A simple tshark EAP certificate extractor

extract_EAP.sh

#!/bin/sh
# Simple tshark WiFi EAP certificate extractor
# By dominic@sensepost.com
# All rights reserved 2019

function trap_ctrlc ()
{
  echo "Ctrl-C caught...performing clean up"
  killall tshark
  exit 2
}

trap "trap_ctrlc" 2


if [ ! -x $(which tshark) ]; then
  echo "tshark not installed"
  exit 1
fi

if [ -z ${1} ]; then
  echo "Usage: $0 [-r file.cap] [-i interface]"
  echo "Extracted certificates will be written to <file|int>.cert.rand.der"
  exit 1
fi

tmpbase=$(basename $2)
for x in $(tshark $1 $2 \
           -Y "ssl.handshake.certificate and eapol" \
           -T fields -e "ssl.handshake.certificate"); do 
  echo $x | \
  sed "s/://g" | \
  xxd -ps -r | \
  tee $(mktemp $tmpbase.cert.XXXX.der) | \
  openssl x509 -inform der -text; 
done

made some changes: https://gist.github.com/Cablethief/a2b8f0f7d5ece96423ba376d261bd711

I have no idea how it happened, but when copy pasting this, it changed some of my integers which affected things like $1 and the year. WTF. Fixed it.

I get error:

$./Extract_EAP.sh -i wlp0s20u3mon
tshark: Some fields aren't valid:
ssl.handshake.certificate
$

I have wireshark instaled. Can it be because I am running python 3.0 as default?

What version of tshark/wireshark are you running?

…

On 17 Jun 2019, at 13:06, bashbanana ***@***.***> wrote: I get error: $./Extract_EAP.sh -i wlp0s20u3mon tshark: Some fields aren't valid: ssl.handshake.certificate $ I have wireshark instaled. Can it be because I am running python 3.0 as default? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

Had the same issue as @bashbanana, fixed it by replacing "ssl.handshake.certificate" with "tls.handshake.certificate".