About this task
In a web application environment with many servers, locating the servers that are using the Diffie-Hellman cipher is not trivial. Using Wireshark, you can apply a display filter to refine the list of servers and identify the ones that are using the Diffie-Hellman cipher.
Procedure
- Start Wireshark.
- Load or capture a TCPdump file of the traffic that is submitted to the DNCA.
- In the Filter text box, copy the following string. Edit it to remove the backslash characters at the end of each line, which signal line continuation. Then paste the string to filter the Wireshark traffic.
ssl.handshake.ciphersuite == 0x10 || ssl.handshake.ciphersuite == 0x1a || \
ssl.handshake.ciphersuite == 0x1b || ssl.handshake.ciphersuite == 0x30 || \
ssl.handshake.ciphersuite == 0x31 || ssl.handshake.ciphersuite == 0x32 || \
ssl.handshake.ciphersuite == 0x33 || ssl.handshake.ciphersuite == 0x34 || \
ssl.handshake.ciphersuite == 0x36 || ssl.handshake.ciphersuite == 0x37 || \
ssl.handshake.ciphersuite == 0x38 || ssl.handshake.ciphersuite == 0x39 || \
ssl.handshake.ciphersuite == 0x3a || ssl.handshake.ciphersuite == 0x63 || \
ssl.handshake.ciphersuite == 0x65 || ssl.handshake.ciphersuite == 0x66
- The filtered traffic now shows only handshakes that use Diffie-Hellman cipher suites.
- Use of the Diffie-Hellman cipher must be disabled on the listed server or servers. For more information, complete the following steps, depending on the type of server.
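The following Python script is an added example that is not part of this documentation or of the DNCA product. It shows what the display filter above actually matches: the filter lists the 16-bit cipher-suite identifiers from the procedure, and Wireshark's ssl.handshake.ciphersuite field is populated from the ServerHello's selected cipher_suite (and from every suite offered in a ClientHello). The script builds the same filter string from the list of identifiers, and it parses a minimal TLS ServerHello record to extract the selected suite and decide whether it is one of the Diffie-Hellman suites. The make_server_hello helper constructs test records; it is not a real capture. All function names are this example's own.

```python
import struct

# Cipher-suite identifiers taken from the page's display filter
# (DH, DHE and DH_anon key exchange suites).
DH_SUITES = {0x10, 0x1a, 0x1b, 0x30, 0x31, 0x32, 0x33, 0x34,
             0x36, 0x37, 0x38, 0x39, 0x3a, 0x63, 0x65, 0x66}


def build_filter(suites, field="ssl.handshake.ciphersuite", server_hello_only=False):
    """Build a Wireshark display filter matching any of the given suite IDs.

    With server_hello_only=True the filter is restricted to ServerHello
    messages (handshake type 2), so it reports what the server chose
    rather than what a client merely offered.
    """
    clauses = " || ".join(f"{field} == 0x{s:02x}" for s in sorted(suites))
    if server_hello_only:
        return f"ssl.handshake.type == 2 && ({clauses})"
    return clauses


def server_hello_suite(record):
    """Return the cipher suite selected in a TLS ServerHello record, or None.

    record: bytes of one TLS record (5-byte record header + handshake body).
    """
    # Record header: content type (0x16 = handshake), version (2), length (2).
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: type (1), length (3). Type 2 is ServerHello.
    if len(body) < 4 or body[0] != 2:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    # ServerHello: version (2), random (32), session_id_len (1),
    # session_id, cipher_suite (2), compression_method (1), ...
    if len(hs) < 35:
        return None
    sid_len = hs[34]
    off = 35 + sid_len
    if len(hs) < off + 2:
        return None
    return struct.unpack("!H", hs[off:off + 2])[0]


def uses_dh(record, suites=DH_SUITES):
    """True if the ServerHello in `record` selected a Diffie-Hellman suite."""
    suite = server_hello_suite(record)
    return suite is not None and suite in suites


def make_server_hello(suite, session_id=b""):
    """Construct a minimal TLS 1.2 ServerHello record (test input, not captured traffic)."""
    hs = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
          + struct.pack("!H", suite) + b"\x00")
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x03" + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    print(build_filter(DH_SUITES, server_hello_only=True))
    for suite in (0x39, 0x35):
        rec = make_server_hello(suite)
        print(f"suite 0x{suite:04x}: DH={uses_dh(rec)}")
```

Two practical notes on the filter itself. Because ssl.handshake.ciphersuite also matches the list of suites offered in a ClientHello, the filter as written shows clients that offer Diffie-Hellman suites as well as servers that select them; adding ssl.handshake.type == 2, as build_filter does with server_hello_only=True, narrows the result to servers that actually negotiated one. In Wireshark 3.0 and later the SSL dissector was renamed, so the same fields are spelled tls.handshake.ciphersuite and tls.handshake.type.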