> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# mdk4

> 802.11 frame injection tool: SSID brute force, deauthentication floods, beacon spam, and probe request fuzzing.

## Overview

mdk4 is a frame injection tool for 802.11 networks. In wireless pentesting it is primarily used to brute force hidden SSIDs by sending probe requests with each name from a wordlist until the AP responds.

***

## Install

```bash theme={"dark"}
sudo apt install mdk4
```

***

## Usage

```
mdk4 <interface> <mode> [options]
```

***

## Modes

| Mode | Description                                              |
| ---- | -------------------------------------------------------- |
| `b`  | Beacon flooding: spam fake APs                           |
| `d`  | Deauthentication / disassociation flood                  |
| `p`  | SSID probing and brute force                             |
| `e`  | EAPOL start/logoff packet injection                      |
| `m`  | Michael Countermeasures exploitation (TKIP shutdown DoS) |
| `s`  | Attacks for IEEE 802.11s mesh networks                   |
| `a`  | Authentication DoS (floods APs with 802.11 auth frames)  |
| `f`  | Packet fuzzer                                            |

***

## SSID Brute Force (Mode p)

Used to discover hidden SSIDs when no client is connected to reveal the name via probe responses.

```
mdk4 <interface> p [options]
```

| Flag            | Description                       |
| --------------- | --------------------------------- |
| `-t <BSSID>`    | Target AP MAC address             |
| `-f <wordlist>` | Wordlist of SSIDs to probe        |
| `-b <char>`     | Use character set for brute force |
| `-e <SSID>`     | Try exact SSID                    |

Example, brute force with prefixed wordlist:

```bash theme={"dark"}
# Build prefixed wordlist
cat ~/rockyou-top100000.txt | awk '{print "wifi-" $1}' > ~/wifi-wordlist.txt

# Lock interface to target channel first
sudo iwconfig wlan0mon channel 11

# Launch probe brute force
mdk4 wlan0mon p -t <BSSID> -f ~/wifi-wordlist.txt
```

***

## Deauthentication Flood (Mode d)

```
mdk4 <interface> d [options]
```

| Flag           | Description                 |
| -------------- | --------------------------- |
| `-w <file>`    | Whitelist of MACs to skip   |
| `-b <file>`    | Blacklist of MACs to target |
| `-s <speed>`   | Packets per second          |
| `-c <channel>` | Target channel              |
