Take a look at the Zed Attack Proxy (ZAP) web proxy tool.
- [Instructor] Zed Attack Proxy is another web proxy tool which comes as part of Kali. Let's take a look at it. I'll select Applications, Web Application Analysis, OWASP ZAP. OK, we have the main ZAP page. Let's check Tools, Options, and from the option list select Local Proxy. We can see that ZAP is set up to proxy on port 8080.
I'll open Iceweasel and I'll configure it for Proxy. To do that, we go to Preferences, Advanced, Network, Settings. Manual Proxy Configuration, 127.0.0.1, Port 8080, OK. We're ready to go. I'll connect through to the Hacme Casino on my external Windows 10 system.
OK, I'll log in as Bobby Blackjack. OK, I'll go to ZAP and see what happened. We can see the Casino site that was accessed in the left panel and the conversation in the bottom panel. I'll go to the POST request for account login, and in the top right panel I'll select the Request tab.
OK, we can see the cookie in the top part of the request panel, and the plain text credentials in the lower part. I'll now get ZAP to hold all requests for me…
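The request the instructor inspects in ZAP's Request tab can be pulled apart with a few lines of Python. The following is an added example, not code from the course, from ZAP or from the Hacme Casino application: it parses a constructed login POST (the host, cookie name and value, and form field names are made up) and reports what an intercepting proxy sees, namely the session cookie in the headers and the credential in the form body.

```python
from urllib.parse import parse_qs

# Constructed sample request, modelled on the account login POST seen in the
# transcript. Host, cookie name/value and form field names are assumptions.
SAMPLE_REQUEST = (
    "POST /account/login HTTP/1.1\r\n"
    "Host: casino.example.test\r\n"
    "User-Agent: Iceweasel\r\n"
    "Cookie: _session_id=0123456789abcdef\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 37\r\n"
    "\r\n"
    "login=bobby_blackjack&password=s3cret"
)

# Form field names commonly used for secrets; a real checker would use the
# application's own field names.
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "secret"}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into request line, headers and body,
    mirroring the top (headers) and bottom (body) halves of ZAP's Request tab."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def parse_cookies(cookie_header: str) -> dict:
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def exposed_data(req: dict) -> dict:
    """Report what a proxy (or anyone else on the path) can read from the
    request: session cookies from the headers and credentials from the body."""
    report = {"cookies": {}, "credentials": {}}
    cookie_header = req["headers"].get("cookie")
    if cookie_header:
        report["cookies"] = parse_cookies(cookie_header)
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(req["body"]).items():
            if name.lower() in CREDENTIAL_FIELDS:
                report["credentials"][name] = values[0]
    return report


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(f"{req['method']} {req['path']}")
    found = exposed_data(req)
    for name, value in found["cookies"].items():
        print(f"cookie   {name} = {value}")
    for name, value in found["credentials"].items():
        print(f"secret   {name} = {value}  (sent in clear in the form body)")
```

The point for a defender is that ZAP only sees this because the browser was told to send its traffic through 127.0.0.1:8080; over plain HTTP, any device on the path between the browser and the server sees exactly the same cookie and password. Serving the login and every subsequent request over TLS (and refusing HTTP, so the session cannot be downgraded) is what keeps both out of reach of an on-path observer.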
This course teaches you what session hijacking is, and how black-hat hackers use it to attack an organization. Learn how TCP, web, and wireless protocols work and how hackers exploit them. Find out how to use built-in Windows and Linux tools, as well as specialized third-party solutions such as Zed Attack Proxy (ZAP) and Cain, to detect and shore up vulnerabilities. Author and cybersecurity expert Malcolm Shore also discusses remote hijacking, which allows hackers to take control of drones or even vehicles.
Note: This course maps to the Session Hijacking domain of the Certified Ethical Hacking exam. Review the exam objectives at the EC-Council's website.
- Hijacking a network session, such as a Telnet session
- Understanding web sessions
- Intercepting sessions via man-in-the-middle or man-in-the-browser attacks
- Downgrading a session by stripping SSL
- Using ARP poisoning through Subterfuge
- Hijacking an HTTP session through cookies
- Using hijacking defense tools: Zed Attack Proxy and Cain
- Service hijacking (DNS and SSH)
- Hijacking in the physical world: cars and drones