Hello and welcome back to Red Blue Labs. Today's video is gonna be a little bit different than the ones I've done in the past: I'm actually going to be doing a walkthrough on a TryHackMe room. The room of choice for me today is actually Introduction to OWASP ZAP, and I chose this room because I personally really enjoy ZAP. I like the features that it has, and when I read this paragraph here, apparently the person who made this room prefers it over Burp. Honestly it's a personal preference kind of thing: many, many people use Burp, some people use ZAP, and I'm one of those people that use ZAP regularly.

Just a heads up, I do plan on editing this video, so it's gonna be fairly fluid as I walk through things. So there you go, now you know.
If you're not familiar with what ZAP is: it's a proxy, where you have your browser pointing to a proxy server that's running locally, so maybe on your Kali machine, and then you go on to the website. So you're sending traffic through the proxy to the website, and the website's response is going to go through the proxy back to you. You've got like a person in the middle that's handling that traffic, and while that traffic's being handled you can actually manipulate the data.
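The browser-to-proxy-to-website flow described above, as an added example that is not code from the video or from the ZAP project: a minimal forward proxy written with the Python standard library. A stub origin server stands in for the target website so everything runs offline, and the `intercept_request` hook is where a person in the middle gets to log or change a request before it goes out. The names `ProxyHandler`, `OriginHandler`, `intercept_request` and the `X-Via-Proxy` header are this example's own inventions, not ZAP internals.

```python
"""Minimal intercepting forward proxy (added example, not the video's or ZAP's code)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Every request the proxy has handled: (method, absolute URL, headers). Filled at runtime.
SEEN_REQUESTS = []


def intercept_request(method, url, headers):
    """The 'person in the middle' hook: inspect, log, and optionally edit a request.

    Constructed behaviour for the demo: record the request and add a marker header
    so the origin can show that the traffic came through the proxy.
    """
    SEEN_REQUESTS.append((method, url, dict(headers)))
    edited = dict(headers)
    edited["X-Via-Proxy"] = "demo-proxy"   # hypothetical header, not a ZAP feature
    return edited


class OriginHandler(BaseHTTPRequestHandler):
    """Stub target website: reports the path and whether the proxy marker arrived."""

    def do_GET(self):
        via = self.headers.get("X-Via-Proxy", "none")
        body = f"path={self.path} via={via}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


class ProxyHandler(BaseHTTPRequestHandler):
    """Forward proxy: a proxied browser sends absolute URLs, e.g. 'GET http://host/path'."""

    def do_GET(self):
        target = urlsplit(self.path)
        # Drop hop-by-hop headers; the real Host is rebuilt from the target URL.
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in ("proxy-connection", "host")}
        headers = intercept_request("GET", self.path, headers)
        headers["Host"] = target.netloc
        path = (target.path or "/") + (f"?{target.query}" if target.query else "")
        upstream = http.client.HTTPConnection(target.hostname, target.port or 80, timeout=5)
        upstream.request("GET", path, headers=headers)
        resp = upstream.getresponse()
        body = resp.read()
        upstream.close()
        # Relay the origin's answer back to the browser.
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in ("transfer-encoding", "connection", "server", "date"):
                self.send_header(k, v)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start_server(handler):
    """Bind a handler to an ephemeral localhost port and serve it on a daemon thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_through_proxy(proxy_port, url):
    """Act like a browser whose proxy setting points at 127.0.0.1:<proxy_port>."""
    conn = http.client.HTTPConnection("127.0.0.1", proxy_port, timeout=5)
    conn.request("GET", url)            # absolute URL, exactly as a proxied browser sends it
    resp = conn.getresponse()
    status, body = resp.status, resp.read().decode()
    conn.close()
    return status, body


def fetch_direct(origin_port, path):
    """Same request without the proxy, to show that only proxied traffic is touched."""
    conn = http.client.HTTPConnection("127.0.0.1", origin_port, timeout=5)
    conn.request("GET", path)
    body = conn.getresponse().read().decode()
    conn.close()
    return body


def demo():
    """Run origin and proxy, send one request each way, return (status, proxied, direct)."""
    origin = start_server(OriginHandler)
    proxy = start_server(ProxyHandler)
    try:
        url = f"http://127.0.0.1:{origin.server_address[1]}/login.php?x=1"
        status, proxied = fetch_through_proxy(proxy.server_address[1], url)
        direct = fetch_direct(origin.server_address[1], "/login.php?x=1")
    finally:
        for srv in (origin, proxy):
            srv.shutdown()
            srv.server_close()
    return status, proxied, direct


if __name__ == "__main__":
    print(demo())
```

Running it shows the proxied response carrying `via=demo-proxy` while the direct one says `via=none`, and `SEEN_REQUESTS` holds the full request the proxy saw; that captured request is the same kind of record ZAP's History and Sites panes are built from.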

So let's go ahead and start our room. I gotta join the room and start that machine, and we're going to start off with the first one. So ZAP stands for Zed Attack Proxy. Whoo, day 148. So let's see if I can do that right now... still waiting, 18 seconds. Task one is done.

Go to task two. "ZAP is a great tool that's totally slept on", you know, that is totally true. Go ahead and give this section a read: I've read the task.

Installation. Okay, so I've actually already gone ahead and done that. There's a couple ways you can do it; they've got the tool right here, so it's pretty straightforward: just go to the website, connect it into your Kali and go ahead and just download it. I already have it installed, so that was an easy "completed".

And then open it up. Let's go over to my machine and I open it up: hit the Windows button or the command button, "zap", powered on. Eventually your ZAP will turn on and you are ready to proceed with the rest of the room.
Let's go check out task four. On this task it looks like we're doing an automated scan. Let's go ahead and run the command that it's asking for and set up the AJAX spider.

Looks like in task 5 we are actually going to be doing some manual scanning, and we need to have our browser pointing to our ZAP proxy. There's a number of steps to do this, and actually what will make this easier is, in the drop down that you see right now, I actually have a video that I've made where I go through this entire process. So I'm gonna skip ahead; if you already have this set up, that's great, or if you want to watch that video that I've made, go ahead and do that. What IP do we use for the proxy? Well, we would be pointing it to ourselves, so that could be localhost, or I bet it's this one right over here. Bingo Bango.
With task six it looks like we are doing scanning an authenticated web application. In THM here they give us some credentials that we need to use on the machine that they've got for us, so let's go down and give the page here a read, and we are going to open up our browser on our Kali machine here. Here we go, we've got our spot here to authenticate. I'm going to put in the credentials that TryHackMe has given me and authenticate. Let's go back and take a peek at the instructions here. Looks like we're on the page that we need to be, and we need to go down to DVWA Security, as instructed. Just want to do a double check here: navigate to that tab and set the security level to low and then hit submit, and after that we're going to pass our authentication token into ZAP so that we can use the tool to scan authenticated pages. Great, let's do that: low, and submit. Okay.

So we are going to open up the inspector here, for storage, and I'm going to grab the session key here. Open the HTTP Sessions tab with the new tab button, which is that one there, and set the authenticated session to active. You might actually notice a slight disconnect between what you're seeing in the PHP session right now and what you saw about 10 seconds earlier: they do look different, and the reason for that is because I actually re-recorded doing this particular task, and I wanted to make it pretty straightforward to see how we can see in ZAP the exact same session compared to the session that we can see in the inspector of the browser. So that's what you're seeing on the screen right now. Because we have an authenticated session in our ZAP here, we're able to actually do a scan against our target and receive a lot more information, because we now at this point have an authentication on the target.
All right, so that was task six and now we're moving on to task seven, which is Brute Force Directories. Let's open up the challenge and take a look at what the requirements are here. So essentially we can actually use word lists and ZAP to do some brute forcing to figure out what kind of directories, so some directory enumeration, are on the web server. Let's go down; when we have our sites here, when we do a right click and we do a Forced Browse Site, we can actually do this directory enumeration. I actually have another video where I do the exact same thing, so you can see that in the drop down as well if you want a video specifically on that, but we're going to do the exact same thing here, and it's pretty straightforward. Let's go ahead and do a forced browse on our target system here, and then we just have to pick the list that we want, so I'll use this one. But really word lists are all over the place; you can use whatever word list works best for you. And hit play. Task six, or task seven, complete.
Okay, task number eight, let's check out what we've got here for Brute Force Web Login. So just like with the Brute Force Directories, we can actually use Hydra for this as well, but what we're doing in this room is demonstrating that we can use ZAP to do some of the similar tasks as well. What we're going to be doing also is using fuzzing again. So let's take a peek at some of the instructions that they give us here. So we have a login; we're going to be demonstrating on the brute force part of things, and we're going to be doing an attack and fuzz on the spot, the moment in time when we are actually inputting the credentials. So in here they do find a "test123", and we'll do something similar to that. I have my own technique, or word that I like to look for, and that's fine; you'll have your own that you like as well. So we're gonna find the GET and we're gonna do a fuzz on them. I actually did all this in another video, so you'll see it in the pop down on the screen here.

Now what's unique is that Kali actually comes with tons of word lists, but it comes with one called Fast Track. I've actually never used Fast Track; I use my own word lists, and that's fine too. But for this particular challenge we will be using the fasttrack.txt.

All right, let's open up our ZAP machines and navigate to the HTTP for this. So I'm going to open up my browser here, and because my browser is pointing to my proxy server I'm going to see the websites actually populate inside of my Sites here, and you can see them popping up there right now. According to the instructions on TryHackMe we will need to go to Brute Force, and at this point we're going to actually input some data that we're going to catch. So we can see it populating here, which is great. I'm going to actually expand this, and we're going to send something to it: "red blue", and then I'm going to hit enter. So it says incorrect, and that is fine. What I like to do actually is, because I know that I put "red blue" in there, I actually like to search on that: search for all and then hit enter, and I've got a post here. We've found the post where my password and name was put in there. Let's open up Resend, and you can see my username here and the password there. So what we're going to do is actually fuzz on that password there. So we've got it selected; I'm going to remove that because I just do that every time. I'm going to double click and we're going to add the word list that is recommended, so in this case it was fasttrack. You'll find word lists: file, select, Bingo Bango, okay, add, okay, options, follow redirects, and we are going to start the fuzzer. We will investigate each of these: reflected. We had a couple options that were good, "security" and "password"; let's try both of those. Password: so we can see that this one is in fact the password that actually worked when we brute forced it, so it's just straight up "password". There you go, so that was brute forcing with web login.
ZAP Extensions. So this app's really cool in that it has a ton of extensions that we can actually add to our tool, and in this page, this part here, they're actually giving us instructions on where to find some of these tools. So I recommend going ahead and actually locating these things and testing them out. If you're enjoying ZAP then learn more about these things, and maybe you can even build your own scripts that we can add. But for TryHackMe we are happy with knowing that we can do that.

Let's go on to task 10, and it's more documentation. What I kind of find funny about this particular section is that the author's like "yeah, that's pretty much all there is", which is kind of true: because Burp is so popular, it's got so much documentation on it, it's just so widely adopted that ZAP sort of has been put into the background. But I don't think that should be the case; it is actually a pretty cool tool and it's been around a while, and I just enjoy using ZAP.

There you go, so we can finish this room with a "completed", and Bingo Bango, there you go, we have finished the Introduction to ZAP room. Thanks for watching.