Search Hacking Mode Trick Updates

Airdecloak-ng

Monday, November 24, 2008

Airdecloak-ng is a tool that removes WEP cloaking from a pcap file. Some WIPS (actually one) can actively “prevent” cracking a WEP key by inserting chaff (fake WEP frames) in the air to fool aircrack-ng. In some rare cases, cloaking fails and the key can be recovered without removing this chaff. In the cases where the key cannot be recovered, use this tool to filter out chaff.

The program works by reading the input file and selecting packets from a specific network. Each selected packet is put into a list and classified (the default status is “unknown”). Filters are then applied to this list in the order specified by the user. They change the status of the packets (unknown, uncloaked, potentially cloaked or cloaked). The order of the filters is really important: each filter bases its analysis, among other things, on the current status of the packets, so different orders will give different results.

Important requirement: The pcap file needs to have all packets (including beacons and all other “useless” packets) for the analysis (and if possible, prism/radiotap headers).

Options

Option                 Explanation
-i                     Path to the capture file.
--bssid                BSSID of the network to filter.
--ssid                 ESSID of the network to filter (not yet implemented).
--filters              Apply these filters in this specific order. They have to be separated by a ','. Example: --filters signal,consecutive_sn
--null-packets         Assume that null packets can be cloaked (not yet implemented).
--disable-base_filter  Disable the base filter.
--drop-frag            Drop all fragmented packets. In most networks, fragmentation is not needed.
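
Why the filter order matters can be seen in a small model of the status pipeline described above. This is an added example, not airdecloak-ng's code: the two filters borrow only the names signal and consecutive_sn from the --filters example, and their rules, the tolerance value and the sample frames are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median

UNKNOWN, UNCLOAKED, POTENTIAL, CLOAKED = "unknown", "uncloaked", "potentially cloaked", "cloaked"

@dataclass
class Frame:
    sn: int              # 802.11 sequence number
    signal: int          # dBm, as reported in a radiotap/prism header
    status: str = UNKNOWN

def escalate(f):
    f.status = CLOAKED if f.status == POTENTIAL else POTENTIAL  # one step more suspicious

def f_signal(frames, tolerance=10):
    # Toy rule (assumption): compare against the median signal of frames
    # already trusted; if none are trusted yet, use every frame.
    ref = [f for f in frames if f.status == UNCLOAKED] or frames
    level = median(f.signal for f in ref)
    for f in frames:
        if f.status in (UNKNOWN, POTENTIAL) and abs(f.signal - level) > tolerance:
            escalate(f)

def f_consecutive_sn(frames):
    # Toy rule (assumption): a frame continuing the sequence-number run is
    # trusted if still unknown; a frame breaking the run is escalated.
    last = None
    for f in frames:
        if f.status == CLOAKED:
            continue
        if last is None or f.sn == last + 1:
            last = f.sn
            if f.status == UNKNOWN:
                f.status = UNCLOAKED
        elif f.status != UNCLOAKED:
            escalate(f)

FILTERS = {"signal": f_signal, "consecutive_sn": f_consecutive_sn}

def run(order):
    # Constructed sample: frame 3 is chaff-like, frame 5 is genuine but faded.
    frames = [Frame(100, -50), Frame(101, -52), Frame(700, -80),
              Frame(102, -51), Frame(103, -78), Frame(104, -49)]
    for name in order.split(","):
        FILTERS[name](frames)
    return [f.status for f in frames]

if __name__ == "__main__":
    print(run("signal,consecutive_sn"), run("consecutive_sn,signal"), sep="\n")
```

Both orders end with the third frame marked cloaked, but the faded fifth frame stays "potentially cloaked" when signal runs first and becomes "uncloaked" when consecutive_sn runs first.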
