airdecloak-ng

Differences

This shows you the differences between two versions of the page.

airdecloak-ng [2008/11/14 22:58] – Why KoreK and not PTW? mister_x
airdecloak-ng [2009/09/26 22:01] – Fixed typos darkaudax
Line 1: Line 1:
 ====== Airdecloak-ng ====== ====== Airdecloak-ng ======
 +
 ===== Description ===== ===== Description =====
  
-Airdecloak-ng is a tool that removes wep cloaking from a pcap file. Some WIPS (actually one) can actively "prevent" cracking a WEP key by inserting chaff (fake wep frames) in the air to fool aircrack-ng. In some rare cases, cloaking fails and the key can be recovered without removing this chaff. In the cases where the key cannot be recovered, use this tool to filter out chaff.+Airdecloak-ng is a tool that removes wep cloaking from a pcap file. Some WIPS (actually one) actively "prevent" cracking a WEP key by inserting chaff (fake wep frames) in the air to fool aircrack-ng. In some rare cases, cloaking fails and the key can be recovered without removing this chaff. In the cases where the key cannot be recovered, use this tool to filter out chaff.
  
 The program works by reading the input file and selecting packets from a specific network. The program works by reading the input file and selecting packets from a specific network.
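Review bot: dropping "can" is fine, but the sentence still spells the protocol as lowercase "wep" twice ("wep cloaking", "fake wep frames") while the page title and the rest of the hunk use "WEP"; suggest "removes WEP cloaking from a pcap file" and "fake WEP frames" so the term is consistent.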
Line 57: Line 58:
 |--disable-base_filter|Disable the base filter.| |--disable-base_filter|Disable the base filter.|
 |--drop-frag|Drop all fragmented packets. In most networks, fragmentation is not needed.| |--drop-frag|Drop all fragmented packets. In most networks, fragmentation is not needed.|
 +
  
 ==== Tests ==== ==== Tests ====
Line 62: Line 64:
 === Capturing traffic === === Capturing traffic ===
  
-Destroy all VAP +Destroy all VAP (only needed for madwifi-ng):
   airmon-ng stop ath0   airmon-ng stop ath0
  
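Review bot: the new parenthetical says the step is only needed for madwifi-ng, but the command below it still hard-codes the madwifi-ng interface name ath0 without saying what readers on other drivers should do; suggest "Destroy all VAP (only needed for madwifi-ng; skip this step for other drivers):" so the instruction and the command agree.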
Line 80: Line 82:
  
 === Trying to crack the WEP key === === Trying to crack the WEP key ===
-  aircrack-ng.exe wep_cloaking_full_speed_dl.pcap -b 00:12:BF:12:32:29 -K -n 64 -d 1F:1F:1F+  aircrack-ng wep_cloaking_full_speed_dl.pcap -b 00:12:BF:12:32:29 -K -n 64 -d 1F:1F:1F
      
 {{http://www.aircrack-ng.org/wep_cloaking/crack_without_filter.jpg}} {{http://www.aircrack-ng.org/wep_cloaking/crack_without_filter.jpg}}
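Review bot: the earlier revision summary on this page is "Why KoreK and not PTW?", yet this hunk only drops the ".exe" suffix and leaves the command unexplained; suggest one sentence after it stating that -K selects the KoreK attack and that -d 1F:1F:1F presets the first key bytes, so the reader knows why that attack and that key mask are used in this test rather than the default.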
Line 195: Line 197:
 === Timing === === Timing ===
  
-The time needed to receive a cloaked frame could be analysed; compared to its uncloaked equivalent since the sensor receive the real frame then forge a wep cloaked frame with the informations of the real one.+The time needed to receive a cloaked frame could be analyzed; compared to its uncloaked equivalent since the sensor receives the real frame then forge a wep cloaked frame with the informations of the real one.
  
 For this, 2 packets are needed (one real and one cloaked) and we have to make sure the "cloaking" status of both packets is accurate (and that the cloaked packet is forged against the real one we have). For this, 2 packets are needed (one real and one cloaked) and we have to make sure the "cloaking" status of both packets is accurate (and that the cloaked packet is forged against the real one we have).
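Review bot: the hunk fixes "analysed" and "receive" but leaves "then forge" and "informations" ungrammatical, and the semicolon before "compared" splits the sentence awkwardly; suggest "The time needed to receive a cloaked frame could be analyzed and compared to its uncloaked equivalent, since the sensor receives the real frame and then forges a WEP cloaked frame with the information from the real one."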
Line 225: Line 227:
 {{http://www.aircrack-ng.org/wep_cloaking/low_traffic.jpg}} {{http://www.aircrack-ng.org/wep_cloaking/low_traffic.jpg}}
  
-There'a few possibilites to filter out the cloaked packet for 7509/7510:+There are a few possibilities to filter out the cloaked packet for 7509/7510:
 - both packets can be discarded since they have the same sequence number. - both packets can be discarded since they have the same sequence number.
 - use signal/timing to find the cloaked packet. - use signal/timing to find the cloaked packet.
  
  
-For packet 7538/7539, it will be easier, it's easy to find out which one is cloaked, a beacon has the same sequence number as packet 7539; 7539 is cloaked:+For packet 7538/7539, it will be easier, it's easy to find out which one is cloaked, a beacon has the same sequence numbers as packet 7539; 7539 is cloaked:
  
  
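Review bot: the change to "sequence numbers" in the last line is wrong for a single beacon, which carries one sequence number; keep the singular "has the same sequence number as packet 7539". The sentence also says the same thing twice ("it will be easier, it's easy to find out"); suggest "For packets 7538/7539 it is easier to find out which one is cloaked: a beacon has the same sequence number as packet 7539, so 7539 is cloaked:".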
Line 245: Line 247:
  
 ... so other ways have to be used. Beacon will still be used but in another way: since 1319 is a valid sequence number, the previous (1318) and the next (1320) sequence numbers of valid packets are known. It's getting more complicated, these sequence number are both used more than once ;) \\ ... so other ways have to be used. Beacon will still be used but in another way: since 1319 is a valid sequence number, the previous (1318) and the next (1320) sequence numbers of valid packets are known. It's getting more complicated, these sequence number are both used more than once ;) \\
-Since it is known that wep cloaking copy the attributes (including frame size) of its equivalent real frame, wep cloaked packets can be easily found:+Since it is known that wep cloaking copies the attributes (including frame size) of its equivalent real frame, wep cloaked packets can be easily found:
  
 ^Position^Uncloaked^Cloaked^Frame size^Reason| ^Position^Uncloaked^Cloaked^Frame size^Reason|
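Review bot: "copy" to "copies" is right, but the unchanged context line above still reads "these sequence number are both used more than once"; suggest "these sequence numbers are both used more than once". The changed line also keeps lowercase "wep" twice ("wep cloaking", "wep cloaked packets") where the rest of the page uses "WEP".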
Line 315: Line 317:
 Remove all duplicate sequence numbers for both the AP and the client (that are close to each other). Remove all duplicate sequence numbers for both the AP and the client (that are close to each other).
  
-Basically it apply ''duplicate_sn_ap'' and ''duplicate_sn_client'' filters+Basically it applies ''duplicate_sn_ap'' and ''duplicate_sn_client'' filters
  
 == consecutive_sn == == consecutive_sn ==
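Review bot: the changed line is missing its terminating period, and since the description above says the filter covers both the AP and the client, "applies both the ''duplicate_sn_ap'' and ''duplicate_sn_client'' filters." would state the combination explicitly.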
Line 361: Line 363:
 ===== Thanks ===== ===== Thanks =====
  
-Thanks to Alex Hernandez aka alt3kx from [[http://sybsecurity.com|sybsecurity.com]] for the hardware+Thanks to Alex Hernandez aka alt3kx from [[http://sybsecurity.com|sybsecurity.com]] for the hardware.
airdecloak-ng.txt · Last modified: 2023/01/17 09:58 by gemesa