• Twitter
  • Facebook
  • Youtube

Monday, May 1, 2017

My journey to Ethical Hacking



Greetings everyone i hope you all are doing well. Today i want to share my journey to ethical hacking and things that i have experienced in my career and things i did to be an ethical hacker. This article is to motivate the young security researchers and the beginners, so they can start to learn from things that i have experienced and can apply them in their life. So, everything started due to interest in computers as i was a computer enthusiast. It is a dream of every person who is interested in computers to know more about it as much as they can so that was my dream to i always wanted to know about it as much as i could. Back in 2011 some of my Facebook friends discussed that their accounts were hacked, at that time i had no idea about what it was and afterwards i came to know that someone got their credentials and i was shocked that how it was possible. After some days one of my family member became a victim of cyber-attack. That was the time i had to do something about, i tired contacting some people who were claiming that they were hackers and can hack into accounts, i spent a long time asking them for help and i begged them to get their accounts back and what i got in response was their laughs. Some people insulted me by saying that i got zero skills in programming and i can’t ever learn this. Some people said they learned it by learning programming and some said they learned by themself. So that was a point where you can say was a turning point, no one helped at the tough time so i decided to go for myself in order to learn something.

Well, i started googling about how to hack stuff and etc. Like every person, what i got was some weird Facebook hacking softwares that never actually worked. I learned that they were not the way to hack into stuff. The rejections and demotivation always made me keep the passion alive and i kept on search for stuff and i ended up with Phishing attacks and Keyloggings. I became familiar with those tricks and found them useful, after successful attempts i started learning more about how these things happen. This was the skill i always wanted to attain. But i found that these were the dead end, in these conditions what i always do is to switch to something else and learn new stuff i did the same and found some posts of people who hacked into websites. I was amazed by seeing how they got controls over an entire website which was a new thing for me i tried googling stuff once again as no one was there to help me. I found some methods like SQL Injection using which i was able to hack into site’s database where all information where stored and all passwords, i learned that technique and found admin credentials but i was not able to go further as passwords were hashed(was not in clear form, was not readable). I left learning about that for a while as i was not able to find the solution, i was the one struggling on my own, i found some online sites which were able to crack hashes like hashkiller and etc. I used them to get into the website and that was the fun part where i got control over a website. What i wanted to do next was to learn more about it like i always do because i wanted to achieve more about what i was doing. I saw some youtube videos and stuff and learned about Shelling,Rooting and compromising Cpanels. After learning all these i was able to hack into websites, computers and accounts.

So after keep doing those stuff i felt like the cycle was repeating again and again. Just like other defacers and hackers i went into something that repeats and what i wanted was to achieve more rather than just repeating stuff. I knew how insecure the people and websites were and as i was a victim of cyber attacks, they were too. I always wanted to help people so they could survive in the situations which i experienced. At that point i wanted to get out of the repeating cycle(loop). I discovered that there were hackers that were helping people and i saw people getting listed in websites and getting gifts, that was the good side where i always wanted to be and it was the ethical hacking as it was positive use of skills which i wanted to do. I reported the vulnerabilities(securtiy flaws) to the website owners that i discovered in early days.

This was the time when i turned into White Hat. I reported the flaws to famous companies like BMW and others. The response were really motivative and that was something which kept the passion alive. I kept reporting random sites and all i learned at that time were the two attacks(XSS,SQLI). I reported these issues to over 20 sites and one of them asked my address to give me a gift i was really happy to hear that and it was a watch that i received from a company in Hong Kong. For a normal person it was a great achievement for me to receive a watch from an international company as i never received any gift before(I still keep that watch just to remember what i was in the past). A few sites listed me in their Hall of Fame page where names are mentioned of security researchers who helped them secure their site. When i got 3 Halls of Fame an announcement was made at my school just to appreciate me and my interview was taken by a company. It was quite impressive, i set a target to achieve 15 Halls of Fame which i completed in a quick time and i wanted to achieve as much as i could so i keep hunting websites and helped them secure.

I was a normal guy hunting sites with XSS and SQLI only. Almost every report was an XSS vulnerability as i knew nothing else at that time. I made some friends in the social network and helped them in learning new stuff. I was satisfied for what i achieved and what my next goal was to help people that were suffering from condition that i was in. I wrote some articles, released some videos of how i hunted each site and things so people can learn from it. Suggested some books to people and helped them in each and every situation because i never wanted them to face rejections and demotivation that i faced. I started learning more techniques from Google and ended up with books like “Web Application Hacker’s Handbook” & “OWASP Testing Guide v4”. These were the books that were available in PDF form for free. I gave some time to it and studied them. It was really tough for me to learn all those stuff so i learned about how web apps work and about different CMS(Content Management Systems). I wanted to focus more on XSS as i was familiar with it so i watched some videos of people and some conference talks on youtube which gave me a quick push against the penetration testing.

I learned some new attacks and felt that i was in the right place and all i needed was experience so i could learn more(Never wanted the cycle to repeat). Once i got enough experience and knowledge i started training people who were new to cyber security and hacking. It was a quite good time as i learned much from teaching them and it is always satisfying when you are training someone. But in the same time i found that some people were still into bad stuff like defacers who are still defacing people’s sites. They are still targeting people for no reason except stamping and proving that they owned the site. I talked to some people and focused on helping them get to the right side and i wanted to get their skills on the good side because for a limited time it was fun but they had no idea about what they were doing.

Finally, after some struggle i was able to change their mind and they came on the good side in Ethical Hacking. Those people are now well known ethical hackers and many of students got hired by companies and many of them are in news and are interviewed by top companies. It is always good to make people get on the right path no matter what you have to sacrify. No matter what position you are today at, just always remember who you were in the past and all you have to do it to help people rise so they can further help people who are down.

To all those hackers,beginners and people who are reading this i’d say that Attain the Skill, Contribute to the community, Help those who are really in need and you will get the satisfaction you never had. Being a security researcher just make sure to always be on the good side. This isn’t limited to hacking, being on a good side you should also help the community and the people so they can achieve the skill and can learn the positive use of it.

Rising from a normal guy to a security researcher isn’t an easy journey. People will always demotivate you,reject you and will always let you down no matter what. This is the stage which is really difficult to face and that’s the only thing every person should learn is to keep the passion alive and to keep himself up.

Still many people are trying to defame me by targeting my social accounts, website and stuff but they can never stop me from achieving my goals and can never destroy the passion i have. When i was admitted in the Hospital, my website was compromised and people started judging my skills but what they say doesn’t matter, all you have to do is to get self satisfaction and no one expect you knows who you really are. The people in the community should help each other rather than just making people down and stopping them from achieving their goals. Being a hacker isn’t the important thing, being a successful person is the important thing and that can be only done by helping the community rise.

Being a security researcher, it is really tough to keep yourself up to date. I’d ask the beginners to focus on self study and learn things by themself as everything is possible all you need is the passion of taking a step after that you can achieve anything. Still the passion is up and i am using my skills to help people getting secure in the cyber space. Now i am listed in almost 90+ Halls of Fame, have 30+ Certificates, and got acknowledged by over 300 companies which are well known. Some of them are Google,Microsoft,Oracle,Sony,Dell,Amazon,Ebay. These are a few companies that i have named and i am glad that i finally proved that nothing is impossible to achieve. All i achieved was by doing self-study and self motivation and without any certifications. You are never a perfect person, but you are still better then the rest of the people. For being a security researcher, all it takes is the passion to achieve something. I hope this article helped you motivate to take a positive step in life, Share the article so we can help the community rise 🙂

Shawar Khan
Security Researcher

Contact

Get in touch with me