Extract SSL/TLS public certificate from pcap

Have a need to extract a public key certificate from a network packet capture session (pcap)?

You can use this method to extract either the server or client side public key using Wireshark.

Configure Wireshark

In my situation I had the ssl traffic using the non standard port (9443) instead of 443. To ensure your packets are correctly decoded in Wireshark, specify the ssl decoder should be used on the correct port number. Select a packet line from Wireshark, choose “Analyze” from the menu bar, select “Decode as” and the rest you can figure out.

Export Certificate

What you want to look for in Wireshark’s main screen is an entry that says “Certificate” or “Hello, Certificate” with the “source” being the owner of the public key’s private key.

Once you find the public key, move down to Wireshark’s decode screen and drill down to “SSL” and look for the “Certificate” section with the expect common name in brackets. In my case this was “Certificate (id-at-commonName=bobby:myvpn.a)”. Right click this section and select “Export select packet bytes”, and save to file “my-client-pubkey.der”. The format of the file will be binary DER.

View x509 certificate

$ openssl x509 -inform der -in my-client-pubkey.pem -noout -text
Certificate:
 Data:
 Version: 1 (0x0)
 Serial Number: 7829 (0x1e95)
 Signature Algorithm: md5WithRSAEncryption
 Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc,
 OU=Certification Services Division,
 CN=Thawte Server CA/emailAddress=server-certs@thawte.com
 Validity 
 Not Before: Jul 9 16:04:02 1998 GMT
 Not After : Jul 9 16:04:02 1999 GMT
 Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala,
 OU=FreeSoft, CN=bobby:myvpn.a
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 RSA Public Key: (1024 bit)
 Modulus (1024 bit):
 00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb:
 33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1:
 66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66:
 70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17:
 16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b:
 c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77:
 8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3:
 d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8:
 e8:35:1c:9e:27:52:7e:41:8f
 Exponent: 65537 (0x10001)
 Signature Algorithm: md5WithRSAEncryption
 93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d:
 92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:2f:92:
 ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:9c:67:
 d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:41:72:
 0d:19:aa:ad:dd:9a:df:ab:97:50:65:f5:5e:85:a6:ef:19:d1:
 5a:de:9d:ea:63:cd:cb:cc:6d:5d:01:85:b5:6d:c8:f3:d9:f7:
 8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:b5:22:
 68:9f

This is a sample certificate.

Save to file. https://www.sslshopper.com/article-most-common-openssl-commands.html

$ openssl x509 -inform der -in certificate.der -out certificate.pem
References

Excellent write that I used to help me http://blog.stalkr.net/2010/03/codegate-decrypting-https-ssl-rsa-768.html

One thought on “Extract SSL/TLS public certificate from pcap

  1. Pingback: Extract iOS private keys | youremindmeofmymother

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s