From 518c1fb1d43e895a4f3070653174c6e3ec481889 Mon Sep 17 00:00:00 2001
From: "B. Stack"
Date: Thu, 29 Jul 2021 09:44:57 -0400
Subject: initial commit
---
 read_rdp_cert.py | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100755 read_rdp_cert.py
(limited to 'read_rdp_cert.py')
diff --git a/read_rdp_cert.py b/read_rdp_cert.py
new file mode 100755
index 0000000..411273a
--- /dev/null
+++ b/read_rdp_cert.py
@@ -0,0 +1,37 @@
+#!/usr/bin/env python3
+# File: read_rdp_cert.py
+# Location: https://gitlab.com/bgstack15/read-rdp-cert
+# Author: bgstack15
+# Startdate: 2021-07-28 14:02
+# Title: Read RDP Certificate Used from a Packet Capture File
+# Purpose: Given pcap input file that contains a TLS HANDSHAKE CERTIFICATE packet, extract out the cert
+# History:
+# Usage:
+# Generate packet capture with:
+# sudo tcpdump -w ~/packets.in -n -v -A "port 3389 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)"
+# Then visit rdp.
+# yes no | xfreerdp destserver.internal.example.com
+# Then submit the packet capture file to read_rdp_cert.py
+# ./read_rdp_cert.py --pcapfile ~/packets.in
+# Reference:
+# Improve:
+# Add debug level
+
+# Note: if I need libpath logic, check logout-manager-cli
+from rrc_lib import *
+import argparse
+
+read_rdp_cert_version="2021-07-29"
+
+parser = argparse.ArgumentParser(description="read pcap files and extract TLSv1 Certificate certificates")
+parser.add_argument("-p","--pcapfile", required=True, help="Input file. Required.")
+parser.add_argument("-V","--version", action="version", version="%(prog)s " + read_rdp_cert_version)
+
+args = parser.parse_args()
+
+array = read_pcap_file(args.pcapfile)
+for i in array:
+ save_cert(
+ data = i,
+ directory = os.path.curdir
+ )
-- cgit
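Review bot: The last line of the hunk uses `os.path.curdir`, but this file never imports `os`; the name only resolves because `from rrc_lib import *` happens to re-export whatever rrc_lib itself imported, and it will break with a NameError as soon as rrc_lib adds an `__all__` or drops its own `os` import. Import it explicitly next to argparse and replace the wildcard with the two names actually used: `import os` and `from rrc_lib import read_pcap_file, save_cert`. Separately, the capture file is untrusted input and the loop writes one file per extracted certificate into the working directory; if `save_cert` (defined in rrc_lib, outside this diff) derives the output filename from certificate fields, that name should be sanitized to a basename before it is joined with `directory`, since the bytes come from the wire. A short comment above the loop such as `# one output file per TLS Certificate record found in the capture; written to the cwd` would also make the side effect clear to the reader.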