I have a pcap file of 14 sniffed SSL packets. I uploaded it here:

ssl.pcap

I opened it with Wireshark. I see the 14 packets. The largest of them seems to contain a self-signed certificate (as it is made in a popular internet tutorial). I see the packet contains text like "Some-State" and "Internet Widgits Pty Ltd" ... How can I actually extract the real certificate (maybe in .crt format)?

Steffen Ullrich

4 Answers

With new versions of wireshark:

  • Make sure the traffic is decoded as SSL, i.e. set up the SSL analyzer for this TCP stream in Analyze >> Decode As. Now it will show the SSL details for the packets.
  • Pick the packet which contains the certificate, in this case packet 6.
  • In the packet details expand Secure Socket Layer etc. until you get to the certificate itself:

Screenshot from Wireshark, Certificate selected

  • Use the context menu (right click) and save the raw data of the certificate with Export Packet Bytes into a file, for example cert.der.
  • With openssl x509 -inform der -in cert.der -text you can have a look at the certificate, with openssl x509 -inform der -in cert.der -outform pem -out cert.crt you can convert it into a PEM format (i.e. what you mean with crt format).
Steffen Ullrich
  • Thanks, Steffen. I think I tried all other permutations of "copy as" and stuff like that. This worked exactly as advertised :) In my case, I was looking for a client certificate and the process was just the same, except that I was looking for the `Certificate, Client Key Exchange` message instead of the `Server Hello, Certificate, Server Hello Done` message. – Christopher Schultz May 14 '22 at 12:25
Natively, through Wireshark:

How to obtain the SSL certificate from a Wireshark packet capture:

  1. From the Wireshark menu choose Edit > Preferences and ensure that "Allow subdissector to reassemble TCP streams" is ticked in the TCP protocol preferences
  2. Find "Certificate, Server Hello" (or "Client Hello" if it is a client-side certificate that you are interested in obtaining).
  3. In the packet detail pane, expand the Secure Sockets Layer protocol
  4. Expand the “TLSv1 Record Layer: Handshake Protocol: Certificate” field
  5. Expand the “Handshake Protocol: Certificate” field
  6. Expand the list of certificates. There may be one or more certificates depending upon whether a chain of trust is present. The first certificate is the server certificate, the second is the signing Certificate Authority, the third the CA that trusted/signed that Certificate Authority and so on.
  7. Right-click on the certificate that you wish to obtain, then choose "Export selected packet bytes…" and name the file with a .der extension.

Alternatively, tools like ssldump or Network Miner (and undoubtedly others) can be used.

HopelessN00b
    I tried this. But this instruction is too old and doesn't work any more. The SSL option that is to be expanded in step 3 is not available any more. Also I'm sure other tools can be used, possibly even grep. But that doesn't answer the question "how"? – Kenyakorn Ketsombut May 21 '16 at 05:00
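The two answers above describe the same operation by hand: reassemble the TCP stream, find the Certificate handshake message, and save each DER blob. The script below does exactly that without Wireshark, so it can be cross-checked against the GUI export or run over many captures. It is an added example, not code from either answer, and it uses only the Python standard library. It assumes a classic pcap (not pcapng) with Ethernet/IPv4/TCP framing, and it only finds certificates in a plaintext handshake (TLS 1.2 and earlier; TLS 1.3 encrypts the Certificate message). The sample pcap it builds in `build_sample_pcap` is constructed for the demo; its two "certificates" are placeholder DER blobs, not real X.509 data.

```python
"""Extract DER certificates from TLS Certificate handshake messages in a pcap.
Added example, stdlib only. Handles out-of-order/retransmitted segments and
handshake messages split across TLS records; does not handle lost segments
(gaps are left as zero bytes) or TLS 1.3 (Certificate is encrypted there)."""
import struct
import sys
from collections import defaultdict

TLS_HANDSHAKE = 22      # TLS record content type
HS_CERTIFICATE = 11     # handshake message type


def tcp_segments(pcap):
    """Yield (flow, seq, payload) for every TCP segment that carries data."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap; convert pcapng with: editcap -F pcap in out")
    off = 24                                    # skip the pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                            # not IPv4 over Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue                            # not TCP
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (ip[12:16], sport, ip[16:20], dport), seq, payload


def reassemble(pcap):
    """Rebuild each unidirectional TCP byte stream, placing every segment at
    its sequence-number offset (so reordering and retransmits are harmless)."""
    flows = defaultdict(list)
    for flow, seq, payload in tcp_segments(pcap):
        flows[flow].append((seq, payload))
    streams = {}
    for flow, segs in flows.items():
        base = min(seq for seq, _ in segs)
        buf = bytearray()
        for seq, payload in sorted(segs):
            start = seq - base
            buf.extend(b"\x00" * max(0, start + len(payload) - len(buf)))
            buf[start:start + len(payload)] = payload
        streams[flow] = bytes(buf)
    return streams


def certificates_in_stream(stream):
    """Join the bodies of all Handshake records (one message may span several
    records), then pull each cert out of every Certificate message."""
    handshake = bytearray()
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _ver, length = struct.unpack("!BHH", stream[pos:pos + 5])
        if ctype == TLS_HANDSHAKE:
            handshake.extend(stream[pos + 5:pos + 5 + length])
        pos += 5 + length
    certs, pos = [], 0
    while pos + 4 <= len(handshake):
        hs_type = handshake[pos]
        hs_len = int.from_bytes(handshake[pos + 1:pos + 4], "big")
        body = handshake[pos + 4:pos + 4 + hs_len]
        pos += 4 + hs_len
        if hs_type != HS_CERTIFICATE:
            continue
        list_len, p = int.from_bytes(body[:3], "big"), 3   # certificate_list
        while p + 3 <= 3 + list_len:
            clen = int.from_bytes(body[p:p + 3], "big")    # leaf first, then chain
            certs.append(bytes(body[p + 3:p + 3 + clen]))
            p += 3 + clen
    return certs


def extract_certificates(pcap):
    """Return every DER certificate found in any TCP stream of the pcap."""
    return [c for s in reassemble(pcap).values() for c in certificates_in_stream(s)]


# Constructed sample: two placeholder DER blobs (NOT real certificates) standing
# in for leaf and issuer, sent in one Certificate message that is split across
# two TLS records carried in two TCP segments that appear out of order.
SAMPLE_CERTS = [b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"]


def build_sample_pcap(certs=SAMPLE_CERTS):
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(entries).to_bytes(3, "big") + entries
    msg = bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body
    half = len(msg) // 2
    records = [struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(c)) + c
               for c in (msg[:half], msg[half:])]

    def segment(seq, payload):   # 10.0.0.2:443 -> 10.0.0.1:40000, PSH|ACK
        tcp = struct.pack("!HHIIBBHHH", 443, 40000, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    seq0 = 1000
    return header + segment(seq0 + len(records[0]), records[1]) + segment(seq0, records[0])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            pcap = f.read()
    else:
        pcap = build_sample_pcap()
    for i, der in enumerate(extract_certificates(pcap)):
        with open(f"cert{i}.der", "wb") as f:
            f.write(der)
        print(f"cert{i}.der: {len(der)} bytes")
```

Run it as `python extract_certs.py ssl.pcap` and then inspect each file with `openssl x509 -inform der -in cert0.der -noout -subject -issuer`; `cert0.der` is the leaf and the rest follow the chain order of the Certificate message. If the capture was saved by a recent Wireshark it is probably pcapng, which this parser rejects on the magic number; `editcap -F pcap in.pcapng out.pcap` converts it. If no certificate is found for a stream that clearly carries TLS, check the version in the Server Hello: a TLS 1.3 handshake encrypts the Certificate message, so nothing short of the session keys will recover it from the wire.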
Try Network Miner

Run the PCAP file through Network Miner. It extracts certs and other file types.

StackzOfZtuff
You may also use pyshark module for Python. You will find certificates in the SSL layer, but not all SSL layer packets have the certificate. Some of the packets are for handshake negotiation, etc. So, you can search for one of the x509 attributes in the packet.

# Import modules
import pyshark
# Docs: https://github.com/KimiNewt/pyshark/
from pprint import pprint


data = pyshark.FileCapture("path/to/file.pcap")

# Loop through each item (packet). Wireshark 3.x names the layer "TLS";
# older versions used "SSL", so accept either.
for pkt in data:
    layer_name = "TLS" if "TLS" in pkt else ("SSL" if "SSL" in pkt else None)
    if layer_name is None:
        continue
    layer = pkt[layer_name]
    # Only Certificate handshake messages carry x509 attributes
    if hasattr(layer, 'x509sat_utf8string'):
        print(layer)
        print(dir(layer))
        pprint(vars(layer))
        break

data.close()