Airdecap-ng and Airdecloak-ng Package Description

Airdecap-ng can decrypt WEP/WPA/WPA2 capture files and it can also be used to strip the wireless headers from an unencrypted wireless capture.
It outputs a new file ending with -dec.cap, which is the decrypted/stripped version of the input file.

Airdecloak-ng removes WEP cloaking from a pcap file. It works by reading the input file and selecting packets from a specific network. Each selected packet is put into a list and classified (default status is “unknown”). Filters are then applied to this list in the order specified by the user. They change the status of the packets (unknown, uncloaked, potentially cloaked or cloaked). The order of the filters is important: each filter bases its analysis, among other things, on the current status of the packets, so different orders give different results.

Source: Airdecap-ng Wiki, Airdecloak-ng Wiki
Airdecap-ng and Airdecloak-ng Homepage | Kali aircrack-ng Repo

  • Author: Thomas d’Otreppe, Original work: Christophe Devine
  • License: GPLv2

airdecap-ng – decrypt a WEP/WPA encrypted pcap file
root@kali:~# airdecap-ng --help

  Airdecap-ng 1.5.2 - (C) 2006-2018 Thomas d'Otreppe

  usage: airdecap-ng [options] <pcap file>

  Common options:
      -l         : don't remove the 802.11 header
      -b <bssid> : access point MAC address filter
      -e <essid> : target network SSID
      -o <fname> : output file for decrypted packets (default <src>-dec)

  WEP specific option:
      -w <key>   : target network WEP key in hex
      -c <fname> : output file for corrupted WEP packets (default <src>-bad)

  WPA specific options:
      -p <pass>  : target network WPA passphrase
      -k <pmk>   : WPA Pairwise Master Key in hex

      --help     : Displays this usage screen
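
How -p and -k relate, as an added example (not part of the original page or of the aircrack-ng code): for WPA/WPA2-PSK the Pairwise Master Key is PBKDF2-HMAC-SHA1 of the passphrase salted with the ESSID, which is why the usage example on this page gives -e alongside -p. The function names and the ESSID test2 are assumptions made for illustration; test and biscotte are the values from this page's usage example.

```python
import hashlib
import hmac

# IEEE 802.11i published test vector, used as a self-check of the derivation.
VECTOR = ("password", "IEEE",
          "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def wpa_pmk(passphrase: str, essid: str) -> str:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 rounds, 32 bytes)."""
    pw = passphrase.encode("ascii")      # non-ASCII input raises ValueError
    ssid = essid.encode("utf-8")
    if not 8 <= len(pw) <= 63 or any(b < 32 or b > 126 for b in pw):
        raise ValueError("passphrase must be 8..63 printable ASCII characters")
    if not 1 <= len(ssid) <= 32:
        raise ValueError("ESSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, ssid, 4096, 32).hex()


def pmk_matches(pmk_hex: str, passphrase: str, essid: str) -> bool:
    """True if a hex PMK is the one derived from this passphrase and ESSID."""
    cleaned = pmk_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(cleaned, wpa_pmk(passphrase, essid))


if __name__ == "__main__":
    # Self-check against the published vector before trusting any other output.
    assert wpa_pmk(VECTOR[0], VECTOR[1]) == VECTOR[2]
    # Values from this page's usage example.
    print("PMK for ESSID 'test': ", wpa_pmk("biscotte", "test"))
    # Constructed ESSID: same passphrase, different network, different key.
    print("PMK for ESSID 'test2':", wpa_pmk("biscotte", "test2"))
```

The derived PMK decrypts traffic for that network just as the passphrase does, so it needs the same handling as the passphrase itself.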

airdecloak-ng – removes WEP-cloaked frames from a pcap file
root@kali:~# airdecloak-ng --help

  Airdecloak-ng 1.5.2 - (C) 2008-2018 Thomas d'Otreppe

  usage: airdecloak-ng [options]


     -i <file>             : Input capture file
     --ssid <ESSID>        : ESSID of the network to filter
     --bssid <BSSID>       : BSSID of the network to filter

     -o <file>             : Output packets (valid) file (default: <src>-filtered.pcap)
     -c <file>             : Output packets (cloaked) file (default: <src>-cloaked.pcap)
     -u <file>             : Output packets (unknown/ignored) file (default: invalid_status.pcap)
     --filters <filters>   : Apply filters (separated by a comma). Filters:
           signal:               Try to filter based on signal.
           duplicate_sn:         Remove all duplicate sequence numbers
                                 for both the AP and the client.
           duplicate_sn_ap:      Remove duplicate sequence number for
                                 the AP only.
           duplicate_sn_client:  Remove duplicate sequence number for the
                                 client only.
           consecutive_sn:       Filter based on the fact that IV should
                                 be consecutive (only for AP).
           duplicate_iv:         Remove all duplicate IV.
           signal_dup_consec_sn: Use signal (if available), duplicate and
                                 consecutive sequence number (filtering is
                                  much more precise than using all these
                                  filters one by one).
     --null-packets        : Assume that null packets can be cloaked.
     --disable-base_filter : Do not apply base filter.
     --drop-frag           : Drop fragmented packets

     --help                : Displays this usage screen

airdecap-ng and airdecloak-ng Usage Examples


With a given ESSID (-e test) and passphrase (-p biscotte), decrypt the specified WPA capture (/usr/share/doc/aircrack-ng/examples/wpa.cap, given as the final argument). The tcpdump -r runs show the capture before and after decryption.

root@kali:~# tcpdump -r wpa.cap
reading from file wpa.cap, link-type PRISM_HEADER (802.11 plus Prism header)
03:01:06.609737 Beacon (test) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 7, PRIVACY[|802.11]
03:01:06.678714 EAPOL key (3) v1, len 95
03:01:06.678928 Acknowledgment RA:00:0d:93:eb:b0:8c (oui Unknown)
03:01:06.681525 EAPOL key (3) v1, len 119
03:01:06.681732 Acknowledgment RA:00:09:5b:91:53:5d (oui Unknown)
03:01:06.684370 EAPOL key (3) v1, len 119
03:01:06.684584 Acknowledgment RA:00:0d:93:eb:b0:8c (oui Unknown)
03:01:06.685502 EAPOL key (3) v1, len 95
03:01:06.685708 Acknowledgment RA:00:09:5b:91:53:5d (oui Unknown)
03:01:06.686775 Data IV:12000 Pad 20 KeyID 0
03:01:06.686984 Acknowledgment RA:00:0d:93:eb:b0:8c (oui Unknown)
03:01:06.688139 Data IV:12000 Pad 20 KeyID 0
03:01:06.688344 Acknowledgment RA:00:09:5b:91:53:5d (oui Unknown)
root@kali:~# airdecap-ng -e test -p biscotte wpa.cap
Total number of packets read            13
Total number of WEP data packets         0
Total number of WPA data packets         2
Number of plaintext data packets         0
Number of decrypted WEP  packets         0
Number of corrupted WEP  packets         0
Number of decrypted WPA  packets         2
root@kali:~# tcpdump -r wpa-dec.cap
reading from file wpa-dec.cap, link-type EN10MB (Ethernet)
03:01:06.686775 EAPOL key (3) v1, len 127
03:01:06.688139 EAPOL key (3) v1, len 95
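
A check on the airdecap-ng summary shown above, as an added example (not part of the original page or of aircrack-ng): it parses the counters and reports when some encrypted data packets were not decrypted. The function names, the finding texts and the second sample are assumptions constructed for illustration; the first sample is the output from this page.

```python
import re

# Summary copied from the airdecap-ng run on this page.
PAGE_SUMMARY = """\
Total number of packets read            13
Total number of WEP data packets         0
Total number of WPA data packets         2
Number of plaintext data packets         0
Number of decrypted WEP  packets         0
Number of corrupted WEP  packets         0
Number of decrypted WPA  packets         2
"""

# Constructed sample: same capture, but nothing was decrypted.
FAILED_SUMMARY = PAGE_SUMMARY.replace(
    "Number of decrypted WPA  packets         2",
    "Number of decrypted WPA  packets         0")


def parse_summary(text: str) -> dict:
    """Map each counter label (whitespace collapsed) to its integer value."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?\S)\s+(\d+)\s*$", line)
        if m:
            stats[" ".join(m.group(1).split())] = int(m.group(2))
    return stats


def check_summary(stats: dict) -> list:
    """Return findings; an empty list means every data packet was decrypted."""
    findings = []
    for kind in ("WEP", "WPA"):
        total = stats.get(f"Total number of {kind} data packets", 0)
        done = stats.get(f"Number of decrypted {kind} packets", 0)
        if done < total:
            findings.append(f"{total - done} of {total} {kind} packets not decrypted")
    bad = stats.get("Number of corrupted WEP packets", 0)
    if bad:
        findings.append(f"{bad} corrupted WEP packets")
    return findings


if __name__ == "__main__":
    for name, text in (("page", PAGE_SUMMARY), ("constructed", FAILED_SUMMARY)):
        print(name, check_summary(parse_summary(text)) or "all decrypted")
```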