ASPj's WiFi Page mdk3, rt73, rt2570
and other aircrack-ng experiments
Fanmail, Bugs, Patches, Feedback:


mdk3 v6 has been released on 19. October 2009.
If I missed some bugfixes, just drop a mail.

And of course, enjoy the new design.

Enhanced Injection driver for Intel ipw3945
External project by JMF, only hosted here

This is based on a driver made for testing purposes called ipwraw. It allows raw packet Tx/Rx with the Intel PRO/Wireless 3945ABG adapter, it's raw mode only and can't be used for normal connections to the internet. ipwraw doesn't have wireless extensions, so this modification adds some to make it easier to work with programs like aircrack-ng, kismet, mdk, ...

New in ipwraw-ng 2.3.4:
  • Added compatibility fixes for recent kernels (2.6.23 and newer)
  • Fixed bug when setting 5.5 Mb/s rate with iwconfig
  • Fixed bugs (I hope) in Makefile - it would report that old firmware versions were adequate and also had some cosmetic glitches
  • Added set TxPower Wireless Extension. Now TxPower can be set using
    iwconfig INTERFACE txpower TXPOWER
    (INTERFACE is normally wifi0, or eth0; TXPOWER is a the value you want to set, min=-12 and max=16)

This version includes some fixes ported from ipw3945 driver. It should be more stable now...
Default speed was left at 54 MBit, you may want to lower it to 1 MBit before injection with
iwconfig wifi0 rate 1M
You will have that configured automatically if you use airmon-ng from the aircrack-ng suite (changeset 847 or greater)
More information can be found on the included
README.ipwraw-ng file.

Please contact JMF directly for questions regarding his driver:


Older Versions:

RaLink RT73 USB Enhanced Driver

  • Support for Fragmentation Attack
  • Interface is called rausb0 instead of wlan0 to prevent some tools incorrectly detecting it as wlanng or hostap driver
  • Injection speed can be selected with iwconfig <interface> rate command. The default speed is 54 MBit. You may want to lower it to 1 MBit before injection with iwconfig rausb0 rate 1M

Version 3.0.0 is a new fork from the former serialmonkey CVS. It has fixes for 2.6.24 and 2.6.25 and does not need setting a MAC Address before bringing the interface up. This version includes all the enhancement of the 2.0 series of this driver. If you unplug the card while its still in use, it may crash your system. So close all applications accessing it, bring the interface down and then remove the device.

You may have waited for this:
Version 3.0.1 has an updated base version from serialmonkey CVS. It is patched with all the features of 3.0.0 and it has been successfully tested with 2.6.26 vanilla kernel.

Version 3.0.2 provides kernel version 2.6.27 compatibility.
NOTE: You may also try the mac80211 drivers included in 2.6.27 or newer since these drivers are pretty nice too ;)

Version 3.0.3 provides kernel version 2.6.29 compatibility. It uses default kernel memory allocation for devices' private data area. This may fail on 64bit platforms (according to RaLink). In previous versions the driver allocated its own memory and hacked it into the netdev structure. This hack failed in 2.6.29 and has been removed. However, the new mode works for me quite well. Please report if any problems occur.


Older versions:

RaLink RT2570 USB Enhanced Driver

  • Prism header can be toggled via iwpriv, no automatic changes which screwed up packet captures!
  • MAC changing supported
  • Support for Fragmentation Attack

Fragmentation support is now considered stable. For further details on the fragmentation attack see the paper from Andrea Bitteau:

1.5.0 version has some important fixes for kernel version 2.6.19 and above.

The serialmonkey CVS repository updated its driver from a new RaLink legacy one. Version 1.6.0 is the modification of this driver with fragmentation support, MAC changing and prism headers enabled by default. This driver seems to fix some threading, some SMP and some endianness issues. So it should be more stable than previous releases.

Version 1.6.1 works for 2.6.22 kernels and comes with some more stability improvements.

Version 1.6.2 with a new base version from serialmonkey CVS, all the patches from the previous version and support for 2.6.26 kernel.

Version 1.6.3 adds kernel 2.6.27 compatibility. NOTE: You may also try the mac80211 drivers included in 2.6.27 since these drivers are pretty nice too ;)

Version 1.6.4 adds compatibility with 2.6.29.


Older Versions:


The new MDK3 uses the osdep injection library from the project. The Linux-dependant includes have been removed, mdk3 compiles and runs on FreeBSD and even Windows (Cygwin). For Windows you need special drivers, a possibly illegal DLL file and the cygwin environment. Please see the aircrack-ng website for details about Packet Injection in Windows.

MDK3 works on the new mac80211 stack.
If you are a Linux user, just make, make install and have fun.
If you are a FreeBSD user, do the same, and report back to me, if it works correctly there.
If you are a Windows user, good luck, but expect no support from me.
MDK3 is licenced under GPLv2.

  • Bruteforce MAC Filters
  • Bruteforce hidden SSIDs (some small SSID wordlists included)
  • Probe networks to check if they can hear you
  • intelligent Authentication-DoS to freeze APs (with success checks)
  • FakeAP - Beacon Flooding with channel hopping (can crash NetStumbler and some buggy drivers)
  • Disconnect everything (aka AMOK-MODE) with Deauthentication and Disassociation packets
  • WPA TKIP Denial-of-Service
  • WDS Confusion - Shuts down large scale multi-AP installations

MDK3 version 6
  • Amok Mode now works on Ad-Hoc and MANET networks (WARNING: Clients may not reconnect automatically, so they may stay disconnected after the attack stopped!)
  • Removed duplicate WPA downgrade in Deauth Mode (sorry for the confusion)
  • SSID Bruteforce Mode understands 0 and 1 byte SSIDs as hidden now, and tries all lengths
  • GCC 4.4 support, all warnings and extra warnings fixed
  • Whitelists and Blacklists in Amok Mode are re-read periodically every 3 seconds.
    You can use this to dynamically allow or block hosts with scripts.
  • A lot of small bugfixes
MDK3 version 5
  • Enhanced MAC-Filter Bruteforce Mode
  • Another WDS/WIDS/WIPS Confusion Test
  • Amok Mode supports QoS packets
  • Michael Countermeasure Exploit (also known as TKIP QoS Exploit)
    Shuts down APs using TKIP encryption and QoS Extension with 1 sniffed and 2 injected QoS Data Packets
  • WPA-Downgrade Test - deauthenticates Stations and APs sending WPA encrypted packet
    With this test you can check if the sysadmin will try WEP or even disables encryption
    mdk3 will let WEP and unencrypted clients work, so if the sysadmin simply thinks "WPA is broken" he sure isn't the right one for this job. (this can/should be combined with social engineering)
MDK3 version 4
  • Added high-speed MAC-Filter Bruteforce Mode (experimental)
    Please test this on your APs and report back for optimizing and bugfixing, thanks!


Old versions:

Ancient mdk2 versions:

Prism2_usb Injection driver

This is the first Prism2 USB driver that was able to inject packets. I made this before Devine had its own one. But i never released it to the public, however. Instead of his driver, this one seems to be very stable (was able to crack a whole lot of WEPs with aireplay). It shares the same issue with Devine's driver, it doesn't inject on kernels newer than 2.6.11. I can't give any support or help for this since I gave my prism away. Sorry.


Fake Shared Key Authentication

This is world's first fully functional code to enable fake authentication on networks using Shared Key Authentication. You do NOT need to know the key to authenticate, all you need is a keystream that has been chopped with aireplay-ng's chopchop attack. Hirte, another developer from the aircrack-ng community successfully included this code into the aircrack suite.

Fixed in Version 0.2:
  • Show error when network does not use Shared Key Authentication
  • Get Capability Field from Beacon Frame. (Using the standard capabilities failed for some APs)


Fragmentation Attack

And another world premiere from me. First implementation of the Fragmentation Attack on Linux. This attack needs a special driver and card, that is able to handle the IEEE802.11 fragmentation correctly, your driver may not work or may need to be updated or modified. The output of this tool is a file in the aircrack-ng keystream format (.xor). The output can be used in the same way like the output of the chopchop attack in aireplay-ng. With that keystream you can build an ARP packet (arpforge-ng or packetforge-ng). This packet can then be injected into the target wifi system, generating either answers and/or fowarded packets increasing the IV count. For an example attack, see the README in the tarball. afrag has already been integrated into aireplay-ng, best idea is to get the aircrack-ng SVN version for the newest fragmentation attack code.


Contact and Fanclub

If you want to send some funny stuff,
or if want to join the "official" ASPj Fanclub,
or if you just have some useful patch for any of my software
or if you used my code in any other project,
I would like to get some mail

>>  <<

I made up a little list of the people who are in my fanclub. They just drove crazy due to exaggerated happiness after using my drivers and/or mdk3:

Fan List