OWASP Zed Attack Proxy Primer

Introduction

Otherwise known as ZAP, the OWASP Zed Attack Proxy is a web proxy application used to intercept, analyze and manipulate web traffic. It is a free and open source alternative to Burp Suite. When it comes to performing a penetration test against a web application, a web proxy is the number tool needed. It can uncover hidden information in server responses that you may not notice, it can analyze the traffic looking for indicators of misconfigurations and it can quickly map out entire sites at the click of a button. You launch your proxy, which will run on localhost on port 8080 by default although this can be configured to different values as necessary.

Continue reading “OWASP Zed Attack Proxy Primer”

CUDA Support for Hashcat on Parrot OS

I’ve always struggled with anything relating to video drivers in Linux to begin with, but one of the things that has always bothered me most about it was never being able to get GPU support for hash cracking. Today, after way too long of failing, I finally got it working so I figured it would make a good post in case there are other driver-challenged folk out there.

Continue reading “CUDA Support for Hashcat on Parrot OS”

Taking Good Notes

UPDATE: Cherry Tree has been replaced in my workflow with Joplin. I like it more, and may do a write up on that soon.

While performing a penetration test, it’s easy to get tunnel vision trying to get a shell and leave yourself high and dry when it comes to completing your report at the end. It is important to keep detailed notes on what actions you take, when you take them, from what system you are taking them from and what system you are taking them against.

Continue reading “Taking Good Notes”

Tools Overview

When it comes to information security, there is no shortage of tools for the job. It can easily be overwhelming when you are just starting off, and one important thing to try and avoid is decision paralysis. While some tools are certainly more effective than others, it can be a good idea to simply find one for what you are wanting to do and stick with it for long enough to learn how to use it. This way you have ONE solution to a problem, even if it’s not always the best solution. As you gain more experience and learn what each tool is actually doing, you will naturally begin to switch your tools out for ones that work better for you.

Continue reading “Tools Overview”

CherryTree – Notes for Anything

One of the most important aspects of any job is your ability to stay organized and keep good notes. This is especially true during penetration tests. During a typical testing engagement, you will compile an enormous amount of data concerning what you did, when you did it, what systems you were doing to, and what the results were. You then need to be able take that information and convey it in a manner that the client will understand and be able to take action on. These may be folk on the business side of the house, who may not be receptive to overly technical presentations, they could be the business IT staff who prefer overly technical presentations that tell them how to reproduce and/or fix the issue, or possibly both.

Continue reading “CherryTree – Notes for Anything”