I'm using tshark to get packet data from pcap. I want to know the website url that the tcp.stream is connected to. The only place I can see that will have that is the certificate. If there's another place let me know, but I do now want to solve this for academic reasons.
I can manually export the certificate within wireshark following http://darenmatthews.com/blog/?p=2036 "Right-click on the on the certificate that you wish to obtain then choose “Export selected packet bytes…” and name the file with a .der extension."
From https://www.c-amie.co.uk/technical/powershell-convert-der-encoded-certificate-file-into-a-base64-cer/ I modified to just present the details. No need to automate writing files just to read them with -Encoding Byte.
function CertTextDetail ($certtext=$null) {
if($certtext -ne $null) {
$bytes = [System.Text.Encoding]::UTF8.GetBytes($certtext)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
$cert |select * ; $cert.Dispose()
}}
CertTextDetail $content
Subject : CN=go.microsoft.com, O=Microsoft Corporation, L=Redmond, S=WA, C=US
Issuer : CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US
Thumbprint : 770170500D521B1E6647DF0949BDC0480613ED80
FriendlyName :
NotBefore : 9/25/2023 12:26:11 PM
NotAfter : 9/19/2024 12:26:11 PM
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
I see that tshark's first certificate (separated by a comma from intermediate and root certs) tls.handshake.certificate is in raw format and is the exact same data as I see within wireshark's view packet data. I even did a copy packet bytes into CertTextDetail function and got results. Originally was in ansii encoding.
.\tshark.exe -r "C:\Users\kirt_\Downloads\packetCapture1.pcapng" -T fields -E separator="," -E header='y' -E quote=d -e ip.src -e ip.dst -e _ws.col.Protocol -e frame.time -e frame.number -e _ws.col.Info -e tcp.stream -e frame.time_relative -e frame.len -e tls.handshake.certificate |foreach {$_.replace(' "',' `').replace('" ','` ')} | convertfrom-csv | where frame.number -eq 1464 | foreach { $_.'tls.handshake.certificate' -split(',') | select -First 1}
308208a53082068da003020......
(note: You have to clean up any quotes within _ws.col.Info or the csv will have bad data from frames with embedded double quotes before convertfrom-csv)
I need to properly convert, encode or decode tshark's tls.handshake.certificate from raw to ansii to match the .DER file so I can use the [System.Security.Cryptography.X509Certificates.X509Certificate2]::new function and retrieve the cert details.
I spent hours looking for a [system..]::method to do this, but if not done right it doesn't produce the MII... we all know and love.
-----BEGIN CERTIFICATE-----
MIIIpTCCBo..
Please help me with the proper method to alter, encode, decode the raw format to ansii.
The output from tshark is hexadecimally encoded - interpret each 2 chars as a byte and you'll get the value you're looking for:
$rawCertHexString = "308208a53082068da00302" # truncated for this demonstration
[byte[]]$certData = for ($i = 0; $i -lt $rawCertHexString.Length; $i += 2) {
$byteString = $rawCertHexString.Substring($i, 2)
# let powershell re-parse number as hexadecimal numeric literal
+"0x$byteString"
}
Converting the resulting byte stream to base64 reveals the certificate structure is already encoded correctly:
PS ~> [convert]::ToBase64String($certData)
MIIIpTCCBo2gAwI=
But there's no need to convert it to base64 if you intend to use the certificate data from within PowerShell - you can pass the raw certificate data directly to the [X509Certificate2] constructor:
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certData)