Hello and welcome back to RedBlue Labs. Today's video is going to be a little bit different than the ones I've done in the past, where I'm actually going to be doing a walkthrough on a TryHackMe room. The room of choice for me today is actually "Introduction to OWASP Zap," and I chose this room because I personally really enjoy ZAP. I like the features that it has, and when I had this paragraph here, apparently the person who made this room prefers it over Burp. And honestly, it's a personal preference kind of thing. Many, many people use Burp. Some people use ZAP. I'm one of those people that uses ZAP regularly. Just a heads up, I do plan on editing this video, so it's going to be fairly fluid as I walk through things. So there you go. Now you know. If you're not familiar with what ZAP is, it's a proxy where you have your browser pointing to a proxy server that's running locally, so maybe on your Kali machine, and then you will go onto the website. So, you're sending traffic through the proxy over the website, and the website is going to go through the proxy back to you. So, you've got like a person in the middle that's handling that traffic, and then while that traffic's being handled, you can actually manipulate the data. So, let's go ahead and start our room. Oh, I got to join the room. And start that machine. And we're going to start off with the first one. So, ZAP stands for Zed Attack Proxy. Woo. Day 148. So let's see if I can do that right now. Still waiting 18 seconds. Task 1 is done. Go to task 2. ZAP is a great tool that's totally slept on. You know, that is totally true. Go ahead and give this section a read. I've read the task. Installation. Okay, so I've actually already gone ahead and done that. There's a couple of ways you can do it. They've got the tool right here. So, pretty straightforward. Just go to the website, and connect it into your Kali, and go ahead and just download it. 
I already have it installed, so that's easy to complete, and then open it up. Let's go over my machine, and I'm going to open it up. Hit the Windows button or the Command button, ZAP, power it on. Eventually, your ZAP will turn on, and you are ready to proceed with the rest of the room. Let's go check out task 4, and this task looks like we're doing an automated scan. Let's go ahead and run the command that it's asking for. Set up the Ajax spider. Looks like in task 5, we are actually going to be doing some manual scanning and we need to have our browser pointing to our ZAP proxy. So, there's a number of steps to do this, and actually, what will make this easier is in the dropdown that you see right now, I actually have a video that I've made where I actually go through this entire process. So, I'm going to skip ahead, and if you already have this set up, then that's great. Or, if you want to watch that video that I've made, go ahead and do that. What IP do we use for the proxy? Well, we would be pointing it to ourselves. So, that could be localhost or a bit--it's this one right over here. Bingo bango. With task 6, it looks like we are scanning an authenticated web application. So, in THM here, they give us some credentials that we need to use on the machine that they've got for us. So, let's go down and give the page here a read, and we are going to open up our browser on our Kali machine here. And here we go. We've got our spot here to authenticate. They're going to put in the credentials that TryHackMe has given me and authenticate. Let's go back and take a peek at the instructions here. Looks like we have or on the page that we need to be, and we need to go down to DVWA security as instructed. And I just want to do a double check here, navigate to that tab and set the security level to low and then hit submit. And after that, we're going to pass our authentication token into ZAP so that we can use the tool to scan authenticated pages. Great. Let's do that. 
Low and submit. Okay, so we are going to open up the inspector here. Go to storage, and I'm going to grab the session key cookie here. And in ZAP, open the HTTP Sessions tab with the new tab button, which is that one there, and set the authenticated session to active. You might actually notice a slight disconnect between what you're seeing in the PHP session right now and what you saw about ten seconds earlier. They do look different. And the reason for that is because I actually rerecorded doing this particular task, and I wanted to make it pretty straightforward to see how we can see in ZAP the exact same session compared to the session that we can see in the inspector of the browser. So, that's what you're seeing on the screen right now. Because we have an authenticated session in our ZAP here, we're able to actually do a scan against our target and receive a lot more information because we now, at this point, have an authentication on the target. Alright, so that was task 6, and now we're moving on to task 7, which is brute-force directories. Let's open up the challenge and take a look at what the requirements are here. And so, essentially, we can actually use word lists and ZAP to do some brute-forcing to figure out what kind of directories, some directory enumeration that are on the web server. Let's go down. And when we have our sites here, when we do a right-click and we do a forced browse site, we can actually do this, do directory enumeration. I actually have another video where I do the exact same thing. So, you can see that in the dropdown as well if you want to be able to specifically watch that. But we're going to do the exact same thing here, and it's pretty straightforward. Let's go ahead and do a forced browse on our target system here. And then we just have to pick the list that we want. So, I'll use this one. But really, word lists are all over the place. You can use whatever word list works best for you. And hit play. Task 6 or task 7 complete. 
Okay, task 8. Let's check out what we've got here for brute-force web login. So, just like with the brute-force directories, we can actually use Hydra for this as well. But what we're doing in this room is demonstrating that we can use ZAP to do some of the similar tasks as well. What we're going to be doing also is fuzzing again. So, let's take a peek at some of the instructions that they give us here. So, we have a login. So, we're going to be demonstrating on the brute-force part of things, and we're going to be doing an attack and fuzz on the spot, the moment in time when we are actually inputting the credentials. So, in here, they do find a test 1, 2, 3, and we'll do something similar to that. I have my own technique or word that I like to look for, and that's fine. You'll have your own that you like as well. So, we're going to find the GET and we're going to do a fuzz. Alright, then. I actually did all this in another video, so you'll see it in this dropdown on the screen here. Now, what's unique is that actually Kali comes with its own--it comes with tons of word lists, but it comes with one called FastTrack. I've actually never used FastTrack. I use my own word lists, and that's fine too. But for this particular challenge, we will be using the fasttrack.txt. Alright, let's open up our ZAP machine and navigate to the HTTP for this. So, I'm going to open up my browser here. And because my browser is pointing to my proxy server, I'm going to see the websites actually populate inside of my sites here, and you can see them popping up there right now. And according to the instructions on TryHackMe, we will need to go to brute-force. And at this point, we're going to actually input some data that we're going to catch. So, we can see it populating here, which is great. I'm going to actually expand this, and we're going to send something to it. RedBlue. Password. And then I'm going to hit enter. So, it says incorrect, and that is fine. 
What I like to do, actually, is knowing because I know that I put RedBlue in there, I actually like to search on that and search for all, and then hit enter. And I've got a post here. We found the post where my password and name was put in there. Let's open up resend. And you can see my username here and the password there. So, what we're going to do is actually fuzz on that password there. So, we've got it selected, I'm going to remove that because I just do that every time. I'm going to double-click, and we're going to add the word list that it is recommending. So, in this case, it was FastTrack. We'll find word lists. File. Select. Bingo bango. Okay. Add. Okay. Options. Follow redirects and we are going to start the fuzzer. And we will investigate each of these reflected. We had a couple options that were good. Security and password. Let's try both of those. Password. So, we can see that this one is in fact the password that actually worked when we brute-forced it. So, it's just straight up password. There you go. So, that was brute-forcing with web login. ZAP extensions. So, ZAP's really cool in that it has a ton of extensions that we can actually add to our tool. And in this page, this part here, they're actually giving us instructions on where to find some of these tools. So, I recommend going ahead and actually locating these things, and testing them out if you're enjoying ZAP. Then, learn more about these things, and maybe you can even build your own scripts that we can add. But for TryHackMe, we are happy with knowing that we can do that. Let's go on to task 10. And it's more documentation, though, I kind of find it funny about this particular section is that it... The author's, like, "Yeah that's pretty much all there is." Which is kind of true. Because Burp is so popular, it's got so much documentation on it, it's just so widely adopted that ZAP sort of has been put into the background. But I don't think that should be the case. 
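As an added, defender-side illustration of the two ZAP runs walked through above (the forced browse in task 7 and the login fuzz in task 8), and not part of the video or the TryHackMe room: a small Python checker that flags the access-log footprint those runs leave behind, a burst of 404s from one client and a burst of hits on the login endpoint from one client. The log lines, the `/login` path and the thresholds are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed combined-format access-log lines; not traffic from the room's target.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 1532
10.0.0.9 - - [12/Mar/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 404 210
10.0.0.9 - - [12/Mar/2024:10:00:02 +0000] "GET /backup HTTP/1.1" 404 210
10.0.0.9 - - [12/Mar/2024:10:00:03 +0000] "GET /config HTTP/1.1" 404 210
10.0.0.9 - - [12/Mar/2024:10:00:03 +0000] "GET /test HTTP/1.1" 404 210
10.0.0.9 - - [12/Mar/2024:10:00:04 +0000] "GET /old HTTP/1.1" 404 210
10.0.0.7 - - [12/Mar/2024:10:01:00 +0000] "GET /login?username=a&password=b HTTP/1.1" 200 300
10.0.0.7 - - [12/Mar/2024:10:01:01 +0000] "GET /login?username=a&password=c HTTP/1.1" 200 300
10.0.0.7 - - [12/Mar/2024:10:01:01 +0000] "GET /login?username=a&password=d HTTP/1.1" 200 300
10.0.0.7 - - [12/Mar/2024:10:01:02 +0000] "GET /login?username=a&password=e HTTP/1.1" 200 300
10.0.0.7 - - [12/Mar/2024:10:01:02 +0000] "GET /login?username=a&password=f HTTP/1.1" 200 300
malformed line that the parser must skip rather than crash on
"""

# Combined log format: client, identd, user, [timestamp], "METHOD path proto", status, bytes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

def parse_line(line):
    # Returns (ip, timestamp, path without query string, status) or None if unparseable.
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path.split("?", 1)[0], int(status)

def burst(times, window_s, threshold):
    # True if `threshold` of the (sorted) timestamps fall inside any window_s-second span.
    return any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - threshold + 1))

def detect(lines, login_path="/login", window_s=60, min_404=5, min_login=5):
    # Bucket events per client, then flag bursts of 404s (forced browse) and bursts of
    # hits on the login endpoint (password guessing) inside the window.
    by_ip = defaultdict(list)
    for ip, ts, path, status in filter(None, map(parse_line, lines)):
        by_ip[ip].append((ts, path, status))
    findings = []
    for ip, evs in by_ip.items():
        evs.sort()
        if burst([ts for ts, _, st in evs if st == 404], window_s, min_404):
            findings.append((ip, "forced_browse"))
        if burst([ts for ts, p, _ in evs if p == login_path], window_s, min_login):
            findings.append((ip, "login_bruteforce"))
    return findings
```

Running `detect(SAMPLE_LOG.splitlines())` flags 10.0.0.9 for forced browsing and 10.0.0.7 for login guessing while the single normal request from 10.0.0.5 stays clean; on a real server the thresholds need tuning against the site's normal 404 rate.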
It is actually a pretty cool tool, and it's been around a while, and it has... I just, I just, I enjoy using sound. There you go. So, we can finish this room with a completed. And bingo bango. There you go. We have finished the introduction to ZAP room. Thanks for watching.