eCPTX: The Honest Review



You can join the eCPTX telegram group from here:

On June 17th, 2022, I successfully completed the eCPTX exam from eLearnsecurity and received my certification. At the time, I was working and had a lot of responsibilities, so I didn’t have a chance to study the course material beforehand. Instead, I relied on my previous experience and what gathered & used it during the exam. I will now provide an honest review of the eCPTX overall and in more details than the eCPPT, Cause there are a lot of things. Doesn’t make sense i saw in other ppls review.

Course Content

For the eCPTX course content i was disappointed with a lot of stuff. The content as the following:

  • Penetration Testing: Preparing the Attack
  • Penetration Testing: Red Teaming Active Directory
  • Penetration Testing: Red Teaming Critical Domain Infrastructure
  • Penetration Testing: Evasion

Penetration Testing: Preparing the Attack

In this part it was all about email security and phishing. You will learn about Email security like SPFDKIMDMARC. In addition to phishing attacks and ways to use macros & will show you study cases of macros used by APTs. Finally, C2 and redirectors. You think it’s cool right ? No, Cause if someone have no idea about macros actually or VBAs will not be able to understand and a lot of things will fall while learning. Side by that the module shall teaches you. How to develop Macros to use in your engagement. But, all what i saw was study cases and methods without writing any Macros. So, we can say that this section is showing you knowledge or giving you some knowledge. In the video related to this section, It shows how to get used codes and use it again by modifying it it's Good point but it will be hard to work with the modern solutions. In summary, In my opinion it was gonna better to teach how to develop macros from scratch up to advanced level as this certificate under the Red Teaming part. But, it still have good topics like the redirectors, But also still not everything explained clear in this section. But, at all if you are familiar with these topics and have previous knowledge about it you gonna find that it’s all fine with you.

Penetration Testing: Red Teaming Active Directory

I can say the real fun starts here as this section doesn’t have a lot of unclear things. But, in my opinion the only thing that i didn’t like is that in the first part in this section which was Advanced Active Directory Reconnaissance & Enumeration. They didn’t cover what is active directory first or it’s basics. But, it’s in the second part/pdf. So it shall be in the first PDF. But, it discuss how to start enumerate and obtain information from non-joined machine which is something good & Also attacking joined Linux machine in the AD, which is not common for people to talk about. In the second PDF which is Red Teaming Active Directory it was cool actually and here started by explaining The Active Directory environment, Moving to the Attacks of tradntial Active Directory attacks like LLNMR PoisoningDowngrading NTLM and more.Then talking about Powershell defense and bypasses, Abusing active directory features and components, Moving laterly, Browser Pivoting and many more.

Penetration Testing: Red Teaming Critical Domain Infrastructure

This section talking about used components and services in windows like MS ExchangeWSUS & MSSQL. it does not have that much of information but it’s fine to learn from it and you can find other blog series online talking in much more details would help you also you could find online abusing for something like SCCM.

Penetration Testing: Evasion

In this section explained about the AMSI architecture and some bypasses moving to other methods and components like Sensitive groups that solutions can use it for detection, also other solutions like EDRs and techniques to bypass and evading, After that developing a custom payload which i can say is a good one. Finally, The most section i liked in the course is the second section and i explained why. My final words is if the course relied on using and abusing built-in commands, functions and features for abusing as example, It would be absolutely an amazing content as it will reduce the detection in the real-world engagement.

The Exam

Now, Let’s talk about the exam. But, before this i mentioned something and its when i searched for reviews for the eCPTX, I found one thing common between most of the people that go through the exam, Which is some of them fail cause they had to find 3 paths or 3 ways to access the targeted domain, But, the funny part here if you go through the RoE (Rules of engagement) You can clearly see in the document that it’s telling one of the rules to pass the exam is to identify 3 ways to access the targeted domain. And others saw it as a really hard exam. But at all, As i mentioned before i toke the exam and passed without studying the content (That doesn't mean i am 1337 "elite" I'm giving my opinion honestly and what i see from my point of view), You may find content so wow and amazing, Therefore, th exam will be extremely hard. But, no exam was normal and if you have deal with .net stuff and reverse some of it it would be easy for you. For me i was reversing the .dll files from unity games in the past to modify it. So, I can say exam was normal not too easy and not too hard & It’s really was gonna be hard if we applied all what the content teach and i would be failing in it. For the exam environment you would face some issues, For example, you could try to abuse an attack, But will not work and when you restart the exam lab, the try again. It will work. At the end Thanks for taking to read and if you want to add books to read i would recommend books like Anti-Virus Bypass techniquesThe Hacker Playbook 3Advanced Infrastructure Penetration Testing .


Red Team Infrastructure & Macros

Active Directory and lateral movement

Attacking MSSQL, WSUS, Exchange and SCCM



Homograph Attack: Abusing IDNs for Phishing


In recent years, phishing and social engineering attacks have become a significant threat to businesses
and individuals alike. These attacks are particularly dangerous because they target end-users directly,
bypassing many traditional cyber security defenses such as firewalls, endpoint detection and response
(EDR), and anti-virus software. To combat these threats, many companies have implemented phishing
awareness training programs to educate employees on how to spot suspicious email attempts and
protect themselves and the business from bad actors. However, even with user awareness, it can be
difficult to limit or prevent certain types of attacks, such as homograph attacks, where the attacker uses
seemingly legitimate websites or emails to trick the user.

What is phishing ?

Phishing is a type of social engineering attacks that uses deception to trick individuals into providing
sensitive information such as login credentials or personal data. This type of attack typically occurs
through email, telephone, or text message communication and is designed to appear legitimate in order
to gain the trust of the victim. The attackers may use various tactics such as creating fake websites or
emails that resemble legitimate sources, impersonating a trusted organization, or using urgent
language to create a sense of urgency and pressure the victim into providing the requested information.
The goal of these attacks is to steal sensitive information such as passwords, credit card numbers, or
other personal data for financial gain or to gain access to sensitive systems and information.

Types of Phishing

Types of Phishing

Email Phishing

Email Phishing is a tactic used in penetration testing and red teaming engagements where an attacker
targets a specific company or individual by gathering information through Open-source intelligence
(OSINT). This type of attack involves researching the company, their interests, and the services they
offer in order to appear legitimate and trick the target into taking a desired action. An example of this
type of attack is Spear Phishing, where the attacker poses as someone searching for a job and targets
the human resources department of the company. The attacker then tricks the HR representative into
downloading a malicious file, such as a keylogger or spyware, which allows the attacker to gain access
to sensitive information. The goal of Email Phishing is to gather information or gain access to a
company’s systems through tricking the target into taking an action that they would not normally take.

Whaling Phishing

Whaling phishing is a specific type of phishing that targets individuals with high levels of access and
permissions within an organization, such as the CEO. This tactic involves creating fake emails that
appear to be from other individuals within the company, in order to gain sensitive information or access
to important systems. The goal of whaling phishing is to take advantage of the trust and authority of
high-level individuals in order to compromise the entire organization. To carry out a successful whaling
phishing attack, an attacker may conduct extensive research on the targeted organization, known as
OSINT (Open Source Intelligence). This research may include studying the roles, positions, and groups
within the company, in order to identify potential targets and understand their access levels. Once the
attacker has a good understanding of the organization, they may create fake emails that appear to be
from other individuals within the company. These emails may contain malicious links or attachments,
which, when clicked, can infect the target’s computer with malware or steal sensitive information. For
example, imagine that the CEO of a company has local administrator access on the company’s system.
An attacker may create a fake email that appears to be from a lower-level employee, requesting the
CEO to click on a link or download a file. If the CEO falls for the trap and clicks on the link or download
the file, the attacker can potentially gain access to the CEO’s computer and potentially the entire
company’s system. In summary, whaling phishing is a tactic that targets high-level individuals within an
organization, such as the CEO, with the goal of compromising the entire organization. It involves
conducting extensive research on the targeted organization and creating fake emails that appear to be
from other individuals within the company, in order to steal sensitive information or gain access to
important systems.

Smishing Phishing

Smishing, also known as SMS phishing, is where the attacker sends text messages to the victim in
order to obtain sensitive information or trick them into taking a specific action. Unlike traditional phishing
attacks, which are delivered through email, smishing attacks are delivered through text messages on a
victim’s mobile device. The attacker may obtain the victim’s phone number through an old data breach
or other means, making it easy for them to target the victim. One of the advantages of smishing is that it
does not require an internet connection. This means that even if the victim is on vacation or in an area
with limited internet access, they can still be targeted by the attacker. Additionally, the victim may be
more likely to respond to a text message than an email, as text messages are typically considered
more urgent and personal. However, it is important to note that smishing can be just as dangerous as
traditional phishing attacks. The victim may be tricked into providing sensitive information, such as login
credentials or financial information, or they may be directed to a malicious website that can infect their
device with malware. Therefore, it is important for individuals and organizations to be aware of the risks
of smishing and to take appropriate measures to protect themselves.

Vishing Phishing

Vishing, also known as voice call phishing, is where the threat actor contacts the victim or targeted
person via phone call. The attacker may use phone numbers over IP (Internet Protocol) if they have
already gained access to them. This method of phishing is considered harder compared to others, as
the attacker must have a well-planned and convincing story in order to obtain the desired information
from the victim without arousing suspicion. One benefit of vishing is that the outcome of the attack is
often faster than email phishing, as the attacker does not need to wait for a file or email to be opened or
clicked. It is important to note that there is often confusion between phishing and spear phishing. The
main difference between the two is that spear phishing targets specific groups or organizations, such as
individuals with specific positions that have access to sensitive systems.

What is IDN’s ?

International Domain Names (IDNs) are a solution to the problem of the limited character set of the
early days of the World Wide Web’s Domain Name System (DNS). The DNS root originally only
supported Latin letters A-z and digits. However, with over 6000 languages spoken worldwide, it became
clear that support for non-Latin alphabets such as Cyrillic and Arabic was necessary. IDNs were
created to address this issue and make the DNS root more inclusive and accessible for speakers of
non-Latin languages. Additionally, IDNs also play a significant role in Homograph attacks, that uses
visually similar characters to trick users into visiting malicious websites.

IDN Homograph Attack

An IDN Homograph Attack is an attack that utilizes the Internationalized Domain Name (IDN) feature to
manipulate letters in different languages. The IDN feature allows for the use of non-Latin characters in
domain names, which can be used to create a spoofed version of a legitimate domain that looks very
similar to the original. This can be used to trick victims into providing sensitive information, such as
login credentials or personal information, through phishing emails or other means. In a demonstration
of an IDN Homograph Attack, an attacker may use a tool such as the Homoglyph Attack Generator
( to create a spoofed version of a trusted
domain. For example, the attacker may create a domain that looks like “” but uses non-
Latin characters that are visually similar to the letters “h”, “a”, “c”, “k”, “e”, “r”, “o”, “n” and “e”. The
victim may not realize that the domain is different from the legitimate “” and may enter
their login credentials or personal information, allowing the attacker to steal their information.

irongeek homograph

As you can observe in the picture, we utilized characters from a different language, specifically “cyrillic”
letters, to create a domain name that appears similar to “”. However, it is important to
note that the domain name in question, һackе, is not the same as the legitimate domain

Unicode Characters

And here is the domain available as we can see:

Phishing domain

By using the domain suppo[email protected] as the original domain, in order to steal their
HackerOne account. This is a simple simulation of this type of attack and it can be used in different
scenarios, depending on the target. This attack is specifically found in common browsers like Google
Chrome, specifically in version 58 and Chromium-based browsers, but it also exists in Firefox.
However, we will cover how to limit the risk of this attack in Firefox as well.

What is punycode ?

Punycode is a method of encoding Unicode characters in the ASCII character set. Unicode is a
standardized system of representing characters and symbols from different languages and scripts,
while ASCII is a standardized set of characters and symbols used in computer systems. Punycode
allows the use of Unicode characters in domain names and URLs, which are typically limited to the
ASCII character set. The process of converting Unicode characters to Punycode involves a series of
steps. First, the Unicode characters are divided into basic and non-basic characters. Basic characters
are those that are already included in the ASCII character set, while non-basic characters are those
that are not. Next, the non-basic characters are assigned a unique code point, which is a numerical
value that represents the character. The code point is then converted to a series of ASCII characters
using a specific algorithm. These ASCII characters are then prepended with the prefix xn-- , which
indicates that the characters following it are Punycode encoded. When a user enters a Punycode
encoded URL, the browser will convert the Punycode back to Unicode characters and display the
correct characters on the screen. An example of Punycode in action is the domain name xn--
d1acufc.xn--p1ai , which is the Punycode version of the Russian domain name рф.рф (rf.rf) . In
this example, the non-ASCII characters р and ф have been encoded in Punycode, allowing them to
be used in the domain name. In summary, Punycode is a method of encoding Unicode characters,
which are used in different languages and scripts, into the ASCII character set, which is widely used in
computer systems. This allows the use of Unicode characters in domain names and URLs, which would
otherwise not be possible.

Limit the attack

In order to limit the risk of attack in Firefox browser, there are a few steps you can take. First, open your
Firefox browser and type about:config in the address bar and enable it:


The attack fixed in some common used browsers, but it’s still exist in firefox. We will cover blow how to
limit the risk of this attack in firefox & Goolge.

Prevent and Detect homograph attack and HTTP spoofing

HTTP spoofing is an attack in which an attacker creates a fake website that looks identical to the
original website. This can be done by using SSL certificates to make the fake website appear secure
and trustworthy. However, it is important to pay attention to the certificate information to confirm the
owner of the domain and website. To prevent and mitigate this type of attack, it is recommended to
disable punycode in the address bar as most modern browsers have this feature. When punycode is
disabled, the user will see the punycode as unicode, making it easier to identify suspicious websites.
Additionally, using third-party tools such as virustotal can also help to check the authenticity of a
website’s URL.



In conclusion, phishing and social engineering attacks are a significant threat to businesses and
individuals alike. These attacks target end-users directly and bypass traditional cyber security
defenses. To combat these threats, many companies have implemented phishing awareness training
programs to educate employees on how to spot suspicious email attempts and protect themselves and
the business from bad actors. However, even with user awareness, it can be difficult to limit or prevent
certain types of attacks, such as homograph attacks. Email Phishing, Spear Phishing, and Whaling
Phishing are some of the types of phishing that can be used by attackers to gain sensitive information
or access to important systems. It is important for organizations and individuals to be aware of these
tactics and to take necessary precautions to protect themselves and their data from phishing attacks.


eCPPT course & exam: The Honest Review



On February 4th, 2022, I successfully passed the “eCPPT” exam from “eLearnsecurity” and obtained the certification. Prior to this, I had previous experience with penetration testing and was already working as a penetration tester. In this blog, I will be providing my simple honest opinion on the course and exam.

Course Content

The course content was overall good, in my opinion. It was filled with a lot of information and knowledge to learn. However, there were some cons that I did not like. Specifically, in some sections of the course, certain points were not explained clearly or completely, and were more like definitions or short sentences. Despite this, the overall content was good and anyone can learn new things, whether they have previous knowledge or not. The section that I particularly liked in the course was the “Network Security” section, as it was the longest and biggest section in terms of content. It covered a lot of different types of attacks and techniques that can be used for penetration testing on networks, both internally and externally. I also appreciated the inclusion of sections on “Wireless Security” and “Metasploit & Ruby,” as these topics are not covered as frequently and are important for a penetration tester to know, as you may encounter wireless networks during engagements or projects. However, the course does not cover any content on attacking active directory, but that is included in the eCPTX certificate course content.

If I were to make some recommendations for preparing for the exam, I would suggest reading the following books:

  • “Penetration Testing with Shellcode”
  • “The Hacker Playbook 2” (which contains active directory).

Additionally, I would recommend going through the “Tryhackme” learning paths such as the “Jr Penetration Tester” path and the “Offensive Security” path. You will notice that the “Offensive Security” path also covers active directory, as does “The Hacker Playbook 2.” The reason I recommend this is because active directory is widely used in the majority of environments around the world and it is necessary to know about it.

The Exam

Now, coming to the exam part which took me few hours to done it. The exam was pretty easy and will be easy even if you didn’t have any previous experience with penetration testing as the exam was not providing everything you learn in the content which i see that it’s another thing under the cons side by the unstable exam environment. It will be enough for you to study the content and solve the labs. And at the end i would recommend the course for sure. but it’s important to consider the recognition of the certificate in the market or in the country you are targeting, as it may not be recognized in some areas.


Information Gathering:,