1
00:00:00,180 --> 00:00:06,660
So a lot like regular pen testing, you first have to gather information at the reconnaissance, you

2
00:00:06,660 --> 00:00:09,830
know, on the target web application, a website, before you attack it.

3
00:00:10,080 --> 00:00:15,930
And we can achieve this using a variety of scanning tools that we can use on a Kali Linux machine that

4
00:00:15,930 --> 00:00:16,680
come by default.

5
00:00:16,680 --> 00:00:23,340
For the most part, these web application scanners can actually take an IP address and automate scanning

6
00:00:23,520 --> 00:00:25,440
to discover potential vulnerabilities.

7
00:00:25,740 --> 00:00:29,480
So, two very similar web application scanning tools

8
00:00:29,490 --> 00:00:30,780
I personally like myself.

9
00:00:30,990 --> 00:00:36,330
I use each one for specific purposes, but they are called ZAP and Burp.

10
00:00:37,230 --> 00:00:42,140
OWASP actually made ZAP, and Burp is its own standalone application.

11
00:00:42,480 --> 00:00:44,640
They have very, very similar functionality.

12
00:00:45,240 --> 00:00:48,930
But they have some features between them that, you know, set them apart.

13
00:00:49,080 --> 00:00:55,230
And like I said, I use ZAP for specific things, and we're going to be using Burp, and I use that for certain

14
00:00:55,230 --> 00:00:55,620
things.

15
00:00:55,620 --> 00:00:57,290
And that's what I'm going to show you guys as well.

16
00:00:57,420 --> 00:01:03,180
And they typically can discover the same information and perform some of the same functions, but some

17
00:01:03,180 --> 00:01:04,830
people prefer one over the other.

18
00:01:05,550 --> 00:01:09,170
But it is worth noting that Burp has a paid edition with a lot more features.

19
00:01:09,180 --> 00:01:15,330
Well, ZAP is 100 percent free, because OWASP just wants people to make more secure applications,

20
00:01:15,330 --> 00:01:16,490
and that's why that is free.

21
00:01:16,680 --> 00:01:20,620
So let's actually go over and check out ZAP, OK?

22
00:01:20,730 --> 00:01:26,550
So back in our Kali Linux machine, you can just click on the icon over here, and

23
00:01:26,550 --> 00:01:29,000
you just type in zap and it should come up.

24
00:01:29,000 --> 00:01:30,870
ZAP should already be installed on the system.

25
00:01:30,870 --> 00:01:34,830
If it's not, you can just go online and, you know, go install that.

26
00:01:34,980 --> 00:01:37,740
So just a few seconds, let it load up.

27
00:01:38,040 --> 00:01:39,600
So once ZAP opens up,

28
00:01:39,600 --> 00:01:41,100
you're going to get this right here.

29
00:01:41,880 --> 00:01:45,330
You can go ahead and say no, don't worry about persisting the session.

30
00:01:45,570 --> 00:01:48,200
So this is the interface of ZAP.

31
00:01:48,600 --> 00:01:51,720
So it's, very honestly, straightforward.

32
00:01:51,720 --> 00:01:52,970
It's not too complicated.

33
00:01:52,980 --> 00:01:56,070
I mean, you might see a lot of icons right now, but you really get used to it.

34
00:01:56,070 --> 00:01:56,610
You really do.

35
00:01:57,420 --> 00:02:01,220
Basically, what I use ZAP for is just the automated scanning feature.

36
00:02:01,230 --> 00:02:06,870
So you want to click right here where you see automated scan; it already has a copy right there for

37
00:02:06,870 --> 00:02:06,990
you.

38
00:02:07,020 --> 00:02:16,470
So what we're going to do, we're going to put in the IP address for our Metasploitable machine, that

39
00:02:16,470 --> 00:02:19,500
one six eight five six one two four.

40
00:02:19,800 --> 00:02:26,040
And we're going to scan... actually, let's just get this address and just see what happens right here,

41
00:02:26,610 --> 00:02:31,050
so you can keep all this other stuff the same and you just hit attack.

42
00:02:32,040 --> 00:02:36,690
And what it's going to do is go through, and it's doing all kinds of different things.

43
00:02:36,690 --> 00:02:38,610
It's going to map out...

44
00:02:39,210 --> 00:02:45,690
It's going to map out the website, see what URLs exist; it's going to scan specific parts, like

45
00:02:45,690 --> 00:02:49,170
pages that it finds, for security vulnerabilities.

46
00:02:49,170 --> 00:02:55,620
And you just want to give it time, so you can see, like right here, it found almost a thousand new URLs.

47
00:02:55,770 --> 00:03:03,210
And because this little machine has a lot of... it has a few different things hosted on it to make it acceptable

48
00:03:03,210 --> 00:03:04,310
for you to practice on.

49
00:03:04,860 --> 00:03:09,540
So you see it's finding a lot of URLs, and it's going through scanning those, and it's going to pop

50
00:03:09,540 --> 00:03:14,940
up with alerts over here, and it shows you all the different vulnerabilities that it's finding and is

51
00:03:14,940 --> 00:03:16,590
updating in real time.

52
00:03:17,220 --> 00:03:22,480
So like, for example, you see private IP disclosure right here.

53
00:03:22,510 --> 00:03:23,460
You can read about it.

54
00:03:23,460 --> 00:03:30,150
It shows you exactly where it happens, like right here, shows you where in the code it happens.

55
00:03:30,510 --> 00:03:36,150
And then it gives you a little bit of detail: a private IP address has been, you know, found in the

56
00:03:36,150 --> 00:03:37,710
HTTP response body.

57
00:03:37,890 --> 00:03:39,810
So that's interesting information.

58
00:03:40,440 --> 00:03:43,440
There's a lot of different things, like cross-site scripting protection.

59
00:03:43,440 --> 00:03:50,820
Is it enabled? If you want to look at some of these pages that have this, that have that flagged, and

60
00:03:50,820 --> 00:03:57,210
see if they're maybe potentially susceptible to cross-site scripting, which we're going to go over some

61
00:03:57,210 --> 00:03:57,400
of that.

62
00:03:58,290 --> 00:04:00,750
And it just keeps... it keeps on finding stuff.

63
00:04:00,780 --> 00:04:01,920
It is Metasploitable.

64
00:04:01,920 --> 00:04:03,270
So it's very exploitable.

65
00:04:03,930 --> 00:04:09,990
So when you do that, when you use it in a real... well, you might actually... you might not actually find a ton

66
00:04:09,990 --> 00:04:14,040
of vulnerabilities, but it can definitely find some

67
00:04:16,680 --> 00:04:22,860
important or useful information for when you're going through and trying to find bugs and vulnerabilities

68
00:04:22,860 --> 00:04:23,650
in a website.

69
00:04:23,730 --> 00:04:28,020
Also, if you click on, very quickly, Sites, you hit the little area right here, and it has it kind of like

70
00:04:28,260 --> 00:04:32,430
in a hierarchy format, and you can see the different sites that you've actually scanned.

71
00:04:32,440 --> 00:04:35,640
So this has our one four address.

72
00:04:35,910 --> 00:04:42,330
And this shows sort of where... what is this and what it found there, all the different things

73
00:04:42,330 --> 00:04:45,030
like that, a lot of good information.

74
00:04:45,030 --> 00:04:49,900
So you really want to be able to look through this kind of stuff, start to take some notes and figure

75
00:04:49,900 --> 00:04:53,400
out, hey, there's a vulnerability here, maybe I should check that out.

76
00:04:54,690 --> 00:04:55,710
Very, very useful tool.

77
00:04:55,720 --> 00:04:57,750
So one other thing that you can do.

78
00:04:58,410 --> 00:04:59,720
We're going to do this with Burp.

79
00:05:00,280 --> 00:05:10,960
But you can also capture any requests that you send out and actually modify them before it sends them,

80
00:05:10,960 --> 00:05:15,190
a very interesting feature. You do that with this section right here, and we're going to go over that

81
00:05:15,190 --> 00:05:15,790
with Burp.

82
00:05:15,800 --> 00:05:20,260
We're not going to use that with ZAP, but I'll throw it out there that you actually can, you know, capture

83
00:05:20,260 --> 00:05:28,000
your HTTP requests that you're actually sending out and actually modify them, you know, as you need

84
00:05:28,000 --> 00:05:31,390
or as you see fit, you know, maybe to get past security features.

85
00:05:31,390 --> 00:05:33,250
So we're going to go over that in...

86
00:05:33,580 --> 00:05:39,220
So that is a very good tool; it points out a lot of different vulnerabilities and is definitely something

87
00:05:39,220 --> 00:05:44,410
that you want to have in your toolkit when you're doing web application testing.

88
00:05:44,740 --> 00:05:49,180
OK, so one other thing I wanted to show you guys really quickly, so the application that we're going

89
00:05:49,180 --> 00:05:55,030
to be attacking against and learning how to hack websites with is the Damn Vulnerable Web Application.

90
00:05:55,240 --> 00:06:01,490
And you can find that at the IP address of the machine, then put a forward slash dvwa.

91
00:06:01,510 --> 00:06:06,790
So I launched an attack on this one, and it found some very interesting stuff down here.

92
00:06:06,790 --> 00:06:08,080
So you can kind of check it out.

93
00:06:08,920 --> 00:06:11,230
So right here, this is directory browsing.

94
00:06:11,230 --> 00:06:15,010
So, you know, it's possible to view the directory listing.

95
00:06:15,010 --> 00:06:22,990
So directory listing may reveal, you know, hidden scripts, include files, backup source files,

96
00:06:23,010 --> 00:06:29,830
etc., and they may have sensitive information, and it gives you the information on where you can actually

97
00:06:29,830 --> 00:06:30,150
do that.

98
00:06:30,160 --> 00:06:33,320
So it points to where... here is the URL:

99
00:06:33,340 --> 00:06:35,310
dvwa, like dvwa slash.

100
00:06:35,680 --> 00:07:43,030
So let's open up a web browser and let's actually go ahead and try this out to see if it actually worked

101
00:06:43,030 --> 00:06:43,240
out.

102
00:06:43,240 --> 00:06:55,030
So the web browser's open, and I'll type in the address with dvwa, hit enter, and

103
00:06:55,030 --> 00:06:55,930
see what's up.

104
00:06:55,930 --> 00:06:59,270
Oh hey, we found a directory listing, so that's pretty cool.

105
00:06:59,300 --> 00:07:06,460
So now we can actually, you know, browse the directory, probably download files, see what's on here.

106
00:07:06,970 --> 00:07:08,510
So it's pretty useful.

107
00:07:08,830 --> 00:07:09,610
That's pretty neat.

108
00:07:09,610 --> 00:07:12,520
So it automated the entire process of finding something like this.

109
00:07:12,680 --> 00:07:16,920
And honestly, these are all things you might find out in the wild, to be honest, in the real world.

110
00:07:16,930 --> 00:07:22,720
So a lot of people have their things set up very, very insecurely.

111
00:07:22,720 --> 00:07:24,320
You will be shocked.

112
00:07:25,030 --> 00:07:26,350
So, yeah.

113
00:07:26,350 --> 00:07:32,800
And then, like, just like before, error disclosure; that's usually an issue, all kinds of different,

114
00:07:32,800 --> 00:07:38,740
like, you know, maybe cross-site request forgery is going to work for the page that it was found on here.

115
00:07:38,980 --> 00:07:44,680
So very useful for information leaks, all kinds of stuff, so very useful tool.

116
00:07:44,680 --> 00:07:50,050
You definitely want to make sure that you have this in your toolkit when you're actually doing your

117
00:07:50,050 --> 00:07:51,610
initial scanning for web apps.