Airdecloak-ng is a tool that removes wep cloaking from a pcap file. Some WIPS (actually one) actively “prevent” cracking a WEP key by inserting chaff (fake wep frames) in the air to fool aircrack-ng. In some rare cases, cloaking fails and the key can be recovered without removing this chaff. In the cases where the key cannot be recovered, use this tool to filter out chaff.
Mandatory: -i <file> : Input capture file --ssid <ESSID> : ESSID of the network to filter or --bssid <BSSID> : BSSID of the network to filter Optional: --filters <filters> : Apply filters (separated by a comma). Filters: signal: Try to filter based on signal. duplicate_sn: Remove all duplicate sequence numbers for both the AP and the client. duplicate_sn_ap: Remove duplicate sequence number for the AP only. duplicate_sn_client: Remove duplicate sequence number for the client only. consecutive_sn: Filter based on the fact that IV should be consecutive (only for AP). duplicate_iv: Remove all duplicate IV. signal_dup_consec_sn: Use signal (if available), duplicate and consecutive sequence number (filtering is much more precise than using all these filters one by one). --null-packets : Assume that null packets can be cloaked. --disable-base_filter : Do not apply base filter. Airdecloak-ng --drop-frag : Drop fragmented packets Airdecloak-ng --help : Displays this usage screen Airdecloak-ng
Filtering wep cloaked packets :
cyborg@cyborg:~$ airdecloak-ng --bssid 10:FE:ED:B7:A5:42 --filter signal -i packets.pcap Input file: packetscap.pcap BSSID: 10:FE:ED:B7:A5:42 Opening file Output packets (valids) filename: packetscap.pcap-filtered.pcap Output packets (cloaked) filename: packetscap.pcap-cloaked.pcap Reading packets from file Link type (Prism: 119 - Radiotap: 127 - 80211: 105 - PPI - 192): 802.11 Nb packets: 66193 Checking for cloaked frames Cloaking - Start check Cloaking - Marking all duplicate SN cloaked if frame is valid or uncloaked 782 frames marked Cloaking - Signal filtering Average signal cannot be calculated because headers does not include it Cloaking - Marking all unknown cloaking status frames as uncloacked 585 frames marked Cloaking - Marking all potentially cloaked status frames as cloaked 515 frames marked Writing packets to files Writing packets to files End writing packets to files