[00:00:00] Hello and welcome back to Red Blue Labs. Today's video is gonna be a little bit different than the ones I've done in the past, where I'm actually going to be doing a walkthrough on a TryHackMe room. The room of choice for me today is actually Introduction to OWASP ZAP, and I chose this room because I personally really enjoy ZAP. I like the features that it has, and when I read this paragraph here, apparently the person who made this room prefers it over Burp. Honestly, it's a personal preference kind of thing: many, many people use Burp, some people use ZAP. I'm one of those people that use ZAP regularly.

[00:00:43] Just a heads up, I do plan on editing this video, so it's gonna be fairly fluid as I walk through things. So there you go, now you know.

[00:00:54] If you're not familiar with what ZAP is: it's a proxy, where you have your browser pointing to a proxy server that's running locally, so maybe on your Kali machine, and then you will go on to the website. So you're sending traffic through the proxy to the website, and the website is going to go through the proxy back to you, so you've got like a person in the middle that's handling that traffic, and then while that traffic's being handled, you can actually manipulate the data.

[00:01:26] So let's go ahead and start. Uh, I gotta join the room and start that machine, and we're going to start off with the first one. So ZAP stands for Zed Attack Proxy. Whoo, day 148. So let's see if I can do that right now. Still waiting, 18 seconds. Task one is done, go to task two.

[00:01:55] "ZAP is a great tool that's totally slept on." You know, that is totally true. Go ahead and give this section a read. I've read the task.

[00:02:11] Installation. Okay, so I've actually already gone ahead and done that. There's a couple ways you can do it. They've got the tool right here, so pretty straightforward: just go to the website, connect it into your Kali, and go ahead and just download it. I already have it installed, so that was an easy "completed."

[00:02:36] And then open it up. Let's go over to my machine and open it up. Hit the Windows button or the command button, "zap," powered on. Eventually your ZAP will turn on and you are ready to proceed with the rest of the room.

[00:03:10] Let's go check out task four. On this task it looks like we're doing an automated scan. Let's go ahead and run the command that it's asking for. Set up the AJAX spider.

[00:03:29] Looks like in task five we are actually going to be doing some manual scanning, and we need to have our browser pointing to our ZAP proxy. So there's a number of steps to do this, and actually what will make this easier is, in the dropdown that you see right now, I actually have a video that I've made where I go through this entire process. So I'm gonna skip ahead. If you already have this set up, that's great, or if you want to watch that video that I've made, go ahead and do that.

[00:04:04] What IP do we use for the proxy? Well, we would be pointing it to ourselves, so that could be localhost, or I bet it's this one right over here. Bingo bango.

[00:04:22] With task six it looks like we are doing scanning an authenticated web application. So in THM here they give us some credentials that we need to use on the machine that they've got for us. So let's go down and give the page here a read, and we are going to open up our browser on our Kali machine here. And here we go, we've got our spot here to authenticate. I'm going to put in the credentials that TryHackMe has given me and authenticate.

[00:05:00] Let's go back and take a peek at the instructions here. Looks like we are on the page that we need to be, and we need to go down to DVWA Security, as instructed, and just want to do a double check here: navigate to that tab and set the security level to low and then hit submit. And after that we're going to pass our authentication token into ZAP so that we can use the tool to scan authenticated pages. Great, let's do that. Low, and submit. Okay.

[00:05:51] So we are going to open up the inspector here, for storage, and I'm going to grab the session key here.

[00:06:29] Open the HTTP Sessions tab with the new tab button, which is that one there, and set the authenticated session to active. You might actually notice a slight disconnect between what you're seeing in the PHP session right now and what you saw about 10 seconds earlier. They do look different, and the reason for that is because I actually re-recorded doing this particular task, and I wanted to make it pretty straightforward to see how we can see in ZAP the exact same session compared to the session that we can see in the inspector of the browser. So that's what you're seeing on the screen right now.

[00:07:12] Because we have an authenticated session in our ZAP here, we're able to actually do a scan against our target and receive a lot more information, because we now, at this point, have authentication on the target.

[00:07:39] All right, so that was task six, and now we're moving on to task seven, which is Brute Force Directories. Let's open up the challenge and take a look at what the requirements are here. So essentially we can actually use wordlists and ZAP to do some brute forcing to figure out what kind of directories, so some directory enumeration, are on the web server. Let's go down, and when we have our sites here, when we do a right click and we do a Forced Browse Site, we can actually do this directory enumeration. I actually have another video where I do the exact same thing, so you can see that in the dropdown as well if you want to have one specifically on that, but we're going to do the exact same thing here, and it's pretty straightforward. Let's go ahead and do a forced browse on our target system here.

[00:08:50] And then we just have to pick the list that we want, so I'll use this one. But really, wordlists are all over the place; you can use whatever wordlist works best for you. And hit play. Task six, or task seven, complete.

[00:09:19] Okay, task number eight. Let's check out what we've got here for Brute Force Web Login. So just like with the brute force directories, we can actually use Hydra for this as well, but what we're doing in this room is demonstrating that we can use ZAP to do some of the similar tasks as well. What we're going to be doing also is using fuzzing again. So let's take a peek at some of the instructions that they give us here. So we have a login, so we're going to be demonstrating on the brute force part of things, and we're going to be doing an attack and fuzz on the spot, the moment in time when we are actually inputting the credentials. So in here they do find a "test123," and we'll do something similar to that. I have my own technique, or word that I like to look for, and that's fine; you'll have your own that you like as well.

[00:10:18] So we're gonna find the GET and we're gonna do a fuzz, or attack, on them. I actually did all this in another video, so you'll see it in this pop-down on the screen here. Now what's unique is that Kali comes with tons of wordlists, but it comes with one called fasttrack. I've actually never used fasttrack, I use my own wordlists, and that's fine too, but for this particular challenge we will be using the fasttrack.txt.

[00:10:49] All right, let's open up our ZAP machines and navigate to the HTTP for this. So I'm going to open up my browser here, and because my browser is pointing to my proxy server, I'm going to see the websites actually populate inside of my Sites here, and you can see them popping up there right now. And according to the instructions on TryHackMe we will need to go to Brute Force, and at this point we're going to actually input some data that we're going to catch, so we can see it populating here, which is great.

[00:11:49] I'm going to actually expand this, and we're going to send something to it: "red blue," and then I'm going to hit enter. So it says incorrect, and that is fine. What I like to do actually is, because I know that I put "red blue" in there, I actually like to search on that, and search for all, and then hit enter. And I've got a POST here; we've found the POST where my password and name was put in there. Let's open up Resend, and you can see my username here and the password there. So what we're going to do is actually fuzz on that password there. So we've got it selected. I'm going to remove that, because I just do that every time. I'm going to double click, and we're going to add the wordlist that is recommended, so in this case it was fasttrack. You'll find wordlists, file, select. Bingo bango. Okay, add, okay, options, follow redirects, and we are going to start the fuzzer.

[00:13:45] And we will investigate each of these. Reflected. We had a couple options that were good: "security" and "password." Let's try both of those. "password." So we can see that this one is in fact the password that actually worked when we brute forced it, so it's just straight up "password." There you go, so that was brute forcing with web login.

[00:14:43] ZAP extensions. So this app's really cool in that it has a ton of extensions that we can actually add to our tool, and in this page, this part here, they're actually giving us instructions on where to find some of these tools. So I recommend going ahead and actually locating these things and testing them out. If you're enjoying ZAP, then learn more about these things, and maybe you can even build your own scripts that we can add. But for TryHackMe we are happy with knowing that we can do that.

[00:15:16] Let's go on to task 10, and it's more documentation. What I kind of find funny about this particular section is that the author's like, "yeah, that's pretty much all there is," which is kind of true. Because Burp is so popular, it's got so much documentation on it; it's just so widely adopted that ZAP sort of has been put into the background. But I don't think that should be the case. It is actually a pretty cool tool, and it's been around a while, and I just enjoy using it. There you go, so we can finish this room with a "completed."

[00:16:02] And bingo bango, there you go, we have finished the Introduction to ZAP room. Thanks for watching.