Analysis gssapi-data for TLS-DSK packet

Hansel

于 2013-02-24 22:39:35 发布

阅读量897

点赞数

CC 4.0 BY-SA版权

分类专栏： Linux开发 Network

本文链接：https://blog.youkuaiyun.com/hansel/article/details/8607675

Linux开发同时被 2 个专栏收录

69 篇文章

订阅专栏

Network

28 篇文章

订阅专栏

本文介绍了一种从gssapi-data中提取并解析TLS证书的方法。首先需从抓包文件中获取到Base64编码的gssapi-data，然后使用Notepad++等工具解码为二进制文件。接着通过hping3构造数据包，并用tcpdump捕获，最后利用Wireshark导出ServerHello中的证书为DER格式，并转换成PEM格式。

gssapi-data is encoded by base64. It is actually apply to TLS protocol but encapsulated in SIP register and 401 response.

To get server certificate in gssapi-data, do below steps.

1. Extract gssapi-data from capture file. It is base64 encode.
2. Decode it using notepad++ TextFX Tool plugin. And get gssapi-data binary data (file: gssapi_data.bin).
3. using hping3 to craft a packet. and using tcpdump to capture the packet. 5787 is the file size of gssapi_data.bin.
      hping -I lo -u -c 1 -p 443 127.0.0.1 -d 5787 -E gssapi_data.bin
      tcpdump -i lo -s 0 -w gssapi_data.pcap
4. using wireshark open gssapi_data.pcap.
5. on TLSv1 packet right click on certificate in Server Hello packet. "Export selected packet data...".
   Save it as server.der file. It maybe contains several certificates.
6. using openssl to conver DER to PEM format.
       openssl x509 -in server.der -out server.pem -inform DER -outform PEM