found in range. Too many clients freeze or reset almost every AP.
    -a ap_mac
        Only test an AP with the MAC address ap_mac
    -m
        Use valid client MAC address from the OUI database
    -c
        Do not check for the test being successful.
    -i ap_mac
        Perform intelligent test on AP (-a and -c will be ignored): connects clients to an AP with the MAC address ap_mac and reinjects sniffed data to keep them alive
    -s rate
        Set speed in packets per second to rate (Default: infinity)

b - Beacon Flood
    Sends beacon frames to show fake APs at clients. This can sometimes crash network scanners and even drivers!
    -n ssid
        Use SSID ssid instead of randomly generated ones
    -f file
        Read SSIDs from file instead of randomly generating them
    -v file
        Read MACs and SSIDs from file; cf. example file
    -d
        Show station as Ad-Hoc
    -w
        Set WEP bit (generate encrypted networks)
    -g
        Show stations as 802.11g (54 Mbit)
    -t
        Show stations using WPA TKIP encryption
    -a
        Show stations using WPA AES encryption
    -m
        Use valid access point MACs from OUI database
    -h
        Hop to channel where AP is spoofed - this makes the test more effective against some devices/drivers, but it reduces packet rate due to channel hopping
    -c chan
        Fake an AP on channel chan. If you want your card to hop on this channel, you have to set -h option, too!
    -s rate
        Set speed in packets per second to rate (Default: 50)

d - Deauthentication / Disassociation Amok Mode
    Kicks everybody found from AP.
    -w file
        Read MACs from file that are to be unaffected (whitelist mode)
    -b file
        Read MACs from file that are to be tested on (blacklist mode)
    -s rate
        Set speed in packets per second to rate (Default: infinity)
    -c [chan_1,chan_2,...chan_n]
        Enable channel hopping. Without providing any channels, mdk4 will hop on all 14 b/g channels. The current channel will be changed every 5 seconds.

f - MAC Filter Bruteforce Mode
    This test uses a list of known client MAC addresses and tries to authenticate them to the given AP while dynamically changing the response timeout for best performance. It currently works only on APs which deny an open authentication request properly.
    -t bssid
        Target bssid
    -m mac_prefix
        Set the MAC address range mac_prefix (3 bytes, e.g. 00:12:34); without -m, the internal database will be used
    -f mac
        Begin bruteforcing with MAC address mac (Note: -f and -m cannot be used at the same time)

g - WPA Downgrade Test
    Deauthenticates Stations and APs sending WPA encrypted packets. With this test you can check if the sysadmin will try setting his network to WEP or disable encryption. mdk4 will let WEP and unencrypted clients work, so if the sysadmin simply thinks "WPA is broken" he sure isn't the right one for this job (this can/should be combined with social engineering).
    -t bssid
        Target bssid

m - Michael Shutdown Exploitation (TKIP)
    Cancels all traffic continuously.
    -t bssid
        Target bssid
    -w time
        Time time (in seconds) between bursts (Default: 10)
    -n ppb
        Set packets per burst ppb (Default: 70)
    -j
        Use the new TKIP QoS-Exploit - needs just a few packets to shut the AP down!
    -s rate
        Set speed in packets per second to rate (Default: infinity)

p - Basic Probing and ESSID Bruteforce Mode
    Probes AP and checks for answer, useful for checking if the SSID has been correctly decloaked or if AP is in your adaptor's sending range. Use -f and -t option to enable SSID Bruteforcing.
    -e ssid
        Probe for bssid
    -f file
        Read lines from file for bruteforcing hidden SSIDs
    -t bssid
        Target AP bssid
    -s rate
        Set speed in packets per second to rate (Normal Default: infinity; Bruteforce Default: 300)
    -b character_set
        Use full Bruteforce mode based on character_set (recommended for short SSIDs only!) - use this switch only to show its help screen

w - WIDS/WIPS/WDS Confusion
    Confuses a WDS with multi-authenticated clients, which messes up routing tables.
    -e ssid
        SSID ssid of target WDS network
    -c [chan_1,chan_2,...chan_n]
        Enable channel hopping.
    -z
        Activate Zero_Chaos' WIDS exploit (authenticates clients from a WDS to foreign APs to make WIDS go nuts)

x - 802.1X tests
    0 - EAPOL Start packet flooding
        -n ssid
            Use SSID ssid
        -t bssid
            Target AP bssid
        -w WPA_type
            Set WPA type to WPA_type (1: WPA, 2: WPA2/RSN; default: WPA)
        -u unicast_cipher_type
            Set unicast cipher type to unicast_cipher_type (1: TKIP, 2: CCMP; default: TKIP)
        -m multicast_cipher_type
            Set multicast cipher type to multicast_cipher_type (1: TKIP, 2: CCMP; default: TKIP)
        -s rate
            Set speed in packets per second to rate (Default: 400)
    1 - EAPOL Logoff test
        -t ssid
            Set target AP MAC address to ssid
        -c bssid
            Set target STA MAC address to bssid
        -s rate
            Set speed in packets per second to rate (Default: 400)
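
A monitoring-side view of modes a, b and d above, as an added example that is not part of the mdk4 package or its documentation: it buckets management-frame records into one-second windows and flags the patterns those modes produce (many distinct clients authenticating to one AP, many previously unseen BSSIDs beaconing, a burst of deauthentication/disassociation frames for one AP). The record layout, the function names and all thresholds are assumptions; the sample frames are constructed.

```python
from collections import defaultdict

# Per-window thresholds: assumed values for illustration, tune per site.
MAX_AUTH_CLIENTS_PER_BSSID = 20   # distinct senders of auth frames to one AP
MAX_NEW_BSSIDS = 30               # beaconing BSSIDs never seen before
MAX_DEAUTH_PER_BSSID = 25         # deauth + disassoc frames for one AP

def detect_floods(frames, window=1.0):
    """frames: iterable of (ts, subtype, src_mac, bssid) records.
    Returns a sorted list of (window_start, alert_kind, bssid_or_None)."""
    buckets = defaultdict(list)
    for ts, subtype, src, bssid in frames:
        buckets[int(ts // window) * window].append((subtype, src, bssid))
    known_bssids, alerts = set(), []
    for start in sorted(buckets):
        auth_clients, deauths, new_bssids = defaultdict(set), defaultdict(int), set()
        for subtype, src, bssid in buckets[start]:
            if subtype == "auth" and src != bssid:      # client -> AP direction only
                auth_clients[bssid].add(src)
            elif subtype in ("deauth", "disassoc"):
                deauths[bssid] += 1
            elif subtype == "beacon" and bssid not in known_bssids:
                new_bssids.add(bssid)
        for bssid, clients in auth_clients.items():
            if len(clients) > MAX_AUTH_CLIENTS_PER_BSSID:
                alerts.append((start, "auth-flood", bssid))
        for bssid, count in deauths.items():
            if count > MAX_DEAUTH_PER_BSSID:
                alerts.append((start, "deauth-flood", bssid))
        if len(new_bssids) > MAX_NEW_BSSIDS:
            alerts.append((start, "beacon-flood", None))
        else:
            known_bssids |= new_bssids   # learn the baseline only from quiet windows
    return sorted(alerts, key=lambda a: (a[0], a[1]))

def sample_frames():
    """Constructed records (locally administered MACs), not a real capture."""
    ap = "02:00:00:00:00:01"
    frames = [(0.1, "beacon", ap, ap), (0.5, "auth", "02:00:00:00:10:01", ap)]
    # Second 1: 40 distinct client MACs authenticate to the same AP.
    frames += [(1.0 + i / 100, "auth", f"02:00:00:aa:00:{i:02x}", ap) for i in range(40)]
    # Second 2: 50 never-seen BSSIDs start beaconing at once.
    fake = [f"02:00:00:bb:00:{i:02x}" for i in range(50)]
    frames += [(2.0 + i / 100, "beacon", b, b) for i, b in enumerate(fake)]
    # Second 3: 60 deauthentication/disassociation frames for the AP.
    frames += [(3.0 + i / 100, "deauth" if i % 2 else "disassoc", ap, ap) for i in range(60)]
    return frames

if __name__ == "__main__":
    for alert in detect_floods(sample_frames()):
        print(alert)
```

In practice the records would come from a monitor-mode capture parsed into the same four fields; 802.11w (Protected Management Frames) addresses the deauthentication and disassociation case at the protocol level.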
AUTHORS
mdk4 was written by E7mer, Pedro Larbig (ASPj) with contributions from the aircrack-ng community: Antragon, moongray, Ace, Zero_Chaos, Hirte, thefkboss, ducttape, telek0miker, Le_Vert, sorbo, Andy Green, bahathir, Dawid Gajownik and Ruslan Nabioullin.