
I would appreciate it if someone can point me to a tool or approach to extract SSL/TLS certificates from live HTTPS connections (directly from the network) or from a network trace file (pcap file). I tried using ssldump but I was not able to extract the certificates. I can also use Wireshark for this (manually), but I want to do this in an automated way. I am using a Linux platform for this. Thanks

Edit: I want to extract the SSL certificate that a server sends to the client (browser) during an SSL handshake. I want to use a network sniffer (tcpdump) to capture the SSL connections in a network and then extract the certificates from the resulting pcap file (or do it live).

Apakoh
  • 53

3 Answers


Do you need the certificates in a particular format (PEM/DER/...)?

ssldump can show parsed ASN.1 certificates with the -N option and read a pcap file as input with -r. The following command could show you the certificates in a human-readable form.

ssldump -Nr file.pcap | awk 'BEGIN {c=0;} { if ($0 ~ /^[ ]+Certificate$/) {c=1; print "========================================";} if ($0 !~ /^ +/ ) {c=0;} if (c==1) print $0; }'

The awk script isn't the cleanest but does the job (improvements more than welcome).

The -x option of ssldump would show you the actual packet payload (packet_data). That will include the record layer and handshake protocol fields (i.e. not the certificate only). A more intelligent script/code might be able to extract it from there and convert it to a more common format.

nrolans
  • 834
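As an added example (not code from any of the answers or from ssldump/NetworkMiner), the following Python script does the extraction step the answer above leaves to "a more intelligent script": it reassembles each TCP flow naively in capture order, walks the TLS records, and parses the DER certificates out of the Certificate handshake message. It assumes a classic libpcap file (not pcapng) with Ethernet/IPv4/TCP frames and a TLS 1.2-or-earlier handshake; in TLS 1.3 the Certificate message is encrypted, so nothing can be read from the capture.

```python
import struct
from collections import defaultdict

# Assumptions (example code, not from the answers above): classic libpcap format,
# Ethernet/IPv4/TCP frames, segments captured in order (no seq reordering or
# retransmission handling), TLS <= 1.2 (TLS 1.3 encrypts the Certificate message).

def tcp_payload_streams(pcap):
    """Concatenate TCP payloads per (src, sport, dst, dport) flow, in capture order."""
    bo = "<" if pcap[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    streams, off = defaultdict(bytes), 24          # skip the 24-byte pcap global header
    while off + 16 <= len(pcap):                    # 16-byte per-packet header
        incl = struct.unpack(bo + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                # not IPv4 over Ethernet, or not TCP
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total]            # IP total length drops Ethernet padding
        key = (frame[26:30], tcp[0:2], frame[30:34], tcp[2:4])
        streams[key] += tcp[(tcp[12] >> 4) * 4:]   # payload starts after TCP data offset
    return streams

def certs_from_tls_stream(data):
    """Return DER certificates from the Certificate handshake message in one direction."""
    hs, pos = b"", 0
    while pos + 5 <= len(data):                     # TLS record: type(1) version(2) length(2)
        rtype, _, rlen = struct.unpack("!BHH", data[pos:pos + 5])
        if rtype == 20:                             # ChangeCipherSpec: rest is encrypted
            break
        if rtype == 22:                             # one handshake message may span records
            hs += data[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    certs, hpos = [], 0
    while hpos + 4 <= len(hs):                      # handshake message: type(1) length(3)
        htype, hlen = hs[hpos], int.from_bytes(hs[hpos + 1:hpos + 4], "big")
        msg, hpos = hs[hpos + 4:hpos + 4 + hlen], hpos + 4 + hlen
        if htype == 11:                             # Certificate: list length, then entries
            cpos, end = 3, 3 + int.from_bytes(msg[:3], "big")
            while cpos + 3 <= end:                  # each entry: 3-byte length + DER bytes
                n = int.from_bytes(msg[cpos:cpos + 3], "big")
                certs.append(msg[cpos + 3:cpos + 3 + n])
                cpos += 3 + n
    return certs

def certs_from_pcap(pcap):
    """Map each flow that carried a Certificate message to its DER chain (leaf first)."""
    return {k: c for k, s in tcp_payload_streams(pcap).items() if (c := certs_from_tls_stream(s))}
```

Each returned blob is a DER certificate as sent on the wire, so it can be written to a file as-is or inspected with `openssl x509 -inform DER -in cert.der -text -noout`.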

The easiest way to extract X.509 certificates from a PCAP file with SSL traffic (like HTTPS) is to load the PCAP into the free open-source software NetworkMiner. You'll find the extracted certificate under the "Files" tab in NetworkMiner.

NetworkMiner automatically extracts X.509 certificates to disk from SSL/TLS sessions going to any of the following TCP ports: 443, 465, 563, 992, 993, 994, 995, 989, 990, 5223, 8170, 8443, 9001 and 9030.

You can download NetworkMiner here: http://sourceforge.net/projects/networkminer/

Also, see this guide for how to install and run NetworkMiner on Linux: http://www.netresec.com/?page=Blog&month=2014-02&post=HowTo-install-NetworkMiner-in-Ubuntu-Fedora-and-Arch-Linux


Live connections are usually encrypted with a session key, which is set at the beginning of the session. You can't snoop them even if you have all keys unless you have a dump of that session's handshake.

But you can see which hosts and ports are communicating. Server SSL certificates are usually port and host bound, so you can check the server's SSL certificate easily with

openssl s_client -connect example.com:443

where example.com is the server and 443 is the port your client is connecting to.

sanmai
  • 561