airdecloak-ng
| Next revision | Previous revision | ||
| airdecloak-ng [2008/11/06 03:35] – created mister_x | airdecloak-ng [2023/01/17 09:58] (current) – [Options] add note about typo in --disable-base_filter gemesa | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Airdecloak-ng ====== | ====== Airdecloak-ng ====== | ||
| + | |||
| ===== Description ===== | ===== Description ===== | ||
| - | Airdecloak-ng is a tool that removes wep cloaking from a pcap file. Some WIPS (actually one) can actively " | + | Airdecloak-ng is a tool that removes wep cloaking from a pcap file. Some WIPS (actually one) actively " | 
| The program works by reading the input file and selecting packets from a specific network. | The program works by reading the input file and selecting packets from a specific network. | ||
| Line 12: | Line 13: | ||
| ===== Usage ===== | ===== Usage ===== | ||
| - | Airdecloak-ng 1.0 rc1 r1193 - (C) 2008 Thomas d' | + | Airdecloak-ng 1.7 | 
| - |  | + |  | 
|  |  | ||
| usage: airdecloak-ng [options] | usage: airdecloak-ng [options] | ||
| Line 26: | Line 27: | ||
|  |  | ||
|  |  | ||
| + | -o < | ||
| + | -c < | ||
| + | -u < | ||
|  |  | ||
|  |  | ||
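Review bot: the usage text in this revision gains three new switches (-o, -c and -u), but the Options table changed in the same revision shows no rows for them; if they are not documented elsewhere on the page, add a row per switch giving its parameter and description so the table stays in step with the usage output.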
| Line 46: | Line 50: | ||
|  |  | ||
|  |  | ||
| + | |||
| ==== Options ==== | ==== Options ==== | ||
| - | ^Option^Explanation| | + | ^Option^Param.^Description| | 
| - | |-i <input file>|Path to the capture file.| | + | |-i|input file|Path to the capture file.| | 
| - | |--bssid | + | |--bssid|BSSID|BSSID of the network to filter.| | 
| - | |--ssid | + | |--ssid|ESSID|ESSID of the network to filter (not yet implemented).| | 
| - | |--filters | + | |--filters|filters|Apply theses filters in this specific order. They have to be separated by a ',' | 
| - | |--null-packets|Assume that null packets can be cloaked (not yet implemented).| | + | |--null-packets|-|Assume that null packets can be cloaked (not yet implemented).| | 
| - | |--disable-base_filter|Disable the base filter.| | + | |--disable-base_filter|-|Disable the base filter. | 
| - | |--drop-frag|Drop all fragmented packets. In most networks, fragmentation is not needed.| | + | |--drop-frag|-|Drop all fragmented packets. In most networks, fragmentation is not needed.| | 
| ==== Tests ==== | ==== Tests ==== | ||
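Review bot: the new --filters row reads "Apply theses filters in this specific order"; "theses" should be "these". The new Param. column also leaves the --disable-base_filter description truncated at "Disable the base filter." in this view, so check that the typo note mentioned in the revision summary actually made it into that cell.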
| Line 62: | Line 68: | ||
| === Capturing traffic === | === Capturing traffic === | ||
| - | Destroy all VAP | + | Destroy all VAP (only needed for madwifi-ng): | 
| airmon-ng stop ath0 | airmon-ng stop ath0 | ||
| Line 80: | Line 86: | ||
| === Trying to crack the WEP key === | === Trying to crack the WEP key === | ||
| - | aircrack-ng.exe wep_cloaking_full_speed_dl.pcap -b 00: | + | aircrack-ng wep_cloaking_full_speed_dl.pcap -b 00: | 
|  |  | ||
| {{http:// | {{http:// | ||
| Line 195: | Line 201: | ||
| === Timing === | === Timing === | ||
| - | The time needed to receive a cloaked frame could be analysed; compared to its uncloaked equivalent since the sensor | + | The time needed to receive a cloaked frame could be analyzed; compared to its uncloaked equivalent since the sensor | 
| For this, 2 packets are needed (one real and one cloaked) and we have to make sure the " | For this, 2 packets are needed (one real and one cloaked) and we have to make sure the " | ||
| Line 225: | Line 231: | ||
| {{http:// | {{http:// | ||
| - | There' | + | There are a few possibilities | 
| - both packets can be discarded since they have the same sequence number. | - both packets can be discarded since they have the same sequence number. | ||
| - use signal/ | - use signal/ | ||
| - | For packet 7538/7539, it will be easier, it's easy to find out which one is cloaked, a beacon has the same sequence | + | For packet 7538/7539, it will be easier, it's easy to find out which one is cloaked, a beacon has the same sequence | 
| Line 245: | Line 251: | ||
| ... so other ways have to be used. Beacon will still be used but in another way: since 1319 is a valid sequence number, the previous (1318) and the next (1320) sequence numbers of valid packets are known. It's getting more complicated, | ... so other ways have to be used. Beacon will still be used but in another way: since 1319 is a valid sequence number, the previous (1318) and the next (1320) sequence numbers of valid packets are known. It's getting more complicated, | ||
| - | Since it is known that wep cloaking | + | Since it is known that wep cloaking | 
| ^Position^Uncloaked^Cloaked^Frame size^Reason| | ^Position^Uncloaked^Cloaked^Frame size^Reason| | ||
| Line 315: | Line 321: | ||
| Remove all duplicate sequence numbers for both the AP and the client (that are close to each other). | Remove all duplicate sequence numbers for both the AP and the client (that are close to each other). | ||
| - | Basically it apply '' | + | Basically it applies | 
| == consecutive_sn == | == consecutive_sn == | ||
| Line 347: | Line 353: | ||
| Not yet, but they will. | Not yet, but they will. | ||
| + | |||
| + | ==== Why is KoreK used instead of PTW? ==== | ||
| + | |||
| + | Only a few hundred packets in this capture file can be used for PTW and that wasn't enough. See the following [[aircrack-ng# | ||
| ===== Links ===== | ===== Links ===== | ||
| Line 354: | Line 364: | ||
| * Joshua Wright [[https:// | * Joshua Wright [[https:// | ||
| * Wifisec Mailing list: [[http:// | * Wifisec Mailing list: [[http:// | ||
| + | |||
| + | ===== Thanks ===== | ||
| + | |||
| + | Thanks to Alex Hernandez aka alt3kx from [[http:// | ||
airdecloak-ng.1225938907.txt.gz · Last modified:  by mister_x