Ashraf Mohamed
Available for Work

Hello, I'm Ashraf Mohamed

Penetration Tester | OSCP+ | OSCP

Cybersecurity professional and penetration tester with OSCP and OSCP+ certifications. Skilled in vulnerability analysis, exploitation, post-exploitation, and reporting with a focus on real-world attack scenarios. Proficient in tools such as Burp Suite, Nmap, Metasploit, and various scripting techniques to automate and enhance testing processes. Backed by years of hands-on software engineering experience building IoT systems, mobile apps, and hardware integrations — giving me deep knowledge of attack surfaces from the inside.

  • OSCP+ · OffSec Certified+
  • OSCP · OffSec Certified
  • 10+ Systems Built & Tested
  • 50K+ Users Served

01.

About Me

I’m a cybersecurity researcher and penetration tester specializing in network, web application, IoT, and hardware security assessments. With OSCP and OSCP+ certifications, I have proven hands-on ability to identify and exploit vulnerabilities in realistic environments — from Active Directory networks to embedded IoT systems. What sets me apart is my engineering background: I spent years building the exact types of production systems I now test — smart lockers controlled via RS485 serial protocols, vending machines connected through USB APIs, NFC/RFID access control systems, MQTT-connected Raspberry Pi agents, and payment gateways processing real transactions. This gives me something most security researchers don’t have: protocol-level knowledge of how these systems actually work, where the vulnerabilities hide, and how to exploit them.

My core focus areas are penetration testing (network, web, IoT), vulnerability research, privilege escalation, Active Directory exploitation, and hardware hacking. I understand the full attack surface of connected systems: from the mobile app layer (Flutter, REST APIs) through the backend (MQTT brokers, WebSockets, databases) down to the hardware layer (RS485 serial buses, NFC/RFID readers, embedded Linux on Raspberry Pi). I write custom scripts and tools to automate reconnaissance, enumeration, and exploitation workflows.

Based in Riyadh, Saudi Arabia. B.Sc. in Software Engineering from Sudan University of Science and Technology (GPA 3.08/4.0). OSCP & OSCP+ certified penetration tester. IEEE SUSTech Vice-Leader. Built and security-tested 10+ production systems serving 50,000+ users — from ride-hailing apps to automated pharmacy kiosks integrated with Saudi Arabia's national Wasfaty e-Prescribing platform.

What I Do

01

Penetration Testing

Network, web application, and IoT penetration testing. OSCP & OSCP+ certified. Active Directory exploitation, privilege escalation, lateral movement, post-exploitation, and reporting.

02

IoT & Hardware Hacking

RS485 bus sniffing, MQTT broker exploitation, NFC/RFID cloning & replay, firmware analysis, embedded Linux attacks. Built 5+ IoT production systems — I know exactly where the vulnerabilities hide.

03

Web & API Security

OWASP Top 10, SQL injection, XSS, CSRF, IDOR, authentication bypass, SSRF. REST API and WebSocket security testing. Payment gateway vulnerability analysis from the builder’s perspective.

04

Security Tooling & Automation

Python and Bash scripting for recon, enumeration, and exploitation automation. Custom tool development (Magnum Scanner). Proficient with Burp Suite, Nmap, Metasploit, Hashcat, BloodHound, Ghidra.

Personal Info

Email

ashrafal3oni@gmail.com

Phone

+966503489316

Location

Riyadh, Saudi Arabia

Languages

Arabic (Native), English

02.

Professional Certifications

Certified in advanced offensive security techniques with hands-on expertise in penetration testing and web application security.

OSCP+

OffSec Certified Professional+ (OSCP+)

Issued: March 2026

Demonstrates advanced ability to identify vulnerabilities and execute organized attacks under tight time constraints. Validates skills in information gathering, exploit development, privilege escalation, client-side attacks, web application exploitation, tunneling, and Active Directory attacks.

Privilege Escalation · Web App Attacks · Buffer Overflows · Active Directory · Antivirus Evasion · Tunneling & Pivoting · Bash Scripting · Exploit Fixing · Client-Side Attacks · PowerShell Empire
OSCP

OffSec Certified Professional (OSCP)

Issued: March 2026

Demonstrates proficiency in ethical hacking through a challenging hands-on exam requiring successful compromise of multiple systems. Validates practical skills in network vulnerability scanning, buffer overflow exploits, web exploitation, password attacks, pivoting, and Active Directory attacks.

Network Scanning · Buffer Overflows · Web Exploitation · Password Attacks · Pivoting · Active Directory · Metasploit · Privilege Escalation · Public Exploit Fixing · File Transfers

03.

Skills & Technologies

Security tools, IoT hacking techniques, and software engineering skills — built from years of hands-on system development and offensive security research.

Offensive Security

8 technologies

OSCP+
Offensive Security Certified Professional+
Penetration Testing
Network, Web, IoT
Vulnerability Research
CVE discovery
Exploit Development
Buffer overflow, RCE
Privilege Escalation
Linux & Windows
Active Directory
Kerberos, NTLM attacks
Metasploit
Exploitation framework
Burp Suite
Web app testing

IoT & Hardware Security

8 technologies

RS485 Bus Sniffing
Serial protocol analysis
MQTT Security
Broker auth, TLS, ACLs
NFC/RFID Hacking
Card cloning, replay
Embedded Linux
Raspberry Pi hardening
Firmware Analysis
IoT device reversing
USB Attack Vectors
POS terminal, serial
Vending Machine Internals
Built & tested 5+ systems
Physical Security
Lock bypass, access control

Network & Web Security

7 technologies

Nmap
Network discovery & scanning
Wireshark
Packet analysis
OWASP Top 10
Web vulnerability testing
SQL Injection
Detection & exploitation
XSS / CSRF
Client-side attacks
API Security
REST, WebSocket testing
Payment Security
Gateway vulnerability analysis

Programming & Scripting

7 technologies

Python
Exploit dev, IoT agents, automation
Bash
Recon scripts, enumeration
Dart / Flutter
4+ published mobile apps
Kotlin
Android kiosk apps
Java
Spring Boot backends
PHP
Laravel APIs
JavaScript
Web app testing

Security Tools

8 technologies

Kali Linux
Primary security OS
Burp Suite Pro
Web app pentesting
Metasploit
Exploitation framework
Nmap / Masscan
Network scanning
Hashcat / John
Password cracking
Gobuster / ffuf
Directory brute-force
BloodHound
AD enumeration
Ghidra / IDA
Reverse engineering

Software Engineering

10 technologies

Flutter / BLoC
Cross-platform apps
Clean Architecture
Scalable structure
RESTful APIs
Backend development
Windows Server / IIS
Ministry deployment
MSSQL Server
Enterprise database
Active Directory / Kerberos
Server-to-server auth
MQTT / WebSocket
Real-time IoT comms
MySQL / PostgreSQL
Database systems
AWS / VPS
Cloud deployment
Git / GitHub
Version control

DevOps & Tools

8 technologies

AWS
Cloud hosting
VPS
Server deployment
GitHub
Version control
Android Studio
Mobile IDE
VS Code
Primary editor
Postman
API testing
systemd
Pi service management
Google Maps SDK
3Minutes Taxi
  • OSCP Certified
  • 8 Offensive Tools
  • 8 IoT/Hardware Security
  • 7 Network & Web Sec
  • 8 Security Tools
  • 45+ Total Skills

04.

Experience

MOGI ALTIGAH


موجي الاتقان

Vending Machine Solutions

Mobile Application Developer & IoT Developer

12/2023 – Present · Riyadh, Saudi Arabia
  • Led development of subscription-based meal delivery apps (SaladBar, Khozama) with IoT-integrated vending machines and smart locker pickup systems.
  • Designed and built Wasfaty — an automated medication dispensing kiosk integrated with Saudi Arabia's national e-Prescribing platform (NUPCO), handling the full 9-step dispensing cycle.
  • Developed and deployed the Ministry of Industry employee purchase system on dual Windows Server infrastructure — IIS web server with custom AppPool configuration, MSSQL database server, Kerberos delegation for secure Windows-integrated authentication between servers.
  • Built Fushati — a school canteen management ecosystem with parent app, canteen manager app, NFC card scanning, and Google ML Kit face recognition.
  • Integrated payment gateways (Moyasser, Interpay, Apple Pay, mada, Tamara, STC Pay) and QR code-based payment systems for vending machines.
  • Built smart locker control services using Python on Raspberry Pi, communicating with Kerong lock boards via RS485 serial protocol and MQTT.
  • Established a new company department focused on vending machine technology and payment integration.

Projects Delivered

SaladBar Meals · Fushati Canteen · Khozama Meals · Smart Vending App · Wasfaty · Smart Lockers · Ministry of Industry · Payment Integration
Full Screen


فل سكرين

Media · Advertising · Exhibitions

Full Stack Mobile Application Developer

06/2023 – 12/2023 · Riyadh, Saudi Arabia
  • Built 3Minutes Taxi — a ride-hailing app trusted by 50,000+ customers, with real-time GPS tracking, multiple service tiers, and fixed pricing.
  • Implemented application UI with custom widgets, rich animations, and seamless third-party API integrations using Flutter.
  • Designed dynamic and complex functionality using BLoC design pattern for efficient state management and Clean Architecture principles.
  • Integrated Google Maps SDK for real-time driver tracking, optimal route navigation, and location-based services.

Projects Delivered

3Minutes Taxi

05.

Blog & Writeups

Security research, pentesting techniques, and software engineering insights published on Medium.

Security Tool · Dec 2025

Magnum Scanner

Baseline once. Watch always. Pivot fast. A recon automation tool for HTB, THM, and OSCP lab environments.

Systems · May 2025

Linux vs. macOS: Architecture and Portability Comparison

Deep dive into how Linux and macOS differ in architecture, kernel design, and cross-platform portability for security tooling.

Pentesting · Apr 2025

When to Use Each Nmap Scan Type

Protocol-level breakdown of Nmap scan options — TCP SYN, UDP, ACK, FIN, and when each scan type is most effective during enumeration.

Priv Esc · Feb 2025

systemctl and Systemd Services for Privilege Escalation

How to enumerate and exploit misconfigured systemd services for Linux privilege escalation during penetration tests.

Engineering · Dec 2023

The Importance of Testing in Software Development

Building robust software requires thorough testing — unit tests, integration tests, and end-to-end testing strategies.

Engineering · Dec 2023

The Power of Singleton in App Development

Managing instances efficiently with the Singleton pattern — when to use it and how to implement it in Flutter and Dart.

Engineering · Oct 2023

Version Control in Professional Software Development

Version control is a critical aspect of professional development — Git workflows, branching strategies, and team collaboration.

Engineering · Jul 2023

Flutter Clean Architecture

The secret to maintainable apps — structuring Flutter projects with Clean Architecture, BLoC pattern, and separation of concerns.

06.

Featured Projects

From mobile apps serving 50K+ users to IoT systems controlling smart lockers — real projects shipped to production.

IoT

MOGI ALTIGAH

Ministry of Industry — Employee Purchase System

Automated employee purchase system using NFC/RFID access cards with vending machines. Deployed on dual Windows Server infrastructure with IIS application pools, MSSQL database, and Kerberos authentication between web and database servers. Virtual daily point balance with classification-based quotas and purchase rules.

Windows Server · IIS · MSSQL · +6
9 highlights
IoT

MOGI ALTIGAH

Smart Lockers

Smart locker service built with Python on Raspberry Pi, communicating with locker board hardware via serial port for lock/unlock control.

Python · Raspberry Pi · Serial Communication · +1
3 highlights
APP

AL KUZAMA TRADING CO

Khozama Meals

A smart meal subscription platform (Al Kuzama Trading Co / شركة الخزامى التجارية) for corporate workplaces. Employees subscribe via the app, choose daily meals, and collect them from Smart Locker machines at their office floor — the app decides who gets what, the machine just delivers. A complete digital food ecosystem: subscription management, meal planning, QR-based locker pickup, and an operations dashboard.

Flutter · Dart · BLoC · +5
2112 highlights
APP

Full Screen

3Minutes Taxi

A ride-hailing taxi app operating in Saudi Arabia connecting passengers with professional drivers. Features real-time GPS tracking, multiple service tiers (daily commute, family transport, business VIP, delivery), fixed pricing with no surge charges, and multiple payment options. Trusted by over 50,000 customers.

Flutter · Dart · BLoC · +5
2410 highlights
APP

MOGI ALTIGAH

Smart Vending App

A mobile companion app for SaladBar smart vending machines. Users scan a QR code on the machine, browse available products by category (food, drinks, snacks), add items to cart, and pay via credit card, Apple Pay, or PayPal — all from their phone. The machine dispenses the product after payment confirmation.

Flutter · Dart · BLoC · +7
2312 highlights
APP

MOGI ALTIGAH

SaladBar Meals

Subscription-based healthy meal delivery app with QR code vending machine pickup. Users choose dietary packages (Low-carb, Balanced), select weekly/monthly plans, customize meal combos, and collect meals by scanning QR codes on vending machines. Features a built-in wallet system with Apple Pay integration.

Flutter · Dart · BLoC · +6
2110 highlights
APP

MOGI ALTIGAH

Fushati Canteen

A new experience for school cafeterias — Fushati (فسحتي) is a comprehensive canteen management solution empowering parents to monitor children’s daily expenses, set spending limits, and top up digital student cards. Features NFC card scanning, face recognition, Apple Pay integration, and full Arabic RTL support.

Flutter · Dart · BLoC · +6
1810 highlights
IoT

MOGI ALTIGAH

Wasfaty — Automated Medication Dispensing

A self-service pharmacy kiosk that replaces traditional pharmacy counters with vending machines. Integrated with Saudi Arabia’s national Wasfaty (NUPCO) e-Prescribing platform. Patients scan a QR code or enter a prescription reference number, and the machine automatically dispenses their medications with printed labels — no pharmacist counter needed.

Kotlin · Jetpack Compose · Android · +8
1012 highlights
IoT

MOGI ALTIGAH

Payment Integration

Integrated vending machines with Interpay and digital payment providers. QR code-based payment systems and POS terminal connectivity via USB APIs.

Interpay · Digital Payments · QR Code · +2
5 highlights

07.

Education

11/2016 – 03/2022

Bachelor of Science, Software Engineering

Sudan University of Science and Technology · Khartoum, Sudan

GPA: 3.08 / 4.0

IEEE SUSTech Student Branch

  • Project Team Volunteer — Developing Mobile Applications using Flutter (2020–2021)
  • Project Team Vice-Leader (2022)

08.

Get in Touch

Feel free to reach out for collaborations or opportunities.