NetTIP: Extracting Digital Certificates from Network Captures in Easy Steps
Introduction
Troubleshooting connectivity issues in scenarios involving SSL/TLS communications usually involve an important point to verify whether the certificates exchanged during that process (TLS Client/Server Hello) is the correct one and has the attributes or extensions in place such as EKU, SAN, and others.
In this article, we will show you how to extract digital certificate information by using two network excellent and well known analysis tools: Microsoft Message Analyzer and Wireshark. The good news is you can also get some hands on and review the same captures used this article. Just go to Network Capture Library to have access to them.
Side Note: Other captures will be added soon in the Network Capture Library with different scenario where you can download, review and learn from them.
The main goal of this article is more educational on teaching you how to extract information of digital certificates from a network capture. I would like to anticipate that if you search Internet you can find several ready tools and other methodologies to perform same action. However, most of those tools are focus on TLS for HTTP traffic (HTTPS) and we will explore here other scenarios you may face, for example, 802.1x that will explore in this article.
Exporting Web Server Certificate using Message Analyzer
We are going to open capture named HTTPS-TLS-Certificate.cap
After opening the capture in Message Analyzer follow these steps:
- Apply the following filters just to show frames where certificate information is *Summary contains "Certificate"
- Select the frame and start to expand each property on the package focusing on Certificate.
- Select in x509_cert.
- Automatically Message Data 1 window will highlight in the grey portion of the capture with the certificate to be exported.
Note: If Message Data 1 is not displayed just proceed to menu Tools -> Message Data – Message Data 1 - Right-click in any gray area of Message Data 1 window as Save Selected Bytes As… as type any file name and just make sure the extension is .CER
After successful get the file exported. Just go to the folder and double click in the file and you will be able to see it.
Note: In your review, you may get a warning message while opening the certificate because your system does not trust on it. So, this may be expected.
Exporting Client and RADIUS Server Ceritificates from EAP-TLS traffic (802.1x) using Wireshark
We are going to open capture named EAP-TLS-Certificate.cap.
The same process above you can perform with Wireshark. In this scenario, Client and RADIUS Server Certificate during the process of EAP-TLS authentication are going to be extracted:
- Select frames where we have Certificate explicitly in the information. For RADIUS server certificate, select frame 17. Client certificate can be done by selecting frame 21.
- Expand bottom part on Packet details window and select Certificate.
- Right Click and Export Packet Bytes (CTRL + H) and name it and add extension .CER.
*Side Note: You may be wondering why do we have source and destination shown as MAC address? Again this 802.1x and machine is authenticating to get an IP.
- Repeat same steps above to export the client certificate and final output both exported .CER files are:
Wireshark Extra Bonus Tip:
One cool very cool tip I would like to present is a way to expose the certificate names in Wireshark as a Column. That will come in handy loading a capture and digital certificate name will be exposed to the column:
- Add a custom type column in via menu Edit – Preferences and add in Fields x509sat.printableString as shown in this picture:
2. Certificate information will be exposed to the Column with the Certification Authority (issuer) and certificate as shown below:
In the example above: Contoso-EntCA is the Issuer Certification Authority (CA), WADC01.contoso.corp is the certificate of NPS Server (RADIUS) and WA-W10CLI2.contoso.corp is the certificate from the client.
Conclusion
This post described in easy steps on how to export digital certificates from network captures by using either Microsoft Message Analyzer or Wireshark. We will be posting in the next few days a troubleshooting case scenario that will explore and resolve an issue that will leverage digital certificate information. Stay Tune! Thanks for visiting us and I hope you learned something new today.