Last active
November 18, 2022 20:22
-
-
Save singe/40bda2a1772aaf4903515cc4e436afe5 to your computer and use it in GitHub Desktop.
A simple tshark EAP certificate extractor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Simple CA cert generator & leaf cert signer | |
| # By dominic@sensepost.com | |
| # All rights reserved 2019 | |
| ca_prefix="ca" | |
| leaf_prefix="host" | |
| ca_validity="1825" #days | |
| leaf_validity="730" #days | |
| size=2048 | |
| usage() { | |
| echo "Simple CA & leaf cert generator & signer" | |
| echo "Usage: $0 [-h] [-c <ca.cert.pem> -k <ca.key.pem>] [-l <user1>] [-a <ca>]" | |
| echo " -h This help" | |
| echo " -c <ca.cert.pem> Specify a CA cert to use instead of generating one (requires -k)" | |
| echo " -k <ca.key.pem> Specify the key for the CA cert" | |
| echo " -l <leaf_prefix> Specify the name prefix of the leaf certificate and key" | |
| echo " -a <ca_prefix> Specify the name prefix of the CA certificate and key" | |
| exit 1 | |
| } | |
| while getopts "hc:k:l:a:" OPTIONS; do | |
| case ${OPTIONS} in | |
| h) | |
| usage;; | |
| c) | |
| ca_cert=${OPTARG} ;; | |
| k) | |
| ca_key=${OPTARG} ;; | |
| l) | |
| leaf_prefix=${OPTARG} ;; | |
| a) | |
| ca_prefix=${OPTARG} ;; | |
| esac | |
| done | |
| shift $((OPTIND-1)) | |
| if [ $OPTIND -eq 1 ]; then | |
| echo "Using defaults -a ca -l host" | |
| fi | |
| if [ -z ${ca_cert} ] && [ -n {$ca_key} ] || [ -n ${ca_cert} ] && [ -z {$ca_key} ]; then | |
| echo "-z & -n required together, you can't provide just one." | |
| usage | |
| fi | |
| if [ -z ${ca_cert} ] && [ -z ${ca_key} ]; then | |
| ca_cert="$ca_prefix.cert.pem" | |
| ca_key="$ca_prefix.key.pem" | |
| if [ -f $ca_cert ] || [ -f $ca_key ]; then | |
| echo "Cowardly refusing to overwrite files $ca_cert or $ca_key" | |
| exit 1 | |
| fi | |
| # Create CA key | |
| openssl genrsa \ | |
| -out $ca_prefix.key.pem \ | |
| $size | |
| # Create self-signed CA cert | |
| openssl req -x509 -new -nodes \ | |
| -key $ca_prefix.key.pem \ | |
| -sha256 \ | |
| -days $ca_validity \ | |
| -out $ca_prefix.cert.pem | |
| fi | |
| if [ -f $leaf_prefix.key.pem ] || [ -f $leaf_prefix.cert.pem ]; then | |
| echo "Cowardly refusing to overwrite files $leaf_prefix.key.pem or $leaf_prefix.cert.pem" | |
| exit 1 | |
| fi | |
| # Create user key | |
| openssl genrsa \ | |
| -out $leaf_prefix.key.pem \ | |
| $size | |
| # Create CSR | |
| openssl req -new \ | |
| -key $leaf_prefix.key.pem \ | |
| -out $leaf_prefix.csr | |
| # Generate signed host cert | |
| openssl x509 -req \ | |
| -in $leaf_prefix.csr \ | |
| -CA $ca_cert \ | |
| -CAkey $ca_key \ | |
| -CAcreateserial \ | |
| -out $leaf_prefix.cert.pem \ | |
| -days $leaf_validity \ | |
| -sha256 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # Simple tshark WiFi EAP certificate extractor | |
| # By dominic@sensepost.com | |
| # All rights reserved 2020 | |
| function trap_ctrlc () | |
| { | |
| echo "Ctrl-C caught...performing clean up" | |
| killall tshark | |
| exit 2 | |
| } | |
| trap "trap_ctrlc" 2 | |
| if [ ! -x $(which tshark) ]; then | |
| echo "tshark not installed" | |
| exit 1 | |
| fi | |
| if [ -z ${1} ]; then | |
| echo "Usage: $0 [-r file.cap] [-i interface]" | |
| echo "Extracted certificates will be written to <file|int>.cert.rand.der" | |
| exit 1 | |
| fi | |
| # Newer versions of tshark use tls not ssl | |
| filter="ssl.handshake.certificate" | |
| tshark -r /etc/resolv.conf $filter 2>/dev/null | |
| if [[ $? -eq 2 ]]; then | |
| filter="tls.handshake.certificate" | |
| fi | |
| tmpbase=$(basename $2) | |
| for x in $(tshark $1 $2 \ | |
| -Y "$filter and eapol" \ | |
| -T fields -e "ssl.handshake.certificate"); do | |
| echo $x | \ | |
| sed "s/://g" | \ | |
| xxd -ps -r | \ | |
| tee $(mktemp $tmpbase.cert.XXXX.der) | \ | |
| openssl x509 -inform der -text; | |
| done |
I have no idea how it happened, but when copy pasting this, it changed some of my integers which affected things like $1 and the year. WTF. Fixed it.
I get error:
$./Extract_EAP.sh -i wlp0s20u3mon
tshark: Some fields aren't valid:
ssl.handshake.certificate
$
I have wireshark instaled. Can it be because I am running python 3.0 as default?
What version of tshark/wireshark are you running?
… On 17 Jun 2019, at 13:06, bashbanana ***@***.***> wrote:
I get error:
$./Extract_EAP.sh -i wlp0s20u3mon
tshark: Some fields aren't valid:
ssl.handshake.certificate
$
I have wireshark instaled. Can it be because I am running python 3.0 as default?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.
Had the same issue as @bashbanana, fixed it by replacing "ssl.handshake.certificate" with "tls.handshake.certificate".
Yup. Same issue as @bashbanana and the fix recommended by @GOAT-FARM3R is valid and working.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
made some changes: https://gist.github.com/Cablethief/a2b8f0f7d5ece96423ba376d261bd711