Hackers Abuse Zero-Day Exploit for CrushFTP

Captions
There is a new vulnerability hitting the streets and being actively exploited in the wild, all pertinent to this software called CrushFTP. It is a software solution written in Java to offer file transfer services. Now, let me say I'm recording this video on April 23rd, and this thing hit the light of day on April 19th, when a lot of folks started to chat about it. One of the earliest, I think, was from CrowdStrike over on their subreddit, noting that CrushFTP advised of a virtual file system escape present in their FTP software that could allow any arbitrary user to download system files on that host and on the endpoint. This affects versions of the software CrushFTP below 11.1, and it is, almost in a sense, local file inclusion, but we'll pull that thread a little bit further to see how it could develop.

In those early days, when there wasn't a ton of information out and about, there was no CVE, or Common Vulnerabilities and Exposures, identifier assigned to that vulnerability. There was a whole lot of chatter across the internet, though, with a whole lot of folks noting, look, this is already being exploited in the wild and compromising hosts that are out on the public internet. I really like this post on r/cybersecurity over on Reddit: someone had commented and responded, "Yeah, we moved from CrushFTP to MOVEit." Whoops, that's tough. Obviously this whole thing hit the news; this is an article from BleepingComputer with the headline, hey, CrushFTP warns users to patch this exploited zero-day immediately. So high severity, high impact, big criticality, this is something we should take seriously. At that point, I think around April 22, it is now tagged as CVE-2024-44. Let me give credit where credit is due: this was found and disclosed by Simon Guello (I'm sorry, I'm not sure about your last name, Simon) of Airbus CERT, and that's pretty awesome, really cool to see those guys up in action here. Now fixed in CrushFTP versions 10.7.18, so anything prior is vulnerable. I've seen a lot of different numbers on how many of these are publicly exposed, whether it's almost 3,000; I think I've seen some folks say just about 5,000, almost 6,000.

And if you happen to be thinking, well, I've heard of that CrushFTP thing before, if you weren't already familiar, you might be right. Look, you probably caught one of the news cycles way back in November, just the very end of last year: CrushFTP was again vulnerable to a critical remote code execution vulnerability, CVE-2023-43177. So yesterday, if you're following along with this timeline (again, I'm recording on April 23rd), I had tweeted just previously, a little bit of a tease on April 22nd, that look, I've seen and I've recreated the CrushFTP proof of concept that didn't previously have the CVE identified, but I had to edit this tweet to say now it is 44. And the attack chain is pretty dumb, it's pretty simple, it's small stuff, but it's something that we could showcase and dig into, so I'd like to do that in this video. But let me add the little note here: I am kind of noting, oh, if you look for those 404 HTTP response codes, like a page is not found, maybe that could be an indicator. I had that breadcrumb, but let me acknowledge, hey, now that I've learned a little bit more, that's actually not all that is really needed. It doesn't strictly have to be a 404 to trigger, oh, getting a component of the attack chain; you could just as easily get what you might need as the next puzzle piece with a 200 status code. We'll chat about it in a sec.

Before we start cutting up some code, I think there is another interesting thing that we can do when there is word of a new emerging vulnerability that is actively being exploited, and something that we could track across the cybersecurity horizon. So I thought, well, let's use Flare to see if there are any cyber criminals, threat actors, adversaries that are already chatting about this, that are talking about it, in case they might say, oh, that one looks neat, or hey, I want to use this on target XYZ. It's cheesy, but I think it's worth a shot. Now, if you aren't familiar, we could use Flare to track down our own identifiers, hey, maybe specific domain names or usernames, websites, email addresses, accounts that we care about for ourselves personally or our company, our business and organization, other employees that we're making sure are doing the right thing online, and that can help us assess our own threat exposure and attack surface management. Or we could use this for some research, and we could go see what folks are chatting about regarding CrushFTP across some of the more spooky, scary parts of the internet. I can search for this and I can drill down into the different categories that might have an offering here. But look, if I wanted to take a look at stuff on the clear net, up on the open internet, maybe some lookalike domains or clear leaked credentials, or just the open web, whether it's paste sites, maybe web accounts, Git repositories and source code, or cloud-hosted activity, stuff on Google buckets, Amazon S3, yada yada yada, I don't need to worry about that. But I am curious about some of those illicit networks, like malware marketplaces or cybercrime, hackers for hire, stuff like that, whether it's forum posts, Telegram chat conversations. I'm curious if anyone is discussing that CrushFTP. Now again, I want to drill that down, probably just about the last week or so, maybe the last two days, but I'm curious, hey, can we see any new hits about 43 coming through? I'm curious if there's anything other than just the news.

Got some messaging from an account on Telegram; they've got, oh, the cutesy little image, and Flare is kind of cool, they can pull a lot of the images from different Telegram channels that might be helpful and worthwhile for investigations or work that you do. It looks like this is just sort of the boilerplate, hey, maybe information and awareness getting out to everyone in that crew. Nothing special here. Oh, they drill down into some census data; they're saying like 9,600 publicly exposed CrushFTP hosts. That's pretty wild. And Help Net Security, into some more news articles about this, and of course you got the usual call to action and social media crap. What else is there? Some more notifications, again on Telegram, hackers feed. We could drill down into the content section and see what other folks might be discussing here, but at least in a lot of Telegram channels like this, they're probably just spewing out more notifications and alerts. This one from the user hacker tricks, though, is a little bit interesting, because that might share some new resources for us, links or repositories, tools that we weren't familiar with before. If I take a look at the content, looks like, oh, I'll specifically zoom in on that message, yeah, they've got a link for Airbus CERT and their own scanner, a little proof of concept to try to find and detect vulnerable instances. I plan to chat about that a little bit later when we dig into the vulnerability and the exploit and the code that we write, but let's table that for now. Some more hits of the same stuff: Dark Leak Monitor on Telegram. Hey, at least there's some Cyrillic characters or Russian language there; maybe that'll have at least something remotely interesting. Well, okay, no, these are just more messaging, and honestly these would have a low severity; you can see the big yellow there. Maybe the medium ones I'm more interested in, so I could filter that out in the results. Let me just close, okay, now we'll bring it down to just about three events. Great, saves us from scrolling through all those. But even these, which might very well just be, again, more discussions and showcase of it, at least they give us the onion link, so we could go take a look at that across Tor, the onion router, and the dark web if we'd like. But I'll be the first to say, look, I can't read that language, so I could use either the AI assist to see if it could ask ChatGPT, do whatever artificial intelligence magic, to get a little bit more context on the conversation, or we can go copy and paste that into a translator.

In fact, using some AI to do the translation might really help. I'm not sure if folks are familiar with this, but if you aren't, hey, this is one of those more dedicated, fine-tuned LLM shenanigan things with ChatGPT to do some translating but actually retain a lot of the context, slang, and kind of the vernacular that's used in that language or dialect, whatever it might be. So I could say, hey, translate this from Russian to English, and I'll paste all this in here. Let's see if it can spit it out and give me a little bit more context clues tracking it down. Okay: "CrushFTP file transfers are strongly recommended to be updated to the latest version after a vulnerability was discovered." Yeah, yeah, yeah, okay, everything we already know, nothing all that new here. They have a couple cool clarifications or a little bit more explanation as to what some of these terms might mean in the context, so nice, looking good. Well, that's one trick; again, Flare can do that just as well for you if you hop on over to the AI assist. It gives you the translation and even a little bit more context in the circle of cybercrime and communication platforms there. There's another hit, and hey, a result on a forum called Gerky, and maybe this account, newsmaker, chatting about it. I don't see any conversation or responses, comments on that thread, though, so there's not a whole lot we could drill down into. I'm going to assume that's a lot more messaging, notifications just getting folks aware. Hey, whatever the case may be, I hope you think that's an interesting use case for Flare, trying to see what threat actors are doing and chatting about when a new vulnerability is popping off and there's a lot of commotion and chatter about it. With that said, big thanks to Flare for sponsoring this video; you can check them out with the link below in the video description.

Okay, sorry, I know that's enough talk and rambling background context. Now let's get to the demo. So I am inside of my Windows 11 virtual machine, and remember, this CrushFTP application could run on Windows or on Linux or on Mac. It is a Java-based application, so it could run just about anywhere. If you were to go onto their website and go try and download a version that you could go play with and test, there is a Download Now button that'll take you over to that download page in the navigation, but it'll tell you all about, look, this is going to be version 11, the latest rendition that has the patch, because obviously, look, the vulnerability, they want to be locking all the doors, boarding up the windows here. So you would download the latest version 11 with the links given. If you scroll all the way down, you can track down an old CrushFTP version 10 download, but that is still patched. Even if you were to take the link here, if I copy that link (and you might be able to see it down below in the navigation), if I were to change this number from, like, oh, early 10 to early 9 to try and get an even older version, it would return a file we could download, and that would work for us, but even that version 9 that's hosted on the web page is patched now.

After I got to chat with some folks, hey, bounce some ideas around, think on this and do a little bit more research, we had found, look, this CrushFTP 10.5.2 vulnerable build that was available out on GitHub from the past CVE-2023-43177, by the EMT one, one of the, hey, individuals here on GitHub, and we can chat about that soon. But they had been generous enough to share, hey, here's a copy of the old-school original CrushFTP 10 zip, but it included another copy with a different edition that you could just sort of patch onto it, overwriting the files there, and still maintain the vulnerabilities. Now I've gotten these both downloaded on my Windows 11 virtual machine, and we could, hey, drill down, take a look, but honestly the only interesting file here in my mind is this JAR file. It is a Java application, after all, and if we go take a look at that other, hey, sort of in-place hotfix we could do for the vulnerability we could introduce, it is just something we'd clobber that JAR file with, and with it being Java, we could decompile that down.

Now normally I like to use tools like JD-GUI or JADX, some of the others; I found one that I think is pretty awesome here, Procyon, I don't know how to say that, but it does include a Java decompiler. I've heard great recommendations from some folks, so hey, we could go download, if you weren't familiar, this Procyon decompiler as the release and go get it running. I am going to end up cruising this through just on Linux; I'm over here inside of an Ubuntu virtual machine right now, but I've got that downloaded and staged for us, so we'll play with it. Let me invoke java -jar on that Procyon decompiler, and it gives me all of the output on how we might use this thing. There are a couple things that are worthwhile here, ultimately just the output directory, because otherwise it would just spit everything out to the standard output, just display it all on the screen. It's got some nice syntax highlighting, though, so I got to give it that. But if I were to, hey, just drop in, paste those files for our FTP instance, we'll include the zip files that we'll extract and get the JAR file to decompile and do some patch diffing, really to see what's different between the vulnerable version and something that might not be. With that in mind, make sure you are benchmarking and sort of diffing, taking a look between what would be a genuinely patched rendition, like the latest thing you download from their website, and the rendition that we know is vulnerable. So make sure you pull from their website v10 if that's what you're doing. I will go ahead and showcase the vulnerable one. If I wanted to actually go extract, unzip that v10.5.0 that includes the plugins directory and the JAR file that I'd like to decompile, let me use that java -jar Procyon decompiler, we'll supply the output for our vulnerable, and then we'll be sure to include the current CrushFTP.jar file in our current directory. That should, once it's done, decompile everything we need and slap it into a new vulnerable directory that we can go analyze. You could follow this exact same process for the patched rendition and then do a diff with some GUI tools like Meld or whatever you might like and prefer; ultimately just put the files side by side, see what differs. We've showcased that in previous videos, so I won't drill down into the weeds right now, but that's how patch diffing comes to life.

And while we're doing that, honestly, we still haven't seen this application in action yet, so let's go do what we were planning to do by taking all of the files from that hotfix version that we saw on GitHub, clobbering it in the CrushFTP folder. Let me go ahead and paste these; yep, we can replace them as needed. Now if I double-click on CrushFTP.jar, having Java installed, we'll see this version of CrushFTP made available to us with a couple options: we can create a new admin user, install this as a service, start a temporary server, remove, start, stop, whatever. If I create an admin user just for the sake of having one, we'll use crushadmin as the default username, and let me just enter crushadmin by default as the password here. That'll create the user. If you wanted to install this as a service, you do need to have a license, in which case it being paid for, but we can start up a temporary server just as well. Let me click on that, and it spins it up on port 8080 locally and on those interfaces. So let's go take a look: can I go see CrushFTP spun up on this instance? Go to localhost:8080, and there we are, CrushFTP, that's all it takes. It redirects me to the web interface and login.html; nothing special there, really, just okay, where it puts you for the application, but that is an endpoint that we'll talk about.

Back over on the Linux side, if we wanted to finish up our patch diffing process or just take a look at the decompiled code, we can open up this vulnerable instance, take a look at all of the new Java that we might be able to read in all the different locations here. Now I'm going to streamline us a little bit, because I've done that and tried to see, okay, what's actually different between these two, and the most interesting stuff that aligns well with the screenshot that I got a little sneak peek at actually brings us down into one of the ServerSession.java files. Actually, forgive me, the juicy one is ServerStatus.java. So I've gotten that opened up here, and there's a lot to it, right? This is a hefty file, but again I'll zoom in and kind of speedrun to the more interesting tidbits, because if we were to get a session here, and I'll show you how we can do that, let's actually start to write the script and kind of go back and forth between the code and what we'll do as our proof of concept.

Let me hop back over to the Windows VM where I have this installed and running, at least in that temporary instance, and we can interact with it locally without a problem. So let me start a new Python script; we'll just slap it into, I don't know, crushit.py, that's fun. And if I import the requests module to make a couple of these URL HTTP communications back and forth, can I get to localhost:8080 on that web interface endpoint? Let me do a requests.get of that URL; we can store that as a variable and then print out the text response. If I hit Ctrl+B to run this, that returns "selected resource not found," just because I didn't supply like, oh, a login.html or whatever. Now that'll print out all the HTML response of that usual page, but the interesting thing is, like, if I were to take a look at, I don't know, the r.status_code alongside the headers, if we want to take a look at those r.headers, anything that might be interesting, there's not a whole lot there, except it is only being done right now with a .get request. There's something interesting that happens if you do a POST request to literally any endpoint. I'll hit Ctrl+B to run this one more time, but now you can see that it sets a cookie with a currentAuth and even a CrushAuth set to a value. So we have a null session, so to speak, or an anonymous user kind of still being able to interact with things even without username or password or credentials, so unauthenticated control to a couple different things, not everything. And bear in mind, look, this could just go to any endpoint, even ones that do not exist. Run this one more time: new cookie, new auth token, anything that might be necessary, and we've got that session, just a POST request.

Now I'm hopping back into Linux just to see some of the source code, because there's something we could drill down into next. When we make the POST requests, when we have this null anonymous session given to us, we could still ultimately funnel down to, like, the REST API or some control set up for this application, and maybe we could run and access a couple different endpoints or commands with parameters we pass to do different things via the API. Now I'll admit, let me lay my cards on the table: when I got to see the screenshot that the anonymous, hey, individual was willing to share, they were doing something interesting with a couple of these endpoints, with some syntax that they used that seemed to include a particular file, and that was a little bit of the magic sauce there. When it was supplied, when data was provided with this include syntax, it might literally do an include file command, and that is how you could at least read a file, in what looked like arbitrary file inclusion, but maybe even a little bit more, because there is so much potential with what you could do inside of this function. I'll show you it in a little bit, but take a look: there's a whole lot of, like, handling and functionality for doing different things with given variables, or, I don't know, hostname, kind of sort of configuration, server properties that you could access and reach, like user time remaining, their user session ID, user current directory, username, etc., etc.

Hopping back over to Windows to play with our little attack script: say we actually would retrieve our currentAuth and CrushAuth cookies from this response. You could use a session, but I think it's nice to handle this kind of explicitly if we're building out, like, a proof of concept, in case we do any weird voodoo magic later. So let's go ahead and extract the r.cookies here, and we actually don't need to even index anything; we can just store that as sort of a variable outside of the scope or namespace of just that object, because we'll do some other things, make other requests and create a different new r variable. Because, I know this is weird, but if I were to literally do another POST method to this exact same URL, but this time supply some data, and we'll fill that out as another little bit of parameters that we could supply, we could do a couple different things, like supply different commands that we might want the API to do. One of those is the exists function. Now, I'm sorry, I know I'm abstracting a lot here, but if I get back into the decompiled code, what if I were to search for that function, called, maybe just matched as a string here, exists, and we could drill down and see, hey, some of the use cases as to where that is included in the source code. Maybe some FTP communication, maybe some S3 work, SFTP; there's one that's a little bit more interesting in the ServerSessionAJAX, where it's testing if a command equalsIgnoreCase of exists, and it does some interesting things. Let's actually go take a look, and again, let me say I was only able to kind of track that down from seeing the logs and the artifacts left over on that compromised instance. I don't know what's going on with the syntax highlighting here, but if a command were to be provided where exists, looking to check if a file exists, then it will respond with some XML data, kind of pulling out things based off of the paths variable, it looks like, and presumably checking if a file that's provided exists on the file system, returning it out with some XML responses. We could play with this.

Let's try it out; back to our little sandbox script on the Windows side. We knew that the other parameter it would have been looking for is like a path, and granted, we probably want to be looking for, I don't know, anything; we could see if that even exists as a file called just, like, anything.txt, right? And there is some other oddity: this actually takes another parameter of like the cookie authentication sort of thing; it should be, from the cookies that we've just received, the currentAuth value, that's actually just the last four characters of the CrushAuth value. So we'll stage all that. Let's go ahead and set that as the response variable or object to capture it, and can I see what the r.text response and output should be from just this simple little POST request? We will need to be sure to include our cookies that we've been tracking, since those should be headers alongside our request. Now if I hit Ctrl+B to run this, take a look, we've got some XML response here that says the command result: anything.txt, what we were querying and looking for with the parameter, is false. That file does not exist. Now this should be reading from the sort of local directory. If I do things like a relative path, I could do anything that might be local to that directory where CrushFTP is currently running; that's on my desktop here in crushftp1. So we could pull down the whole binary or the installation instructions, preferences, maybe session objects, RSA keys, etc., but we'll just be checking if they exist right now.

But remember, we saw some functionality, and I realize I'm not drilling down through the entire call chain, so bear with me here, but there was some magic where, look, if it had the include functionality included as the string in the parameters here, then it might literally just include a file. If I go track down this function here, this ends up checking for the include presence, creating a new RandomAccessFile, getting some of the content out of it and displaying it in the response. So let's just do an experiment here, like include our anything.txt; in fact, maybe we should make sure to close that, since that's how it was going to end up replacing it in the string here. Now obviously that anything.txt file doesn't exist, but we could check to see, could we include a file that does exist? Let's try to use some of those that we saw just a moment ago, kind of browsing through the file explorer here; we saw this SSH host RSA key. And if I run this, if I hit Ctrl+B with these include tags to potentially include a file, look at that, there is the raw contents and output of this SSH private key present on the box. This could be done remotely; it doesn't have to be local from this testbed example that we've done here. And, I don't know, could I try to do this on, like, C:\Windows\System32? Let me add an r to make this a raw string, drivers\etc\hosts; can I pull the hosts file? Ctrl+B, yeah. So that is totally outside of a virtual file system, like anything in an FTP sort of service might create, like, hey, you have this enclave of files that you're willing to serve. But no, we should have this read capability, thanks to this potential vulnerability, across the endpoint, anywhere on the file system.

And just as I mentioned, you could try to provide any of those sort of variables that you might like that we saw even in some of the code earlier, or we could track down in the documentation, like host_name with two parentheses, err, excuse me, percent signs around it; that should actually return literally the IP address. There's even some other syntax for server variables, like a user_name when we're wrapping this in the curly braces. If I run this, that should return the value anonymous where that's presented, because that's the anonymous user session that we're in right now. We could check out the user ID, that's 72 in my case; if I keep running this, that should give me new ones, right, because it's a new anonymous session each time. A lot of these server variables are represented and included in their documentation; you can track it down online, take a look at some of the other things you might be able to pull and access. And this is interesting to me, right, because that's not strictly local file inclusion but almost in a sense like server-side template injection, sort of, kind of, because you can read different variables or configuration settings.

Now at the very start of all this, what I just showed you was the extent of what we knew of the vulnerability. It's presumably, once it got a CVE, look, okay, breaking past the VFS, or virtual file system, to read any other local file on the endpoint. But we have to wonder, could this be pushed further? Could you use it for remote code execution? Could you leverage that to run commands and ultimately fully compromise the host if that service is installed and running on a system? I got to say, I haven't tracked down a way to do that, leverage this thing all the way to full RCE, but let me say now that it is totally possible; we'll chat about that in just a second. But at least the idea, kind of like what I was thinking, maybe what sounds possible or plausible, is that, look, CrushFTP will host and store things in a sessions.obj file, and that's sort of like an active cache for actively logged-in users. Because we could read files, maybe we could pull that file down, go ahead and carve out and pull out some of the session cookies, and then hope, hope and pray, that, oh, the admin user logged in and we could steal their session cookie, bypass authentication to become the admin, and then create a new task or job and gain natural remote code execution just through the functionality of the app and the admin capability. Let me show you that. Like, if I were to just simply include that sessions.obj file, relative in the current directory, try to pull that down, you'll see that it's a boatload of nonsense. It's a blob, it's binary data, like marshaled, whatever, compressed, to ultimately be able to store, retrieve, recall that data as needed. But look at all of these sort of structures, all of these different components that look like auth tokens, because they actually are; they were for these logged-in sessions. Now, because I've run this script over and over and over again, we've got a lot of anonymous sessions here, but again, to a certain amount you'd have to hope the admin session happens to be logged in at the time of your exploit, or just keep looping and wait and try to steal this until you could steal that session and then get code execution.

Truth be told, actually, that method is basically what was done in the old, previous CVE-2023-43177 bug with CrushFTP. When they leveraged this to remote code execution, they did exactly that: tracking down, trying to keep an eye on that sessions.obj file and then hoping to see, can we get an admin session, user logged in at that time? Let me go drill down, find it for us. Here it is, yeah, yeah, yeah, okay, let me zoom in: in the primary install folder, a serialized Java object called sessions.obj contains cached information about current logins, including all active and live user session tokens. So we could totally track that down to steal the admin capability. If you take a look at the script, the attack script and proof-of-concept exploit put together for that old vulnerability, that is exactly what they do. They actually have, hey, some functionality trying to steal the session obj file with sess, excuse me, sessions.obj, and then they'll just try each and every one of those API or auth tokens to see, look, do we have admin access? And then try to run code execution. If you scroll down well enough into the PoC, you can see how they actually pull off that RCE, but bear in mind that was for the old CVE, not the one that we're chatting about right now, 2024-44.

If you take a look back at the scanner code that we saw from Flare, this other GitHub repository, even from Airbus themselves, hey, the folks that actually found and disclosed, reported this vulnerability in the first place, they put out the scan_host Python script that basically gives and showcases this proof of concept for exploiting this, the current vulnerability. So I didn't feel too, too bad, like, oh, showcasing, spilling the beans on that file inclusion trick. I don't think I could demo the RCE component yet, but I know someone who can, and it might already be out and about, because I've got to give a seriously big kudos to Rapid7, who's been doing an awesome job keeping track of this, chasing this CrushFTP vulnerability, digging into the code, trying to understand and analyze how far deep this rabbit hole really goes. And look, this is a tweet from Caitlin Condon, I believe their vulnerability research director over at Rapid7. She's saying, look, there's thousands of these exposed to the internet, all the instances that are publicly available, and there is exploit code, or at least the scanner that showcases how this is done, and payloads that already discuss the exploit path and the artifacts seen from actual in-the-wild compromises. The cat is already out of the bag. I do really like her sprinkling in another tidbit here: look, if we take this in comparison, contrasting with, like, MOVEit Transfer exploitation, when that was a hot topic there were about maybe 2,500 instances, and now we've got a little bit more chatting about CrushFTP. But look, one of the researchers that was really digging into this is chair nectar, who analyzed this CVE, found that it's not only exploitable for the arbitrary file read, as we just demoed, but they can do the authentication bypass and full remote code execution. Big shout-out, kudos, celebration for Ryan Emmons and his great work. I don't know if you were tracking, but that is the very same Ryan Emmons who put together this GitHub repo with the vulnerable instance of CrushFTP for folks to download and work with, and the proof-of-concept script, and one of the same fellas who had disclosed and put together the original reporting for that first CVE, 2023. I think that's pretty cool, honestly, to see him, hey, just about everywhere, closing the circle in this. And this is the article write-up and messaging that is available from Rapid7 so far.

Again, reminder, I'm recording on April 23rd, and I believe by the time this video releases it'll be April 25th, so between then and now, while I'm recording and when this releases, I believe there will be some new information, because Rapid7 tells me, I've been chatting with some of the folks over there, that they will release their full breakdown, their deep-dive analysis, and spill the beans on everything CrushFTP probably tomorrow, so yesterday by the time this releases. Just to reiterate and emphasize, there is more to this vulnerability, and it can be fully unauthenticated, just like we did, without credentials, but not just taking the local file inclusion, so to speak, but even leveraging it for an authentication bypass to the admin account and then full remote code execution. So point-and-shoot hacking, high impact, high criticality, absolutely patch now if you are in the CrushFTP world.

With all that said, my goodness, I'm sorry, there was a whole lot to ramble on in this, because I wanted to give all the background context and I wanted to show a little bit of the fireworks, at least just slapping together some stupid Python script to showcase that small, simple attack chain, and look, finding, drilling down in some of the artifacts that you can find from, hey, compromised instances, doing patch diffing, trying to drill down into even just open-source stuff that's out on the internet, or checking in on what cybercrime threat actors and adversaries are talking about with the vulnerabilities. Maybe they'll share some links, maybe they'll talk about their own plans or operations, I don't know, you never know, but it's worth taking a look. So hey, again, please do give some love to our sponsor Flare, link in the video description, if you'd like to drill down into that just as well for your own exposed attack surface and threat management. Thank you so much for watching, hope you enjoyed this video. Like, comment, subscribe, I'll see you in the next one. Love you, take care.
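The request pattern walked through in the video (an unauthenticated POST whose `exists` command carries an `<INCLUDE>` tag, a `%var%`/`{var}` server variable, or a path outside the VFS) is the thing a defender wants to spot in traffic, so here is a small detector written as an added example; it is not John Hammond's crushit.py and not CrushFTP's code. It assumes a reverse proxy or WAF in front of CrushFTP that logs POST bodies; the log layout, the endpoint names and every sample request below are constructed for the example.

```python
"""Detect CrushFTP VFS-escape style requests in constructed proxy log lines.

Added example, not the video's script and not CrushFTP's code.  Assumes a
reverse proxy/WAF logs request bodies in the constructed layout parsed by
LOG_LINE; all sample traffic in SAMPLE_LOG is made up for this example.
"""
import re
from urllib.parse import parse_qs, unquote_plus

# <INCLUDE>...</INCLUDE> inside the path value is the file-read primitive shown
# in the video; the server compares commands case-insensitively, so do we.
INCLUDE_TAG = re.compile(r"<\s*/?\s*include\s*>", re.IGNORECASE)
# %host_name% / {user_name} style server variables (the "template injection"
# flavour the video demonstrates against the anonymous session).
SERVER_VAR = re.compile(r"%[a-z_]+%|\{[a-z_]+\}", re.IGNORECASE)
# Absolute Windows/POSIX paths or dot-dot traversal: anything leaving the VFS root.
OUTSIDE_VFS = re.compile(r"^(?:[a-z]:[\\/]|[\\/])|(?:^|[\\/])\.\.(?:[\\/]|$)",
                         re.IGNORECASE)
# Constructed log layout: <ts> <client> <method> <uri> <status> "<body>"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')


def inspect_request(method: str, body: str) -> list[str]:
    """Return the reasons one request looks like VFS-escape abuse ([] = clean).

    The HTTP status is deliberately not an input: the video notes the POST
    works against existing and non-existing endpoints alike, so a 404 is not
    a reliable signal and a 200 is not a clean bill of health.
    """
    if method.upper() != "POST":
        return []
    # parse_qs decodes one layer; decode the path once more so a double-encoded
    # %253CINCLUDE%253E does not slip past the regexes.
    params = {k.lower(): v[0]
              for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("command", "").lower() != "exists":
        return []
    path = unquote_plus(params.get("path", ""))
    reasons = []
    if INCLUDE_TAG.search(path):
        reasons.append("INCLUDE tag in path (arbitrary file read)")
    if SERVER_VAR.search(path):
        reasons.append("server variable in path (config/session disclosure)")
    if OUTSIDE_VFS.search(path):
        reasons.append("path points outside the virtual file system")
    return reasons


def scan_log(lines: list[str]) -> list[dict]:
    """Run inspect_request over raw log lines; one hit per suspicious request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue  # unparseable line; a real pipeline would count these
        _ts, client, method, uri, status, body = m.groups()
        reasons = inspect_request(method, body)
        if reasons:
            hits.append({"line": number, "client": client, "uri": uri,
                         "status": int(status), "reasons": reasons})
    return hits


# Constructed sample traffic (not captured from any real host).
SAMPLE_LOG = [
    '2024-04-22T10:15:01Z 198.51.100.7 GET /WebInterface/login.html 200 ""',
    '2024-04-22T10:15:02Z 198.51.100.7 POST /WebInterface/function/ 200 '
    '"command=exists&path=report.txt"',
    '2024-04-22T10:16:40Z 203.0.113.5 POST /does-not-exist 404 '
    '"command=EXISTS&path=%3CINCLUDE%3Essh_host_rsa_key%3C%2FINCLUDE%3E"',
    '2024-04-22T10:16:41Z 203.0.113.5 POST /WebInterface/function/ 200 '
    '"command=exists&path=%25host_name%25"',
    '2024-04-22T10:16:42Z 203.0.113.5 POST /WebInterface/function/ 200 '
    '"command=exists&path=C%3A%5CWindows%5CSystem32%5Cdrivers%5Cetc%5Chosts"',
    '2024-04-22T10:16:43Z 203.0.113.5 POST /WebInterface/function/ 200 '
    '"command=exists&path=%253CINCLUDE%253Esessions.obj%253C%252FINCLUDE%253E"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']} {hit['client']} {hit['uri']} "
              f"status={hit['status']}: " + "; ".join(hit["reasons"]))
```

Run as a script it flags lines 3 to 6 and leaves the legitimate `exists` call on `report.txt` alone; note that the 404 on line 3 and the 200s on the others are reported but never used to decide.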
Info
Channel: John Hammond
Views: 68,211
Keywords: cybersecurity for beginners, cybersecurity, hacking, ethical hacking, dark web, john hammond, malware, malware analysis, programming, tutorial, python programming, beginners, how-to, education, learn, learn cybersecurity, become a hacker, penetration testing, career, start a career in cybersecurity, how to hack, capture the flag, ctf, zero to hero, cybersecurity for noobs, ethical hacking for noobs, networkchuck, learn to hack, how to do cybersecurity, cybersecurity careers, vulnerable
Id: etHDJWYElso
Length: 31min 49sec (1909 seconds)
Published: Fri Apr 26 2024