airdecloak-ng
Differences
airdecloak-ng [2008/11/09 23:02] – thanks mister_x | airdecloak-ng [2023/01/17 09:58] (current) – [Options] add note about typo in --disable-base_filter gemesa | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Airdecloak-ng ====== | ====== Airdecloak-ng ====== | ||
+ | |||
===== Description ===== | ===== Description ===== | ||
- | Airdecloak-ng is a tool that removes wep cloaking from a pcap file. Some WIPS (actually one) can actively " | + | Airdecloak-ng is a tool that removes wep cloaking from a pcap file. Some WIPS (actually one) actively " |
The program works by reading the input file and selecting packets from a specific network. | The program works by reading the input file and selecting packets from a specific network. | ||
Line 12: | Line 13: | ||
===== Usage ===== | ===== Usage ===== | ||
- | Airdecloak-ng 1.0 rc1 r1193 - (C) 2008 Thomas d' | + | Airdecloak-ng 1.7 |
- | | + | |
| | ||
usage: airdecloak-ng [options] | usage: airdecloak-ng [options] | ||
Line 26: | Line 27: | ||
| | ||
| | ||
+ | -o < | ||
+ | -c < | ||
+ | -u < | ||
| | ||
| | ||
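Review bot: the three options added to the usage listing in this hunk (`-o`, `-c`, `-u`) are not reflected in the Options table further down, which still documents only `-i`, `--bssid`, `--ssid`, `--filters`, `--null-packets`, `--disable-base_filter` and `--drop-frag`; add a row for each so the table and the program's own usage output agree.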
Line 46: | Line 50: | ||
| | ||
| | ||
+ | |||
==== Options ==== | ==== Options ==== | ||
- | ^Option^Explanation| | + | ^Option^Param.^Description| |
- | |-i <input file>|Path to the capture file.| | + | |-i|input file|Path to the capture file.| |
- | |--bssid | + | |--bssid|BSSID|BSSID of the network to filter.| |
- | |--ssid | + | |--ssid|ESSID|ESSID of the network to filter (not yet implemented).| |
- | |--filters | + | |--filters|filters|Apply theses filters in this specific order. They have to be separated by a ',' |
- | |--null-packets|Assume that null packets can be cloaked (not yet implemented).| | + | |--null-packets|-|Assume that null packets can be cloaked (not yet implemented).| |
- | |--disable-base_filter|Disable the base filter.| | + | |--disable-base_filter|-|Disable the base filter. |
- | |--drop-frag|Drop all fragmented packets. In most networks, fragmentation is not needed.| | + | |--drop-frag|-|Drop all fragmented packets. In most networks, fragmentation is not needed.| |
==== Tests ==== | ==== Tests ==== | ||
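Review bot: "Apply theses filters" in the `--filters` row should read "Apply these filters". Also, the revision summary says a note about a typo in `--disable-base_filter` was added, but the row here ends at "Disable the base filter." with no closing `|`, so either the note or the row terminator was lost; check that the row is complete and the table still renders.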
Line 62: | Line 68: | ||
=== Capturing traffic === | === Capturing traffic === | ||
- | Destroy all VAP | + | Destroy all VAP (only needed for madwifi-ng): |
airmon-ng stop ath0 | airmon-ng stop ath0 | ||
Line 80: | Line 86: | ||
=== Trying to crack the WEP key === | === Trying to crack the WEP key === | ||
- | aircrack-ng.exe wep_cloaking_full_speed_dl.pcap -b 00: | + | aircrack-ng wep_cloaking_full_speed_dl.pcap -b 00: |
| | ||
{{http:// | {{http:// | ||
Line 195: | Line 201: | ||
=== Timing === | === Timing === | ||
- | The time needed to receive a cloaked frame could be analysed; compared to its uncloaked equivalent since the sensor | + | The time needed to receive a cloaked frame could be analyzed; compared to its uncloaked equivalent since the sensor |
For this, 2 packets are needed (one real and one cloaked) and we have to make sure the " | For this, 2 packets are needed (one real and one cloaked) and we have to make sure the " | ||
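Review bot: the semicolon in "could be analyzed; compared to its uncloaked equivalent" splits one clause in two; a comma (or "and compared to") reads better. Switching "analysed" to "analyzed" is fine as long as the rest of the page uses the same spelling.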
Line 225: | Line 231: | ||
{{http:// | {{http:// | ||
- | There' | + | There are a few possibilities |
- both packets can be discarded since they have the same sequence number. | - both packets can be discarded since they have the same sequence number. | ||
- use signal/ | - use signal/ | ||
- | For packet 7538/7539, it will be easier, it's easy to find out which one is cloaked, a beacon has the same sequence | + | For packet 7538/7539, it will be easier, it's easy to find out which one is cloaked, a beacon has the same sequence |
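Review bot: "it will be easier, it's easy to find out which one is cloaked" says the same thing twice and runs on; suggest "For packets 7538/7539 it is easier to find out which one is cloaked, since a beacon has the same sequence…" ("packet" should also be plural here, as two packets are being compared).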
Line 245: | Line 251: | ||
... so other ways have to be used. Beacon will still be used but in another way: since 1319 is a valid sequence number, the previous (1318) and the next (1320) sequence numbers of valid packets are known. It's getting more complicated, | ... so other ways have to be used. Beacon will still be used but in another way: since 1319 is a valid sequence number, the previous (1318) and the next (1320) sequence numbers of valid packets are known. It's getting more complicated, | ||
- | Since it is known that wep cloaking | + | Since it is known that wep cloaking |
^Position^Uncloaked^Cloaked^Frame size^Reason| | ^Position^Uncloaked^Cloaked^Frame size^Reason| | ||
Line 315: | Line 321: | ||
Remove all duplicate sequence numbers for both the AP and the client (that are close to each other). | Remove all duplicate sequence numbers for both the AP and the client (that are close to each other). | ||
- | Basically it apply '' | + | Basically it applies |
== consecutive_sn == | == consecutive_sn == | ||
Line 347: | Line 353: | ||
Not yet, but they will. | Not yet, but they will. | ||
+ | |||
+ | ==== Why is KoreK used instead of PTW? ==== | ||
+ | |||
+ | Only a few hundred packets in this capture file can be used for PTW and that wasn't enough. See the following [[aircrack-ng# | ||
===== Links ===== | ===== Links ===== | ||
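Review bot: the new "Why is KoreK used instead of PTW?" section would be more useful if it stated how many usable packets the capture contained and how many PTW needs, rather than only "a few hundred" and "wasn't enough"; the cross-reference to the aircrack-ng page can carry the threshold. Also confirm the `[[aircrack-ng#` link has a valid section anchor, since the anchor text is cut off in the diff view.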
Line 357: | Line 367: | ||
===== Thanks ===== | ===== Thanks ===== | ||
- | Thanks to Alex Hernandez aka alt3kx from [[http:// | + | Thanks to Alex Hernandez aka alt3kx from [[http:// |
airdecloak-ng.1226268178.txt.gz · Last modified: 2008/11/09 23:02 by mister_x