SIT703: Advanced Digital Forensics
Students should demonstrate their ability to review literature about shellcode and develop knowledge of technical exploits and their impacts on a Windows network domain. Students will be required to compare different techniques, generate their own shellcode based on the requirements provided, and implement fully functional shellcode. Students will be assessed on their ability to perform the required tasks, synthesising knowledge from research papers, video demonstrations and technical tutorials, and to present a technical report.
Students are required to put together a technical report of approximately 2000 words as well as exhibits to support findings and a bibliography. This report should consist of:
• an overview of shellcode
• comparison of different methods used to generate shellcode
• analysis and reflection on the technical exploitations and their impact to the Windows network domain
• implementation of a shellcode
Assessment Information: Problem Statement
Shellcode in Literature
Students are required to answer research questions based on three academic papers:
• “The Shellcode Generation” https://ieeexplore.ieee.org/document/1341416/
• “Evasion Techniques” https://ieeexplore.ieee.org/abstract/document/6042389/
• “English Shellcode” https://dl.acm.org/citation.cfm?id=1653725
There should be at least four additional references from recent academic (IEEE or ACM) research papers or white papers from IT companies. Students must perform their own research for additional references.
1. In the paper “The Shellcode Generation”, what is the development bottom line for an exploit? List and give detailed explanations of the three components of a usable exploit.
2. Read the paper “Evasion Techniques” and explain how a piece of shellcode can bypass an intrusion detection system. Give more information about the shellcode issues related to computer forensic investigations.
3. Read the paper “English Shellcode” and explain the concept of the program counter and its importance to an attacker who uses shellcode.
4. In the paper “English Shellcode”, what are the two advantages of using alphanumeric encoding engines to generate shellcode?
Part A. Shellcode in Literature
1. Development bottom line - “The Shellcode Generation”
The three basic components of a usable exploit, which together form its development bottom line, are listed below.
Adding user accounts
This is one of the easiest ways of exploitation: the user runs a command that adds a line to the password file and thereby gains access to all of the information on the system.
Changing systems configuration
This method is one of the publicly available processes in which the user exploits the payload while altering the vulnerable system's configuration. The payload can be moved from one OS to another with a simple variable change.
Network aware shellcode
This kind of shellcode is the most dangerous for the target, as the attacker already has some interactive access to the system. Software flaws are taken advantage of to run the existing programs of the system, where the communication between the remote systems and the spawned shell will be destroyed.
2. Intrusion detection system - “Evasion Techniques”
Most intrusion detection systems work on the basis of signature detection. The attacker can create a custom packet payload that does not match any signature in the intrusion detection system's predefined database (ieeexplore.ieee.org, 2018). In this way the attacker can get past the IDS without creating any noisy alerts and enter from the remote system. The different techniques by which a piece of shellcode can get past an intrusion detection system are listed below.
Insertion attack: using the shellcode, the attacker confuses the system with invalid packets. Malformed packets stop the system from performing any further interpretation.
Denial of service: an IDS generally uses a centralised logging server to log alerts and events. Using the shellcode, the intruder can attack the known IP addresses of that server and launch a denial of service attack. This in turn means the server can no longer log any further events.
Session fragmentation and splicing: this process involves splitting a packet, breaking and slicing it into multiple pieces, so that no single packet triggers any alert. An IDS that does not perform packet reconstruction fails to match the traffic against the signature database.
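An added illustration of the fragmentation point above (example code written for this report, not from the cited paper): a per-fragment signature matcher misses a payload that has been spliced across several fragments, even when delivered out of order, while an IDS that reassembles the stream by offset before matching still alerts. The signature and the traffic are constructed for the example.

```python
from typing import List, Tuple

# A fragment is (stream offset, data); the offset is what a reassembling IDS
# needs in order to put the session back together.
Fragment = Tuple[int, bytes]

# Constructed signature the IDS is meant to alert on (not a real rule).
SIGNATURE = b"GET /cgi-bin/attack"


def fragment_stream(payload: bytes, sizes: List[int]) -> List[Fragment]:
    """Splice a payload into fragments of the given sizes; the remainder is the last one."""
    frags, pos = [], 0
    for size in sizes:
        if pos >= len(payload):
            break
        frags.append((pos, payload[pos:pos + size]))
        pos += size
    if pos < len(payload):
        frags.append((pos, payload[pos:]))
    return frags


def per_fragment_alert(frags: List[Fragment], signature: bytes) -> bool:
    """Naive IDS: inspects every fragment in isolation, with no reassembly."""
    return any(signature in data for _, data in frags)


def reassemble(frags: List[Fragment]) -> bytes:
    """Order fragments by stream offset and concatenate (tolerates out-of-order delivery)."""
    return b"".join(data for _, data in sorted(frags, key=lambda f: f[0]))


def stream_alert(frags: List[Fragment], signature: bytes) -> bool:
    """Stream-aware IDS: reassembles the session first, then matches."""
    return signature in reassemble(frags)


if __name__ == "__main__":
    payload = b"GET /cgi-bin/attack HTTP/1.0\r\n"   # constructed traffic
    frags = fragment_stream(payload, [4, 8, 5])      # no piece holds the whole signature
    frags.reverse()                                  # simulate out-of-order arrival
    print("per-fragment:", per_fragment_alert(frags, SIGNATURE))
    print("reassembled: ", stream_alert(frags, SIGNATURE))
```
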
3. Program counter - “English Shellcode”
The program counter is a special-purpose machine register that identifies the next instruction scheduled for execution (ieeexplore.ieee.org, 2018). The first objective of an intruder or attacker is to gain control over the program counter of the machine. Having gained control over the program counter, the attacker can redirect the program and also disrupt its execution. In shellcode the program counter is generally adjusted to point to the shellcode; once the machine fetches from that location, the task is executed. It can also be stated that different exploits use different techniques, such as code injection attacks, buffer overflows and format string attacks. In the case of a code injection exploit, the intruder takes control over the program counter: instead of executing the code designed by the system's programmers, the machine executes the code delivered by the attacker. In the case of a buffer overflow, too, the intruder takes control over the program counter. With respect to the program counter, machine instructions can be classified into two types, namely jump instructions and those that do not jump.
In the case of shellcode the program counter has a more prominent role, as the default exception handling in the operating system is also done through the program counter. The program counter in the OS can be modified to execute a detection program. The program counter helps in detecting programs, and by controlling the program counter the hacker can control the whole program that has been designed using shellcode.
4. Alphanumeric encoding engines - “English Shellcode”
An alphanumeric encoding engine converts an arbitrary payload into a sequence composed only of numerical digits and letters. There are two basic reasons for using alphanumeric encoding engines on a machine.
The first advantage of using an alphanumeric encoding engine is that it copes with all possible character restrictions and also performs self-modification automatically. It has a restricted instruction set, which makes encoding a challenge for the intruder. Arbitrary payloads can be encoded using a decoder and encoding scheme. An alphanumeric encoding engine encodes the bytes of the shellcode without using any byte that is not allowed by the vulnerable application. The second advantage is that an alphanumeric shellcode encoder also helps in evading shellcode detection by the intrusion detection system. The alphanumeric shellcode encoder makes routine detection of the decoder more difficult, and this in turn protects the system from unwanted threats and also enhances the vulnerability. The same machinery helps in detecting attacks when searching for shellcode patterns that are already known (dl.acm.org, 2018). The intrusion detection system on a machine will be updated with all known shellcode patterns and signatures, and this in turn creates a critical situation for the intruder. The attacker needs greater skill, and predicting the pattern is very time-consuming. In this case the attacker will implement and try their own patterns, and unknown attacks with new signatures also get caught. In this way the alphanumeric shellcode encoder has a greater advantage when generating shellcode patterns.