WEBVTT

00:00:00.960 --> 00:00:03.540
Hello and welcome back to RedBlue Labs.

00:00:03.540 --> 00:00:04.980
Today's video is going to be a little bit

00:00:04.980 --> 00:00:06.240
different than the ones I've done in the

00:00:06.240 --> 00:00:08.160
past, where I'm actually going to be

00:00:08.160 --> 00:00:10.860
doing a walkthrough on a TryHackMe

00:00:10.860 --> 00:00:13.980
room. The room of choice for me today is

00:00:13.980 --> 00:00:17.820
actually "Introduction to OWASP ZAP," and I

00:00:17.820 --> 00:00:20.100
chose this room because I personally

00:00:20.100 --> 00:00:24.180
really enjoy ZAP. I like

00:00:24.180 --> 00:00:26.640
the features that it has, and when I

00:00:26.640 --> 00:00:29.519
had this paragraph here,

00:00:29.519 --> 00:00:30.779
apparently the person who made this

00:00:30.779 --> 00:00:33.420
room prefers it over Burp. And honestly,

00:00:33.420 --> 00:00:35.219
it's a personal preference kind

00:00:35.219 --> 00:00:37.739
of thing. Many, many people use Burp. Some

00:00:37.739 --> 00:00:40.020
people use ZAP. I'm one of those people

00:00:40.020 --> 00:00:43.079
that uses ZAP regularly.

00:00:43.079 --> 00:00:45.840
Just a heads up, I do plan on editing

00:00:45.840 --> 00:00:48.120
this video, so it's going to be

00:00:48.120 --> 00:00:50.700
fairly fluid as I walk through

00:00:50.700 --> 00:00:54.239
things. So there you go. Now you know.

00:00:54.239 --> 00:00:55.980
If you're not familiar with

00:00:55.980 --> 00:01:00.660
what ZAP is, it's a proxy where you have

00:01:00.660 --> 00:01:04.440
your browser pointing to a proxy server

00:01:04.440 --> 00:01:06.180
that's running locally, so maybe on your

00:01:06.180 --> 00:01:08.760
Kali machine, and then you will

00:01:08.760 --> 00:01:11.100
go onto the website. So, you're sending

00:01:11.100 --> 00:01:13.200
traffic through the proxy over the

00:01:13.200 --> 00:01:15.659
website, and the website is going to

00:01:15.659 --> 00:01:17.280
go through the proxy back to you. So,

00:01:17.280 --> 00:01:19.080
you've got like a person in the middle

00:01:19.080 --> 00:01:21.720
that's handling that traffic, and then

00:01:21.720 --> 00:01:23.939
while that traffic's being handled, you

00:01:23.939 --> 00:01:26.040
can actually manipulate the data.

00:01:26.040 --> 00:01:28.619
So, let's go ahead and start our room. Oh, I

00:01:28.619 --> 00:01:30.600
got to join the room. And start that

00:01:30.600 --> 00:01:32.780
machine.

00:01:35.159 --> 00:01:36.299
And we're going to start off with the

00:01:36.299 --> 00:01:39.540
first one. So, ZAP stands for

00:01:39.540 --> 00:01:43.380
Zed Attack Proxy.

00:01:43.380 --> 00:01:44.640
Woo.

00:01:44.640 --> 00:01:46.860
Day 148.

00:01:46.860 --> 00:01:49.740
So let's see if I can do that right now.

00:01:49.740 --> 00:01:51.720
Still waiting 18 seconds.

00:01:51.720 --> 00:01:54.180
Task 1 is done.

00:01:54.180 --> 00:01:55.979
Go to task 2.

00:01:55.979 --> 00:01:58.079
ZAP is a great tool that's totally slept

00:01:58.079 --> 00:02:00.659
on. You know, that is

00:02:00.659 --> 00:02:02.159
totally true.

00:02:02.159 --> 00:02:05.399
Go ahead and give this section a read.

00:02:05.399 --> 00:02:09.200
I've read the task.

00:02:11.940 --> 00:02:14.400
Installation.

00:02:14.400 --> 00:02:16.980
Okay, so I've actually already gone ahead

00:02:16.980 --> 00:02:19.260
and done that.

00:02:19.260 --> 00:02:21.120
There's a couple of ways you can

00:02:21.120 --> 00:02:24.060
do it. They've got the tool right

00:02:24.060 --> 00:02:25.140
here. So,

00:02:25.140 --> 00:02:26.400
pretty straightforward. Just go to the

00:02:26.400 --> 00:02:28.800
website, and connect it into your Kali,

00:02:28.800 --> 00:02:31.140
and go ahead and just download it. I

00:02:31.140 --> 00:02:32.940
already have it installed, so that's

00:02:32.940 --> 00:02:34.260
easy to

00:02:34.260 --> 00:02:36.180
complete,

00:02:36.180 --> 00:02:38.700
and then open it up.

00:02:38.700 --> 00:02:42.020
Let's go over my machine,

00:02:44.340 --> 00:02:45.720
and I'm going to

00:02:45.720 --> 00:02:48.440
open it up.

00:02:50.879 --> 00:02:53.160
Hit the Windows button or the Command

00:02:53.160 --> 00:02:56.239
button, ZAP,

00:02:57.710 --> 00:02:59.690
power it on.

00:03:04.319 --> 00:03:07.140
Eventually, your ZAP will turn on, and you

00:03:07.140 --> 00:03:08.580
are ready to proceed with the rest of

00:03:08.580 --> 00:03:10.260
the room.

00:03:10.260 --> 00:03:13.700
Let's go check out task 4,

00:03:15.239 --> 00:03:17.280
and this task looks like we're doing

00:03:17.280 --> 00:03:21.659
an automated scan. Let's go

00:03:21.659 --> 00:03:23.459
ahead and run the command that it's

00:03:23.459 --> 00:03:26.000
asking for.

00:03:29.400 --> 00:03:32.519
Set up the Ajax spider. Looks like in

00:03:32.519 --> 00:03:34.200
task 5, we are actually going to be doing

00:03:34.200 --> 00:03:36.659
some manual scanning and we need to have

00:03:36.659 --> 00:03:39.840
our browser pointing to our ZAP proxy.

00:03:39.840 --> 00:03:42.239
So, there's a number of steps

00:03:42.239 --> 00:03:43.980
to do this, and actually,

00:03:43.980 --> 00:03:46.860
what will make this easier is in the

00:03:46.860 --> 00:03:48.659
dropdown that you see right now, I

00:03:48.659 --> 00:03:50.280
actually have a video that I've made

00:03:50.280 --> 00:03:51.900
where

00:03:51.900 --> 00:03:53.940
I actually go through this entire

00:03:53.940 --> 00:03:57.540
process. So, I'm going to skip ahead, and if

00:03:57.540 --> 00:03:58.620
you already have this set up, then that's

00:03:58.620 --> 00:04:00.599
great. Or, if you want to watch that video

00:04:00.599 --> 00:04:04.860
that I've made, go ahead and do that.

00:04:04.860 --> 00:04:09.480
What IP do we use for the proxy? Well, we

00:04:09.480 --> 00:04:11.700
would be pointing it to ourselves. So,

00:04:11.700 --> 00:04:17.000
that could be localhost or a bit--it's

00:04:18.000 --> 00:04:22.560
this one right over here. Bingo bango.

00:04:22.560 --> 00:04:25.220
With task 6, it looks like we are

00:04:25.220 --> 00:04:27.180
scanning an authenticated web

00:04:27.180 --> 00:04:29.040
application. So,

00:04:29.040 --> 00:04:32.040
in THM here, they give us some

00:04:32.040 --> 00:04:35.100
credentials that we need to use on the

00:04:35.100 --> 00:04:36.540
machine that they've got for us. So, let's

00:04:36.540 --> 00:04:41.340
go down and give the page here a read,

00:04:41.340 --> 00:04:44.400
and we are going to

00:04:44.400 --> 00:04:46.979
open up our browser on our Kali machine

00:04:46.979 --> 00:04:48.120
here.

00:04:48.120 --> 00:04:50.220
And here we go. We've got our

00:04:50.220 --> 00:04:51.840
spot here

00:04:51.840 --> 00:04:54.660
to authenticate.

00:04:54.660 --> 00:04:56.100
They're going to put in the credentials

00:04:56.100 --> 00:04:59.900
that TryHackMe has given me

00:05:00.479 --> 00:05:02.820
and authenticate. Let's go back and take

00:05:02.820 --> 00:05:04.919
a peek at the instructions here.

00:05:04.919 --> 00:05:07.500
Looks like we have or on the page that

00:05:07.500 --> 00:05:10.820
we need to be, and we need to go down to

00:05:10.820 --> 00:05:13.500
DVWA security

00:05:13.500 --> 00:05:16.080
as instructed.

00:05:16.080 --> 00:05:19.440
And I just want to do a double check here,

00:05:19.440 --> 00:05:22.259
navigate to that tab and set the

00:05:22.259 --> 00:05:24.539
security level to low and then hit

00:05:24.539 --> 00:05:26.280
submit.

00:05:26.280 --> 00:05:28.919
And after that, we're going to pass our

00:05:28.919 --> 00:05:31.979
authentication token into ZAP so that we

00:05:31.979 --> 00:05:34.199
can use the tool to scan authenticated

00:05:34.199 --> 00:05:36.120
pages. Great.

00:05:36.120 --> 00:05:39.919
Let's do that.

00:05:41.639 --> 00:05:43.620
Low

00:05:43.620 --> 00:05:46.880
and submit.

00:05:47.280 --> 00:05:49.520
Okay,

00:05:51.660 --> 00:05:53.759
so we are going to open up the inspector

00:05:53.759 --> 00:05:56.060
here.

00:06:07.800 --> 00:06:10.500
Go to storage,

00:06:10.500 --> 00:06:14.280
and I'm going to grab the session key

00:06:14.280 --> 00:06:16.560
cookie here.

00:06:29.720 --> 00:06:33.120
And in ZAP, open the HTTP Sessions tab with the new

00:06:33.120 --> 00:06:35.699
tab button, which is that one there, and

00:06:35.699 --> 00:06:37.740
set the authenticated session to

00:06:37.740 --> 00:06:39.960
active. You might actually notice a

00:06:39.960 --> 00:06:41.940
slight disconnect between what you're

00:06:41.940 --> 00:06:44.100
seeing in the PHP session right now and

00:06:44.100 --> 00:06:45.660
what you saw about ten seconds earlier.

00:06:45.660 --> 00:06:48.720
They do look different. And the reason

00:06:48.720 --> 00:06:49.860
for that is because I actually

00:06:49.860 --> 00:06:52.800
rerecorded doing this particular task,

00:06:52.800 --> 00:06:54.840
and I wanted to make it pretty

00:06:54.840 --> 00:06:57.840
straightforward to see how we can see in

00:06:57.840 --> 00:07:01.620
ZAP the exact same session compared

00:07:01.620 --> 00:07:03.660
to the session that we can see in the

00:07:03.660 --> 00:07:06.660
inspector of the browser. So, that's what

00:07:06.660 --> 00:07:09.860
you're seeing on the screen right now.

00:07:12.600 --> 00:07:15.020
Because we have an authenticated session

00:07:15.020 --> 00:07:17.460
in our

00:07:17.460 --> 00:07:20.220
ZAP here, we're able to actually do a

00:07:20.220 --> 00:07:22.680
scan against our target and receive a

00:07:22.680 --> 00:07:25.740
lot more information because we now,

00:07:25.740 --> 00:07:29.520
at this point, have an authentication

00:07:29.520 --> 00:07:32.539
on the target.

00:07:39.900 --> 00:07:42.780
Alright, so that was task 6, and now

00:07:42.780 --> 00:07:44.580
we're moving on to task 7, which is

00:07:44.580 --> 00:07:47.160
brute-force directories. Let's open up

00:07:47.160 --> 00:07:49.199
the challenge and take a look at what

00:07:49.199 --> 00:07:50.880
are the requirements here.

00:07:50.880 --> 00:07:53.099
And so, essentially, we can actually use

00:07:53.099 --> 00:07:55.080
word lists

00:07:55.080 --> 00:07:59.039
and ZAP to do some brute-forcing to

00:07:59.039 --> 00:08:00.900
figure out what kind of directories,

00:08:00.900 --> 00:08:03.660
some directory enumeration that are on

00:08:03.660 --> 00:08:08.340
the web server. Let's go down. And when we

00:08:08.340 --> 00:08:10.500
have our sites here, when we do a

00:08:10.500 --> 00:08:12.900
right-click and we do a forced browse

00:08:12.900 --> 00:08:16.080
site, we can actually do this, do

00:08:16.080 --> 00:08:18.000
directory enumeration. I actually have

00:08:18.000 --> 00:08:19.379
another video where I do the exact same

00:08:19.379 --> 00:08:21.200
thing. So, you can see that in the dropdown

00:08:21.200 --> 00:08:22.979
as well if you want to be able to

00:08:22.979 --> 00:08:24.840
specifically watch that. But we're going

00:08:24.840 --> 00:08:26.220
to do the exact same thing here, and it's

00:08:26.220 --> 00:08:28.620
pretty straightforward. Let's go

00:08:28.620 --> 00:08:30.259
ahead and

00:08:30.259 --> 00:08:32.219
do a

00:08:32.219 --> 00:08:37.880
forced browse on our target system here.

00:08:50.899 --> 00:08:53.519
And then we just have to pick the

00:08:53.519 --> 00:08:56.279
list that we want. So, I'll use

00:08:56.279 --> 00:08:57.360
this one.

00:08:57.360 --> 00:09:00.660
But really, word lists are all over the

00:09:00.660 --> 00:09:02.339
place. You can use whatever word list

00:09:02.339 --> 00:09:05.420
works best for you.

00:09:07.140 --> 00:09:09.800
And hit play.

00:09:12.540 --> 00:09:16.460
Task 6 or task 7 complete.

00:09:19.200 --> 00:09:22.620
Okay, task 8. Let's check out

00:09:22.620 --> 00:09:25.320
what we've got here for brute-force web

00:09:25.320 --> 00:09:27.240
login.

00:09:27.240 --> 00:09:30.060
So, just like with the brute-force

00:09:30.060 --> 00:09:32.640
directories, we can actually use Hydra

00:09:32.640 --> 00:09:35.040
for this as well. But what we're doing in

00:09:35.040 --> 00:09:36.480
this room is demonstrating that we can

00:09:36.480 --> 00:09:38.700
use ZAP to do some of the similar tasks

00:09:38.700 --> 00:09:39.980
as well.

00:09:39.980 --> 00:09:42.740
What we're going to be doing also is

00:09:42.740 --> 00:09:45.720
fuzzing again. So, let's take a peek

00:09:45.720 --> 00:09:47.399
at some of the instructions that they

00:09:47.399 --> 00:09:51.060
give us here. So, we have a login. So,

00:09:51.060 --> 00:09:52.500
we're going to be demonstrating on the

00:09:52.500 --> 00:09:55.380
brute-force part of things, and we're

00:09:55.380 --> 00:09:58.920
going to be doing an attack and fuzz on

00:09:58.920 --> 00:10:01.620
the spot, the moment in time when we are

00:10:01.620 --> 00:10:05.100
actually inputting the credentials. So, in

00:10:05.100 --> 00:10:06.420
here, they do

00:10:06.420 --> 00:10:10.200
find a test 1, 2, 3, and

00:10:10.200 --> 00:10:12.060
we'll do something similar to that.

00:10:12.060 --> 00:10:15.000
I have my own technique or word that I

00:10:15.000 --> 00:10:16.620
like to look for, and that's fine. You'll

00:10:16.620 --> 00:10:17.760
have your own that you like

00:10:17.760 --> 00:10:18.779
as well.

00:10:18.779 --> 00:10:20.339
So, we're going to find the GET and we're

00:10:20.339 --> 00:10:21.720
going to do a fuzz.

00:10:21.720 --> 00:10:24.420
Alright, then. I actually did all this in

00:10:24.420 --> 00:10:26.580
another video, so you'll see it in

00:10:26.580 --> 00:10:28.500
this dropdown on the screen here.

00:10:28.500 --> 00:10:30.899
Now, what's unique is that actually Kali

00:10:30.899 --> 00:10:33.899
comes with its own--it comes with tons

00:10:33.899 --> 00:10:35.700
of word lists, but it comes with one

00:10:35.700 --> 00:10:37.680
called FastTrack. I've actually never

00:10:37.680 --> 00:10:41.279
used FastTrack. I use my own word lists,

00:10:41.279 --> 00:10:43.800
and that's fine too. But for this

00:10:43.800 --> 00:10:45.480
particular challenge, we will be using

00:10:45.480 --> 00:10:49.860
the fasttrack.txt.

00:10:49.860 --> 00:10:52.680
Alright, let's open up our ZAP machine

00:10:52.680 --> 00:10:55.320
and

00:10:55.320 --> 00:10:59.579
navigate to the HTTP for this. So, I'm

00:10:59.579 --> 00:11:01.019
going to

00:11:01.019 --> 00:11:04.339
open up my browser here.

00:11:15.240 --> 00:11:17.399
And because my browser is pointing to my

00:11:17.399 --> 00:11:20.820
proxy server, I'm going to see

00:11:20.820 --> 00:11:24.360
the websites actually populate inside of

00:11:24.360 --> 00:11:25.920
my sites here, and you can see them

00:11:25.920 --> 00:11:28.760
popping up there right now.

00:11:29.040 --> 00:11:32.068
And according to the instructions on TryHackMe,

00:11:32.068 --> 00:11:35.470
we will need to go to brute-force.

00:11:36.600 --> 00:11:38.820
And at this point, we're going to

00:11:38.820 --> 00:11:40.920
actually input

00:11:40.920 --> 00:11:42.600
some data that we're going to catch. So,

00:11:42.600 --> 00:11:45.060
we can see it populating here, which is

00:11:45.060 --> 00:11:46.516
great.

00:11:49.500 --> 00:11:52.795
I'm going to actually expand this,

00:11:55.320 --> 00:11:58.680
and we're going to send something to it.

00:11:58.680 --> 00:12:01.064
RedBlue.

00:12:02.711 --> 00:12:04.361
Password.

00:12:05.579 --> 00:12:09.260
And then I'm going to hit enter.

00:12:15.240 --> 00:12:17.220
So, it says incorrect,

00:12:17.220 --> 00:12:19.361
and that is fine.

00:12:22.320 --> 00:12:24.899
What I like to do, actually, is knowing

00:12:24.899 --> 00:12:28.140
because I know that I put RedBlue in

00:12:28.140 --> 00:12:32.300
there, I actually like to search on that

00:12:32.300 --> 00:12:37.740
and search for all, and then hit enter.

00:12:37.740 --> 00:12:40.920
And I've got a post here. We found the

00:12:40.920 --> 00:12:42.839
post where

00:12:42.839 --> 00:12:45.180
my password and name was put in there.

00:12:45.180 --> 00:12:48.720
Let's open up resend. And you can see my

00:12:48.720 --> 00:12:51.660
username here and the password there. So,

00:12:51.660 --> 00:12:53.480
what we're going to do is actually fuzz

00:12:53.480 --> 00:12:57.240
on that password there.

00:12:57.240 --> 00:12:59.160
So, we've got it selected, I'm going to

00:12:59.160 --> 00:13:00.600
remove that because I just do that every

00:13:00.600 --> 00:13:02.940
time. I'm going to double-click, and we're

00:13:02.940 --> 00:13:07.019
going to add the word list that it

00:13:07.019 --> 00:13:08.700
is recommending. So, in this case, it was

00:13:08.700 --> 00:13:09.997
FastTrack.

00:13:11.279 --> 00:13:14.820
We'll find word lists.

00:13:14.820 --> 00:13:17.880
File. Select.

00:13:17.880 --> 00:13:20.339
Bingo bango.

00:13:20.339 --> 00:13:22.680
Okay.

00:13:22.680 --> 00:13:24.180
Add.

00:13:24.180 --> 00:13:26.040
Okay.

00:13:26.040 --> 00:13:28.019
Options.

00:13:28.019 --> 00:13:31.160
Follow redirects

00:13:33.000 --> 00:13:36.499
and we are going to start the fuzzer.

00:13:45.060 --> 00:13:49.820
And we will investigate each of these

00:13:50.040 --> 00:13:53.000
reflected.

00:14:04.680 --> 00:14:06.720
We had a couple options that were

00:14:06.720 --> 00:14:08.040
good. Security

00:14:08.040 --> 00:14:12.980
and password. Let's try both of those.

00:14:17.279 --> 00:14:19.760
Password.

00:14:24.959 --> 00:14:29.180
So, we can see that this one is in fact

00:14:29.180 --> 00:14:31.620
the password that actually worked when

00:14:31.620 --> 00:14:33.839
we brute-forced it. So, it's just straight

00:14:33.839 --> 00:14:36.320
up password.

00:14:36.899 --> 00:14:39.300
There you go. So, that was

00:14:39.300 --> 00:14:43.040
brute-forcing with web login.

00:14:43.040 --> 00:14:45.300
ZAP extensions.

00:14:45.300 --> 00:14:47.639
So, ZAP's really cool in that it has

00:14:47.639 --> 00:14:49.260
a ton of extensions that we can actually

00:14:49.260 --> 00:14:51.540
add to

00:14:51.540 --> 00:14:56.100
our tool. And in this page, this part

00:14:56.100 --> 00:14:56.880
here, they're actually giving us

00:14:56.880 --> 00:14:59.459
instructions on where to find some of

00:14:59.459 --> 00:15:01.199
these tools. So, I recommend going ahead

00:15:01.199 --> 00:15:03.540
and actually locating these things, and

00:15:03.540 --> 00:15:04.920
testing them out if you're enjoying

00:15:04.920 --> 00:15:07.139
ZAP. Then, learn more about these

00:15:07.139 --> 00:15:08.880
things, and maybe you can even build your

00:15:08.880 --> 00:15:12.229
own scripts that we can add. But for TryHackMe,

00:15:12.229 --> 00:15:13.620
we are

00:15:13.620 --> 00:15:16.980
happy with knowing that we can do that.

00:15:16.980 --> 00:15:19.260
Let's go on to task 10.

00:15:21.300 --> 00:15:24.720
And it's more documentation, though,

00:15:24.720 --> 00:15:27.779
I kind of find it funny about this

00:15:28.920 --> 00:15:31.380
particular section is that it...

00:15:31.380 --> 00:15:32.940
The author's, like, "Yeah, that's pretty

00:15:32.940 --> 00:15:35.279
much all there is." Which is kind

00:15:35.279 --> 00:15:37.139
of true. Because Burp is so

00:15:37.139 --> 00:15:39.060
popular, it's got so much documentation

00:15:39.060 --> 00:15:40.560
on it,

00:15:40.560 --> 00:15:43.079
it's just so widely adopted that ZAP

00:15:43.079 --> 00:15:44.699
sort of has been put into the

00:15:44.699 --> 00:15:45.839
background.

00:15:45.839 --> 00:15:47.160
But I don't think that should be the

00:15:47.160 --> 00:15:49.199
case. It is actually a pretty cool tool,

00:15:49.199 --> 00:15:52.260
and it's been around a while, and it has...

00:15:52.260 --> 00:15:55.740
I just, I just, I enjoy using sound.

00:15:55.740 --> 00:15:57.899
There you go. So, we can finish this room

00:15:57.899 --> 00:16:01.579
with a completed.

00:16:02.519 --> 00:16:04.740
And bingo bango. There you go. We have

00:16:04.740 --> 00:16:08.519
finished the introduction to ZAP

00:16:08.519 --> 00:16:10.429
room. Thanks for watching.