Hello and welcome back to RedBlue Labs. Today's video is going to be a little bit different than the ones I've done in the past, where I'm actually going to be doing a walkthrough on a TryHackMe room. The room of choice for me today is actually "Introduction to OWASP ZAP," and I chose this room because I personally really enjoy ZAP. I like the features that it has, and when I had this paragraph here, apparently the person who made this room prefers it over Burp. And honestly, it's a personal preference kind of thing. Many, many people use Burp. Some people use ZAP. I'm one of those people that uses ZAP regularly.

Just a heads up, I do plan on editing this video, so it's going to be fairly fluid as I walk through things. So there you go. Now you know.

If you're not familiar with what ZAP is, it's a proxy where you have your browser pointing to a proxy server that's running locally, so maybe on your Kali machine, and then you will go onto the website. So, you're sending traffic through the proxy to the website, and the website is going to go through the proxy back to you. So, you've got like a person in the middle that's handling that traffic, and then while that traffic's being handled, you can actually manipulate the data.

So, let's go ahead and start our room. Oh, I've got to join the room. And start that machine. And we're going to start off with the first one. So, ZAP stands for Zed Attack Proxy. Woo. Day 148. So let's see if I can do that right now. Still waiting 18 seconds. Task 1 is done.

Go to task 2. ZAP is a great tool that's totally slept on. You know, that is totally true. Go ahead and give this section a read. I've read the task.

Installation. Okay, so I've actually already gone ahead and done that. There's a couple of ways you can do it. They've got the tool right here. So, pretty straightforward. Just go to the website, and connect it into your Kali, and go ahead and just download it. I already have it installed, so that's easy to complete, and then open it up. Let's go over to my machine, and I'm going to open it up. Hit the Windows button or the Command button, ZAP, power it on. Eventually, your ZAP will turn on, and you are ready to proceed with the rest of the room.

Let's go check out task 4, and this task looks like we're doing an automated scan. Let's go ahead and run the command that it's asking for. Set up the Ajax spider.

Looks like in task 5, we are actually going to be doing some manual scanning and we need to have our browser pointing to our ZAP proxy. So, there's a number of steps to do this, and actually, what will make this easier is in the dropdown that you see right now, I actually have a video that I've made where I actually go through this entire process. So, I'm going to skip ahead, and if you already have this set up, then that's great. Or, if you want to watch that video that I've made, go ahead and do that. What IP do we use for the proxy? Well, we would be pointing it to ourselves. So, that could be localhost or a bit--it's this one right over here. Bingo bango.

With task 6, it looks like we are scanning an authenticated web application. So, in THM here, they give us some credentials that we need to use on the machine that they've got for us. So, let's go down and give the page here a read, and we are going to open up our browser on our Kali machine here. And here we go. We've got our spot here to authenticate. They're going to put in the credentials that TryHackMe has given me and authenticate. Let's go back and take a peek at the instructions here. Looks like we are on the page that we need to be, and we need to go down to DVWA security as instructed. And I just want to do a double check here, navigate to that tab and set the security level to low and then hit submit. And after that, we're going to pass our authentication token into ZAP so that we can use the tool to scan authenticated pages. Great. Let's do that. Low and submit. Okay, so we are going to open up the inspector here. Go to storage, and I'm going to grab the session key cookie here.

And in ZAP, open the HTTP Sessions tab with the new tab button, which is that one there, and set the authenticated session to active. You might actually notice a slight disconnect between what you're seeing in the PHP session right now and what you saw about ten seconds earlier. They do look different. And the reason for that is because I actually rerecorded doing this particular task, and I wanted to make it pretty straightforward to see how we can see in ZAP the exact same session compared to the session that we can see in the inspector of the browser. So, that's what you're seeing on the screen right now.

Because we have an authenticated session in our ZAP here, we're able to actually do a scan against our target and receive a lot more information because we now, at this point, have an authentication on the target.

Alright, so that was task 6, and now we're moving on to task 7, which is brute-force directories. Let's open up the challenge and take a look at what the requirements are here. And so, essentially, we can actually use word lists and ZAP to do some brute-forcing to figure out what kind of directories, some directory enumeration, are on the web server. Let's go down. And when we have our sites here, when we do a right-click and we do a forced browse site, we can actually do this, do directory enumeration. I actually have another video where I do the exact same thing. So, you can see that in the dropdown as well if you want to be able to specifically watch that. But we're going to do the exact same thing here, and it's pretty straightforward. Let's go ahead and do a forced browse on our target system here. And then we just have to pick the list that we want. So, I'll use this one. But really, word lists are all over the place. You can use whatever word list works best for you. And hit play. Task 6 or task 7 complete.

Okay, task 8. Let's check out what we've got here for brute-force web login. So, just like with the brute-force directories, we can actually use Hydra for this as well. But what we're doing in this room is demonstrating that we can use ZAP to do some of the similar tasks as well. What we're going to be doing also is fuzzing again. So, let's take a peek at some of the instructions that they give us here. So, we have a login. So, we're going to be demonstrating on the brute-force part of things, and we're going to be doing an attack and fuzz on the spot, the moment in time when we are actually inputting the credentials. So, in here, they do find a test 1, 2, 3, and we'll do something similar to that. I have my own technique or word that I like to look for, and that's fine. You'll have your own that you like as well. So, we're going to find the GET and we're going to do a fuzz. Alright, then. I actually did all this in another video, so you'll see it in this dropdown on the screen here. Now, what's unique is that actually Kali comes with its own--it comes with tons of word lists, but it comes with one called FastTrack. I've actually never used FastTrack. I use my own word lists, and that's fine too. But for this particular challenge, we will be using the fasttrack.txt.

Alright, let's open up our ZAP machine and navigate to the HTTP for this. So, I'm going to open up my browser here. And because my browser is pointing to my proxy server, I'm going to see the websites actually populate inside of my sites here, and you can see them popping up there right now. And according to the instructions on TryHackMe, we will need to go to brute-force. And at this point, we're going to actually input some data that we're going to catch. So, we can see it populating here, which is great. I'm going to actually expand this, and we're going to send something to it. RedBlue. Password. And then I'm going to hit enter. So, it says incorrect, and that is fine. What I like to do, actually, is knowing because I know that I put RedBlue in there, I actually like to search on that and search for all, and then hit enter. And I've got a post here. We found the post where my password and name was put in there. Let's open up resend. And you can see my username here and the password there. So, what we're going to do is actually fuzz on that password there.

So, we've got it selected, I'm going to remove that because I just do that every time. I'm going to double-click, and we're going to add the word list that it is recommending. So, in this case, it was FastTrack. We'll find word lists. File. Select. Bingo bango. Okay. Add. Okay. Options. Follow redirects, and we are going to start the fuzzer. And we will investigate each of these reflected. We had a couple options that were good. Security and password. Let's try both of those. Password. So, we can see that this one is in fact the password that actually worked when we brute-forced it. So, it's just straight up password. There you go. So, that was brute-forcing with web login.

ZAP extensions. So, ZAP's really cool in that it has a ton of extensions that we can actually add to our tool. And in this page, this part here, they're actually giving us instructions on where to find some of these tools. So, I recommend going ahead and actually locating these things, and testing them out if you're enjoying ZAP. Then, learn more about these things, and maybe you can even build your own scripts that we can add. But for TryHackMe, we are happy with knowing that we can do that.

Let's go on to task 10. And it's more documentation, though, I kind of find it funny about this particular section is that it... The author's, like, "Yeah, that's pretty much all there is." Which is kind of true. Because Burp is so popular, it's got so much documentation on it, it's just so widely adopted that ZAP sort of has been put into the background. But I don't think that should be the case. It is actually a pretty cool tool, and it's been around a while, and it has... I just, I just, I enjoy using sound. There you go. So, we can finish this room with a completed. And bingo bango. There you go. We have finished the introduction to ZAP room. Thanks for watching.