airdecloak-ng
Remove WPA/WPA2 cloaked clients' MAC addresses
SYNOPSIS
airdecloak-ng [options] <input_file> <output_file>
PARAMETERS
-i <file>
Specifies the input_file (e.g., .cap or .pcap) to be processed. This file contains the raw wireless capture data.
-o <file>
Specifies the output_file where the cleaned capture data will be written. This file will be suitable for further analysis.
-r <rules_file>
Provides a rules_file, which is a text file containing custom rules to detect and remove specific patterns of cloaked frames. This allows for more targeted and effective cloaking removal.
-s <essid>
Filters frames based on the specified ESSID (network name). Only frames belonging to this ESSID will be considered for processing.
-t <bssid>
Filters frames based on the specified BSSID (MAC address of the Access Point). Only frames from this AP will be processed.
-q
Runs in quiet mode, suppressing non-essential output messages.
-v
Runs in verbose mode, providing more detailed output about the processing, including identified cloaking patterns.
-h
Displays the help message and exits, showing available command-line options.
DESCRIPTION
airdecloak-ng is a specialized utility within the aircrack-ng suite designed to clean and prepare wireless capture files (typically in .cap or .pcap format) for subsequent analysis, especially for cracking WEP/WPA keys with aircrack-ng.
Many access points (APs) employ techniques, known as 'cloaking', to hinder attempts at WEP/WPA key cracking. These methods can involve injecting a large number of bogus frames, repeating Initialization Vectors (IVs), or otherwise manipulating network traffic to confuse analysis tools and artificially inflate IV counts. This makes it harder to distinguish legitimate data, and therefore harder to crack the encryption key.
airdecloak-ng's primary function is to identify and remove these cloaking artifacts from the capture file. By filtering out the noise and illegitimate traffic, it produces a 'cleaner' capture file that is more accurate and efficient for aircrack-ng to process, significantly improving the chances of successfully cracking the WEP or WPA passphrase.
CAVEATS
airdecloak-ng is primarily effective against known cloaking techniques and may not fully de-cloak all types of obfuscation, especially newer or proprietary methods. Its effectiveness heavily relies on the quality of the input capture and, for advanced removal, the comprehensiveness of the provided rules file. It does not perform key cracking; its role is solely data preparation.
RULES FILE FORMAT
The rules file (specified with -r) is a plain text file where each line defines a pattern for identifying bogus frames. While specific formats can vary, typical rules might involve hexadecimal byte sequences, frame types, or IV patterns that are indicative of cloaking. Creating effective rules requires a good understanding of network protocols and cloaking methods.
INTEGRATION WITH AIRCRACK-NG SUITE
airdecloak-ng is intended to be used as a pre-processing step. The output file generated by airdecloak-ng should then be fed as input to aircrack-ng for the actual WEP or WPA key cracking process, or to other tools for further analysis.
HISTORY
airdecloak-ng emerged as a necessary component of the aircrack-ng suite to counter the evolving anti-cracking measures implemented by some wireless access point manufacturers. As WEP and WPA cracking became more prevalent, vendors began to introduce cloaking techniques to protect their networks. airdecloak-ng was developed to address this challenge, providing a tool to pre-process capture files and make them amenable to successful key cracking with aircrack-ng.
SEE ALSO
aircrack-ng(1), airmon-ng(1), aireplay-ng(1), airodump-ng(1), airdecap-ng(1), packetforge-ng(1)