CategoriesExploit Development & Vulnerability Research

Introduction to IOCTL (Input/Output CONTROL)


In this blog, We will be discussing the Basics of `IOCTL (Input/Output CONTROL)`, What is it ?, The modes types, What is it used for ? and I will show an example of sending an IOCTL Request. But, before we moving further with all of this we need to understand the User Mode and the Kernel Mode.

The Modes

Basically, The modes word itself referring to the different states of operation & different levels of privilege that the system or a software could run. In general, each mode different from the other and operate differently with different privileges and access levels & the main 2 modes we have and will talk about is User Mode&Kernel Mode.

What is User Mode ?

The User Mode is the mode which the levels of operations & privileges are restricted and limited in access & permissions. So, the software or any program running in the User Mode or inside it, Won’t be able to perform certain operations that could be malicious or harmful to other softwares and the system. In short, User Mode is a non-privileged mode where it can’t access the hardware resources or any low level operations directly. For example, A malware running in the User Mode can’t access or modify the CPU instructions cause if this happened the malware easly will have an elevated privileges and as it’s on the hardware. Therefore, It’s the highest privileges you can get and u won’t have any restriction.

What is Kernel Mode ?

The Kernel Mode is a non-restricted mode where you can access the hardware resources directly where you will be able to manage any related resources such as CPU & Memory and perform any low level operations easily. For example, any one get access to the Kernel Mode will be able to manipulate the resources easily and can also escalate privileges which could happen through a vulnerability or any misconfigurations. In short, The Kernel Mode opposite to the User Mode and each of one has different levels of operations & levels of privileges.

Input/Output Control (IOCTL)

IOCTL is short for “Input/Output Control” which is a system call used for input/output operations and communications from the User Mode to the Kernel Mode drivers. Basically, It allows the components in the User Mode for example a software to communicate and control the behaviour of a device driver in Kernel Mode.


The IOCTLs are a set of codes and each one of these codes has a specific job to be used in and perform. For example:

  • IOCTL_DISK_GET_LENGTH_INFO: This IOCTL code is used to retrieve the length of a disk partition.
  • IOCTL_VIDEO_QUERY_SUPPORTED_BRIGHTNESS: This IOCTL code is used to query the supported brightness levels of a display.
  • IOCTL_SERIAL_SET_BAUD_RATE: This IOCTL code is used to set the baud rate of a serial port.
  • IOCTL_CDROM_GET_LAST_SESSION: This IOCTL code is used to retrieve information about the last session on a CD-ROM.
  • IOCTL_STORAGE_QUERY_PROPERTY: This IOCTL code is used to retrieve information about a storage device.
  • IOCTL_MOUSE_GET_ATTRIBUTES: This IOCTL code is used to retrieve the attributes of a mouse device.
  • IOCTL_KEYBOARD_SET_TYPEMATIC: This IOCTL code is used to set the typematic rate of a keyboard.
  • IOCTL_SMARTCARD_TRANSMIT: This IOCTL code is used to send a command to a smart card reader.
  • IOCTL_USB_GET_DESCRIPTOR_FROM_NODE_CONNECTION: This IOCTL code is used to retrieve a USB descriptor from a USB device.
  • IOCTL_NDIS_QUERY_GLOBAL_STATS: This IOCTL code is used to query global statistics for a network adapter.

Those where example for the IOCTLs you can find all the IOCTL codes you need from Here.

How IOCTL works ?

When the apps or the components in the User Mode wants to query information of a device driver in the Kernel Mode. It sends a request known as IOCTL request, The IOCTL requests are made & sent using the DeviceIoControl() which is a windows API function.

When the the DeviceIoControl() function gets called it is actually implemented by calling another function which is NtDeviceIoControlFile() resides in the ntdll.dll, Then the IOCTL request sent to the device driver. There are 4 buffering methods that can be used with the IOCTL request which are:

  • METHOD_BUFFERED: Copies the input and output buffers to and from the driver through an intermediate system buffer.
  • METHOD_IN_DIRECT: Its used when the input buffer is large and will not fit in the intermediate system buffer. In this case, the input buffer is mapped directly into the driver’s address space.
  • METHOD_OUT_DIRECT: In case the output buffer is large and will not fit in the intermediate system buffer. In this case, the output buffer is mapped directly into the driver’s address space.
  • METHOD_NEITHER: When the input and output buffers are not contiguous and cannot be mapped into a single buffer. The driver and application exchange pointers to the separate input and output buffers.

Note: If you wondering at which part the user get’s a Kernel Mode access. Basically, there are 2 functions/syscalls used which are kifastsystemcall and kifastsystemcallret and both are kernel functions that provide a mechanism for making syscalls from user mode to kernel mode. The kifastsystemcall function takes the parameters for a syscall and makes the transition from user mode to kernel mode using a secret number called syscall gate (which grants the Kernel Mode access) and the parameters onto the stack. Then it makes a syscall instruction to trigger the kernel to execute the syscall. And the kifastsystemcallret function is used to return from the syscall back to the User Mode by passing the return address of the User Mode code which is stored on the stack during the syscall.

Sending IOCTL Request

To understand the IOCTL request we will do in a clearly way, The DeviceIoControl() function structure is as the following:

BOOL DeviceIoControl(
  HANDLE       hDevice,
  DWORD        dwIoControlCode,
  LPVOID       lpInBuffer,
  DWORD        nInBufferSize,
  LPVOID       lpOutBuffer,
  DWORD        nOutBufferSize,
  LPDWORD      lpBytesReturned,
  LPOVERLAPPED lpOverlapped

each parameter in the function represents as the following:

  • hDevice: It’s a handle to the device thatwill be used to perform the operation.
  • dwIoControlCode: The IOCTL code that identifies the operation to be performed.
  • lpInBuffer: A pointer to the input buffer that contains the data required to perform the operation.
  • nInBufferSize: The size of the input buffer.
  • lpOutBuffer: A pointer to the output buffer that receives the data returned by the operation.
  • nOutBufferSize: The size of the output buffer.
  • lpBytesReturned: A pointer to the number of bytes returned by the operation.
  • lpOverlapped: A pointer to an OVERLAPPED structure that is used for asynchronous operations.

Note: the data size is in bytes & the Asynchronous operations is an operation that allows the software to continue executing while waiting for a potentially long-running operation to be completed and the OVERLAPPED structure is used to manage these operations.

Now, It’s the time to send our IOCTL request and i will be using the IOCTL_DISK_GET_DRIVE_GEOMETRY_EX code which retrieves extended information about the physical disk’s geometry like the type, number of cylinders, etc.

IOCTL request Code:

#include <stdio.h>
#include <windows.h>
#include <winioctl.h>

int main() {
  HANDLE hDevice;
  DWORD dwIoControlCode;
  BOOL bResults;
  DWORD dwBytesReturned;
  DISK_GEOMETRY_EX diskGeometry;

  dwIoControlCode = 0x000700A0;
  bResults = DeviceIoControl(hDevice, dwIoControlCode, NULL, 0, & diskGeometry, sizeof(diskGeometry), & dwBytesReturned, NULL);

  if (hDevice == INVALID_HANDLE_VALUE) {
    printf("Handling the device drive faild");
  } else if (bResults == FALSE) {
    printf("IOCTL request faild");
  } else {

    printf("Disk size: %llu bytes\n", diskGeometry.DiskSize.QuadPart);


  return 0;

Now, The above code is the one we will use to send the IOCTL Request, Let’s explain it. First, We included the needed header files that contains the needed functions & methods we will use which are:

  • stdio.h: Which is used for the standard input/output and contains functions such as printf()
  • windows.h: Which provides us with the Windows APIs as the CreateFileW() we used in the code.
  • winioctl.h: Which contains the IOCTL codes and let us perform the IOCTL Request.

After that we defined some variables in the main() function and each one of them has a role as the following:

  • HANDLE hDevice: We declared hDevice as a HANDLE object which used to access and manipulate system resources in our case it’s the device drive.
  • DWORD dwIoControlCode: Here we declared dwIoControlCode as a DWORD data type where we gonna store the IOCTL code.
  • BOOL bResults: Declared the bResults variable as a Boolean data type to store the result of DeviceIoControl() function call.
  • DWORD dwBytesReturned: Here we declared dwBytesReturned as a DWORD data type which we wll use to store the bytes returned by DeviceIoControl() function.
  • DISK_GEOMETRY_EX diskGeometry: declaring diskGeometry variable as a DISK_GEOMETRY_EX data type variable that will store the disk geometry information retrieved by the DeviceIoControl().

It’s the time now to assign and use these variables and initial our IOCTL request in the following lines of code:


Here we used the CreatFileW() Windows API which generally it’s used to create and open files on disk. But, it’s also can be used to open the device drive. The function takes some values as parameters:

  • L"\\\\.\\PhysicalDrive0": Here is device drive and PhysicalDrive0 indicates to the first hard disk drive & the \\\\.\\ is used to communicating with localhost.
  • GENERIC_READ | GENERIC_WRITE: Specifies the access mode for the handle.
  • FILE_SHARE_READ | FILE_SHARE_WRITE: Specifies how the handle can be shared with other processes.
  • NULL: This is the security attributes. We set it to NULL for default security.
  • OPEN_EXISTING: Specifies that the function should open an existing file
  • FILE_ATTRIBUTE_NORMAL: Specifies that the file should have no other attributes set.
  • NULL: A template file that we don’t need.

Next we assign the IOCTL code which is 0x000700A0 to the dwIoControlCode variable. The 0x000700A0 hex code refers to IOCTL_DISK_GET_DRIVE_GEOMETRY_EX. After that we called the DeviceIoControl() and assign it to bResults variable.

bResults = DeviceIoControl(hDevice, dwIoControlCode, NULL, 0, &diskGeometry, sizeof(diskGeometry), &dwBytesReturned, NULL);

And as we can see the DeviceIoControl() takes some parameters and we have explained the structure of it above.

if (hDevice == INVALID_HANDLE_VALUE) {
    printf("Handling the device drive faild");
  } else if (bResults == FALSE) {
    printf("IOCTL request faild");
  } else {

    printf("Disk size: %llu bytes\n", diskGeometry.DiskSize.QuadPart);

Finally, Here we check for errors to handle such as INVALID_HANDLE_VALUE which indicates that the handling value is invalid and in the second conditionit checks if the returned boolean of DeviceIoControl() that stored in bResults False or no, If False that means the operation didn’t done successfully. If the both of the 2 condations aren’t true that means everything goes well and will get us the disk size using diskGeometry.DiskSize.QuadPart and print it. At the end will close the Handle we created. Now, I am using CodeBlocks to write and execute the code.

Running The code

First, I will put a random name to handle. Therefore, it will result in an error:

You can see that the error has been handled. This time i will run the code normally with no problems:

And here is the disk size with no issues. If we opened Procmon or Process Monitor and run our code after compiling it, We will be able to see the process very clearly.

As we can see in the screen shot clearly we can see all the operations done by the compiled code process from the start going through the calls and so on, Until the process exit.


Now, we know what is IOCTL (Input/Output CONTROL) and how it works & This was just a basic introduction to the IOCTL (Input/Output CONTROL) and in the coming parts we will be diving deep by showing more examples & Reverse Engineer a driver and Identifying the IOCTL and extracting IOCTL codes and many more.


eMAPT & Mobile Apps/Sec Guide


On May 23rd, 2022, I successfully passed my eMAPT exam from eLearnsecurity. Whenever I strive to obtain a certification, I always follow a set of steps to ensure a thorough understanding of the topic. These steps are:

  1. Understanding and learning the topic as a developer or IT professional.
  2. Applying and practicing the topic through building applications, for instance.
  3. Learning and applying the security aspect of the topic.

In this blog, I will provide an honest review of the eMAPT course and exam, as well as offer a guide for mobile application security.

You can join the eMAPT Telegram group from the following link:

Course Content

The eMAPT course content was simple and not too bad, so it does not require a lot of description. However, there were some parts that were not clear, particularly in the early modules. If you are a beginner or someone with no prior knowledge, you will learn a lot, but if you have previous experience, you may not learn as much. The course covers both major mobile computing platforms, Android and iOS, starting with the OS architecture, followed by the setup of the necessary environment for the course. The course then moves on to the application building process and discusses how to hack each OS, either through rooting Android or jailbreaking iOS. Finally, the course covers vulnerabilities and security issues that can affect applications on both platforms, as well as how to test for these issues through static and dynamic analysis. Overall, the content is simple and easy to understand.

The Exam

For the exam, it is important to have both development and security knowledge related to the topic. You will be tested on your ability to develop applications, identify specific security vulnerabilities, and create an app that exploits these vulnerabilities. Note that there are no iOS apps included in the exam, but if you have the necessary equipment such as a Mac and iPhone, it is recommended that you study iOS development specifically.

Mobile App/Sec Guide

The most important than the certificate itself is to build the knowledge and the skills of the topic. So let’s move on with this guide that i put it from my view you don’t have to fully follow it, But i explained each part to make everything clear from my point of view:

How to enhance your skills, knowledge & also prepar for the eMAPT ?

Before learn how to hack the thing, learn the thing, do the thing and then hack the thing

So, first is the basics of the both Android & IOS with development & security also pentest.

So, we will start with the basics from TCM-Academy that course will give you some basic knowledge and skills about the Android & IOS both from the security & pentesting side. So, you will be able to understand the up coming courses from the security side and increase your mindset from the security side more.

Tcm-Academy link:

Second step is to study the eMAPT course materials but when we reach the Application fundamentals module we go to the development in Android or IOS depending on the section you are studying And here are two courses that i do recommend for the development:

Android Development:

IOS Development:

You can also look for the development resources that you see its good for you.

Now you can complete the eMAPT course & learning materials, And after that we will do the following:

As we know the mobile apps pentesting is divided into 2 thing, first the static analysis part which is for reverse engineering the application and reading the code for understanding and spotting some vulnerabilities or hardcoded credentials, etc.. & the second part is dynamic analysis which is the part for testing the application in the runtime such as looking for insecure data storing, some leaks & network traffic and many more.

  • Static Analysis courses: The following 2 courses are focused on static analysis more and vulnerabilities such as Owasp Mobile Top 10, how to use drozer & have a small part about exploit development on the mobile apps libraries.



  • Dynamic Analysis:

Now, after you have done your static analysis and understand the logic of the app let’s go for the dynamic analysis part. In this part you run the application and start to analysis the behaviour of the app, network flaw and trying to exploit the behaviour and other flaws that happen during the runtime.



Now we can say that we have fill most of the gaps that could happen to us and if you want to go more deeper and advance your level. You can start to read the books and the books are divided into 2 parts, The first part related to the applications itself and the second part related to exploit development in terms of exploitation to something like native C/C++ libraries that used in the applications and so on.

First part Focusing on Applications:

OWASP Mobile Security Testing Guide:

Mobile Application Penetration Testing:

the following book focuses more on applications and it has a part about exploit development in native libraries.

The Mobile Application Hacker’s Handbook:

Second part Focusing on Exploit Development:

This is especially for the exploit development section. These books explain the internals of mobile operating systems such as Android & iOS, and they are divided into two parts. The first part focuses on in-depth analysis and understanding of the operating systems, how they work, and their architecture. The second part focuses more on exploit development.

The first book helps you understand mobile operating systems in a more in-depth and broad way through digital forensic analysis: Practical Mobile Forensics:

This is the second section, which focuses more on exploit development:

Android Hacker’s Handbook:

iOS Hacker’s Handbook:

Don’t forget to conduct your own research and read articles/blogs. Additionally, there is a distribution built on Ubuntu called Mobexler which is a mobile app security and pentesting distribution. It comprises all the tools and frameworks necessary for mobile app pentesting. There is also a checklist available for both Android and iOS app pentesting that you can follow

Download link:

Checklist link:

Used Tools:


eCPTX: The Honest Review



You can join the eCPTX telegram group from here:

On June 17th, 2022, I successfully completed the eCPTX exam from eLearnsecurity and received my certification. At the time, I was working and had a lot of responsibilities, so I didn’t have a chance to study the course material beforehand. Instead, I relied on my previous experience and what gathered & used it during the exam. I will now provide an honest review of the eCPTX overall and in more details than the eCPPT, Cause there are a lot of things. Doesn’t make sense i saw in other ppls review.

Course Content

For the eCPTX course content i was disappointed with a lot of stuff. The content as the following:

  • Penetration Testing: Preparing the Attack
  • Penetration Testing: Red Teaming Active Directory
  • Penetration Testing: Red Teaming Critical Domain Infrastructure
  • Penetration Testing: Evasion

Penetration Testing: Preparing the Attack

In this part it was all about email security and phishing. You will learn about Email security like SPFDKIMDMARC. In addition to phishing attacks and ways to use macros & will show you study cases of macros used by APTs. Finally, C2 and redirectors. You think it’s cool right ? No, Cause if someone have no idea about macros actually or VBAs will not be able to understand and a lot of things will fall while learning. Side by that the module shall teaches you. How to develop Macros to use in your engagement. But, all what i saw was study cases and methods without writing any Macros. So, we can say that this section is showing you knowledge or giving you some knowledge. In the video related to this section, It shows how to get used codes and use it again by modifying it it's Good point but it will be hard to work with the modern solutions. In summary, In my opinion it was gonna better to teach how to develop macros from scratch up to advanced level as this certificate under the Red Teaming part. But, it still have good topics like the redirectors, But also still not everything explained clear in this section. But, at all if you are familiar with these topics and have previous knowledge about it you gonna find that it’s all fine with you.

Penetration Testing: Red Teaming Active Directory

I can say the real fun starts here as this section doesn’t have a lot of unclear things. But, in my opinion the only thing that i didn’t like is that in the first part in this section which was Advanced Active Directory Reconnaissance & Enumeration. They didn’t cover what is active directory first or it’s basics. But, it’s in the second part/pdf. So it shall be in the first PDF. But, it discuss how to start enumerate and obtain information from non-joined machine which is something good & Also attacking joined Linux machine in the AD, which is not common for people to talk about. In the second PDF which is Red Teaming Active Directory it was cool actually and here started by explaining The Active Directory environment, Moving to the Attacks of tradntial Active Directory attacks like LLNMR PoisoningDowngrading NTLM and more.Then talking about Powershell defense and bypasses, Abusing active directory features and components, Moving laterly, Browser Pivoting and many more.

Penetration Testing: Red Teaming Critical Domain Infrastructure

This section talking about used components and services in windows like MS ExchangeWSUS & MSSQL. it does not have that much of information but it’s fine to learn from it and you can find other blog series online talking in much more details would help you also you could find online abusing for something like SCCM.

Penetration Testing: Evasion

In this section explained about the AMSI architecture and some bypasses moving to other methods and components like Sensitive groups that solutions can use it for detection, also other solutions like EDRs and techniques to bypass and evading, After that developing a custom payload which i can say is a good one. Finally, The most section i liked in the course is the second section and i explained why. My final words is if the course relied on using and abusing built-in commands, functions and features for abusing as example, It would be absolutely an amazing content as it will reduce the detection in the real-world engagement.

The Exam

Now, Let’s talk about the exam. But, before this i mentioned something and its when i searched for reviews for the eCPTX, I found one thing common between most of the people that go through the exam, Which is some of them fail cause they had to find 3 paths or 3 ways to access the targeted domain, But, the funny part here if you go through the RoE (Rules of engagement) You can clearly see in the document that it’s telling one of the rules to pass the exam is to identify 3 ways to access the targeted domain. And others saw it as a really hard exam. But at all, As i mentioned before i toke the exam and passed without studying the content (That doesn't mean i am 1337 "elite" I'm giving my opinion honestly and what i see from my point of view), You may find content so wow and amazing, Therefore, th exam will be extremely hard. But, no exam was normal and if you have deal with .net stuff and reverse some of it it would be easy for you. For me i was reversing the .dll files from unity games in the past to modify it. So, I can say exam was normal not too easy and not too hard & It’s really was gonna be hard if we applied all what the content teach and i would be failing in it. For the exam environment you would face some issues, For example, you could try to abuse an attack, But will not work and when you restart the exam lab, the try again. It will work. At the end Thanks for taking to read and if you want to add books to read i would recommend books like Anti-Virus Bypass techniquesThe Hacker Playbook 3Advanced Infrastructure Penetration Testing .


Red Team Infrastructure & Macros

Active Directory and lateral movement

Attacking MSSQL, WSUS, Exchange and SCCM



Homograph Attack: Abusing IDNs for Phishing


In recent years, phishing and social engineering attacks have become a significant threat to businesses
and individuals alike. These attacks are particularly dangerous because they target end-users directly,
bypassing many traditional cyber security defenses such as firewalls, endpoint detection and response
(EDR), and anti-virus software. To combat these threats, many companies have implemented phishing
awareness training programs to educate employees on how to spot suspicious email attempts and
protect themselves and the business from bad actors. However, even with user awareness, it can be
difficult to limit or prevent certain types of attacks, such as homograph attacks, where the attacker uses
seemingly legitimate websites or emails to trick the user.

What is phishing ?

Phishing is a type of social engineering attacks that uses deception to trick individuals into providing
sensitive information such as login credentials or personal data. This type of attack typically occurs
through email, telephone, or text message communication and is designed to appear legitimate in order
to gain the trust of the victim. The attackers may use various tactics such as creating fake websites or
emails that resemble legitimate sources, impersonating a trusted organization, or using urgent
language to create a sense of urgency and pressure the victim into providing the requested information.
The goal of these attacks is to steal sensitive information such as passwords, credit card numbers, or
other personal data for financial gain or to gain access to sensitive systems and information.

Types of Phishing

Types of Phishing

Email Phishing

Email Phishing is a tactic used in penetration testing and red teaming engagements where an attacker
targets a specific company or individual by gathering information through Open-source intelligence
(OSINT). This type of attack involves researching the company, their interests, and the services they
offer in order to appear legitimate and trick the target into taking a desired action. An example of this
type of attack is Spear Phishing, where the attacker poses as someone searching for a job and targets
the human resources department of the company. The attacker then tricks the HR representative into
downloading a malicious file, such as a keylogger or spyware, which allows the attacker to gain access
to sensitive information. The goal of Email Phishing is to gather information or gain access to a
company’s systems through tricking the target into taking an action that they would not normally take.

Whaling Phishing

Whaling phishing is a specific type of phishing that targets individuals with high levels of access and
permissions within an organization, such as the CEO. This tactic involves creating fake emails that
appear to be from other individuals within the company, in order to gain sensitive information or access
to important systems. The goal of whaling phishing is to take advantage of the trust and authority of
high-level individuals in order to compromise the entire organization. To carry out a successful whaling
phishing attack, an attacker may conduct extensive research on the targeted organization, known as
OSINT (Open Source Intelligence). This research may include studying the roles, positions, and groups
within the company, in order to identify potential targets and understand their access levels. Once the
attacker has a good understanding of the organization, they may create fake emails that appear to be
from other individuals within the company. These emails may contain malicious links or attachments,
which, when clicked, can infect the target’s computer with malware or steal sensitive information. For
example, imagine that the CEO of a company has local administrator access on the company’s system.
An attacker may create a fake email that appears to be from a lower-level employee, requesting the
CEO to click on a link or download a file. If the CEO falls for the trap and clicks on the link or download
the file, the attacker can potentially gain access to the CEO’s computer and potentially the entire
company’s system. In summary, whaling phishing is a tactic that targets high-level individuals within an
organization, such as the CEO, with the goal of compromising the entire organization. It involves
conducting extensive research on the targeted organization and creating fake emails that appear to be
from other individuals within the company, in order to steal sensitive information or gain access to
important systems.

Smishing Phishing

Smishing, also known as SMS phishing, is where the attacker sends text messages to the victim in
order to obtain sensitive information or trick them into taking a specific action. Unlike traditional phishing
attacks, which are delivered through email, smishing attacks are delivered through text messages on a
victim’s mobile device. The attacker may obtain the victim’s phone number through an old data breach
or other means, making it easy for them to target the victim. One of the advantages of smishing is that it
does not require an internet connection. This means that even if the victim is on vacation or in an area
with limited internet access, they can still be targeted by the attacker. Additionally, the victim may be
more likely to respond to a text message than an email, as text messages are typically considered
more urgent and personal. However, it is important to note that smishing can be just as dangerous as
traditional phishing attacks. The victim may be tricked into providing sensitive information, such as login
credentials or financial information, or they may be directed to a malicious website that can infect their
device with malware. Therefore, it is important for individuals and organizations to be aware of the risks
of smishing and to take appropriate measures to protect themselves.

Vishing Phishing

Vishing, also known as voice call phishing, is where the threat actor contacts the victim or targeted
person via phone call. The attacker may use phone numbers over IP (Internet Protocol) if they have
already gained access to them. This method of phishing is considered harder compared to others, as
the attacker must have a well-planned and convincing story in order to obtain the desired information
from the victim without arousing suspicion. One benefit of vishing is that the outcome of the attack is
often faster than email phishing, as the attacker does not need to wait for a file or email to be opened or
clicked. It is important to note that there is often confusion between phishing and spear phishing. The
main difference between the two is that spear phishing targets specific groups or organizations, such as
individuals with specific positions that have access to sensitive systems.

What is IDN’s ?

International Domain Names (IDNs) are a solution to the problem of the limited character set of the
early days of the World Wide Web’s Domain Name System (DNS). The DNS root originally only
supported Latin letters A-z and digits. However, with over 6000 languages spoken worldwide, it became
clear that support for non-Latin alphabets such as Cyrillic and Arabic was necessary. IDNs were
created to address this issue and make the DNS root more inclusive and accessible for speakers of
non-Latin languages. Additionally, IDNs also play a significant role in Homograph attacks, that uses
visually similar characters to trick users into visiting malicious websites.

IDN Homograph Attack

An IDN Homograph Attack is an attack that utilizes the Internationalized Domain Name (IDN) feature to
manipulate letters in different languages. The IDN feature allows for the use of non-Latin characters in
domain names, which can be used to create a spoofed version of a legitimate domain that looks very
similar to the original. This can be used to trick victims into providing sensitive information, such as
login credentials or personal information, through phishing emails or other means. In a demonstration
of an IDN Homograph Attack, an attacker may use a tool such as the Homoglyph Attack Generator
( to create a spoofed version of a trusted
domain. For example, the attacker may create a domain that looks like “” but uses non-
Latin characters that are visually similar to the letters “h”, “a”, “c”, “k”, “e”, “r”, “o”, “n” and “e”. The
victim may not realize that the domain is different from the legitimate “” and may enter
their login credentials or personal information, allowing the attacker to steal their information.

irongeek homograph

As you can observe in the picture, we utilized characters from a different language, specifically “cyrillic”
letters, to create a domain name that appears similar to “”. However, it is important to
note that the domain name in question, һackе, is not the same as the legitimate domain

Unicode Characters

And here is the domain available as we can see:

Phishing domain

By using the domain suppo[email protected] as the original domain, in order to steal their
HackerOne account. This is a simple simulation of this type of attack and it can be used in different
scenarios, depending on the target. This attack is specifically found in common browsers like Google
Chrome, specifically in version 58 and Chromium-based browsers, but it also exists in Firefox.
However, we will cover how to limit the risk of this attack in Firefox as well.

What is punycode ?

Punycode is a method of encoding Unicode characters in the ASCII character set. Unicode is a
standardized system of representing characters and symbols from different languages and scripts,
while ASCII is a standardized set of characters and symbols used in computer systems. Punycode
allows the use of Unicode characters in domain names and URLs, which are typically limited to the
ASCII character set. The process of converting Unicode characters to Punycode involves a series of
steps. First, the Unicode characters are divided into basic and non-basic characters. Basic characters
are those that are already included in the ASCII character set, while non-basic characters are those
that are not. Next, the non-basic characters are assigned a unique code point, which is a numerical
value that represents the character. The code point is then converted to a series of ASCII characters
using a specific algorithm. These ASCII characters are then prepended with the prefix xn-- , which
indicates that the characters following it are Punycode encoded. When a user enters a Punycode
encoded URL, the browser will convert the Punycode back to Unicode characters and display the
correct characters on the screen. An example of Punycode in action is the domain name xn--
d1acufc.xn--p1ai , which is the Punycode version of the Russian domain name рф.рф (rf.rf) . In
this example, the non-ASCII characters р and ф have been encoded in Punycode, allowing them to
be used in the domain name. In summary, Punycode is a method of encoding Unicode characters,
which are used in different languages and scripts, into the ASCII character set, which is widely used in
computer systems. This allows the use of Unicode characters in domain names and URLs, which would
otherwise not be possible.

Limit the attack

In order to limit the risk of attack in Firefox browser, there are a few steps you can take. First, open your
Firefox browser and type about:config in the address bar and enable it:


The attack fixed in some common used browsers, but it’s still exist in firefox. We will cover blow how to
limit the risk of this attack in firefox & Goolge.

Prevent and Detect homograph attack and HTTP spoofing

HTTP spoofing is an attack in which an attacker creates a fake website that looks identical to the
original website. This can be done by using SSL certificates to make the fake website appear secure
and trustworthy. However, it is important to pay attention to the certificate information to confirm the
owner of the domain and website. To prevent and mitigate this type of attack, it is recommended to
disable punycode in the address bar as most modern browsers have this feature. When punycode is
disabled, the user will see the punycode as unicode, making it easier to identify suspicious websites.
Additionally, using third-party tools such as virustotal can also help to check the authenticity of a
website’s URL.



In conclusion, phishing and social engineering attacks are a significant threat to businesses and
individuals alike. These attacks target end-users directly and bypass traditional cyber security
defenses. To combat these threats, many companies have implemented phishing awareness training
programs to educate employees on how to spot suspicious email attempts and protect themselves and
the business from bad actors. However, even with user awareness, it can be difficult to limit or prevent
certain types of attacks, such as homograph attacks. Email Phishing, Spear Phishing, and Whaling
Phishing are some of the types of phishing that can be used by attackers to gain sensitive information
or access to important systems. It is important for organizations and individuals to be aware of these
tactics and to take necessary precautions to protect themselves and their data from phishing attacks.


eCPPT course & exam: The Honest Review



On February 4th, 2022, I successfully passed the “eCPPT” exam from “eLearnsecurity” and obtained the certification. Prior to this, I had previous experience with penetration testing and was already working as a penetration tester. In this blog, I will be providing my simple honest opinion on the course and exam.

Course Content

The course content was overall good, in my opinion. It was filled with a lot of information and knowledge to learn. However, there were some cons that I did not like. Specifically, in some sections of the course, certain points were not explained clearly or completely, and were more like definitions or short sentences. Despite this, the overall content was good and anyone can learn new things, whether they have previous knowledge or not. The section that I particularly liked in the course was the “Network Security” section, as it was the longest and biggest section in terms of content. It covered a lot of different types of attacks and techniques that can be used for penetration testing on networks, both internally and externally. I also appreciated the inclusion of sections on “Wireless Security” and “Metasploit & Ruby,” as these topics are not covered as frequently and are important for a penetration tester to know, as you may encounter wireless networks during engagements or projects. However, the course does not cover any content on attacking active directory, but that is included in the eCPTX certificate course content.

If I were to make some recommendations for preparing for the exam, I would suggest reading the following books:

  • “Penetration Testing with Shellcode”
  • “The Hacker Playbook 2” (which contains active directory).

Additionally, I would recommend going through the “Tryhackme” learning paths such as the “Jr Penetration Tester” path and the “Offensive Security” path. You will notice that the “Offensive Security” path also covers active directory, as does “The Hacker Playbook 2.” The reason I recommend this is because active directory is widely used in the majority of environments around the world and it is necessary to know about it.

The Exam

Now, coming to the exam part which took me few hours to done it. The exam was pretty easy and will be easy even if you didn’t have any previous experience with penetration testing as the exam was not providing everything you learn in the content which i see that it’s another thing under the cons side by the unstable exam environment. It will be enough for you to study the content and solve the labs. And at the end i would recommend the course for sure. but it’s important to consider the recognition of the certificate in the market or in the country you are targeting, as it may not be recognized in some areas.


Information Gathering:,