Using MDK3, Beacon Flooding & Deauthentication Attack to test wireless stress.

wireless stress

MDK3 is a conceptual tool for proof. It is used to test 802.11 (wifi) networks. It consists of various methods for testing. Some of the essential sare processes are flooding, deauthentication, WPA-dos, etc. For pentests, mdk is used for the monitoring and compatibility of the network infrastructures with 802.11 implementations.


Syntax: mdk3 < interface > < test mode > < test-options >

Mdk3 – help < test mode >: for test options


b-Beacon Flood Mode

Send beacon frames to show customer fake APs. This can crash network scanners and even drivers sometimes!

a-Authentication DoS mode

Sends authentication frames to all applications within the range. Too many customers freeze or reset individual APs.

p-Basic probing and ESSID Bruteforce mode

AP samples and reply checks are useful to verify whether SSID has been adequately decommissioned or whether AP in your adapters can also send SSID brute-forcing with this test mode.

d-Deauthentication / Disassociation Amok Mode

Kicks everybody found from APi

m-Michael shutdown exploitation (TKIP)

Cancel all traffic always

x-802.1X tests

w-WIDS / WIPS Confusion

Intrusion Detection and Prevention Programs Confuse / Abuse

f-MAC filter Bruteforce mode

This test uses a list of known MAC addresses for clients and attempts to authenticate them on the given AP while changing their response timeout dynamically to ensure the best performance. It currently only operates on APs that correctly reject an open authentication request

g-WPA Downgrade test

Deauthenticates WPA encrypted packets from stations and APs. This test helps you to verify if the sysadmin attempts to set your network to WEP or disable encryption.

Lab 1:Deauthenticate all clients on a channel

In this lab, we ‘re trying to deny service to all clients on one channel. This is called a test of deauthentication.

Step 1: First, we need to make sure that the monitor interface is enabled.

Command: iwconfig

All wireless interfaces and their wireless features are presented.

Step 2: Let the monitor interface start

Command: airmon-ng start wlan0<your interface here>

Step 3: See nearby all Access Points and set our target.

Command: airodump-ng mon0

This shows all wifi access points, including hidden access points nearby.

We are getting a lot of information out of that. Access points, Mac IDs, clients, channels every AP is broadcasting on, etc. There is only one AP here that is going to be our target. We can see from the picture above that it’s operating on channel 6. So let’s launch an attack on channel 6.

Command: mdk3 mon0 d -c 6

Lab 2: Beacon Flooding

This lab features the creation of fake access points in different SSIDs (Broadcast Names) at a fast rate. This could crash some customers or repeated wireless access points or extenders etc.

Step 1: Make sure your monitor interface works. For this, see the previous lab.

Step 2: Launch attack

Command: mdk3 mon0 b

Here’s an android phone showing all the access points we’ve made. This could likely be crashed.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.