-
-
Save glefait/10e28d8e40a752453ed6d87633953ed8 to your computer and use it in GitHub Desktop.
A simple tshark EAP certificate extractor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # Simple tshark WiFi EAP certificate extractor | |
| # By dominic@sensepost.com | |
| # Updated by : | |
| # Michael Kruger (cablethief) | |
| # Guillem Lefait | |
| # All rights reserved 2018 | |
| if [ ! -x $(which tshark) ]; then | |
| echo "tshark not installed" | |
| exit 0 | |
| fi | |
| if [ "$#" -ne 2 ]; then | |
| echo "Usage: $0 [-r file.cap | -i interface]" | |
| echo "Extracted certificates will be written to <file|int>.cert.rand.der" | |
| exit 0 | |
| fi | |
| tmpbase=$(basename $2) | |
| tshark -r "$tmpbase" -Y "ssl.handshake.certificate or tls.handshake.certificate" \ | |
| -T fields -e frame.number -e "ssl.handshake.certificate" -e "ns_cert_exts.CertType" \ | |
| -E occurrence=a \ | |
| | while read frame_number certificates cert_types; | |
| do | |
| pos=1 | |
| paste <(echo $certificates | sed 's#,#\n#g') <(echo $cert_types | sed 's#,#\n#g') \ | |
| | while read certificate cert_type; | |
| do | |
| file_output="${tmpbase}.${frame_number}.${pos}.${cert_type}.der" | |
| pos=$((pos+1)) | |
| echo $certificate | sed "s/://g" | \ | |
| xxd -ps -r | \ | |
| tee $file_output | \ | |
| openssl x509 -inform der -text; | |
| done; | |
| done; |
Updated to add the certificate type in the filename. It helps to distinguish between CA and SSL.
For example, with the following output :
recon-19.cap.1094.1.40.der
recon-19.cap.1094.2.07.der
we see that two certificates are present in the 1094th frame.
The first has type 40 and is the SSL certificate:
0... .... = ssl-client: False
.1.. .... = ssl-server: True
..0. .... = smime: False
...0 .... = object-signing: False
.... 0... = reserved-for-future-use: False
.... .0.. = ssl-ca: False
.... ..0. = smime-ca: False
.... ...0 = object-signing-ca: False
The second, with type 07 is the CA certificate:
0... .... = ssl-client: False
.0.. .... = ssl-server: False
..0. .... = smime: False
...0 .... = object-signing: False
.... 0... = reserved-for-future-use: False
.... .1.. = ssl-ca: True
.... ..1. = smime-ca: True
.... ...1 = object-signing-ca: True
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When several certificates are present in a single frame, let's extract them all with the use of the tshark
-E occurence=aoption.The certificate filename also includes the frame.number as it facilitates the investigation on the input data.