Extracting SSL certificates from the network or pcap files

Solution 1:

Do you need the certificates in a particular format (PEM/DER/...)?

ssldump can show parsed ASN.1 certificates with the -N option and read a pcap file as input with -r. The following command could show you the certificates in a human-readable form.

ssldump -Nr file.pcap | awk 'BEGIN {c=0;} { if ($0 ~ /^[ ]+Certificate$/) {c=1; print "========================================";} if ($0 !~ /^ +/ ) {c=0;} if (c==1) print $0; }'

The awk script isn't the cleanest but does the job (improvements more than welcome).

The -x option of ssldump would show you the actual packet payload (packet_data). That will include the record layer and handshake protocol fields (i.e. not the certificate only). A more intelligent script/code might be able to extract it from there and convert it to a more common format.
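The "more intelligent script" that answer alludes to, as an added example that is not part of the original answer: a small Python parser that walks the TLS record layer and handshake headers of a reassembled TCP stream (for example the bytes ssldump -x prints, or a followed stream from the pcap), collects the DER blobs from every Certificate message, and converts them to PEM. It assumes TLS 1.2 or earlier, where the Certificate message is sent in the clear; the sample stream and its two placeholder DER blobs are constructed here and are not real certificates.

```python
import base64
import struct

TLS_HANDSHAKE = 0x16   # record layer content type: handshake
HS_CERTIFICATE = 0x0B  # handshake message type: Certificate


def iter_tls_records(data: bytes):
    """Yield (content_type, payload) for each 5-byte-headed TLS record in a stream."""
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        off += 5
        yield ctype, data[off:off + length]
        off += length


def extract_der_certs(stream: bytes):
    """Return the DER certificates found in every Certificate handshake message.

    Handshake payloads are concatenated first, so a message split across
    several records (common for large certificate chains) is reassembled."""
    certs = []
    hs = b"".join(p for t, p in iter_tls_records(stream) if t == TLS_HANDSHAKE)
    off = 0
    while off + 4 <= len(hs):
        msg_type = hs[off]
        msg_len = int.from_bytes(hs[off + 1:off + 4], "big")
        body = hs[off + 4:off + 4 + msg_len]
        off += 4 + msg_len
        if msg_type != HS_CERTIFICATE:
            continue
        # certificate_list: 3-byte total length, then 3-byte-length-prefixed DER blobs
        total = int.from_bytes(body[0:3], "big")
        pos = 3
        while pos + 3 <= 3 + total:
            clen = int.from_bytes(body[pos:pos + 3], "big")
            certs.append(body[pos + 3:pos + 3 + clen])
            pos += 3 + clen
    return certs


def der_to_pem(der: bytes) -> str:
    """Wrap a DER blob in the PEM armour that openssl and browsers accept."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def build_sample_stream() -> bytes:
    """Constructed test input: one Certificate message carrying two placeholder
    DER blobs (not real certificates), split across two TLS records and
    followed by a ChangeCipherSpec record (type 0x14) that must be ignored."""
    fake_leaf, fake_ca = b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"
    cert_list = b"".join(len(c).to_bytes(3, "big") + c for c in (fake_leaf, fake_ca))
    body = len(cert_list).to_bytes(3, "big") + cert_list
    msg = bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body
    rec = lambda ctype, p: struct.pack("!BHH", ctype, 0x0303, len(p)) + p
    return rec(TLS_HANDSHAKE, msg[:7]) + rec(TLS_HANDSHAKE, msg[7:]) + rec(0x14, b"\x01")
```

Feeding a real stream is the same call: `extract_der_certs(open("stream.bin", "rb").read())`, then `der_to_pem()` on each result.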

Solution 2:

The easiest way to extract X.509 certificates from a PCAP file with SSL traffic (like HTTPS) is to load the PCAP into the free open-source software NetworkMiner. You'll find the extracted certificate under the "Files" tab in NetworkMiner.

NetworkMiner automatically extracts X.509 certificates to disk from SSL/TLS sessions going to any of the following TCP ports: 443, 465, 563, 992, 993, 994, 995, 989, 990, 5223, 8170, 8443, 9001 and 9030.

You can download NetworkMiner here: http://sourceforge.net/projects/networkminer/

Also, see this guide for how to install and run NetworkMiner on Linux: http://www.netresec.com/?page=Blog&month=2014-02&post=HowTo-install-NetworkMiner-in-Ubuntu-Fedora-and-Arch-Linux