1 files changed, 37 insertions, 0 deletions

diff --git a/read_rdp_cert.py b/read_rdp_cert.py
new file mode 100755
index 0000000..411273a
--- /dev/null
+++ b/read_rdp_cert.py
@@ -0,0 +1,37 @@
+#!/usr/bin/env python3
+# File: read_rdp_cert.py
+# Location: https://gitlab.com/bgstack15/read-rdp-cert
+# Author: bgstack15
+# Startdate: 2021-07-28 14:02
+# Title: Read RDP Certificate Used from a Packet Capture File
+# Purpose: Given pcap input file that contains a TLS HANDSHAKE CERTIFICATE packet, extract out the cert
+# History:
+# Usage:
+#    Generate packet capture with:
+#       sudo tcpdump -w ~/packets.in -n -v -A "port 3389 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)"
+#    Then visit rdp.
+#       yes no | xfreerdp destserver.internal.example.com
+#    Then submit the packet capture file to read_rdp_cert.py
+#       ./read_rdp_cert.py --pcapfile ~/packets.in
+# Reference:
+# Improve:
+#    Add debug level
+
+# Note: if I need libpath logic, check logout-manager-cli
+from rrc_lib import *
+import argparse
+
+read_rdp_cert_version="2021-07-29"
+
+parser = argparse.ArgumentParser(description="read pcap files and extract TLSv1 Certificate certificates")
+parser.add_argument("-p","--pcapfile", required=True, help="Input file. Required.")
+parser.add_argument("-V","--version", action="version", version="%(prog)s " + read_rdp_cert_version)
+
+args = parser.parse_args()
+
+array = read_pcap_file(args.pcapfile)
+for i in array:
+   save_cert(
+      data = i,
+      directory = os.path.curdir
+   )