A Case Study on Network Anti-Forensics presented at OSDFCon 2014

by Ben Schmidt

Summary: Forensic analysts have plenty to worry about when it comes to the security of their network. Seldom do they worry about their packet analysis software. We will demonstrate why they should.
In this talk, we detail how we uncovered a handful of remotely exploitable Wireshark vulnerabilities and deployed them as anti-forensic measures during DEFCON 20 and 21 CTF. These vulnerabilities can be used to compromise Wireshark by sending specially crafted input to a live sniffer, or by supplying a malicious packet capture. We walk through exploitation of these vulnerabilities to cause denial of service conditions and to execute arbitrary code on modern operating systems.
We dive into the inner workings of the Wireshark network capture and reconstruction tool. We detail the interactions between protocol layers, Wireshark’s dissector model, and mitigations built into the Wireshark common API. We walk through the reconstruction of popular network traffic, from Ethernet frame to IP packet to TCP stream to application data. We highlight where things can (and often do) go wrong and how to exploit this popular software package. We close by offering suggestions for how Wireshark and other forensic tools can mitigate risk and decrease their attack surface.