aboutsummaryrefslogtreecommitdiff
path: root/README.md
diff options
context:
space:
mode:
authorB. Stack <bgstack15@gmail.com>2021-07-29 10:00:50 -0400
committerB. Stack <bgstack15@gmail.com>2021-07-29 10:00:50 -0400
commitf4804d0d6b8586bca1ee88faf05ab64c507513c6 (patch)
tree066905a04598f45ddeae7d7cb9f2dd03d69612cf /README.md
parentinitial commit (diff)
downloadread-rdp-cert-master.tar.gz
read-rdp-cert-master.tar.bz2
read-rdp-cert-master.zip
add Using section to readmeHEADmaster
Diffstat (limited to 'README.md')
-rw-r--r--README.md19
1 files changed, 18 insertions, 1 deletions
diff --git a/README.md b/README.md
index 57349e5..1299011 100644
--- a/README.md
+++ b/README.md
@@ -5,6 +5,22 @@ Remote Desktop Protocol (rdp) has the ability to use TLS certificates to encrypt
This project can read a packet capture, really any pcap that contains the TLSv1 Certificate protocol, and save from the TLSv1 Certificates packets any pem-format certificates to disk. Of course this project is open-source, so you can adapt it to do whatever you want.
+
+## Using
+You need to generate a packet capture file, which can be done with `wireshark` or `tcpdump`. I used filters:
+
+ sudo tcpdump -w ~/packets.in -n -v -A "port 3389 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)"
+
+This filter is taken from [Reference 2](https://stackoverflow.com/questions/39624745/capture-only-ssl-handshake-with-tcpdump).
+
+In wireshark, you can even use a display filter of `tls.handshake.type == 11` as well.
+
+With the output file `~/packets.in`, run the main utility with this file as a parameter.
+
+ ./read_rdp_cert.py --pcapfile ~/packets.in
+
+The utility will extract all certificates that it can find from the tls handshake packets, into the current directory.
+
## Reason for existence
I have not found on the Internet appears how to read RDP certificates.
@@ -14,7 +30,8 @@ I have not researched these alternatives thoroughly, but they showed possible al
* pyshark lib [https://security.stackexchange.com/questions/123851/how-can-i-extract-the-certificate-from-this-pcap-file](https://security.stackexchange.com/questions/123851/how-can-i-extract-the-certificate-from-this-pcap-file)
## References
-The `iplayer_from_raw` function is almost directly from [cuckoolinux -> network.py](https://github.com/0x71/cuckoo-linux/blob/82263c5df40ebe70dc35976b917293eb54a363af/modules/processing/network.py) and is licensed GPL-3.
+1. The `iplayer_from_raw` function is almost directly from [cuckoolinux -> network.py](https://github.com/0x71/cuckoo-linux/blob/82263c5df40ebe70dc35976b917293eb54a363af/modules/processing/network.py) and is licensed GPL-3.
+2. [https://stackoverflow.com/questions/39624745/capture-only-ssl-handshake-with-tcpdump](https://stackoverflow.com/questions/39624745/capture-only-ssl-handshake-with-tcpdump)
## License
GPL-3
bgstack15