0:00:00.960,0:00:03.540 hello and welcome back to Red Blue Labs
0:00:03.540,0:00:04.980 today's video is gonna be a little bit
0:00:04.980,0:00:06.240 different than the ones I've done in the
0:00:06.240,0:00:08.160 past where I actually am going to be
0:00:08.160,0:00:10.860 doing a walk through on a TryHackMe
0:00:10.860,0:00:13.980 room the room of choice for me today is
0:00:13.980,0:00:17.820 actually Introduction to OWASP ZAP and I
0:00:17.820,0:00:20.100 chose this room because I personally
0:00:20.100,0:00:24.180 really enjoy ZAP I like
0:00:24.180,0:00:26.640 the the features that it has and when I
0:00:26.640,0:00:29.519 read this paragraph here
0:00:29.519,0:00:30.779 um apparently the person who made this
0:00:30.779,0:00:33.420 room prefers it over Burp and honestly
0:00:33.420,0:00:35.219 it's a it's a personal preference kind
0:00:35.219,0:00:37.739 of thing many many people use Burp some
0:00:37.739,0:00:40.020 people use ZAP I'm one of those people
0:00:40.020,0:00:43.079 that use ZAP regularly
0:00:43.079,0:00:45.840 just a heads up I do plan on editing
0:00:45.840,0:00:48.120 this video so it's gonna be
0:00:48.120,0:00:50.700 fairly fluid and as I walk through
0:00:50.700,0:00:54.239 things so there you go now you know
0:00:54.239,0:00:55.980 if you're if you're not familiar with
0:00:55.980,0:01:00.660 what ZAP is it's a proxy where you have
0:01:00.660,0:01:04.440 your browser pointing to a proxy server
0:01:04.440,0:01:06.180 that's running locally so maybe on your
0:01:06.180,0:01:08.760 Kali machine and then you will
0:01:08.760,0:01:11.100 go on to the website so you're sending
0:01:11.100,0:01:13.200 traffic through the proxy over the
0:01:13.200,0:01:15.659 website and then the website is going to
0:01:15.659,0:01:17.280 go through the proxy back to you so
0:01:17.280,0:01:19.080 you've got like a a person in the middle
0:01:19.080,0:01:21.720 that's handling that traffic and then
0:01:21.720,0:01:23.939 while that traffic's being handled you
0:01:23.939,0:01:26.040 can actually manipulate the data
0:01:26.040,0:01:28.619 so let's go ahead and start arm remove I
0:01:28.619,0:01:30.600 gotta join the room and start that
0:01:30.600,0:01:32.780 machine
0:01:35.159,0:01:36.299 and we're going to start off with the
0:01:36.299,0:01:39.540 first one so ZAP stands for
0:01:39.540,0:01:43.380 Zed Attack Proxy
0:01:43.380,0:01:44.640 whoo
0:01:44.640,0:01:46.860 day 148.
0:01:46.860,0:01:49.740 so let's see if I can do that right now
0:01:49.740,0:01:51.720 still waiting 18 seconds
0:01:51.720,0:01:54.180 task one is done
0:01:54.180,0:01:55.979 go to task two
0:01:55.979,0:01:58.079 ZAP is a great tool that's totally slept
0:01:58.079,0:02:00.659 on you know that is
0:02:00.659,0:02:02.159 totally true
0:02:02.159,0:02:05.399 go ahead and give this section a read
0:02:05.399,0:02:09.200 I've read the task
0:02:11.940,0:02:14.400 installation
0:02:14.400,0:02:16.980 okay so I've actually already gone ahead
0:02:16.980,0:02:19.260 and done that
0:02:19.260,0:02:21.120 there's uh there's a couple ways you can
0:02:21.120,0:02:24.060 do it uh they've got the the tool right
0:02:24.060,0:02:25.140 here so
0:02:25.140,0:02:26.400 pretty straightforward just go to the
0:02:26.400,0:02:28.800 website and connect it into your Kali
0:02:28.800,0:02:31.140 and go ahead and just download it I
0:02:31.140,0:02:32.940 already have it installed so and that's
0:02:32.940,0:02:34.260 that was an easy
0:02:34.260,0:02:36.180 completed
0:02:36.180,0:02:38.700 and then open it up
0:02:38.700,0:02:42.020 let's go over my machine
0:02:44.340,0:02:45.720 and I
0:02:45.720,0:02:48.440 open it up
0:02:50.879,0:02:53.160 hit the Windows button or the command
0:02:53.160,0:02:56.239 button ZAP
0:02:57.780,0:03:00.440 powered on
0:03:04.319,0:03:07.140 eventually your ZAP will turn on and you
0:03:07.140,0:03:08.580 are ready to proceed with the rest of
0:03:08.580,0:03:10.260 the room
0:03:10.260,0:03:13.700 let's go check out task four
0:03:15.239,0:03:17.280 and on this task looks like we're doing
0:03:17.280,0:03:21.659 an automated scan let's let's go
0:03:21.659,0:03:23.459 ahead and run the command that it's
0:03:23.459,0:03:26.000 asking for
0:03:29.400,0:03:32.519 set up the AJAX Spider looks like in
0:03:32.519,0:03:34.200 task 5 we are actually going to be doing
0:03:34.200,0:03:36.659 some manual scanning and we need to have
0:03:36.659,0:03:39.840 our browser pointing to our ZAP proxy
0:03:39.840,0:03:42.239 so there's a there's a number of steps
0:03:42.239,0:03:43.980 to do this and actually
0:03:43.980,0:03:46.860 what will make this easier is in the
0:03:46.860,0:03:48.659 drop down that you see right now I
0:03:48.659,0:03:50.280 actually have a video that I've made
0:03:50.280,0:03:51.900 where
0:03:51.900,0:03:53.940 I actually go through this entire
0:03:53.940,0:03:57.540 process so I'm gonna skip ahead and if
0:03:57.540,0:03:58.620 you already have this set up and that's
0:03:58.620,0:04:00.599 great or if you want to watch that video
0:04:00.599,0:04:04.860 that I've made go ahead and do that
0:04:04.860,0:04:09.480 what IP do we use for the proxy well we
0:04:09.480,0:04:11.700 would be pointing it to ourselves so
0:04:11.700,0:04:17.000 that could be localhost or I bet it's
0:04:18.000,0:04:22.560 this one right over here bingo bango
0:04:22.560,0:04:25.220 with task six it looks like we are doing
0:04:25.220,0:04:27.180 scanning an authenticated web
0:04:27.180,0:04:29.040 application so
0:04:29.040,0:04:32.040 in THM here they give us some some
0:04:32.040,0:04:35.100 credentials that we need to use on the
0:04:35.100,0:04:36.540 machine that they've got for us so let's
0:04:36.540,0:04:41.340 go down and give the page here a read
0:04:41.340,0:04:44.400 and we are going to
0:04:44.400,0:04:46.979 open up our browser on our Kali machine
0:04:46.979,0:04:48.120 here
0:04:48.120,0:04:50.220 and here we go we've got our
0:04:50.220,0:04:51.840 spot here
0:04:51.840,0:04:54.660 to authenticate
0:04:54.660,0:04:56.100 they're going to put in the credentials
0:04:56.100,0:04:59.900 that TryHackMe has given me
0:05:00.479,0:05:02.820 and authenticate let's go back and take
0:05:02.820,0:05:04.919 a peek at the instructions here
0:05:04.919,0:05:07.500 looks like we're on the page that
0:05:07.500,0:05:10.820 we need to be and we need to go down to
0:05:10.820,0:05:13.500 DVWA Security
0:05:13.500,0:05:16.080 as instructed
0:05:16.080,0:05:19.440 and just want to do a double check here
0:05:19.440,0:05:22.259 navigate to that tab and set the
0:05:22.259,0:05:24.539 security level to low and then hit
0:05:24.539,0:05:26.280 submit
0:05:26.280,0:05:28.919 and after that we're going to pass our
0:05:28.919,0:05:31.979 authentication token into ZAP so that we
0:05:31.979,0:05:34.199 can use the tool to scan authenticated
0:05:34.199,0:05:36.120 pages great
0:05:36.120,0:05:39.919 let's do that
0:05:41.639,0:05:43.620 low
0:05:43.620,0:05:46.880 and submit
0:05:47.280,0:05:49.520 okay
0:05:51.660,0:05:53.759 so we are going to open up the inspector
0:05:53.759,0:05:56.060 here
0:06:07.800,0:06:10.500 for storage
0:06:10.500,0:06:14.280 and I'm going to grab the session key
0:06:14.280,0:06:16.560 here
0:06:29.720,0:06:33.120 open the HTTP sessions tab with the new
0:06:33.120,0:06:35.699 tab button which is that one there and
0:06:35.699,0:06:37.740 set and set the authenticated session to
0:06:37.740,0:06:39.960 active you might actually notice a
0:06:39.960,0:06:41.940 slight disconnect between what you're
0:06:41.940,0:06:44.100 seeing in the PHP session right now and
0:06:44.100,0:06:45.660 what you saw about 10 seconds earlier
0:06:45.660,0:06:48.720 they do look different and the reason
0:06:48.720,0:06:49.860 for that is because I actually
0:06:49.860,0:06:52.800 re-recorded doing this particular task
0:06:52.800,0:06:54.840 and I wanted to make it pretty
0:06:54.840,0:06:57.840 straightforward to see how we can see in
0:06:57.840,0:07:01.620 ZAP the the exact same session compared
0:07:01.620,0:07:03.660 to the session that we can see in the
0:07:03.660,0:07:06.660 inspector of the browser so that's what
0:07:06.660,0:07:09.860 you're seeing on the screen right now
0:07:12.600,0:07:15.020 because we have an authenticated session
0:07:15.020,0:07:17.460 in our
0:07:17.460,0:07:20.220 ZAP here we're able to actually do a
0:07:20.220,0:07:22.680 scan against our target and receive a
0:07:22.680,0:07:25.740 lot more information because we are now
0:07:25.740,0:07:29.520 at this point have an authentication
0:07:29.520,0:07:32.539 on the target
0:07:39.900,0:07:42.780 all right so that was task six and now
0:07:42.780,0:07:44.580 we're moving on to task seven which is
0:07:44.580,0:07:47.160 brute force directories let's open up
0:07:47.160,0:07:49.199 the challenge and take a look at what
0:07:49.199,0:07:50.880 are the requirements here
0:07:50.880,0:07:53.099 and so essentially we can actually use
0:07:53.099,0:07:55.080 word lists
0:07:55.080,0:07:59.039 and ZAP to do some brute forcing to
0:07:59.039,0:08:00.900 figure out what kind of directories so
0:08:00.900,0:08:03.660 some directory enumeration that are on
0:08:03.660,0:08:08.340 the web server let's go down and when we
0:08:08.340,0:08:10.500 have our our sites here when we do a
0:08:10.500,0:08:12.900 right click and we do a forced browse
0:08:12.900,0:08:16.080 site we can actually do this do
0:08:16.080,0:08:18.000 directory enumeration I actually have
0:08:18.000,0:08:19.379 another video where I do the exact same
0:08:19.379,0:08:20.940 thing so you can see that in the drop
0:08:20.940,0:08:22.979 down as well if you want to have a
0:08:22.979,0:08:24.840 specifically on that uh but we're going
0:08:24.840,0:08:26.220 to do the exact same thing here and it's
0:08:26.220,0:08:28.620 it's pretty straightforward let's go
0:08:28.620,0:08:30.259 ahead and
0:08:30.259,0:08:32.219 do a
0:08:32.219,0:08:37.880 forced browse on our target system here
0:08:50.899,0:08:53.519 and then we just have to pick the the
0:08:53.519,0:08:56.279 list that we want so I'll use I'll use
0:08:56.279,0:08:57.360 this one
0:08:57.360,0:09:00.660 but really word lists are all over the
0:09:00.660,0:09:02.339 place you can use whatever word list
0:09:02.339,0:09:05.420 works best for you
0:09:07.140,0:09:09.800 and hit play
0:09:12.540,0:09:17.700 task six or task seven complete
0:09:19.200,0:09:22.620 okay task number eight let's check out
0:09:22.620,0:09:25.320 what we've got here for brute force web
0:09:25.320,0:09:27.240 login
0:09:27.240,0:09:30.060 so just like with the brute force
0:09:30.060,0:09:32.640 directories we can actually use Hydra
0:09:32.640,0:09:35.040 for this as well but what we're doing in
0:09:35.040,0:09:36.480 this room is demonstrating that we can
0:09:36.480,0:09:38.700 use ZAP to do some of the similar tasks
0:09:38.700,0:09:39.980 as well
0:09:39.980,0:09:42.740 the what we're going to be doing also is
0:09:42.740,0:09:45.720 using fuzzing again so let's take a peek
0:09:45.720,0:09:47.399 at some of the instructions that they
0:09:47.399,0:09:51.060 give us here so we have a a login so
0:09:51.060,0:09:52.500 we're going to be demonstrating on the
0:09:52.500,0:09:55.380 brute force part of things and we're
0:09:55.380,0:09:58.920 going to be doing an attack and fuzz on
0:09:58.920,0:10:01.620 the spot the moment in time when we are
0:10:01.620,0:10:05.100 actually inputting the credentials so in
0:10:05.100,0:10:06.420 here they do
0:10:06.420,0:10:10.200 find a test one two three and
0:10:10.200,0:10:12.060 we'll we'll do something similar to that
0:10:12.060,0:10:15.000 I have my own technique or word that I
0:10:15.000,0:10:16.620 like to look for and that's fine you'll
0:10:16.620,0:10:17.760 have you'll have your own that you like
0:10:17.760,0:10:18.779 as well
0:10:18.779,0:10:20.339 so we're gonna find the get and we're
0:10:20.339,0:10:21.720 gonna do a fuzz
0:10:21.720,0:10:24.420 or at them I actually did all this in a
0:10:24.420,0:10:26.580 another video so you'll see it in the in
0:10:26.580,0:10:28.500 this pop down on the screen here
0:10:28.500,0:10:30.899 now what's unique is that actually Kali
0:10:30.899,0:10:33.899 comes with its own uh it comes with tons
0:10:33.899,0:10:35.700 of word lists but it comes with a one
0:10:35.700,0:10:37.680 called fasttrack I've actually never
0:10:37.680,0:10:41.279 used fasttrack I use my own word lists
0:10:41.279,0:10:43.800 um and that's fine too so but for this
0:10:43.800,0:10:45.480 particular challenge we will be using
0:10:45.480,0:10:49.860 the fasttrack.txt
0:10:49.860,0:10:52.680 all right let's open up our ZAP machines
0:10:52.680,0:10:55.320 and
0:10:55.320,0:10:59.579 navigate to the HTTP for this so I'm
0:10:59.579,0:11:01.019 going to do
0:11:01.019,0:11:04.339 open up my browser here
0:11:15.240,0:11:17.399 and because my browser is pointing to my
0:11:17.399,0:11:20.820 proxy server I'm going to see
0:11:20.820,0:11:24.360 the websites actually populate inside of
0:11:24.360,0:11:25.920 my sites here and you can see them
0:11:25.920,0:11:28.760 popping up there right now
0:11:29.040,0:11:31.440 and according to the instructions on
0:11:31.440,0:11:33.720 TryHackMe we will need to go to Brute
0:11:33.720,0:11:36.079 Force
0:11:36.600,0:11:38.820 and at this point that we're going to
0:11:38.820,0:11:40.920 actually input
0:11:40.920,0:11:42.600 some data that we're going to catch so
0:11:42.600,0:11:45.060 we can see it populating here which is
0:11:45.060,0:11:47.300 great
0:11:49.500,0:11:53.360 I'm going to actually expand this
0:11:55.320,0:11:58.680 and we're going to send something to it
0:11:58.680,0:12:01.519 red blue
0:12:05.579,0:12:09.260 and then I'm going to hit enter
0:12:15.240,0:12:17.220 so it says incorrect
0:12:17.220,0:12:20.300 and that is fine
0:12:22.320,0:12:24.899 what I like to do actually is knowing
0:12:24.899,0:12:28.140 because I know that I put red blue in
0:12:28.140,0:12:32.300 there I actually like to search on that
0:12:32.300,0:12:37.740 and search for all and then hit enter
0:12:37.740,0:12:40.920 and I've got a post here we've found the
0:12:40.920,0:12:42.839 post where
0:12:42.839,0:12:45.180 my password and name was put in there
0:12:45.180,0:12:48.720 let's open up resend and you can see my
0:12:48.720,0:12:51.660 username here and the password there so
0:12:51.660,0:12:53.480 what we're going to do is actually fuzz
0:12:53.480,0:12:57.240 on that password there
0:12:57.240,0:12:59.160 so we've got it selected I'm going to
0:12:59.160,0:13:00.600 remove that because I just do that every
0:13:00.600,0:13:02.940 time I'm going to double click and we're
0:13:02.940,0:13:07.019 going to add the word list that it
0:13:07.019,0:13:08.700 is recommended so in this case it was
0:13:08.700,0:13:11.060 fasttrack
0:13:11.279,0:13:14.820 you'll find word lists
0:13:14.820,0:13:17.880 file select
0:13:17.880,0:13:20.339 bingo bango
0:13:20.339,0:13:22.680 okay
0:13:22.680,0:13:24.180 add
0:13:24.180,0:13:26.040 okay
0:13:26.040,0:13:28.019 options
0:13:28.019,0:13:31.160 follow redirects
0:13:33.000,0:13:37.399 and we are going to start the fuzzer
0:13:45.060,0:13:49.820 and we will investigate each of these
0:13:50.040,0:13:53.000 reflected
0:14:04.680,0:14:06.720 we had we had a couple options that were
0:14:06.720,0:14:08.040 good security
0:14:08.040,0:14:12.980 and password let's try both of those
0:14:17.279,0:14:19.760 password
0:14:24.959,0:14:29.180 so we can see that this one is in fact
0:14:29.180,0:14:31.620 the password that actually worked when
0:14:31.620,0:14:33.839 we brute forced it so it's just straight
0:14:33.839,0:14:36.320 up password
0:14:36.899,0:14:39.300 there you go so that was
0:14:39.300,0:14:43.040 brute forcing with web login
0:14:43.040,0:14:45.300 ZAP extensions
0:14:45.300,0:14:47.639 so this app's really cool in that it has
0:14:47.639,0:14:49.260 a ton of extensions that we can actually
0:14:49.260,0:14:51.540 add to
0:14:51.540,0:14:56.100 our our tool and in this page this part
0:14:56.100,0:14:56.880 here they're actually giving us
0:14:56.880,0:14:59.459 instructions on where to find some of
0:14:59.459,0:15:01.199 these tools so I recommend going ahead
0:15:01.199,0:15:03.540 and actually locating these things and
0:15:03.540,0:15:04.920 and testing them out if you're enjoying
0:15:04.920,0:15:07.139 ZAP then then learn more about these
0:15:07.139,0:15:08.880 things and maybe you can even build your
0:15:08.880,0:15:11.579 own scripts that we can add but for
0:15:11.579,0:15:13.620 TryHackMe we are
0:15:13.620,0:15:16.980 happy with knowing that we can do that
0:15:16.980,0:15:20.660 let's go on to task 10.
0:15:21.300,0:15:24.720 and it's more documentation than what I
0:15:24.720,0:15:27.779 I kind of find funny about this
0:15:27.779,0:15:28.920 um
0:15:28.920,0:15:31.380 this particular section is that it
0:15:31.380,0:15:32.940 the the author's like yeah that's pretty
0:15:32.940,0:15:35.279 much all there is which is which is kind
0:15:35.279,0:15:37.139 of true is that because Burp is so
0:15:37.139,0:15:39.060 popular it's got so much documentation
0:15:39.060,0:15:40.560 on it
0:15:40.560,0:15:43.079 um it's just so widely adopted that ZAP
0:15:43.079,0:15:44.699 sort of has been put into the the
0:15:44.699,0:15:45.839 background
0:15:45.839,0:15:47.160 but I don't think that should be the
0:15:47.160,0:15:49.199 case it is actually a pretty cool tool
0:15:49.199,0:15:52.260 and it's been around a while and it has
0:15:52.260,0:15:55.740 I just I just I enjoy using sound
0:15:55.740,0:15:57.899 there you go so we can finish this room
0:15:57.899,0:16:01.579 with a completed
0:16:02.519,0:16:04.740 and bingo bango there you go we have
0:16:04.740,0:16:08.519 finished the Introduction to ZAP
0:16:08.519,0:16:12.079 room thanks for watching