1 00:00:00,390 --> 00:00:02,640 Welcome to Part Five of this module. 2 00:00:05,530 --> 00:00:07,720 The OWASP Zed Attack 3 00:00:07,720 --> 00:00:17,140 Proxy, also known as ZAP, is a popular free security tool that is actively maintained by volunteers. 4 00:00:17,140 --> 00:00:23,650 It comes prepackaged with Kali 2.0 and is entirely open source. 5 00:00:23,650 --> 00:00:29,800 It is designed to help you find security vulnerabilities in your web applications while you are developing 6 00:00:29,800 --> 00:00:32,770 and testing those applications. 7 00:00:32,770 --> 00:00:38,740 It is a solid tool for experienced pen testers to use for manual security testing. 8 00:00:38,770 --> 00:00:42,460 It's also very simplified for beginners. 9 00:00:42,640 --> 00:00:46,480 OWASP ZAP can be found under Applications, 10 00:00:46,480 --> 00:00:48,670 Web Application Analysis, 11 00:00:48,790 --> 00:00:53,050 OWASP. Because this tool takes rather a long time to load, 12 00:00:53,050 --> 00:00:55,510 I've gone ahead and started it already. 13 00:00:55,510 --> 00:01:03,310 The first time you launch the program you will be prompted to agree to a user agreement, and there is 14 00:01:03,310 --> 00:01:06,020 no other special configuration required. 15 00:01:06,040 --> 00:01:09,920 Just be aware that it doesn't tend to load very quickly. 16 00:01:10,090 --> 00:01:15,760 ZAP is cross-platform, so it can be used on Windows, Linux and Mac. 17 00:01:15,850 --> 00:01:18,310 It is entirely free and open source, 18 00:01:18,310 --> 00:01:27,190 as I said, so unlike Burp Suite there is no licensed edition. ZAP does require Java to run. 19 00:01:27,340 --> 00:01:34,450 This video is intended to be a very generalized overview of ZAP and what it can do for you. Right away 20 00:01:34,450 --> 00:01:41,530 you probably notice that this tool bears a striking resemblance to Burp Suite, and that is no accident. 
21 00:01:41,590 --> 00:01:49,480 ZAP performs many of the same functions as Burp Suite, at least the Community Edition, although it has 22 00:01:49,480 --> 00:01:55,710 fewer tabs and features. That isn't to suggest that this tool isn't worth your time. 23 00:01:55,750 --> 00:02:00,740 In fact it works at least as well as Burp in terms of the areas of its functionality. 24 00:02:00,910 --> 00:02:06,700 But if you've been working with Burp Suite for a while now, you aren't likely to see anything here that 25 00:02:06,700 --> 00:02:09,320 will jump out at you as new and exciting. 26 00:02:09,400 --> 00:02:16,600 Fewer options means that this tool is simpler to use than Burp Suite, but you don't have the ability 27 00:02:16,600 --> 00:02:23,680 to do things like control the link depth of your spidering or send results to the Intruder for brute 28 00:02:23,680 --> 00:02:30,660 force hacking. I try not to express too much opinion in these presentations, but I have to state that 29 00:02:30,680 --> 00:02:37,640 this makes ZAP the inferior offering out of the box, because once you get used to having full control 30 00:02:37,640 --> 00:02:44,810 in Burp it's hard to deal with issues such as, for example, the spidering process going on forever because 31 00:02:44,810 --> 00:02:47,790 the link depth is simply out of control. 32 00:02:47,840 --> 00:02:52,850 Now, you can expand the functionality of ZAP, which I'll talk about a little bit later. 33 00:02:52,850 --> 00:02:57,880 There are many different plugins and add-ons that can be included. 34 00:02:57,890 --> 00:03:04,240 What you're seeing here is just what comes prepackaged with Kali Linux. 35 00:03:04,250 --> 00:03:10,670 That being said, having the ability to generate reports with this tool in various formats for free is 36 00:03:10,670 --> 00:03:16,210 pretty nice and can make for some very pretty presentations after a penetration test. 
37 00:03:16,450 --> 00:03:22,370 And that isn't something you can really do with the Burp Suite Community Edition. Ease of use was a priority 38 00:03:22,370 --> 00:03:28,850 of the developers who created ZAP, which makes it very simple for beginners. To demonstrate its use, 39 00:03:28,850 --> 00:03:34,670 I will be attacking a Metasploitable 2 machine that I have running in the background. For more details 40 00:03:34,730 --> 00:03:37,230 about how to set up this machine, 41 00:03:37,250 --> 00:03:40,160 please see the prior modules. As always, 42 00:03:40,160 --> 00:03:45,830 never use this program against any target that you do not personally own or have written permission 43 00:03:45,830 --> 00:03:47,130 to pen test. 44 00:03:47,210 --> 00:03:53,180 One other small addendum to note: I'm going to assume that you have watched the prior videos in this 45 00:03:53,180 --> 00:04:00,380 module covering the Burp Suite Community Edition, so I will not be explaining the theory behind these 46 00:04:00,380 --> 00:04:02,410 processes all over again. 47 00:04:02,510 --> 00:04:06,560 Please see the prior video on spidering in Burp Suite 48 00:04:06,560 --> 00:04:12,340 if you have any questions about these processes that this video doesn't answer by itself. 49 00:04:13,010 --> 00:04:16,720 Alright, so as I said, ZAP is very easy to use. 50 00:04:17,470 --> 00:04:23,670 You just enter the web URL of the target, 51 00:04:23,920 --> 00:04:28,030 that of course you have permission to test against, and click the attack button. 52 00:04:28,030 --> 00:04:36,890 In this case we'll be using the IP of our Metasploitable box, which for me is 10.0.0.8. 53 00:04:36,910 --> 00:04:44,630 Now I will quickly point out that our target is going to be Mutillidae. 54 00:04:44,630 --> 00:04:53,400 This is a vulnerable web application that is hosted on Metasploitable 2, so it is a very convenient 55 00:04:53,400 --> 00:04:54,390 target. 
56 00:04:54,390 --> 00:04:58,620 If you've been watching other videos you will have seen me do this already. 57 00:04:58,650 --> 00:05:03,150 I'm going to narrow our target by copying Mutillidae 58 00:05:07,270 --> 00:05:16,430 and I'm going to put in slash, and I guess it won't let me paste it, so mutillidae. 59 00:05:19,670 --> 00:05:24,390 If I simply scanned 10.0.0.8, 60 00:05:24,530 --> 00:05:30,590 it would scan the entire Metasploitable machine, which is running several different vulnerable web applications, 61 00:05:30,950 --> 00:05:34,010 so that would take a very long time. 62 00:05:34,190 --> 00:05:38,860 By narrowing down to Mutillidae we'll just get a select few results. 63 00:05:39,110 --> 00:05:40,610 And now we click the attack button. 64 00:05:42,770 --> 00:05:48,820 Right away we can see that the requests are already piling up in the spidering tab. 65 00:05:48,840 --> 00:05:56,400 This will take a few minutes, and I may make small cuts to this recording in order to save time. 66 00:05:56,690 --> 00:06:03,860 As I expressed at the start of this video, there is no way in the prepackaged edition to control the 67 00:06:03,860 --> 00:06:14,830 link depth of the spidering process, so that can make this a rather lengthy procedure. And now we 68 00:06:14,830 --> 00:06:17,460 can see that it has added an active scan tab, 69 00:06:20,410 --> 00:06:21,360 and forgive me, 70 00:06:21,380 --> 00:06:23,150 the system is going to be slow. 71 00:06:23,150 --> 00:06:30,960 This is being done inside VirtualBox. And again, the link depth doesn't just apply to the spider; 72 00:06:30,980 --> 00:06:33,230 it also applies to the active scan. 73 00:06:33,230 --> 00:06:39,800 There are ways to limit this, but this is basically automated scanning to look for attack vectors. 74 00:06:39,800 --> 00:06:46,460 Very straightforward and very powerful, although it would also be very obvious to anyone looking at logs. 
75 00:06:46,490 --> 00:06:52,280 This is very useful because it allows you to spot vulnerabilities and test them out with other tools, 76 00:06:52,820 --> 00:06:55,460 or even your own web browser, against the target. 77 00:06:55,550 --> 00:07:02,540 What you are seeing now is in fact running a whole lot of active scanning, and if we just let it go it 78 00:07:02,540 --> 00:07:04,500 could take hours. 79 00:07:04,580 --> 00:07:09,950 You can see the progress bar is progressing with painful slowness. 80 00:07:09,950 --> 00:07:14,060 All of these items are being checked against a database of vulnerabilities. 81 00:07:18,070 --> 00:07:19,020 Over here, 82 00:07:19,060 --> 00:07:23,950 you can see that we have been spidering all through the site, getting all of the information that we 83 00:07:23,950 --> 00:07:28,940 might require in order to get into the site itself. In the alerts tab 84 00:07:28,950 --> 00:07:35,020 we can see what potentially exploitable problems have been found. 85 00:07:35,020 --> 00:07:41,550 So when you look over here you can see what sort of information you can get off the web server there. 86 00:07:41,560 --> 00:07:46,630 These are sorted in terms of priority and assigned a flag. The red flags, 87 00:07:46,630 --> 00:07:56,010 so the ones that are most interesting because they are deemed high risk, 
88 00:07:56,190 --> 00:08:03,880 those are your best bet for things to attack against. A description of the weakness is included, and you 89 00:08:03,880 --> 00:08:08,560 can expand the target to see individual GET requests, 90 00:08:12,420 --> 00:08:22,180 so we can see that this risk is assessed as being high, confidence medium. If we scroll down here, again 91 00:08:22,180 --> 00:08:29,840 forgive the slowness, we can get a more detailed explanation of the threat, 92 00:08:35,360 --> 00:08:42,250 and you get the idea. That being said, while this may seem like a very easy way to generate a laundry 93 00:08:42,250 --> 00:08:46,190 list of exploitable attacks against a target web application, 94 00:08:46,360 --> 00:08:52,900 be aware that you may need to confirm some of these with additional tools. ZAP sometimes gives false 95 00:08:52,900 --> 00:08:56,670 positives. That won't be the case here with Metasploitable, 96 00:08:56,680 --> 00:09:03,270 but it is something to think about, and that is indicated by the confidence level right here. If you have 97 00:09:03,270 --> 00:09:09,470 a web application server it is advisable to run this tool against your own site and then look online 98 00:09:09,480 --> 00:09:11,540 to see what these warnings mean, 99 00:09:11,550 --> 00:09:17,690 if the description is not clear enough. Through this method it's possible to find sites that are vulnerable 100 00:09:17,690 --> 00:09:25,350 to things like SQL injection and brute forcing. Another thing that we can do is highlight the web 101 00:09:25,350 --> 00:09:26,250 URL 102 00:09:31,870 --> 00:09:34,930 in these requests, copy them, 103 00:09:38,520 --> 00:09:40,770 and then paste them into our web browser, 104 00:09:51,820 --> 00:09:57,490 and this can give us more information about a particular result and how it might be hacked. 105 00:09:57,520 --> 00:09:59,470 Sometimes this information is useful. 
106 00:09:59,500 --> 00:10:05,040 Sometimes it isn't, and of course you do have to know what you're looking at. 107 00:10:05,120 --> 00:10:11,810 So hopefully this gives you an idea of what this tool does and how to use it. As you can see, the scans 108 00:10:11,810 --> 00:10:17,930 are still running, and if I had not narrowed the target to just Mutillidae, the spidering process 109 00:10:17,930 --> 00:10:21,890 would have been virtually endless. As a system administrator, 110 00:10:21,890 --> 00:10:27,860 this tool allows you to find ways to harden your security. From the black hat side of things, 111 00:10:27,860 --> 00:10:35,200 it allows a bad actor to find ways to attack seemingly well protected servers with enterprise firewalls 112 00:10:35,210 --> 00:10:41,570 by learning how best to encode and encrypt their attacks. It also helps an attacker to know how to avoid 113 00:10:41,570 --> 00:10:49,060 tripping any host intrusion detection systems that may be in place and then advance their attack more smoothly. 114 00:10:49,110 --> 00:10:55,200 It is also worth pointing out that this application has many plugins and add-ons available for it. 115 00:10:55,260 --> 00:11:01,650 It is made to be an expandable framework, so while you may not see a brute forcing tab or anything equivalent 116 00:11:01,650 --> 00:11:08,640 to Burp Suite Intruder in the prepackaged version, it is possible to download plugins and add-ons to 117 00:11:08,640 --> 00:11:16,010 grant ZAP that sort of functionality. ZAP is also unique in that it has excellent smart card support. 118 00:11:16,040 --> 00:11:23,340 So if the app you are testing uses tokens or smart cards for authentication, that's something to consider. 119 00:11:24,710 --> 00:11:32,990 ZAP also has the capability to compare two sessions, which is very useful if your application supports 120 00:11:32,990 --> 00:11:38,120 multiple roles, and this is not possible with the Burp Suite Community Edition. 
121 00:11:38,330 --> 00:11:45,980 It can even invoke external apps where supported, and you can import results back into this app, which is 122 00:11:45,980 --> 00:11:51,420 pretty handy and again not something you can do in the Community Edition of Burp Suite. 123 00:11:51,440 --> 00:11:57,740 So to conclude this presentation, I'll just say that while ZAP is rather simplistic out of the box, users 124 00:11:57,740 --> 00:12:04,280 who do not wish to purchase the Burp Suite commercial edition may find ZAP to be an acceptable substitution 125 00:12:04,550 --> 00:12:07,760 once additional plugins and add-ons are installed. 126 00:12:07,820 --> 00:12:12,890 However, always do your due diligence and never download a plugin or an add-on from an untrustworthy 127 00:12:12,890 --> 00:12:15,200 source without first verifying it. 128 00:12:16,190 --> 00:12:23,270 Finally, it is possible to configure your browser to proxy via ZAP in exactly the same way as you 129 00:12:23,270 --> 00:12:24,720 would with Burp Suite. 130 00:12:24,890 --> 00:12:28,840 For more information on how to do this, please see the prior module. 131 00:12:28,850 --> 00:12:35,000 Be aware that you can only use one such program at a time, so you can't do this with both Burp Suite 132 00:12:35,090 --> 00:12:39,510 and ZAP simultaneously. And that about covers it. 133 00:12:39,510 --> 00:12:43,340 This is a very simple application, although quite powerful. 134 00:12:43,380 --> 00:12:47,380 I hope you find it useful in your penetration testing. Thank you.