• Twitter
  • Facebook
  • Youtube

About me

Let me introduce myself


A bit about me

Shawar Khan is an Ethical Hacker & Security Researcher from Pakistan.

With over years of experience in cyber security, Shawar Khan identified major security flaws in world's well known companies. This includes Google, Microsoft, PayPal, Apple and many others. A huge number of Halls of Fame and Certificates were rewarded as a token of appreciation from these companies. In spare time, Shawar used to develope exploits and web-app penetration testing tools. Some of them are BruteXSS & D-TECT.

Profile

Shawar Khan

Personal info

Shawar Khan

A Web Application Penetration Tester and Security Researcher.

Skills & Things about me

Web Application
95%
Penetration Testing
Mobile App
88%
Penetration Testing
Python
90%
Exploit Writing

Portfolio

My latest projects


Monday, May 1, 2017

My journey to Ethical Hacking



Greetings everyone i hope you all are doing well. Today i want to share my journey to ethical hacking and things that i have experienced in my career and things i did to be an ethical hacker. This article is to motivate the young security researchers and the beginners, so they can start to learn from things that i have experienced and can apply them in their life. So, everything started due to interest in computers as i was a computer enthusiast. It is a dream of every person who is interested in computers to know more about it as much as they can so that was my dream to i always wanted to know about it as much as i could. Back in 2011 some of my Facebook friends discussed that their accounts were hacked, at that time i had no idea about what it was and afterwards i came to know that someone got their credentials and i was shocked that how it was possible. After some days one of my family member became a victim of cyber-attack. That was the time i had to do something about, i tired contacting some people who were claiming that they were hackers and can hack into accounts, i spent a long time asking them for help and i begged them to get their accounts back and what i got in response was their laughs. Some people insulted me by saying that i got zero skills in programming and i can’t ever learn this. Some people said they learned it by learning programming and some said they learned by themself. So that was a point where you can say was a turning point, no one helped at the tough time so i decided to go for myself in order to learn something.

Well, i started googling about how to hack stuff and etc. Like every person, what i got was some weird Facebook hacking softwares that never actually worked. I learned that they were not the way to hack into stuff. The rejections and demotivation always made me keep the passion alive and i kept on search for stuff and i ended up with Phishing attacks and Keyloggings. I became familiar with those tricks and found them useful, after successful attempts i started learning more about how these things happen. This was the skill i always wanted to attain. But i found that these were the dead end, in these conditions what i always do is to switch to something else and learn new stuff i did the same and found some posts of people who hacked into websites. I was amazed by seeing how they got controls over an entire website which was a new thing for me i tried googling stuff once again as no one was there to help me. I found some methods like SQL Injection using which i was able to hack into site’s database where all information where stored and all passwords, i learned that technique and found admin credentials but i was not able to go further as passwords were hashed(was not in clear form, was not readable). I left learning about that for a while as i was not able to find the solution, i was the one struggling on my own, i found some online sites which were able to crack hashes like hashkiller and etc. I used them to get into the website and that was the fun part where i got control over a website. What i wanted to do next was to learn more about it like i always do because i wanted to achieve more about what i was doing. I saw some youtube videos and stuff and learned about Shelling,Rooting and compromising Cpanels. After learning all these i was able to hack into websites, computers and accounts.

So after keep doing those stuff i felt like the cycle was repeating again and again. Just like other defacers and hackers i went into something that repeats and what i wanted was to achieve more rather than just repeating stuff. I knew how insecure the people and websites were and as i was a victim of cyber attacks, they were too. I always wanted to help people so they could survive in the situations which i experienced. At that point i wanted to get out of the repeating cycle(loop). I discovered that there were hackers that were helping people and i saw people getting listed in websites and getting gifts, that was the good side where i always wanted to be and it was the ethical hacking as it was positive use of skills which i wanted to do. I reported the vulnerabilities(securtiy flaws) to the website owners that i discovered in early days.

This was the time when i turned into White Hat. I reported the flaws to famous companies like BMW and others. The response were really motivative and that was something which kept the passion alive. I kept reporting random sites and all i learned at that time were the two attacks(XSS,SQLI). I reported these issues to over 20 sites and one of them asked my address to give me a gift i was really happy to hear that and it was a watch that i received from a company in Hong Kong. For a normal person it was a great achievement for me to receive a watch from an international company as i never received any gift before(I still keep that watch just to remember what i was in the past). A few sites listed me in their Hall of Fame page where names are mentioned of security researchers who helped them secure their site. When i got 3 Halls of Fame an announcement was made at my school just to appreciate me and my interview was taken by a company. It was quite impressive, i set a target to achieve 15 Halls of Fame which i completed in a quick time and i wanted to achieve as much as i could so i keep hunting websites and helped them secure.

I was a normal guy hunting sites with XSS and SQLI only. Almost every report was an XSS vulnerability as i knew nothing else at that time. I made some friends in the social network and helped them in learning new stuff. I was satisfied for what i achieved and what my next goal was to help people that were suffering from condition that i was in. I wrote some articles, released some videos of how i hunted each site and things so people can learn from it. Suggested some books to people and helped them in each and every situation because i never wanted them to face rejections and demotivation that i faced. I started learning more techniques from Google and ended up with books like “Web Application Hacker’s Handbook” & “OWASP Testing Guide v4”. These were the books that were available in PDF form for free. I gave some time to it and studied them. It was really tough for me to learn all those stuff so i learned about how web apps work and about different CMS(Content Management Systems). I wanted to focus more on XSS as i was familiar with it so i watched some videos of people and some conference talks on youtube which gave me a quick push against the penetration testing.

I learned some new attacks and felt that i was in the right place and all i needed was experience so i could learn more(Never wanted the cycle to repeat). Once i got enough experience and knowledge i started training people who were new to cyber security and hacking. It was a quite good time as i learned much from teaching them and it is always satisfying when you are training someone. But in the same time i found that some people were still into bad stuff like defacers who are still defacing people’s sites. They are still targeting people for no reason except stamping and proving that they owned the site. I talked to some people and focused on helping them get to the right side and i wanted to get their skills on the good side because for a limited time it was fun but they had no idea about what they were doing.

Finally, after some struggle i was able to change their mind and they came on the good side in Ethical Hacking. Those people are now well known ethical hackers and many of students got hired by companies and many of them are in news and are interviewed by top companies. It is always good to make people get on the right path no matter what you have to sacrify. No matter what position you are today at, just always remember who you were in the past and all you have to do it to help people rise so they can further help people who are down.

To all those hackers,beginners and people who are reading this i’d say that Attain the Skill, Contribute to the community, Help those who are really in need and you will get the satisfaction you never had. Being a security researcher just make sure to always be on the good side. This isn’t limited to hacking, being on a good side you should also help the community and the people so they can achieve the skill and can learn the positive use of it.

Rising from a normal guy to a security researcher isn’t an easy journey. People will always demotivate you,reject you and will always let you down no matter what. This is the stage which is really difficult to face and that’s the only thing every person should learn is to keep the passion alive and to keep himself up.

Still many people are trying to defame me by targeting my social accounts, website and stuff but they can never stop me from achieving my goals and can never destroy the passion i have. When i was admitted in the Hospital, my website was compromised and people started judging my skills but what they say doesn’t matter, all you have to do is to get self satisfaction and no one expect you knows who you really are. The people in the community should help each other rather than just making people down and stopping them from achieving their goals. Being a hacker isn’t the important thing, being a successful person is the important thing and that can be only done by helping the community rise.

Being a security researcher, it is really tough to keep yourself up to date. I’d ask the beginners to focus on self study and learn things by themself as everything is possible all you need is the passion of taking a step after that you can achieve anything. Still the passion is up and i am using my skills to help people getting secure in the cyber space. Now i am listed in almost 90+ Halls of Fame, have 30+ Certificates, and got acknowledged by over 300 companies which are well known. Some of them are Google,Microsoft,Oracle,Sony,Dell,Amazon,Ebay. These are a few companies that i have named and i am glad that i finally proved that nothing is impossible to achieve. All i achieved was by doing self-study and self motivation and without any certifications. You are never a perfect person, but you are still better then the rest of the people. For being a security researcher, all it takes is the passion to achieve something. I hope this article helped you motivate to take a positive step in life, Share the article so we can help the community rise 🙂

Shawar Khan
Security Researcher

Wednesday, April 12, 2017

Pwnage of every user due to Weak Encryption


Greetings everyone, this is Shawar Khan and today i wanted to share one of my recent findings. Recently while pentesting a private project i faced a type of weakness in the web application that i am going to share today. The application that i was testing was fully accessed after the penetration test but in this write-up i am only disclosing an issue which i think is interesting and the developers and researchers can look into it while performing pentests against the web applications.

So, i started the pentest against the web application and checked ever area which was publicly available and found some flaws so after that's done the next steps comes in which we have to check the auth mechanism.
As we know the critical flaws are discovered when it comes to functionality that is responsible for changing user passwords and stuff so i moved towards the password reset functionality.

Simply registered an account, requested a password reset token which looks like:

Password Reset Link sent to User's Email via Web-App
Once the password reset link is requested, an email is sent to user's email which is associated with user's account. The email contains a link as shown above which contains "email" and "token" parameters. These parameters tells the web application that the specific user want to change his password. The "email" parameter's value will be the email of user which is requesting the password change and the value of "token" is a special md5 hash.

How the hash works in this mechanism? 

Each hash that is sent in password change request is associated with a user account so if the token or hash is having the same email which is associated with it then it will allow the password change. Otherwise, the password change request will be rejected as if the hash doesn't match with the email.

Exploiting the mechanism

Now as we understood how it works, its time to exploit it. I tried replacing the 'email' parameter's value to someone else's email address to check if its an IDOR vulnerability but that doesn't works. In these type of situation the only solution is to check how the hash was made.

The hash was identified as MD5 so i tried cracking the hash and i successfully got the plain text after the decryption of that hash which was sent in the reset link. In my case it was "d9d4f495e875a2e075a1a4a6e1b9770f":
Decryption of Password Reset Hash


So the decrypted value of the hash was "46". We now know that they are using numbers as tokens. Now its time to check if the same token or number was being used as token for every requested link. I requested some more links and decrypted them:
Decryption of 4 Password Reset Hashes
So after a little observation i found out that the numbers that were between 0 and 1000. The number was not crossing 1000 so maybe they are using some kind of random function to generate numbers between that specified range. Now we know how the hashes were generated now its time to fire up the weapons. We can bruteforce the password reset link hash but first we need to create the list of payloads.

I coded a little script that will generate hashes of numbers from 0 to 1000:
Generation of MD5s
Now we got a list of hashes from 0-1000 that we will be using to bruteforce the "token" parameter and one of them will be the correct value which will reset the user password. I coded a script that will use those hashes and will bruteforce the "token" parameter and the script prints the valid hash and URL for resetting password of the specified user.
So the final exploit looks like this:
Final Exploitation
 So, as we are now able to generate a valid password reset hash for any user of the site, we are able to compromise any user of the site by just entering his email. One of the request between 0-1000 will succeed which will allow us to compromise the user account. 

Thats it!
I hope you like this write-up, make sure to share so people can learn more from this.

Note: 

The following is the Github link to scripts that i coded for exploiting this weakness:
Github: Github Repo

Monday, April 3, 2017

How i was able to read server files with Python




Greetings everyone, this is Shawar Khan and i hope you all are doing well. It's been a while since my last write up, so i decided to disclose one of my recent findings that i have identified in a top web application.  Recently i found an issue that allowed me to read files on server with Python, that was due to lack of protection and i will show you how i did it, It's quite simple.

So while i was practicing python coding i decided to apply the coded script on the web app, there were a few applications that were using python and i was able to execute python there. Some of these are online tools that execute languages online. Python is the simplest and the powerful language as it contains the easiest syntax with powerful control. There are many commands and modules that can be used to compromise systems and applications by in this write up i will demonstrate how i read the files.

So, lets move towards the interesting stuff, I went to the area where python execution was possible, a normal "print('Shawar Khan')" command returns the following results:



So as you can see that after the "Output:" you can see the result of the command, now the only thing that pings while executing programs is the execution of system commands, so i tried executing system command using the "os" module.

code:

import os
os.system('ls')


 result:

 The system command was not executed as the "syscall" was blocked, they were not allowing us to execute the system command, so i tried the "subprocess" module to do the same trick:

code:

import subprocess
subprocess.Popen('ls')


Result:

Okay, so same issue with this one, they were blocking all commands that execute system command so this trick failed. In similar cases we are able to execute system command and are able to get full control over the server using this trick but in this case i skipped this one and moved on to reading the server files. I tried the 'open()' to open or create a file on the server.

i found that the server was not giving me write permissions and i was not able to write files on the server but i was able to READ file that means i was having read permissions. So using that i was able to read server files by directly calling them using 'open()' with read option. The following was my code for reading /etc/passwd file:

Code:

f = open('/etc/passwd','r')

for i in f:
    print i.strip('\n')




Result:

So, i was successfully able to read files on the server and was able to call them as i was having read permissions. These simple tricks can be handy wile performing pentests against web apps like these. 

Thats it, share the write up if you like it!

Tip:~$ #Where there's a Python, there's a way.

Sunday, March 5, 2017

WhatsApp - 0day Vulnerability in IOS & Android


Greetings Everyone

Today we are going to share the 0day that we have discovered in WhatsApp. Our team(Muhammad Uwais, Kunal Khubchandani, & Shawar Khan) identified a 0day vulnerability in WhatsApp Mobile Applications(iOS & Android). The Followings are the details:

Bug: Buffer Overflow App Crash Denial of Service Vulnerability
Affected Versions: All Whatsapp Versions prior to "2.17.79"

Platform: IOS & Android
Researchers: Muhammad Uwais, Kunal Khubchandani, Shawar Khan
This vulnerability allows a remote attacker to crash the target victim's mobile application. This affects both version of Whatsapp which include Whatsapp for IOS & Whatsapp for Android. 


Recently Uwais joined WhatsApp and started the Pentest against the application as thats what a hacker does at start, identifying security flaws is the first step every hacker performs. Recently a flaw was discovered that allowed attackers to crash victim's whatsapp by sending a message containing unknown characters and recently a guy found that he could crash Whatsapp Ios Version by 2 emojis if you know those are rainbow and a white flag . According to Uwais:

I decided to make up a contact file and add up few emojis "Smiley Face" in the area of Contact name that is shared . Luckily my mobile Xiamoi Mi 3 allowed me to add emoji's and characters as many as I want .Then I shared this contact nothing happened , I added bomb emoji with other 30 smiley face emoji's. Then I send the contact to Kunal while opening his chat I noticed a slightly delay of 1.5-2 secs than usual time while opening his chat.
Uwais noticed this behaviour and asked Kunal to have a look into it because of limited access to computers at my college .

So he made the other contact i.e the contact named with bomb emojis which caused delay , then Kunal copied that message(contact) and only added characters of "bomb" emoji's and then he kept on multiplying the bomb emoji's and kept on testing its response (delay) in opening the conversation (message) .

He noticed a lot of serious lagging and I couldn't type back in the conversation while testing on android application , and again he added more and more bomb emoji characters around 5000 then he sent the contact to me on my phone, as soon as I opened his chat the mobile screen turned black and bamm whatsapp crashed !! As some phones couldn't store emoji's as the contact name so he used 3rd party app from playstore to create a contact like that . As for now we are sure all Android devices along with the whatsapp versions were affected if contact was shared with name containing around 5000 Bomb emoji's.

It was time to test ios devices , so we messaged another friend named Shawar Khan who is also a Cyber Security Researcher & WhiteHat Hacker from Pakistan and we asked him to test ios device as he is an IOS Application Penetration Tester .
I(Uwais) sent him the same contact , this time the results we noticed were crazy. 

 
His phone started lagging and his whatsapp crashed on the pressing of his home button on his iPhone. The payload was further modified by Shawar and a much powerful payload was created which caused a complete application crash of the Victim's device. To handle this such huge payload a powerful device was required as Android devices was not able to handle it, Iphone 6s was used to send the modified payload and was successfully able to takedown any WhatsApp Conversation / Group.



So finally we are confirmed that it effects every phone rather it's an iOS or android 😉 .

All versions prior to 2.17.79 were affected . Along with the app crash main ios was also affected.
The vulnerability was reported to Facebook and is now fully patched.

Demonstrations: 
Android to Android(Demo by Kunal)


IOS to Android(Demo by Shawar Khan)

 

Saturday, August 1, 2015

Stored Cross-Site Scripting(XSS) vulnerability in Intel founded by Shawar Khan


Cross-Site Scripting(XSS) using .jpg file upload in Linux


Services

What can I do


Web-App Penetration Testing

Provides a complete Penetration Test against the web application in order ensure its safety.

Android App Penetration Testing

Provides Android Application Penetration Testing in order to make the app & secure.

iOS App Penetration Testing

Provides iOS Application Penetration Testing in order to make the app & secure.

Contact

Get in touch with me