Wednesday, 23 March 2016

Features in Using OWASP Zed Attack Proxy (ZAP)

Background

In last post we saw how to setup ZAP proxy - 
 In this post I will show you some of the features of ZAP proxy that I have explored so far.


Spider And Active Scan

Whenever you decide to attack an URL that you see in ZAP's home page ZAP will crawl the page, find out other relevant links that the base URL may refer to in response. It also figures out GET/POST requests applicable. This is basically spider attack.

For demo purposes I am going to attack following URL - 
  • http://ch01.mybluemix.net/ch01/

It' a simple problem where you have to exploit few vulnerabilities to guess the password :)



Next ZAP will scan all the relevant applicable URL with test request params. It shows various attributes like response code, response bytes etc. You can also see the raw request/response with right click the request entry in Active scan. You can also see list of applicable URLs in the left panel.



 NOTE : One good trick to inspect irregular behavior is to inspect the size of response and inspect further the ones you see fishy.

Resend Request

Another useful feature is "Resend" . Just right click the request on left panel and select resend. You can then edit the request as per your wish (edit request params, headers add cookies etc) and send.




 Encode/Decode/Hash

This is a very handy feature that I loved in ZAP. Input a String and it will give you it's Encoding/Decoding/Hash whatever you need -

You can access this from Tools -> Encode/Decode/Hash




 Fuzzer

If you don't know what fuzzing is -

"Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion. "

More details -
 ZAP has an in build fuzzer that you can use. Simply
select the URL you want to fuzz -> Right click -> Attack -> Fuzz

You will need to highlight the area you want to fuzz and select add payload. The highlighted area can be anything - request parameter, cookie value, header etc. Also payload can be anything list of strings, scripts to be injected random values , alphabets etc.


Sample example is screenshot below -




 In above example I have highlighted "ZAP" which is the password. So I am going to fuzz various values of passwords. Next click Add to add payloads. You can define your own sets of string as well. I am using inbuilt file fuzzer that provided pre defined sets of strings. Finally click "Start Fuzzer" to start fuzzing.

NOTE : Again as I mentioned before it is always advantageous to sort response size to check unusual response to exploit :)


So far I have explored these. Will keep you updated :)
Stay tuned!



Related Links

Monday, 21 March 2016

Using OWASP Zed Attack Proxy (ZAP) and Plug-n-Hack as a proxy for your browser

Background

Some time back we saw how to use Fiddler proxy to intercept traffic from local browser or you Android devices. 
Recently I came across a more powerful proxy tool called OWASP Zed Attack Proxy or ZAP . It's not just a proxy tool. It is a tool used for ethical hacking. You can use it to attack sites and find vulnerabilities. Using ZAP you can do various things like -
etc.

You can read more about ZAP on their home page -

NOTE : You should use these ethical hacking tools only on sites that you have permission for. Using these on other sites may be treated as an offense.

In this post I am going to show you how to set up a simple proxy to redirect your browser traffic through ZAP.

 You can download the software from here. You can choose the download based on your operating system.

Once you download, install and open ZAP it would look something like below -



Using ZAP as proxy

Before we move on to browser to see how we can use ZAP as a proxy there lets see proxy settings in ZAP itself.
  • Go to Tools -> Options ->Local proxy
Here you can see the Address and port the proxy is listening on. You can manually configure your browser proxy settings to use this.



 Now click on Plug-n-Hack on the ZAP home page or copy the URL pasted in browser.

Click on "Click to setup!"

And install the addon.





 Finally enable the browser to send traffic via our ZAP proxy -



NOTE :  If you are getting - "A provider with this name has already been configured.".




You can manually check the proxy settings.




Also if you want the automatic configuration you can clear it. Also from now on you can use
  • zap
  • pnh
command in firefox console  (Shift + F2)
 



You can use pnh command to clear and remove proxy settings from firefox





You should finally see something like below -



Related Links

Monday, 14 March 2016

Performing ssh login without password using ssh-keygen and ssh-copy-id

Background

In this post we will see how to do a SSH key based authentication where you do not need to enter your password. For demo purpose I am going to start a SSH server on my Linux Ubuntu machine and then connect to it from my same linux machine without password.


Starting SSH server

First lets install openssh server.
  • sudo apt-get install openssh-server


 Now lets take a backup of config file so that we have a good config too look at later (in case we mess things up ;) ) -

Execute the following commands -

  • sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults
  • sudo chmod a-w /etc/ssh/sshd_config.factory-defaults
  • sudo gedit /etc/ssh/sshd_config


NOTE : sshd_config is the configuration file for the OpenSSH server. ssh_config is the configuration file for the OpenSSH client. Make sure not to get them mixed up.


Now simply restart ssh server -
  • sudo restart ssh
You can ssh into same machine using localhost just to test your ssh server setup -



Sure you can do the same from any other machine using password




But in this we want to do this without password -


Configuring ssh connection without Password

You need to execute following commands -
  • ssh-keygen
  • ssh-copy-id -i ~/.ssh/id_rsa.pub aniket@localhost
1st step creates a new public private key pair on your local machine. 2ms step copies your public key to the remote machine (localhost in this case) and from then on remote machine will remember your identity. 






As you can see post copying the public key to servers authorized keys you no longer need password to connect to your SSH server.


Related Links

Saturday, 12 March 2016

How to install Node and npm to run node.js programs in Linux

Background

    In one of the previous posts - 
we saw how to install node and npm on widows and also saw running a demo program. In windows it is as simple as downloading the installer and running it. In this post we will see how to install the same in Linux using command line.



Installing Node and NPM on your Linux machine

I am using Ubuntu so I am going to use apt-get to install software’s. You can do the same using yum if you are using fedora or alike.

 First install some of the dependencies that are requied with following command- 

  •  sudo apt-get install python-software-properties python g++ make
Next you will need to add repository to install node and npm from - 
  • sudo add-apt-repository ppa:chris-lea/node.js


Next get an update
  • sudo apt-get update
Now finally install nodejs
  • sudo apt-get install nodejs



This should install both node and npm for you. You can print their version to confirm they are installed -





Now lets quickly test it. Create a file called server.js and following contents in it -

 var http = require('http');
 http.createServer(function (req, res) {
    res.writeHead(200, {'Content-Type': 'text/plain'});
    res.end('Hello World\n');
 }).listen(1337, "127.0.0.1");
 console.log('Server running at http://127.0.0.1:1337/');


Now save it as run it -

You should see following in command promt -

aniket@aniket-Compaq-610:~/programs$ node server.js
Server running at http://127.0.0.1:1337


Now go to browser and hit following url -
  • http://127.0.0.1:1337
You should see - Hello World

That means our server is up and running

Related Links

t> UA-39527780-1 back to top