Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

EDR: How to Get the Cipher Suite List Presented in Wireshark

EDR: How to Get the Cipher Suite List Presented in Wireshark

Environment

  • EDR Server: All Versions
  • EDR Sensor: All Versions

Objective

How to view the Cipher Suites being presented in Wireshark to confirm matching Ciphers

Resolution

  1. When capturing the pcap, you will need to restart the sensor services to trigger a new connection attempt and handshake. 
    • Windows (cmd as admin)
      sc stop carbonblack
      sc start carbonblack
    • Linux (Terminal)
      EL6: 
      sudo service cbdaemon restart
      
      EL7+: 
      sudo systemctl restart cbdaemon
    • macOS (terminal)
      sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
      sudo launchctl load /Library/LaunchDaemons/com.carbonblack.daemon.plist
  2. Open the pcap in Wireshark.
  3. Look for the "Client Hello" packet to the destination IP of the EDR Server and expand
    • Expand Under "Transport Layer Security" -->
    • Expand"TLSv1.2 Record Layer: Handshake Protocol: Client Hello"
    • Expand "Handshake Protocol: Cipher Suites ( 2 )" -- within brackets are number of cipher suites the endpoint presented
    • After expand to see the Ciphers being presented by the Endpoint to the EDR server

Related Content


Labels (2)
Tags (3)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎01-04-2023
Views:
1663
Contributors