A simple tshark EAP certificate extractor
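#!/bin/sh
# Simple tshark WiFi EAP certificate extractor
# By dominic@sensepost.com
# All rights reserved 2019

# On Ctrl-C, stop any running tshark capture before exiting
trap_ctrlc ()
{
    echo "Ctrl-C caught...performing clean up"
    killall tshark
    exit 2
}
trap "trap_ctrlc" 2

# Abort early if tshark is not on the PATH
if ! command -v tshark >/dev/null 2>&1; then
    echo "tshark not installed"
    exit 1
fi

# Require a mode flag (-r or -i) and its argument
if [ -z "${1}" ] || [ -z "${2}" ]; then
    echo "Usage: $0 [-r file.cap] [-i interface]"
    echo "Extracted certificates will be written to <file|int>.cert.rand.der"
    exit 1
fi

# Output files are named after the capture file or interface
tmpbase=$(basename "$2")

# Print the certificate bytes of each EAP TLS handshake as hex, convert them
# to DER, save a copy and show the decoded certificate.
# Note: tshark builds that report ssl.handshake.certificate as an invalid
# field need tls.handshake.certificate in both the filter and -e.
for x in $(tshark "$1" "$2" \
    -Y "ssl.handshake.certificate and eapol" \
    -T fields -e "ssl.handshake.certificate"); do
    echo "$x" | \
        sed "s/://g" | \
        xxd -ps -r | \
        tee "$(mktemp "$tmpbase.cert.XXXX.der")" | \
        openssl x509 -inform der -text
done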

singe commented Feb 27, 2019

I have no idea how it happened, but when copy pasting this, it changed some of my integers which affected things like $1 and the year. WTF. Fixed it.

bashbanana commented Jun 17, 2019

I get an error:

$./Extract_EAP.sh -i wlp0s20u3mon
tshark: Some fields aren't valid:
ssl.handshake.certificate

$

I have wireshark installed. Can it be because I am running python 3.0 as default?

singe commented Jun 17, 2019

GOAT-FARM3R commented Sep 23, 2019

Had the same issue as @bashbanana, fixed it by replacing "ssl.handshake.certificate" with "tls.handshake.certificate".
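
The field-name mismatch reported in the comments above can be detected at run time instead of editing the script per machine. This is an added example, not part of the original gist: `pick_cert_field` is a hypothetical helper that reads the output of `tshark -G fields` and returns whichever certificate field name that build registers, and the sample field dumps are constructed.

```shell
#!/bin/sh
# Added example (not from the gist): pick the certificate field name that
# the installed tshark registers, so one script works across versions.

# pick_cert_field (hypothetical helper) reads a `tshark -G fields` dump on
# stdin. Field records are tab-separated lines starting with "F", with the
# filter name in column 3. Prints the usable name; exits 1 if none is found.
pick_cert_field() {
    awk -F '\t' '
        $1 == "F" && $3 == "tls.handshake.certificate" { tls = 1 }
        $1 == "F" && $3 == "ssl.handshake.certificate" { ssl = 1 }
        END {
            if (tls)      print "tls.handshake.certificate"
            else if (ssl) print "ssl.handshake.certificate"
            else          exit 1
        }'
}

# Constructed sample dumps, shaped like `tshark -G fields` output.
sample_new_fields() {
    printf 'P\tTransport Layer Security\ttls\n'
    printf 'F\tCertificate\ttls.handshake.certificate\tFT_BYTES\ttls\n'
}
sample_old_fields() {
    printf 'P\tSecure Sockets Layer\tssl\n'
    printf 'F\tCertificate\tssl.handshake.certificate\tFT_BYTES\tssl\n'
}
# Only a similarly named field: must not be mistaken for the real one.
sample_unrelated_fields() {
    printf 'F\tCertificate Length\ttls.handshake.certificate_length\tFT_UINT24\ttls\n'
}

# Live use: runs only when tshark is installed.
if command -v tshark >/dev/null 2>&1; then
    if field=$(tshark -G fields 2>/dev/null | pick_cert_field); then
        echo "use: -Y \"$field and eapol\" -T fields -e $field"
    else
        echo "this tshark registers neither certificate field name" >&2
    fi
fi
```

In the extractor script, the returned name would replace the hard-coded field in both the `-Y` filter and the `-e` option.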
