MDK is a proof-of-concept tool to
exploit common IEEE 802.11 protocol weaknesses.
It is your responsibility to
make sure you have permission from the network owner before running MDK
against it.
MDK3 is a work by ASPj of k2wrlz. It uses the osdep library from the
aircrack-ng project to inject frames on several operating systems.
Many parts of it have been contributed by the great aircrack-ng
community:
Antragon, moongray, Ace, Zero_Chaos,
Hirte, thefkboss, ducttape, telek0miker, Le_Vert, sorbo, Andy Green,
bahathir
THANK YOU!
MDK3 is licensed under the GPLv2.
Contents:
1. Setting up your environment
2. Getting MDK3 to run (Compiling MDK3, where to get binaries)
3. How to use MDK3
4. The different test modes
1. Setting up your environment
MDK3 is a tool that "injects" data into wireless networks. "Injection"
means sending self-made frames through the air without being connected or
associated to anything. MDK3 sends valid and invalid frames that belong to
the wireless management traffic, not to a regular data connection, and this
is only possible with injection. Sadly, this is something wifi equipment is
NOT built for! To enable injection on your wireless card, you need modified
drivers. A lot of work has already been done by several hackers (including
me) to make such modified drivers available for a lot of wifi adaptors.
(On current Linux kernels most mac80211 drivers support injection from a
monitor interface natively, so patched drivers are mainly a concern on old
kernels.)
To set up your driver for Injection, please visit www.aircrack-ng.org and follow
the Driver Documentation there.
MDK3 uses the drivers and Injection routines from this project and its
predecessor. Thus, all drivers listed there should work with MDK3.
(Some special hardware, like the Intel Centrino ipw2200, is NOT supported,
since it can only inject data frames and no management frames!)
MDK3 currently works on Linux and possibly FreeBSD; it may run on Windows
in the future. It runs best with a fairly up-to-date kernel and drivers.
2. Getting MDK3 to run (Compiling MDK3, where to get binaries)
Some Linux distributions already contain a precompiled mdk3 binary. As far
as I know, Debian and BackTrack currently have the older mdk2 in their
repositories. If you do not use one of these, you have to create the
binary yourself (compiling).
To do this, go to the directory where you extracted the tarball's contents
and simply type make
To copy the compiled binary to your /usr/local/sbin directory (installing
it), type make install afterwards.
3. How to use MDK3
Using MDK3 is quite simple, since it comes with lots of help screens
included directly in the code. You can access them by typing only mdk3
which displays the main help screen. To see all possible options, type
mdk3 --fullhelp
To see only the information for a specific test, type mdk3 --help followed
by the test mode identifier (b, a, p, d, m or x).
Before you can use MDK3, you need to set up your wireless adaptor. Since
there are different driver architectures, the way to set up your adaptor
may vary depending on which driver is in use. To make this procedure easy,
it is recommended to use airmon-ng from the aircrack-ng project, since it
can set up almost every known driver correctly.
To enable injection, your card needs to be brought up, switched to monitor
mode, and a bitrate and channel have to be set.
The following way works for most cards; it is the generic way provided by
the kernel (sadly not every driver uses this kernel interface):
1. Insert your card; a new interface should appear (use ifconfig -a to show
   all available interfaces)
2. Start your interface with ifconfig [your_interface] up
3. Set the interface into monitor mode: iwconfig [your_interface] mode monitor
4. Set channel and bitrate: iwconfig [your_interface] channel [channel] rate 1M
This sets the bitrate for your injected frames to 1 MBit/s, the lowest
available rate, but the one with the highest range, to reach as many
clients as possible.
IMPORTANT: You need to set the channel to the channel the target AP/client
is on, otherwise it won't work! This is a very common error.
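A script form of the four steps above, added here as an example and not part of MDK3 itself: it checks the channel argument first, because a wrong channel is the most common error, and then runs the same ifconfig/iwconfig commands in the order given. DRY_RUN is an assumed switch (not an MDK3 or iwconfig option) that prints the commands instead of executing them, so the sequence can be reviewed without root or an injection-capable adaptor; wlan0 in the usage comment is a placeholder. On recent kernels the iwconfig calls have iw equivalents, but the commands below are the ones this document uses.

```shell
#!/bin/sh
# Added example (not part of MDK3): bring an interface into monitor mode on a
# fixed channel at 1 Mbit/s, in the order the README gives.
# DRY_RUN=1 (an assumed switch, not an MDK3 or iwconfig option) prints the
# commands instead of executing them.

# Accept 2.4 GHz channels 1-14 and the usual 5 GHz channels; reject anything
# else so a typo cannot leave the card on the wrong channel.
valid_channel() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 14 ]; then
        return 0
    fi
    case "$1" in
        36|40|44|48|52|56|60|64|100|104|108|112|116|120|124|128|132|136|140|144|149|153|157|161|165)
            return 0 ;;
    esac
    return 1
}

# Echo the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# monitor_setup <interface> <channel>: steps 2-4 of the README procedure.
monitor_setup() {
    if [ "$#" -ne 2 ]; then
        echo "usage: monitor_setup <interface> <channel>" >&2
        return 2
    fi
    iface=$1
    chan=$2
    if ! valid_channel "$chan"; then
        echo "error: '$chan' is not a valid 802.11 channel;" \
             "it must be the channel the target AP/client is on" >&2
        return 1
    fi
    run ifconfig "$iface" up || return 1
    run iwconfig "$iface" mode monitor || return 1
    # 1M is the lowest rate and therefore has the longest reach.
    run iwconfig "$iface" channel "$chan" rate 1M || return 1
}

# Stand-alone use: DRY_RUN=1 sh setup-monitor.sh wlan0 11   (wlan0 is a placeholder)
if [ "$#" -eq 2 ]; then
    monitor_setup "$1" "$2"
fi
```

Run it once with DRY_RUN=1 to see the exact commands, then as root without DRY_RUN on the real interface; afterwards confirm with airodump-ng on a second adaptor that your card actually sits on the chosen channel.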
To find APs and clients, it is recommended to use airodump-ng. Simply
start it with airodump-ng [your_interface] first, to see the available
stations. Once you have decided on one CHANNEL to run the test on, restart
airodump-ng locked to that channel, so your card won't hop channels any
more to find other stations: airodump-ng -c [channel] [your_interface]
The good thing about using airodump-ng is that you don't need to care
about setting your card up correctly, since airodump-ng already does this
job. Nevertheless, airmon-ng is sometimes also necessary before starting
airodump-ng.
Your hardware is now correctly set up, and you can start using MDK3.
Another important notice for professional users: Some drivers do not
correctly echo injected frames back to the system, so your injected
packets won't be seen if you sniff on the interface you are injecting on.
To check whether the frames are sent correctly, you need to set up another
interface on the same channel and sniff the injected frames with it!
4. The different test modes
b - Beacon Flood Mode
AccessPoints send out approximately 10 beacon frames per second, which
identify the network. When you scan for networks, your card in fact looks
for beacon frames on every available channel. With MDK3, it is possible to
send such beacon frames, too, so people will see your fake networks when
they scan with their wifi. Windows scans automatically as long as it isn't
connected and shows a bubble in the taskbar if a network is found.
Additionally, this mode can be used to hide a network by generating
thousands of fake networks with the same name as the original one. This
mode has several options to set the network name, its encryption, its
speed etc. So read on to get familiar with them:
-n <ssid>
This lets you set the
name of the network. Only networks with the given name will be faked.
This is used if you want to hide a network.
-f <filename>
This lets you read the
names for the networks from a file. This way you can fake multiple
networks at once.
-v <filename>
This is used to fake only a very specific set of networks. Every line in
this file consists of the AP's address and its name. See the example file
on how to use it.
-d
Do not fake a real network, but an Ad-Hoc network with clients only
(networks without APs, where peers communicate directly).
-w
This generates WEP
encrypted networks
-g
This generates
networks with IEEE-802.11g 54 Mbit. Without this option, you will get
b-only 11 MBit networks
-t
Show networks using
WPA TKIP encryption
-a
Show networks using
WPA AES encryption
-m
Usually, MDK3 generates networks with random addresses. But since not all
addresses are in use these days, this option uses the address database
included in MDK3 to generate only AccessPoints with addresses from known
hardware vendors. With this option it is hard to say whether a network is
fake or not.
-h
This makes MDK3 change your card's channel to the channel where the fake
network should actually be. The good thing about this is that it's harder
to determine whether the network is fake, since the channel given in the
beacon matches the channel the frame is sent on. The bad thing is that your
card needs some time to switch to a specific channel, which slows down the
injection speed. You could avoid this by generating fake networks on one
channel only (see the -c option below), but in that case the targets don't
need to change channels to find the correct AP, so they find the real AP a
bit faster.
-c <chan>
Set the channel where
the fake network should be
-s <pps>
Set speed in frames per second (Default: 50). More speed = more fake
networks. But don't get crazy with this option: too many frames may
overflow your card's buffers and crash it!
EXAMPLES:
There is a WPA TKIP network named "Hack me" on channel 11, supporting up to
54 MBit, with lots of clients. You want to confuse them a little by
generating some fake clone networks:
mdk3 [your_interface] b -n "Hack me" -g -t -m -c 11
The b activates beacon flood mode, -n sets the name, -g makes it 54 MBit,
-t enables TKIP, -m makes MDK3 use only valid vendor addresses and -c sets
the correct channel. Do not forget to set your card's channel before you
start such a test! You could also use the -h option for this.
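The -v option reads its network list from a file. The following script, an added example and not MDK3's own code, generates such a list for one SSID with random, well-formed unicast MAC addresses, and checks an existing list for the mistakes that make beacons silently invalid: a malformed MAC, the multicast bit set in the first octet, or an SSID longer than the 32 bytes 802.11 allows. The line layout "XX:XX:XX:XX:XX:XX SSID" (address, one space, name) is assumed from the description "the AP's address and its name" above and should be compared with the example file in your MDK3 tarball; 00:11:22 in the comments is an arbitrary example prefix, and clones.txt a placeholder file name.

```shell
#!/bin/sh
# Added example (not part of MDK3): generate and check a network list for
# beacon flood mode's -v option. Assumed line layout: "XX:XX:XX:XX:XX:XX SSID"
# (address, one space, name), derived from the README's description; compare
# with the example file in your MDK3 tarball before relying on it.

# Print one random unicast MAC. $1 (optional) is a fixed OUI such as 00:11:22
# (an arbitrary example prefix); without it a random locally administered
# address is used (octet 1: bit 1 set, bit 0 clear, so never multicast).
random_mac() {
    oui=$1
    if [ -z "$oui" ]; then
        oui=$(od -An -N3 -tu1 /dev/urandom |
              awk '{ printf "%02x:%02x:%02x", ($1 - $1 % 4) + 2, $2, $3 }')
    fi
    nic=$(od -An -N3 -tu1 /dev/urandom |
          awk '{ printf "%02x:%02x:%02x", $1, $2, $3 }')
    printf '%s:%s\n' "$oui" "$nic"
}

# make_beacon_list <ssid> <count> <outfile> [oui]: write <count> clones of
# <ssid>, each with its own address, one per line.
make_beacon_list() {
    ssid=$1; count=$2; out=$3; oui=$4
    : > "$out"
    i=0
    while [ "$i" -lt "$count" ]; do
        printf '%s %s\n' "$(random_mac "$oui")" "$ssid" >> "$out"
        i=$((i + 1))
    done
}

# check_beacon_list <file>: report lines whose MAC is malformed or multicast
# (odd first octet) or whose SSID is empty or longer than the 32 bytes
# 802.11 allows. Returns 1 if any line is bad.
check_beacon_list() {
    awk '
    {
        mac = $1
        ssid = substr($0, length(mac) + 2)
        n = split(mac, o, ":")
        ok = (n == 6)
        for (i = 1; ok && i <= 6; i++)
            ok = (o[i] ~ /^[0-9a-fA-F][0-9a-fA-F]$/)
        # low bit of the first octet is the individual/group flag
        if (ok) ok = (substr(o[1], 2, 1) ~ /^[02468aceACE]$/)
        if (ok) ok = (length(ssid) >= 1 && length(ssid) <= 32)
        if (!ok) { printf "bad line %d: %s\n", NR, $0; bad = 1 }
    }
    END { exit bad ? 1 : 0 }' "$1"
}

# Stand-alone use: sh beacon-list.sh "Hack me" 20 clones.txt [00:11:22]
# then: mdk3 [your_interface] b -v clones.txt -c 11
if [ "$#" -ge 3 ]; then
    make_beacon_list "$1" "$2" "$3" "$4"
    check_beacon_list "$3"
fi
```

A fixed OUI is useful when you want clones that carry the same vendor prefix as the real AP; without one the generator uses locally administered addresses, which are valid unicast addresses but easy to spot as synthetic, much like the difference between running with and without -m.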
a - Authentication DoS mode
Sends authentication frames to all APs found in range.
Too many clients freeze or reset some APs.
EXAMPLES:
p - Basic probing and ESSID Bruteforce mode
Probes the AP and checks for an answer; useful for checking whether an
SSID has been correctly decloaked or whether the AP is within your
adaptor's sending range.
SSID bruteforcing is also possible with this test mode.
EXAMPLES:
d - Deauthentication / Disassociation Amok Mode
Kicks everybody found off the AP
EXAMPLES:
m - Michael shutdown exploitation (TKIP)
Cancels all traffic continuously. (TKIP's Michael MIC countermeasures shut
down all traffic on the AP for 60 seconds after two MIC failures within a
minute; this mode keeps triggering them.)
EXAMPLES:
x - 802.1X tests
EXAMPLES:
And for those who read this document until the end, here is the special
Multi Destruction Mode to really shut down and destroy a network.
WARNING: This could REALLY shut down all communication, possibly until the
hardware is manually reset. This can crash drivers, computers and APs
alike! So consider yourself warned! Run these commands only if no
important data is being transmitted and you can afford some downtime!
(c) Pedro Larbig 2007