John Troon

Within the next few years, the DNS-over-HTTPS (DoH) protocol is likely to become an important component of internet connectivity. The Internet Engineering Task Force (IETF) process of getting DoH from a conceptual idea into a Request for Comments (RFC) document was fast compared to other standards, which on average take two to three years [1]. It took about a year to publish the DoH RFC 8484, filed by P. Hofmann (from ICANN) and P. McManus (from Mozilla) [2].

Since DNS resolution is an integral part of users connecting to the Internet and accessing web resources, privacy becomes a concern. DoH is set to protect DNS users from surveillance and manipulation by encrypting the plain-text DNS protocol over HTTPS [3]. Unlike DNS over TLS (DoT), which uses a dedicated port, DoH cloaks DNS traffic within regular HTTPS traffic in a way that cannot be easily detected or blocked. However, from data collected to study DoH security, it is possible to fingerprint DoH traffic among regular user-generated HTTPS traffic. This is mainly possible because the payload size in DoH traffic is consistently smaller than that of regular HTTPS traffic, which tends to fill the maximum transmission unit (MTU) [4]. Johannes Ullrich (2019), in a similar analysis, points out that if you see long-lasting TLS connections with payloads that rarely exceed a kilobyte, you probably have a DoH connection [5]. …

“There’s more to doing good than hating evil.”


Early last week, I found myself in an interesting conversation with a long-time buddy, Harry. Being a little bit older than me, a computer geek, and always cheerful, we talk about anything. “Kids nowadays display sex acts and other explicit content boldly in their rap videos, I’m shocked. What’s up?”, Harry asked while a gengetone hit song played in the background. We argued that we probably experienced a similar phase in our teenage lives, maybe without noticing, or without it being as pronounced as today. We also jammed to Nonini’s hits and other songs like Freak Like Me by Adina Howard, which had some naughty lyrics. …

Image 1: three common missing commands on GEF

GEF (pronounced “Jeff”) is a kick-ass set of commands for x86, ARM, MIPS, PowerPC, and SPARC that makes GDB cool again for exploit dev. It is aimed mostly at exploit developers and reverse-engineers, providing additional features to GDB through its Python API to assist during dynamic analysis and exploit development [1].

Setting up GEF is straightforward, there is a nifty script that does the auto-config for GDB [2]. …

Continuation of part one

In the first part of this article, I explained the essential Winsock API functions required to implement a reverse staged TCP shellcode. This is a continuation of that article; here we examine a more detailed implementation of the concepts established there.

Windows Socket Programming

The following is a summary of the steps taken to develop a reverse staged TCP shellcode:

  • Initialize Winsock
  • Create a Socket
  • Connect to a remote IP address (on a particular port)
  • Receive second stage shellcode
  • Execute the second stage shellcode
Img. 2 — Execution flow.

C-style Implementation/PoC

Client-Side PoC code. Fetch and execute 2nd stage shellcode.

Compiling the PoC…

The art and fabrics of Windows shellcoding…


Crashing an application is just one part of the vulnerability research and exploit development process. After root-cause analysis, what follows is crafting an elusive exploit that is reliable and stable. It is all an art of perfection, intrinsic to weaponizing an exploit.

An essential feature of exploit code is the size and quality of the shellcode used; both affect the efficiency and effectiveness of the exploit. At some point, you will have to encrypt or decrypt, encode or decode, and patch your shellcode on the fly, either to evade an Intrusion Detection System (IDS) or to deal with bad characters in your shellcode. …

Kenyans on Twitter — KOT, and the entanglement of local politics.


One of the most distinctive features of human language compared to that of any other animal is the ability to tell fiction: talking about things that can only be imagined, and in some cases, lies. We couldn’t have achieved modern civilization and created our different social constructs without the aid of this peculiar linguistic feature. It is hard to convince a monkey to give you its banana in exchange for an endless supply of bananas in the afterlife. …

Automation is key to improving the efficiency and accuracy of your analysis.

i. Introduction

In an older post, we examined a stack-based buffer overflow in FreeFloat FTP Server. That step-by-step guide for beginners illustrated the process and technique of basic exploit development. However, I skipped the part where I was to explain how to determine which bytes or characters can break an exploit. In this post, I’ll discuss how to hunt down bad characters in exploit development. If you are preparing for OSCE, you will find this post somewhat useful.

ii. General approach

The fundamental principle of testing which bytes corrupt your exploit code is to use an array of all 256 byte values from “\x00” to “\xff”, the byte array. The byte array takes the place of the shellcode in the exploit code. After executing the exploit, we locate the byte array in the target application’s memory and examine it for any missing or altered bytes. The inference is anchored on a simple fact: if the bytes found in memory are not the same as the ones sent in the exploit, there is a bad character. Once a bad character is identified, you generate the byte array again with that character removed. The same examination is repeated until all the bad characters are identified, i.e. until the bytes in the exploit code are identical to those in the memory of the exploited application. …

If your range of randomness is predictable and can be easily computed with less effort, it makes “random” useless.


This article is not about the basics of cracking WPA/WPA2 Wi-Fi networks. I assume you know how to break WPA/WPA2 wireless networks. The article is a more specific analysis of cracking the Huawei 4G MiFi Internet Router’s default password with 100% success.

The Huawei 4G MiFi default password (WPA/WPA2) is generated in a not-so-random way. I bought this device just a month ago, and I noticed the default password is easy to crack.

The default Wi-Fi password for the device is numerical only, with a length of eight digits. There are only ten different digits (0–9) available to produce the different random eight-digit passwords. Given a set of n elements, the permutations with repetition are the different groups formed by the k elements of a subset such…

I stumbled upon while running a pentest training a couple of months ago. I find the challenges friendly to anyone trying to dive into penetration testing. This is a continuation of the first post —

7. Secret message

Message Hidden in Image

How I solved it:

This is a very simple challenge, but I think I took a wrong start with my analysis. I’ll document all the steps I took (including the wrong turns I made) just to show you that I also make mistakes and what my solving process looks like.

I downloaded the image and jumped straight into steganalysis. I checked to see what type of image/file I was dealing with and found out it was a JPEG file (it is always important to know what sort of filetype you are dealing with). …

I stumbled upon while running a pentest training a couple of months ago. I find the challenges friendly to anyone trying to dive into penetration testing. Herein are the challenges and how I tried to solve them. Comments and other (better) ways of solving the challenges are welcome :)

1. Leaked password

We received a report that there is information leaking: the server is sending out the passwords. There is nothing in the HTML code of the page. Send us the username and leaked password.

How I solved it:

For this challenge, I intercepted the traffic via the Burp Suite Proxy and forwarded the GET request to the Repeater tab. …



If I were a writer I’d have nice words to put here :) Purple Teamer.
