airdecloak-ng
Differences
airdecloak-ng [2008/11/06 03:35] – created mister_x | airdecloak-ng [2023/01/15 21:06] – add Param. column to Options table gemesa | ||
Line 1: | Line 1: | ||
====== Airdecloak-ng ====== | ====== Airdecloak-ng ====== | ||
+ | |||
===== Description ===== | ===== Description ===== | ||
- | Airdecloak-ng is a tool that removes wep cloaking from a pcap file. Some WIPS (actually one) can actively " | + | Airdecloak-ng is a tool that removes wep cloaking from a pcap file. Some WIPS (actually one) actively " |
The program works by reading the input file and selecting packets from a specific network. | The program works by reading the input file and selecting packets from a specific network. | ||
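Review bot: "wep cloaking" in the Description sentence is lower-case on both sides of this hunk while the later heading in this same diff reads "Trying to crack the WEP key"; since the edit already touches that sentence (dropping "can"), capitalise it as "WEP cloaking" in the same change.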
Line 12: | Line 13: | ||
===== Usage ===== | ===== Usage ===== | ||
- | Airdecloak-ng 1.0 rc1 r1193 - (C) 2008 Thomas d' | + | Airdecloak-ng 1.4 - (C) 2008-2018 Thomas d' |
- | | + | |
| | ||
usage: airdecloak-ng [options] | usage: airdecloak-ng [options] | ||
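Review bot: the usage banner is updated from "Airdecloak-ng 1.0 rc1 r1193 - (C) 2008" to "Airdecloak-ng 1.4 - (C) 2008-2018", but only the banner line shows as changed in this hunk; confirm the whole usage block was re-pasted from the 1.4 binary rather than the version string edited by hand, otherwise the options listed below it may not match the build named in the banner.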
Line 39: | Line 40: | ||
| | ||
| | ||
- | | + | much more precise than using all these |
- | filters one by one). | + | |
| | ||
- | | + | |
- | | + | |
| | ||
- | | + | |
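Review bot: the right side keeps "much more precise than using all these" but the continuation "filters one by one)." from the left side is not carried over, so the reflowed help text appears to end without its closing parenthesis; check that the removed fragment was merged into the preceding line and not lost.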
==== Options ==== | ==== Options ==== | ||
- | ^Option^Explanation| | + | ^Option^Param.^Description| |
- | |-i <input file>|Path to the capture file.| | + | |-i|input file|Path to the capture file.| |
- | |--bssid | + | |--bssid|BSSID|BSSID of the network to filter.| |
- | |--ssid | + | |--ssid|ESSID|ESSID of the network to filter (not yet implemented).| |
- | |--filters | + | |--filters|filters|Apply theses filters in this specific order. They have to be separated by a ',' |
- | |--null-packets|Assume that null packets can be cloaked (not yet implemented).| | + | |--null-packets|-|Assume that null packets can be cloaked (not yet implemented).| |
- | |--disable-base_filter|Disable the base filter.| | + | |--disable-base-filter|-|Disable the base filter.| |
- | |--drop-frag|Drop all fragmented packets. In most networks, fragmentation is not needed.| | + | |--drop-frag|-|Drop all fragmented packets. In most networks, fragmentation is not needed.| |
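Review bot: the new "--filters" row reads "Apply theses filters in this specific order"; fix the typo to "these filters" while this row is being rewritten. Separately, the option name changes from "--disable-base_filter" to "--disable-base-filter" (underscore to hyphen); since this alters the documented flag, verify it against the "usage: airdecloak-ng [options]" output above so the table and the program agree.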
==== Tests ==== | ==== Tests ==== | ||
Line 62: | Line 64: | ||
=== Capturing traffic === | === Capturing traffic === | ||
- | Destroy all VAP | + | Destroy all VAP (only needed for madwifi-ng): |
airmon-ng stop ath0 | airmon-ng stop ath0 | ||
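Review bot: "Destroy all VAP (only needed for madwifi-ng):" should read "Destroy all VAPs"; the added qualification itself is a good clarification, since the "airmon-ng stop ath0" line that follows is specific to a madwifi-ng interface name.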
Line 80: | Line 82: | ||
=== Trying to crack the WEP key === | === Trying to crack the WEP key === | ||
- | aircrack-ng.exe wep_cloaking_full_speed_dl.pcap -b 00: | + | aircrack-ng wep_cloaking_full_speed_dl.pcap -b 00: |
| | ||
{{http:// | {{http:// | ||
Line 195: | Line 197: | ||
=== Timing === | === Timing === | ||
- | The time needed to receive a cloaked frame could be analysed; compared to its uncloaked equivalent since the sensor | + | The time needed to receive a cloaked frame could be analyzed; compared to its uncloaked equivalent since the sensor |
For this, 2 packets are needed (one real and one cloaked) and we have to make sure the " | For this, 2 packets are needed (one real and one cloaked) and we have to make sure the " | ||
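Review bot: the spelling change "analysed" to "analyzed" is fine, but the sentence still reads "could be analyzed; compared to its uncloaked equivalent since the sensor", where the semicolon splits a single clause; a comma ("analyzed, compared to its uncloaked equivalent, since the sensor ...") reads correctly.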
Line 225: | Line 227: | ||
{{http:// | {{http:// | ||
- | There' | + | There are a few possibilities |
- both packets can be discarded since they have the same sequence number. | - both packets can be discarded since they have the same sequence number. | ||
- use signal/ | - use signal/ | ||
- | For packet 7538/7539, it will be easier, it's easy to find out which one is cloaked, a beacon has the same sequence | + | For packet 7538/7539, it will be easier, it's easy to find out which one is cloaked, a beacon has the same sequence |
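Review bot: the unchanged context line "For packet 7538/7539, it will be easier, it's easy to find out which one is cloaked" says the same thing twice; since the neighbouring "There are a few possibilities" line is already being reworded, drop one of the two ("For packets 7538/7539 it is easy to find out which one is cloaked: a beacon has the same sequence ...").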
Line 245: | Line 247: | ||
... so other ways have to be used. Beacon will still be used but in another way: since 1319 is a valid sequence number, the previous (1318) and the next (1320) sequence numbers of valid packets are known. It's getting more complicated, | ... so other ways have to be used. Beacon will still be used but in another way: since 1319 is a valid sequence number, the previous (1318) and the next (1320) sequence numbers of valid packets are known. It's getting more complicated, | ||
- | Since it is known that wep cloaking | + | Since it is known that wep cloaking |
^Position^Uncloaked^Cloaked^Frame size^Reason| | ^Position^Uncloaked^Cloaked^Frame size^Reason| | ||
Line 315: | Line 317: | ||
Remove all duplicate sequence numbers for both the AP and the client (that are close to each other). | Remove all duplicate sequence numbers for both the AP and the client (that are close to each other). | ||
- | Basically it apply '' | + | Basically it applies |
== consecutive_sn == | == consecutive_sn == | ||
Line 347: | Line 349: | ||
Not yet, but they will. | Not yet, but they will. | ||
+ | |||
+ | ==== Why is KoreK used instead of PTW? ==== | ||
+ | |||
+ | Only a few hundred packets in this capture file can be used for PTW and that wasn't enough. See the following [[aircrack-ng# | ||
===== Links ===== | ===== Links ===== | ||
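Review bot: the new "Why is KoreK used instead of PTW?" section links to "[[aircrack-ng#" followed by an anchor that is cut off in this view; confirm the anchor name exists on the aircrack-ng page so the cross-reference resolves rather than landing on the page top.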
Line 354: | Line 360: | ||
* Joshua Wright [[https:// | * Joshua Wright [[https:// | ||
* Wifisec Mailing list: [[http:// | * Wifisec Mailing list: [[http:// | ||
+ | |||
+ | ===== Thanks ===== | ||
+ | |||
+ | Thanks to Alex Hernandez aka alt3kx from [[http:// |
airdecloak-ng.txt · Last modified: 2023/01/17 09:58 by gemesa