Airdecloak-ng is a tool that removes wep cloaking from a pcap file. Some WIPS (actually one) actively “prevent” cracking a WEP key by inserting chaff (fake wep frames) in the air to fool aircrack-ng. In some rare cases, cloaking fails and the key can be recovered without removing this chaff. In the cases where the key cannot be recovered, use this tool to filter out chaff.



airdecloak-ng [options]


     -i <file>             : Input capture file
     --ssid <ESSID>        : ESSID of the network to filter
     --bssid <BSSID>       : BSSID of the network to filter

         --filters <filters>   : Apply filters (separated by a comma). Filters:
           signal:               Try to filter based on signal.
           duplicate_sn:         Remove all duplicate sequence numbers
                                 for both the AP and the client.
           duplicate_sn_ap:      Remove duplicate sequence number for
                                 the AP only.
           duplicate_sn_client:  Remove duplicate sequence number for the
                                 client only.
           consecutive_sn:       Filter based on the fact that IV should
                                 be consecutive (only for AP).
           duplicate_iv:         Remove all duplicate IV.
           signal_dup_consec_sn: Use signal (if available), duplicate and
                                 consecutive sequence number (filtering is
                                  much more precise than using all these
                                  filters one by one).
     --null-packets        : Assume that null packets can be cloaked.
     --disable-base_filter : Do not apply base filter. Airdecloak-ng
     --drop-frag           : Drop fragmented packets Airdecloak-ng

     --help                : Displays this usage screen Airdecloak-ng


Filtering wep cloaked packets :

cyborg@cyborg:~$ airdecloak-ng --bssid 10:FE:ED:B7:A5:42 --filter signal -i packets.pcap 
Input file: packetscap.pcap
BSSID: 10:FE:ED:B7:A5:42

Opening file
Output packets (valids) filename: packetscap.pcap-filtered.pcap
Output packets (cloaked) filename: packetscap.pcap-cloaked.pcap
Reading packets from file
Link type (Prism: 119 - Radiotap: 127 - 80211: 105 - PPI - 192): 802.11
Nb packets: 66193           
Checking for cloaked frames
Cloaking - Start check
Cloaking - Marking all duplicate SN cloaked if frame is valid or uncloaked
782 frames marked
Cloaking - Signal filtering
Average signal cannot be calculated because headers does not include it
Cloaking - Marking all unknown cloaking status frames as uncloacked
585 frames marked
Cloaking - Marking all potentially cloaked status frames as cloaked
515 frames marked
Writing packets to files
Writing packets to files
End writing packets to files

Leave a reply


We're are building as a community and a team. Be a part of it.


©2018 Ztrela Knowledge Solutions Pvt. Ltd

Log in with your credentials

Forgot your details?