The fresh released version of haka (v0.3.0) features a new module allowing to disassemble network data into instructions. This is useful to detect obfuscated shellcodes at network level as suggested in [raid05]1 for instance. The disassembler leverages on Capstone engine which supports several architecture (x86, arm, mips, etc.).
Here we will try to answer to question 8 of a well-known network forensic challenge. The challenge provides a pcap and asks to dump the shellcode used to exploit a vulnerability and then to provide the list of actions done by this shellcode.
[raid05] Kruegel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Polymorphic Worm Detection Using Structural Information of Executables. In: Recent Advanced in Intrusion Detection, pp. 207-226 (2005) ↩