#!/usr/bin/env python3
# File: read_rdp_cert.py
# Location: https://gitlab.com/bgstack15/read-rdp-cert
# Author: bgstack15
# Startdate: 2021-07-28 14:02
# Title: Read RDP Certificate Used from a Packet Capture File
# Purpose: Given a pcap input file that contains a TLS HANDSHAKE CERTIFICATE packet, extract the certificate(s) it carries
# History:
# Usage:
# Generate packet capture with:
# sudo tcpdump -w ~/packets.in -n -v -A "port 3389 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)"
# Then visit rdp.
# yes no | xfreerdp destserver.internal.example.com
# Then submit the packet capture file to read_rdp_cert.py
# ./read_rdp_cert.py --pcapfile ~/packets.in
# Reference:
# Improve:
# Add debug level
# Note: if I need libpath logic, check logout-manager-cli
import argparse
import os

from rrc_lib import *
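read_rdp_cert_version = "2021-07-29"


def main() -> None:
    """Parse the command line, read the pcap file and save every certificate it yields.

    Side effects: reads ``sys.argv`` via argparse, then for each item returned
    by ``read_pcap_file`` calls ``save_cert`` with the current working
    directory as the output location. Both helpers come from ``rrc_lib``
    (star-imported at the top of the file); what they do with the data is not
    visible here.
    """
    parser = argparse.ArgumentParser(description="read pcap files and extract TLSv1 Certificate certificates")
    parser.add_argument("-p", "--pcapfile", required=True, help="Input file. Required.")
    parser.add_argument("-V", "--version", action="version", version="%(prog)s " + read_rdp_cert_version)
    args = parser.parse_args()

    # Report a bad path as a usage error instead of letting rrc_lib raise a
    # traceback. os.path.exists (not isfile) so pipes/devices are still accepted.
    if not os.path.exists(args.pcapfile):
        parser.error(f"pcap file not found: {args.pcapfile}")

    # The capture is untrusted input; all parsing happens inside rrc_lib.
    # Each item is passed straight to save_cert — presumably the certificate
    # bytes, but the element type is defined by rrc_lib, not here.
    certs = read_pcap_file(args.pcapfile)
    for cert in certs:
        save_cert(
            data=cert,
            directory=os.path.curdir,
        )


if __name__ == "__main__":
    main()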