Today we’re following up our discussion on 802.11 frames with an investigation of beacons and a practical example using BackTrack Linux and a technique known as raw frame injection.
As you recall from last time, the beacon frame is one of the four types of management frames; the other three are association, authentication and probes, which we’ll be getting into shortly.
Now the beacon frame is a special kind of management frame as it contains information about the network. This brings us to the terms:
Beacon frames, or simply beacons, are transmitted periodically by base stations or access points to announce the presence of wireless networks. The beacon frame is made up of several parts, including:
Whether the station is acting in ad-hoc or infrastructure mode (also known as managed mode)
The SSID or network name. We’ll be getting more into the service sets of 802.11 networks, but for now the SSID is a 32-character, typically human-readable string that uniquely identifies the network.
The Timestamp
The timestamp is quite simply a unit of time to which all associating stations synchronize. It’s like that scene in the movie where all the spies synchronize their watches, except that it happens in hex in the blink of an eye.
And capability information such as
Channel Information
Supported data rates
Typically access points are set up to broadcast their beacons every 10 seconds. This can add quite a bit of overhead, so for improved performance on networks where not a lot of clients are connecting and disconnecting, like a home network, this setting is often changed to be much higher.
MDK3 is a tool that exploits weaknesses in 802.11 protocols. It was created by ASPj with the help of the aircrack-ng team and libraries. MDK3 can be found at Pedro Larbig’s homepage and is built into the latest version of BackTrack from backtrack-linux.org.
Today we’re using MDK3 in our practical example of transmitting and analyzing beacon frames.
To achieve this we’ll first need a card capable of raw frame injection. To test whether our card has this capability we’ll use the aireplay-ng tool, which is part of the aircrack-ng suite.
Aireplay-ng is a tool for injecting wireless frames and can accomplish 10 basic WiFi attacks, including deauthentication, fake authentication, fragmentation and more. We’ll be getting more in depth with the aireplay-ng tool soon, but for today we’ll be using mode 9, also known as test mode.
Now before we can use either aireplay-ng or MDK3 we’ll need to bring up a monitor interface for our card, that is, set our card in monitor mode. If you recall from a previous episode, the easiest way to do this is with the command airmon-ng start followed by our interface.
airmon-ng start wlan2
Now that our card has been set to monitor mode and we have the interface mon0 we can proceed to test our NIC.
Issuing aireplay-ng -9 (or --test) followed by our wireless interface (which in our case is wlan2), we can test whether or not our radio can handle raw frame injection.
aireplay-ng -9 wlan2
Our test is complete and we can see that aireplay-ng reports “injection is working”.
Now on to MDK3, which is capable of performing many modes of attack. Issuing mdk3 at the command prompt will display a brief description of them.
mdk3 | more
Today we’re focusing on the beacon flood mode. For more information on any mode, issue mdk3 --help followed by the mode letter. So we’ll issue
mdk3 --help b
Alternatively we could issue mdk3 --fullhelp for information on all attack modes.
So now, finally, to craft our beacon flood: we can see here that the option -f reads SSIDs from a text file, -g shows them as using the 802.11g protocol at 54 Mbps, -a shows them as having WPA enabled with AES encryption, and -c lets us specify a channel.
Thankfully I already have a text file full of SSIDs handy, so let’s just issue
mdk3 mon0 b -f ssid.list -g -a -c 11
Now, as you can see, mdk3 is transmitting hundreds of beacons on channel 11 for the access points I’ve specified.
We can verify this using our other wireless interface by scanning for all nearby networks with the command:
iwlist wlan0 scan | grep ESSID
Now, similar to fuzzing, this sort of attack can sometimes break WiFi scanners or network interface drivers. And with a specially crafted SSID list I’m sure you can come up with your own fun.
Mind you, all of these BSSIDs, or MAC addresses, are random and there’s no chance of anyone actually associating with these base stations. At least not now.
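Seen from the monitoring side, the flood just described has a simple signature: dozens of BSSIDs nobody has seen before appear on one channel within a second or two, while real access points keep repeating the same BSSID beacon after beacon. The detector below is an added example, not code from the episode or from mdk3; it applies that rule to a constructed capture. The `Sighting` fields, the 10-second window and the threshold of 20 new BSSIDs are assumptions a practitioner would tune to their own airspace.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set


@dataclass(frozen=True)
class Sighting:
    """One beacon as a monitor interface would log it (fields assumed; frame already parsed)."""
    t: float        # capture time in seconds
    bssid: str
    ssid: str
    channel: int


@dataclass
class FloodAlert:
    channel: int
    window_start: float
    window_end: float
    new_bssids: int
    ssids: List[str]      # distinct SSIDs advertised by the new BSSIDs in the window


class BeaconFloodDetector:
    """Alert when a channel shows `threshold` never-before-seen BSSIDs inside `window_s` seconds.

    A legitimate AP enters `known` on its first beacon and is ignored afterwards, so steady
    beaconing never fills a window; a burst of fabricated BSSIDs fills it within a second.
    """

    def __init__(self, window_s: float = 10.0, threshold: int = 20) -> None:
        self.window_s = window_s
        self.threshold = threshold
        self.known: Set[str] = set()
        self.first_seen: Dict[int, Deque[Sighting]] = {}

    def observe(self, s: Sighting) -> Optional[FloodAlert]:
        if s.bssid in self.known:
            return None
        self.known.add(s.bssid)
        window = self.first_seen.setdefault(s.channel, deque())
        window.append(s)
        while window and s.t - window[0].t > self.window_s:   # drop first-sightings that aged out
            window.popleft()
        if len(window) < self.threshold:
            return None
        alert = FloodAlert(s.channel, window[0].t, s.t, len(window),
                           sorted({x.ssid for x in window}))
        window.clear()   # count afresh so a sustained flood yields periodic alerts, not one per frame
        return alert


def run_detection(sightings: List[Sighting], window_s: float = 10.0,
                  threshold: int = 20) -> List[FloodAlert]:
    det = BeaconFloodDetector(window_s, threshold)
    alerts: List[FloodAlert] = []
    for s in sorted(sightings, key=lambda x: x.t):
        a = det.observe(s)
        if a is not None:
            alerts.append(a)
    return alerts


def build_sample_capture(include_flood: bool = True) -> List[Sighting]:
    """Constructed sample: three real APs beaconing steadily for 30 s, then (optionally) 50
    fabricated BSSIDs appearing on channel 11 within one second, the shape of a beacon flood."""
    legit = [("00:11:22:33:44:01", "home-net", 1),
             ("00:11:22:33:44:06", "office", 6),
             ("00:11:22:33:44:0b", "guest", 11)]
    capture = [Sighting(tick * 0.1, bssid, ssid, ch)
               for tick in range(300) for bssid, ssid, ch in legit]
    if include_flood:
        fake_ssids = ["FreeWiFi", "linksys", "default", "NETGEAR", "attwifi"]  # made-up list
        capture += [Sighting(20.0 + i * 0.02, f"02:00:00:00:00:{i:02x}", fake_ssids[i % 5], 11)
                    for i in range(50)]
    return capture


if __name__ == "__main__":
    for alert in run_detection(build_sample_capture()):
        print(f"channel {alert.channel}: {alert.new_bssids} new BSSIDs between "
              f"t={alert.window_start:.2f}s and t={alert.window_end:.2f}s, SSIDs {alert.ssids}")
```

With the constructed capture the three real APs produce no alerts, while the burst on channel 11 produces two (after the 20th and 40th fabricated BSSID). Keying the window on first sightings rather than on every beacon is what keeps a busy but honest channel quiet.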
What programs or commands are rocking your world? What technologies are tickling your technolust? Hit me up — tips@hak5.org
And be sure to check out our sister show, Hak5 for more great stuff just like this.

I think MDK (Murder Death Kill) is from Demolition Man.
Demolition Man;
Murder Death Kill – the code given by the future police force for unnatural deaths.
MDK3 – Murder Death Kill, 1993 Demolition Man?
Running the Dropbox client in Backtrack.. there’s a certain irony there.
Trivia answer: Demolition Man. It stands for Murder Death Kill.
The movie is “Demolition Man” 1993
MDK (Murder Death Kill) is from Demolition Man.
Trivia: Demolition man.
Trivia: Demolition Man
Doublepost…
Please delete this clone…
Hey,
Demolition Man sounds quite reasonable, but my guess is “Walker, Texas Ranger”. Don’t know why.
Regards
Pepe
MDK = Murder Death Kill from Demolition Man. How much for the duck?
Guess the movie is Demolition Man. But I always think of the game MDK, it was a fun one.
it comes from the movie Demolition Man and means murder, death, kill.
The movie is “Demolition Man”
Trivia = Demolition Man
I fully agree with mikni. I always think of the game MDK when using this tool as well. Showing our age even recognizing this game. Check out the system requirements:
90 MHz CPU, 16 MB RAM, 37 MB available hard disk space, Windows 95 (WIN), Direct3D or 3DFX Glide compatible video card (optional)
trivia = Demolition Man
* Almost said Mortal Kombat* LOL
Demolition Man (1993)
Demolition Man
When are these random drawings?
Code 187 MDK Murder Death Kill Murder Death Kill Murder Death Kill
From Demolition Man
movie = Demolition Man . mdk was also a video game from way back
I had thought this was first come first serve, but in case it’s not (reading the above comments),
Murder Death Kill! (And a shocked Sandra Bullock Face) From Demolition Man, 1993.
The name is a reference to Demolition Man; it was the code for a murder.
also…he doesn’t know about the three seashells.
Demolition Man
Wouldn’t MDK be named after the movie MDK 1 or MDK 2 Armageddon?
MDK is the code for an unnatural death in the movie Demolition Man.
Answer: Demolition Man
MDK looks like a really nice tool, I hadn’t heard of it. Amok mode looks really… interesting? Thanks for the tip.
Demolition Man, Murder Death Kill!
MDK is a third-person shooter game developed by Shiny Entertainment and released in 1997 by Playmates Interactive Entertainment in North America and Interplay Entertainment in Europe for the PC, Macintosh, and subsequently PlayStation (Wikipedia). ( I played the game so I instantly remembered the name… also the character can “fly”)
MDK game title was probably stolen from Demolition Man… I remember the damn movie just because of Sandra Bullock (I had a huge crush on her)… but I preferred her work in the “The Net” (1995)… a movie that appeals much more to our natures.
Nice! How about doing a segment on bash tricks (Like the braces-expansion) trick you did in the previous segment? Anyways, keep up the good work.
MDK – Murder Death Kill, Demolition Man.
Demolition Man. It stands for Murder, Death, Kill.
Trivia answer: Demolition Man stands for Murder Death Kill.
Demolition Man
MDK gets its name from the movie Demolition Man; people speculate that it stands for “Murder, Death, Kill” but it’s not actually revealed in the movie.
wireshark = Ethereal
Demolition Man – Murder Death Kill
Where can I find the ssid text file you were using?