Locating Servers Using Diffie-Hellman

About this task

In a web application environment with many servers, locating the servers that are using the Diffie-Hellman cipher is not trivial.

Using Wireshark, you can apply a display filter to refine the list of servers and identify the ones that are using the Diffie-Hellman cipher.

Procedure

  1. Start Wireshark.
  2. Load or capture a TCPdump file of the traffic that is submitted to the DNCA.
  3. In the Filter text box, copy the following string. Edit it to remove the backslash characters at the end of each line, which are used to signal continuation. Then, paste the string to filter the Wireshark traffic.
    
    ssl.handshake.ciphersuite == 0x10 || ssl.handshake.ciphersuite == 0x1a || \
    ssl.handshake.ciphersuite == 0x1b || ssl.handshake.ciphersuite == 0x30 || \
    ssl.handshake.ciphersuite == 0x31 || ssl.handshake.ciphersuite == 0x32 || \
    ssl.handshake.ciphersuite == 0x33 || ssl.handshake.ciphersuite == 0x34 || \
    ssl.handshake.ciphersuite == 0x36 || ssl.handshake.ciphersuite == 0x37 || \
    ssl.handshake.ciphersuite == 0x38 || ssl.handshake.ciphersuite == 0x39 || \
    ssl.handshake.ciphersuite == 0x3a || ssl.handshake.ciphersuite == 0x63 || \
    ssl.handshake.ciphersuite == 0x65 || ssl.handshake.ciphersuite == 0x66
    
  4. The filtered view now shows only handshake traffic that carries one of the Diffie-Hellman cipher suites.
  5. Use of the Diffie-Hellman cipher must be disabled on the listed server or servers. To disable it, complete the following steps, depending on the type of server.
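The `ssl.handshake.ciphersuite` field matches the suite IDs in both the ClientHello offer list and the ServerHello selection, so a server that is merely offered a Diffie-Hellman suite can also appear in the filtered view. The definitive indicator is the suite selected in the ServerHello. The following added example (not part of the original procedure) parses a ServerHello record and checks the selected suite against the same set of IDs used in the filter above; the record bytes and server addresses are constructed samples.

```python
import struct

# Cipher suite IDs taken from the Wireshark display filter in step 3.
DH_CIPHER_SUITES = {0x10, 0x1a, 0x1b, 0x30, 0x31, 0x32, 0x33, 0x34,
                    0x36, 0x37, 0x38, 0x39, 0x3a, 0x63, 0x65, 0x66}

HANDSHAKE = 0x16      # TLS record content type
SERVER_HELLO = 0x02   # handshake message type

def server_hello_cipher_suite(record: bytes):
    """Return the cipher suite selected in a TLS ServerHello record,
    or None if the record is not a ServerHello handshake message."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # ServerHello layout: version(2) random(32) session_id_len(1)
    # session_id(n) cipher_suite(2) compression(1) [extensions]
    if len(hello) < 35:
        return None
    offset = 35 + hello[34]
    if len(hello) < offset + 2:
        return None
    return struct.unpack("!H", hello[offset:offset + 2])[0]

def uses_diffie_hellman(record: bytes) -> bool:
    """True if the ServerHello selected one of the filter's DH suites."""
    return server_hello_cipher_suite(record) in DH_CIPHER_SUITES

def dh_servers(flows):
    """flows: iterable of (server_address, server_hello_record) pairs.
    Returns the set of servers that negotiated a Diffie-Hellman suite."""
    return {addr for addr, rec in flows if uses_diffie_hellman(rec)}

def build_server_hello(cipher_suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record (constructed sample data)."""
    hello = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
             + struct.pack("!H", cipher_suite) + b"\x00")
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    sample = [("10.0.0.1", build_server_hello(0x39)),   # DHE suite
              ("10.0.0.2", build_server_hello(0x2f))]   # RSA suite
    print(sorted(dh_servers(sample)))
```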