
I will appreciate if someone can point me to a tool or approach to extract SSL/TLS certificates from live HTTPS connections (directly from the network) or from a network trace file (pcap file). I tried using ssldump but I was not able to extract the certificates. I can also use Wireshark for this (manually), but I want to do this in an automated way. I am using a Linux platform for this. Thanks

Edit: I want to extract the SSL certificate that a server sends to the client (browser) during an SSL handshake. I want to use a network sniffer (tcpdump) to capture the SSL connections in a network and then extract the certificates from the resulting pcap file (or do it live).

Apakoh

3 Answers


Do you need the certificates in a particular format (PEM/DER/...)?

ssldump can show parsed ASN.1 certificates with the -N option and read a pcap file as input with -r. The following command could show you the certificates in a human-readable form.

```sh
ssldump -Nr file.pcap | awk 'BEGIN {c=0;} { if ($0 ~ /^[ ]+Certificate$/) {c=1; print "========================================";} if ($0 !~ /^ +/ ) {c=0;} if (c==1) print $0; }'
```

The awk script isn't the cleanest but does the job (improvements more than welcome).

The -x option of ssldump would show you the actual packet payload (packet_data). That will include the record layer and handshake protocol fields (i.e. not the certificate only). A more intelligent script/code might be able to extract it from there and convert it to a more common format.

nrolans
  • Where do you get ssldump from? – President James K. Polk Sep 21 '11 at 00:44
  • You can get it from [sourceforge](http://ssldump.sourceforge.net). Most distributions will have a package for it. I did this on version 0.9b3. – nrolans Sep 21 '11 at 05:53
  • Great. I knew that ssldump was the tool for this; however, I think my problem was that the pcap files I was trying did not have all the packet payload (truncated). Trying the command you suggest on live connections (not from a pcap file), I am able to see the certificates. I will try the -x option and figure out how to parse the certificate information from the packet data because I want the certificates in DER format. Thanks a lot! – Apakoh Sep 21 '11 at 22:53
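The "more intelligent script" the answer alludes to only needs to walk the TLS record layer and the handshake layer that `ssldump -x` shows, since the server's Certificate message is sent in the clear before ChangeCipherSpec. The following is an added example (not from the answer or from ssldump) that does exactly that on the server-to-client byte stream and returns each certificate as raw DER, which is the format the asker wants. It assumes the caller has already reassembled the TCP stream (from a pcap or live capture) and handles a Certificate message that spans several records; the sample stream at the bottom is constructed, with placeholder blobs standing in for real certificates.

```python
import struct

CONTENT_HANDSHAKE = 22      # TLS record layer content type
HANDSHAKE_CERTIFICATE = 11  # handshake message type


def tls_handshake_messages(stream: bytes):
    """Yield (type, body) handshake messages from a server->client TLS byte stream.
    Records are type(1) version(2) length(2) fragment; handshake fragments are
    joined first because one message (e.g. Certificate) can span several records."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _ver, rlen = struct.unpack("!BHH", stream[pos:pos + 5])
        frag = stream[pos + 5:pos + 5 + rlen]
        if len(frag) < rlen:
            break  # truncated capture (snaplen too small): stop, do not misparse
        pos += 5 + rlen
        if ctype != CONTENT_HANDSHAKE:
            continue  # ChangeCipherSpec/alert; after CCS the stream is encrypted anyway
        buf += frag
        while len(buf) >= 4 and len(buf) >= 4 + int.from_bytes(buf[1:4], "big"):
            hlen = int.from_bytes(buf[1:4], "big")
            yield buf[0], buf[4:4 + hlen]
            buf = buf[4 + hlen:]


def extract_der_certificates(stream: bytes) -> list:
    """Return every DER certificate carried in Certificate messages, chain order kept."""
    certs = []
    for htype, body in tls_handshake_messages(stream):
        if htype != HANDSHAKE_CERTIFICATE:
            continue
        end, p = 3 + int.from_bytes(body[0:3], "big"), 3  # certificate_list length
        while p + 3 <= end:
            clen = int.from_bytes(body[p:p + 3], "big")
            certs.append(body[p + 3:p + 3 + clen])
            p += 3 + clen
    return certs


# Constructed sample stream (not a real capture): a ServerHello followed by a
# Certificate message carrying two placeholder blobs, split across two records.
def _hs(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

def _rec(frag):
    return bytes([CONTENT_HANDSHAKE, 3, 3]) + len(frag).to_bytes(2, "big") + frag

FAKE_LEAF = b"\x30\x82\x01\x00" + b"L" * 20  # placeholders, not real DER certificates
FAKE_CA = b"\x30\x82\x02\x00" + b"C" * 12
_chain = b"".join(len(c).to_bytes(3, "big") + c for c in (FAKE_LEAF, FAKE_CA))
_msg = _hs(HANDSHAKE_CERTIFICATE, len(_chain).to_bytes(3, "big") + _chain)
SAMPLE_STREAM = _rec(_hs(2, b"\x03\x03" + b"\x00" * 33)) + _rec(_msg[:10]) + _rec(_msg[10:])
```

Each returned blob can be written to a `.der` file and inspected with `openssl x509 -inform DER -text`; a capture whose snaplen cut the payload short yields nothing rather than a bogus certificate, which matches the truncation problem described in the comments.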

The easiest way to extract X.509 certificates from a PCAP file with SSL traffic (like HTTPS) is to load the PCAP into the free open-source software NetworkMiner. You'll find the extracted certificate under the "Files" tab in NetworkMiner.

NetworkMiner automatically extracts X.509 certificates to disk from SSL/TLS sessions going to any of the following TCP ports: 443, 465, 563, 992, 993, 994, 995, 989, 990, 5223, 8170, 8443, 9001 and 9030.

You can download NetworkMiner here: http://sourceforge.net/projects/networkminer/

Also, see this guide for how to install and run NetworkMiner on Linux: http://www.netresec.com/?page=Blog&month=2014-02&post=HowTo-install-NetworkMiner-in-Ubuntu-Fedora-and-Arch-Linux

netresec

Live connections are usually encrypted with a session key, which is set at the beginning of the session. You can't snoop them even if you have all keys unless you have a dump of that session's handshake.

But you can see which hosts and ports are communicating. Server SSL certificates are usually port and host bound, so you can check a server's SSL certificate easily with

```sh
openssl s_client -connect example.com:443
```

where example.com is the server and 443 is the port your client is connecting to.

sanmai
  • Maybe I didn't explain well. By using a network sniffer, I want to extract the server SSL certificates that clients (browsers) receive while establishing an SSL connection (HTTPS). The certificate is sent by the server during the SSL handshake and it is not encrypted. –  Sep 20 '11 at 04:18
  • What is stopping you from using `openssl s_client`? Why can't you connect to a server to check a certificate? – sanmai Sep 20 '11 at 04:21
  • 1
    I don't want to check the certificate of a specific server. I want to monitor the certificates that other clients in the network are using. For example, if a use tcpdump to capture HTTPS connections in the network (promiscuous mode), I want to extract automatically the server certificates that were used to established such connections (during the SSL handshake). –  Sep 20 '11 at 04:27
  • You can pipe `tcpdump` output into a `grep`/`sed` filter and pipe it to `xargs openssl s_client`, and it'll show you certificate info for each connection matching the `tcpdump` filter you set up. – sanmai Sep 20 '11 at 04:42
  • 1
    If I understand correctly, you are suggesting to use the filtered connection information to download the certificate from the server directly, instead of extracting it from the existent connection. I want a passive tool, asking again for the certificate to the server is not very efficient if the SSL network load is high. Also, I want to make sure I see exactly the same certificate that the client is using, which could differ in some scenarios (some sites use multiple certificates in their SSL reverse-proxies). Thanks for the suggestion anyway. –  Sep 20 '11 at 14:45