This cybersecurity tool is
amazing. You need to deploy it. Not only is it free and open source,
which I don't know how that's possible, but you're gonna learn so much about
hacking and security while also protecting your stuff. It's a no-brainer. I deployed the server in about five
minutes and then deployed agents to all of my computers and servers,
Mac, windows, Lennox. Now these agents are like the tattletales
in school. They tell me everything. Things like security configuration
are all my devices misconfigured? I don't know, but I do Now it'll check
for known vulnerabilities, malware, and then this is kind of nuts. It can track a directory and see if any
changes occurred, files added removed, documents edited, and
this is even crazier. It can track the changes to the
Windows registry. Are you kidding me? It's amazing. So all these devices send all the
information to my server and I can see everything from one
location. I get alerts, which can come at me via
email or Slack or whatever. I can do things in response to
those alerts. Active response. So not only can I detect a brute force
attack, I can do something about it. Block that IP, address. This
server or this tool is called waza. It's a type of cybersecurity
tool called asim, security Information and Event Management.
But I so badly wanna call it a siem. I'm gonna call it a siem. I don't care. This type of tool is what the blue team
or defensive side of cybersecurity will use to defend against the bad guys to
stop the hackers. So on this video, I'm gonna show you how to deploy this
cuz you need to. It's amazing. Again, not only will you be
protecting your stuff, but you're gonna learn so much and it's
also kind of addicting. And seriously, this is something you could probably put
on your resume. This is a project like, hey, I run my own seam,
sim seam seam seams. Pretty cool, doesn't it? <laugh>,
I That was lame. I'm sorry. So you're convinced, let's talk about
what you need. Really only two things. A Linux server or computer and something
to monitor. So other computers, most flavors of Lennox are supported.
I'll be installing it on Ubuntu. And more specifically, I'll be on a cloud
machine in ano. That's what I prefer. So I can monitor everything with
ease and also it's ridiculously easy. I'll walk you through it here in
a bit. But it can also be on-prem, on a server you already have. Or
it can be on a Docker container. Lemme get some room here, already
got a room, scoot down. There we go. And they even have an ova for
easy deployment on virtual box. Now as far as system
requirements for the Wza server, lemme show you what they
recommend. At minimum, they want two gigs of RAM and two CPU
cores. That'll work for most people. If you got a lot of devices, if you're
gonna be collecting lots of logs, you wanna go larger. Four gigs of
Ram and eight CPU cores. Now again, I'm gonna walk you through the cloud
option and then also sprinkle in a little bit of dog or two just for fun. Oh,
almost forgot the most important thing. Coffee. Everything in it requires
coffee. It's just the rules. Network. Chuck.coffee first. All we'll set
up. Waza or wsu, I'm not sure. I'm just gonna call it waza in the cloud. So let's head on over to od.com/network
chuck or check the link below. Now not only is LY node
the sponsor of this video, but they are my favorite cloud provider.
Like I'm not lying, check this up. I have way too many virtual machines in
the cloud because I just go in here and spin up something.
Anytime I have a project, anytime I wanna mess with
something, I just go to LE Node, spin up a quick virtual machine in
seconds. Now if you're new to LE Node, this is gonna be free for
you. For the first 60 days, they're gonna give you $100 credit
to go crazy and play around with it. So if you haven't already, go ahead and get signed up right now
and then get signed in and meet me back here. Now the other reason I love Le Node is
they make deploying virtual machines like waza. Super stinking easy. Check this
out. I'm gonna go to create Lin node. I'll click on Marketplace and then
I'll search for waza. There it is. Let's go and click on that and just
have it selected and we'll scroll down a bit. Now time for just a little bit of config
First put an email address then for the SSL certificate. Then a limited
pseudo user account, Bernard hack. Well this can be
anything. Just make it up. Put a password in and we'll scroll
down just a little bit until we see. Select an image. We're
using Ubuntu Perfect region. Select somewhere close to
you. Leno is a cloud provider. So they have data centers everywhere. Pick somewhere close to you so it'll
be nice and fast. I'm in Dallas. And finally our LE node plan. From
here, let's click on share. At cpu, they're cheaper. And here we have our
plans or the size of our virtual machine. Now normally I would pick this one
right here. It's five bucks a month, super cheap. But for waza, you want
something a bit beefier, a bit bigger, something more like the
LE node, four gigabyte. Now if you don't select the four gigabyte
option for this WASA installation, it just won't work. I tried it.
So just make sure you select this. Now if you do wanna go for a smaller
option, like the LE node, two gigabyte, I actually got that working with
Docker and it worked pretty well. I'll walk you through that here in a
second. Well, let's go ahead and do this. It's really not much more. It's
so easy. So select four gigabyte. Scroll down just a bit, label
this sucker, whatever you want. Enter a root password. And finally we'll scroll down and click
on create LE node at the bottom right. Ready, set, go. Now
it's gonna do its thing. It's gonna bake you a VM in
the cloud. Quick coffee break, it'll be a few minutes. And once you
see that your LE node is running, we can try and connect to it. Over
here we have our SSH access command. We're gonna go ahead and copy this
right here and then launch your terminal Windows, Mac and Linux. It'll all
work. And paste that in there. Enter, accept all fingerprints. Put
your password in and we're in. But it may not be quite ready. Waza is
still going through its installation. We can monitor it kind of right
now by typing in H top H T O P. And we'll see right at the top there,
the top process. D P K G or D package. That's how apps on Linux are installed
and that's what's happening right now. So we can kinda sit there and
watch that until that stops. And we can try to connect here
in a moment and like see here, we have some wza stuff there. The
WZA index year is being installed. There's a bunch of pieces to
it. It's amazing. But again, quick coffee break and
watch the magic happen. Now at this point it's been about
six minutes. Let's see if it's done. And we'll start with grabbing
our password. By the way, I hit control C to get out of that, if we type in LS dash al
and our terminal here, we should see a dot deployment
dash secrets dot txc file. There it has our secrets or our
passwords. Let's go ahead and cap that. Cats dot deployment secrets,
blah blah. Got it. Bam. There's our passwords right there. The first one we want is the
admin password at the top. Got our admin username and our admin
password. Cool, keep that there. Let's go back to our
LE node dashboard here. And we're gonna grab our LE node reverse
DNS name or R D N S. So here Leno node. Click on the network tab. Scroll down just a little bit until
we see the IP addresses section. And then we have the reverse DNS right
here. There it is. Just go and grab that, copy it. Open a new tab and go to https colon
whack whack paste that in <laugh> <laugh>. Here we go. It's there. Now let's get
logged in. Use your name admin password. Let's grab that from the terminal
there. It's copy and paste. It's gonna check and make sure things
are good. Almost there or good. Awesome. This seems pretty cool. Last time
I'll do that joke. Probably not. Seems like a ock. Sorry <laugh>.
It's terrible. Now before we move on, I'm gonna show the docker
install. It's super easy. If you don't care about that,
that's fine. Just skip ahead. I've got timestamps below. Now
here's the docker install. Perfect. Four on-prem or a smaller machine on LE
node, which is what I'll be doing here. Leno. I'm gonna click on create le node. I'll just deploy a standard
Ubuntu 2204 lts machine, shared cpu. I know that the LE
node, two gigabyte plan will work. I tried it on the one gig, the containers
just wouldn't run. Don't try it. But the two gig plan, it worked great.
So click that, label it something fun, put a password in and then click on
create le node. How fast was that? Now if you're doing this on-prem, just have a server that's running Docker
and of course if you want to run the ova, I'll put a link below and wass
documentation. After a moment or two, you should see that your machine is
running. Let's go and connect to it. We'll grab our SSH access command over
here. Just copy that. Launch my terminal, paste it, head enter, accept all
fingerprints, password. And we're in. Couple things we'll do real quick.
First we'll update our repositories. Pseudo a P t update. Now many of you're
gonna go, why is he doing pseudo? You're route. I always do pseudo
cause I don't know what you're using. You may not be root right now. I just
wanna make it simple. Anyways, I digress. Pseudo PT update to update our
repositories. Once that finishes up, we'll do a pseudo PT and
install docker.io and docker dash compose. We'll do
a dash y at the end. This is going to install docker
and Docker compose. So let's go. Should be fairly quick. More of a coffee
sip here. Awesome, it is finished. The next step, I've got a link below. Go ahead and pull up the Waza
documentation for a docker deployment. Well one two punch this real quick. First we'll clone the get repository
one command. Let's copy that. Go back to your terminal, paste that
command assuming you have get installed. Most oss do clone. Awesome type in Ls. We'll see a new directory
called waza Docker. Let's go ahead and CD into that cd,
waza, Docker type in LS once more. And we have one more
directory we wanna jump into. It's the single node directory because
we're deploying one single node or computer cd single node. Perfect. Now the next thing we'll have to do is
generate some self sign certificates. They make that super easy for us. They even have a Docker compose
file to run and do that for us. And all we have to do is
copy and paste this command. So copy this command right here,
paste that in there, hit enter. It's gonna pull those images down.
Run, compose. And then that was it. That's done. Now for our next step, all we have to do is do the
docker dash compose command with the up option. And then we'll do a
dash D to launch it in the background. This will do everything for us. This
is our last step in deploying this. It's super easy. I love docker. Ready,
set, go. This will take a moment. It's deploying a multi-tier
application, pulling all the images, a lot of stuff going on. Little coffee
break. We'll give it some time here. Okay, deployment is done, done, done. Let's confirm real quick
by typing in docker stats. Get a realtime view of those suckers
running. Let's go get logged in. Let's check it out. We'll get
back to our Leno dashboard here. Go to the network tab. Scroll
down just a little bit, find our reverse DNS name right
here in the IP addresses section. Go ahead and copy that and we'll
open up a new tab. Type in https, colon whack whack, paste that in
there. Let's go. Fingers crossed. Okay, this is a self-signed cert. We'll get
this little error message. No big deal. Should proceed. Was that sorry. Um,
this video has so many lame jokes. Let's get logged in. Default. Login will
be admin password will be according to. Was it documentation? What
was it? Was it <laugh>? Sorry. Sorry, not sorry. Oh, it's uh, secret
password. Capital S. Capital P. Easy enough. Just gotta check and make
sure things are good. Almost. Okay, things are good. Now that
we have, was it installed? Let's get some agents added.
Computers that we can monitor. So right here we'll click on add
agent right here in the dashboard. And then right here we'll have
the option to deploy a new agent. Go ahead and click on that. This
is super straightforward and easy. We'll start with the
Linux host first. Again, I'm gonna do Ubuntu and we'll do
a Windows after this. By the way, Ubuntu 15 or more architecture is X 86. But notice we have options
for everything. It's awesome. Then we'll put our was a
server address in here. This will simply be your LE node, reverse DNS name if you did it with
me or it could be an IP address. Just something that the agent can have
access to. So I'll copy that server. Address the F Q D N fully qualified
domain name just like this. I will name that agent. It's optional
but I like to Callie underscore Linux. We'll select a group. I'll
put it in the default group. And then on step six they give you one
command to install the agent. Super cool. Super easy. Let's copy that. Copy command. And then here in Cali I'll launch my
terminal. Paste that command head, enter pseudo password and it's done.
Cool. One more thing we have to do, getting back to the was a dashboard.
We need to enable this as a service. We'll just copy this. Command
all system, CTL commands, paste those commands in there,
head enter and done. Awesome. So now getting back to the WASA dashboard. We can go to the top left here on
this drop down and click on agents. There it is right there. My first little
guy, Callie Lennox, his IP address os. And it's gonna show us so much more.
Oh, I can't wait to show you this, but first, before we do that,
let's add Windows real quick. But notice how fast and easy this
is and Windows. It's just as easy. Let's go ahead and do
uh, deploy new agent. Once more this time we'll
click on Windows. Goodness, they still have Windows
XP in here. <laugh>. I guess you need a scene
for this man. But anyways, I'm on Windows seven or more or
greater. No Windows arm support, sad, fully qualified domain name would be our
same. I uh, domain name or IP address. Again, just something your agent can have
access to. I'll name it default group. And finally at step six, just like Linux, we're gonna have our little
one-liner command using PowerShell. Keeping in mind you will need to run
this as administrator cause you will need admin privileges. So I'll
just copy that command, jump into my Windows computer here. So here in Windows I'll
launch my Windows terminal. Keeping in mind I'll have
to launch it as admin. So right click this and click on run as
administrator. Pace my command in there, hit enter. Gonna do its thing.
And then one more command. We'll have to start the
service here on Windows. Just like Linux net start was a SVC
was a is starting and we're off to the races. Let's go check Waza, the Waza
dashboard. We'll go to our agents. Oh there it is. It's still coming up. Let's click on refresh over here on
the right. Refresh, refresh, refresh. Come on. Connect. I'm impatient.
And after a billion refreshes. No, I'm just kidding. It was like
three. Um, it's up. Awesome. And here's our two machines at Lennox
and Windows. And you know what, I wanna add one more
just for fun. Ready Go. It was seriously actually
almost that fast. So here we have our agents and now let's
click on one of these and see what's going on. This is gonna be fun.
So I'm gonna click on the new one. I just added the Circs network. Chuck,
that's from my CIRCS search video. It's a public box and it's
gonna be kind of fun to look at. It's click on that guy. And here's our
agent dashboard for this one computer, this one server. There's a lot going on. But just keep in mind
at the top here in Waza, we kind of have breadcrumbs
and I love this. We've got agents and we're drilled down
into the specific agent we're looking at. And then here at the
dashboard, so much going on. Now I'm not gonna show you
everything. There's way too much, way too much fun to be had. But I will point out a few
things that are like kind of wow. First the Mitre framework.
The Mitre attack framework. We won't go too deep into this, but just know it's a database of hacking
techniques that hackers will use to attack machines. This will look at
that framework and tell you, Hey, your machine might be vulnerable to this, these tactics or your machine is
actively being attacked in these ways. And notice, um, some things
are happening to mine. We'll take a look at those here in
a bit. And then quick drive by here. Compliance. Many companies have to obey
certain compliance standards like pci, gdpr, nist, hipaa. This will
check all your computers, all your servers and tell you what's
going on. That's kind of crazy. Now, you may not care about policies. You
should if you wanna get into security, but it may not be important for
you right now. Scroll down a bit. What about configuration? Is your server
or your computer configured securely? Do you know that for a fact?
Well this will tell you <laugh>. It has a module called SCA
or secure configuration. I think it's audit or assessment,
secure configuration assessment. And it will pull out a C I S assessment. This is for buntu Linux and
tell you how good you are. Um, 39% on my score failed 715 of these. Now let me give you like kind of
a baseline for what that means. Let's jump into this report.
Notice here in the breadcrumbs, I did jump into the security configuration
assessment section and it'll tell me all the things I failed at. Let me
actually sort by. Uh, good stuff. It's gonna be a small list. And
most of this is like default. So like App Armor is installed cool, but it'll go deeper and tell you things
like hey you should disable USB storage. If that drill down to SSH cuz you can
search for specific things like that. Keyword <laugh>. It'll tell me things
like, hey don't install Telenet. U F W is not enabled.
Disable ssh sh root login. So not only is it showing
you like hey you're insecure, but it's also teaching you. Cause
if I click on any one of these, it'll tell me like, Hey
here's the rationale, here's
why we're telling you this. Here's how you fix it,
here's how you check it. And then it shows you all the mire
techniques that can be used against having that misconfiguration. That's so
freaking powerful. Are you kidding me? It's okay, I'm getting a little
excited coffee, you'll calm me down. That's just one module speed mode. Let's
get back to our agent dashboard here. Here on the menu we have security events
showing you things like authentication failures, which could be brute force
attacks. It'll show you top five alerts. It'll give you a list of
security alerts. Super powerful. And then here's something you're not
gonna see right away. If I click on more, we have vulnerabilities. It'll check your system for
vulnerabilities but it's
not enabled by default. I'll show you how to do
this here in a moment. But I have another system I already
had up and running and if I look at vulnerabilities for that one, it's gonna check all my
applications and tell me like, Hey, are there known CBEs out there
or common vulnerabilities? And I've got a bunch <laugh> like
a lot. But just look at this, deploy this for your house or your
servers or whatever you have and play security admin. Go in here and go,
oh wow, I've got 170 critical CDEs. I should go figure out how to fix
those. The learning opportunity. Are you kidding me? And then here
on my server I already had going. I do wanna show you one thing here on one
of my Windows hosts or Windows agents. This is kind of fun. I have my daughter's
computer here, this is amazing. Check this out. I'll click on Chloe. And the one thing you're gonna love
about Windows Host is the integrity monitoring module. Oh my gosh,
thing's amazing. Check it out. The sucker's gonna monitor all the
important files and registry keys that are normally modified when
something's being hacked. It's gonna look at things and tell
you when things are being adjusted. So like check this out. If I go to events, it'll tell me each time a
register key is changed. Like this one was deleted firewall
policy. I don't know why that happened. Now some of these are automatic,
like the Windows OS is doing it, but others can be bad
<laugh>. It's gotta crazy. And it's not just registry keys.
If I go to inventory over here, I can see that it has
inventory of the files, it's monitoring and all the registry keys, it's monitoring and what they're
currently set to. Is it not insane? And here in a moment I'll
show you how you can s uh, monitor specific keys and get alerts on
those keys and files too. It's so fun. Now at this point your seam
seems to be doing great. I lied, I was gonna do it one more time.
It seems to be doing pretty good. Pretty much all you
have to do is set it up, connect an agent to it and it collects
information and you can go crazy and learn cybersecurity and
start to protect your stuff. But you can also tinker with this quite
a bit. You can enable more modules, set up more alerts, monitor more
things. So if you're interested in that, we're gonna walk through
a few more options here. Now the first thing we'll do is look
at file monitoring through Windows. It's so powerful and so cool. So
back here at the WASA incense, I deployed with you
right now in this video. Couple things real quick just
before we jump into that. If I click on the home icon, it's gonna take me to the WASA dashboard
and it's gonna show me like all the modules I could jump into. So for example,
if I wanna jump into security events, it's gonna show me security events. But right now it's being
filtered to look at one agent. I can unpin that to where it's showing
me everything from every agent. That's pretty cool. And you can do that
with most modules. Let's go back home. Now let's click on Waza once
more. Will Waza drop down here? Let's click on agents. Now again,
I'm not going over everything. Every little thing you can do and you
don't have to know all these things, but you can play around
with it. You can go crazy. I'm just giving you enough to get
started and have a little bit of fun and things I got really excited about.
So let's click on agents here. We'll click on my Windows machine. A couple things I'm gonna
show you real quick. If I click on Integrity Monitoring, this is the module that
we'll use to monitor files. Notice I don't have any events right now. I've got it filtered right now by the
last 24 hours and I've just connected this thing, nothing's happened.
But if I go to the inventory, I can see that it already has scanned
and inventoried all the default files. It'll look for in the
directories. And my registry keys. I believe it's set to scan
everything every 12 hours. And if it notices a change, it'll let
you know. It'll alert you. Pretty cool. But with files we can also do real
time notification and rule set. Check this out. I'm gonna jump into my Windows host and
change some configuration for the agent file. Now you can find that here.
I'm gonna go to my Windows Explorer, go to my C Drive, go
to program files X 86. Now if this is all like weird for
you, like oh man Windows file system, I don't know what's going on. I do detail a lot of what this means
and how it's organized in my Windows Fundamentals course on my academy.
Check it out, link below. Anyways, let's continue. It's an X 86 and
in a folder called OS sec Agent, jump in there. Continue.
You gotta have admin access. If I scroll down just a bit,
I'll see a file named os sec.com. That's your configuration
file for your agent. Let's go to open that with notepad.
Open with notepad. Oh, by the way, you can do the same thing on Linux.
I'll put documentation below. It's pretty much the same process, just
editing the same type of agent file. But let's walk through this
real quick here in this file, I'm just gonna search for sis check
to get to the SIS check section. That's hard to say.
<laugh>. And here right uh, you can see that I have the file
integrity monitoring section. And you can see right here all the
directories that is by default set to monitor. So what we'll do here is we'll just
choose a place amongst all these directory options and we'll add a
little configuration here. We'll type in directories and we'll
add an option that'll give us real time alerts. It's really simple what's
called real time, just like that. Have it equal yes in quotes. We'll add one more option
report underscore changes. Have that equal yes in quotes and
we'll add one more check underscore all and have that equal yes as well. So just to make sure we're
all on the same page here, we're specifying a directory and we're
giving it these options real time. Yes, report changes, yes. And check
all. Yes, we'll close that out. And then add the directory. We're
gonna monitor with all these options. Let's see to our desktop. So we'll do CE colon slash
users slash your username. Mine is network check slash desktop. And then we'll close that out with a
left arrow forward slash directories just like this. So now we'll
save this file, file save. And then we'll restart the service by
launching our terminal as administrator. Right click run as administrator
and we'll say restart service. Dash name waza. Cool.
So that should be good. So I'm gonna open up my
Waza dashboard real quick. Make sure I'm on the events tab.
Notice and look at the last 24 hours, nothing's happened. Let's
change something on our desktop. This is so cool and powerful. I hope
this illustrates how cool this is. She's gonna go to my desktop and I'm
gonna add a new file, new text document. Can you see this? Just take
about five seconds. One, two, let's take a look. Let's
refresh this. <laugh>. There it is. No, it's weird.
I said added, deleted, added. Oh I think because they changed
the name in real time. But look, it monitored that I add a new, uh, a
new file. Um, check this out. So that's, that's one alert. If I change anything
about it, let's open it up. Say, Hey, I'm changing stuff. We'll save it,
we'll see if the new alert comes in. I'll refresh my options
here or refresh my page. There it is sis check event
modified. And it's like, Hey, the check sum changed on this. It'll even tell me down here
what I changed the text I
added. How crazy is that? Now we can do the same kind of
thing with the Windows registry. Now it won't be real time,
they don't have that option, but it will scan every 12 hours.
You can change that interval. Let me share real quick. We can specify.
So right now Pilic was an inventory, right? We can see that it does have
an inventory. Look at our new file. It does have an inventory of registered
keys that automatically monitors, but we can add specific ones
that we want to have seen. So let's add a custom one real quick. I'll open up a red edit here
in Windows to edit my registry. Let's add one inside. Uh, I don't know,
hq, local machine. We'll go to software, maybe classes. And let's add one
right here, right click say New key, we'll say Bernard Hack. Well bam, we'll change the value to something fun. So what I'll do here is I'll right click
this key and say copy key name and then we'll go back to our
agent configuration file. And you'll notice just under that same
kind of section where we're adding directories, we also have
registry keys we can add. So I'll go kind of
towards the bottom here, just underneath the last registry entry
and right before the entry to ignore, I'll line myself up with everything
else, type in Windows registry, paste my key name, and then close it out with a left arrow
forward slash Windows registry and a right arrow. Cool, that
should be all we need. And it'll change the
frequency cuz like I said, it's gonna take 12 hours to find
this. We don't want it to do that. So up here we have frequency that CIS
check is executed by default every 12 hours. 43, 200. Let's change that from that
to 60. So every, every minute. Actually let's do 30 seconds. Let's
be quick. So I'll save this file. I'll restart my service. My was a
service to once some more restart. Service name was a Got it go. Cool. So getting back to our WASA dashboard
here in our integrity monitoring section for our Windows machine. I'm gonna go over here to inventory and
just see if it finds that new registry key. I'll go to registry, I'll search
for, what do we name it Bernard? Nothing yet. Way for it to find
it. There it is right there. So it found the key. It's looking
at it, it's monitoring it. Cool. Now let's go to events. Now you see
that we've got some registry changes, mainly time and we're getting that
because we were setting it to every 30 seconds. Notice nothing about a
registry key here. Let's go change it. Let's go modify it. Hammer Bernard, hack. Well I'll change the value
to something else. Fun or you got hacked. Cool, let's change
it there. It'll take about 30 seconds. Take a little coffee break and
let's monitor our was the dashboard. I'll refresh it a few times. And oh
there it is. Register key modified. How killer is that? Now you may be
wondering, okay, big deal Chuck, I'll barely even know there.
But when does registry is, why do I care if it's
changed? And first of all, the registry like has these settings
for the configuration of your operating system. So if things are changed
here, it's changing everywhere else. Some common things you might see
changed, especially with malware. Is this key here? Does it seem Microsoft
Windows? Where's it at? Where's it at? Windows Current version. There's
a lot of keys in here man. And we have run and run
once these keys are changed, when you add like a new startup
application for your system. So what malware will do is I'll go in
here and add a new key new string value. Call this, I'll call this bad stuff and
I'll just say internet explorer <laugh>. Let's, let's copy that location.
Okay? And looking back at Waza, it does monitor that by default. And
here in the events, if I refresh it, there it is. Register
key added and modified. There's the name of it right there. Bad
stuff. That's pretty powerful, right? The next thing I wanna show you actions.
They're so powerful. Check this out. Let's go to our agents here and I'll
jump into my Linux machine here. Circs Network, Chuck. Now let's go to
security events and I'll jump to events. Now there'll be a lot of events
here because this machine's public. Now I'm getting things like attempt
to log in using a non-existent user. Getting Bruteforce from Russia using
the user name Pie <laugh>. That's funny. Anyways, we can do something with that.
And actually I wanna try it myself. I'm gonna try in brute force, I'm gonna launch my Callie Linux machine
here and I'll use hydro to brute force the login and I'll use the
username, uh, Bernard Hack. Well and we'll see if
it sees us. Ready, set, go after a pseudo password. Here
we go. Okay, it's attacking. We should see a log. Let's go look at
the logs here. Security events. Events. This happened just now. Let's
see if it was us. Use your name. Bernard Hack Wall. So there,
there we are. How cool was that? Let's stop that nonsense. Let's real
quick. See if I try to log into it. Okay, so I, I'm getting a password
prompt so I'm not being blocked. So clearly I can sit here and just try
and try and try again to my heart's content. But what if I had our seam actively
respond to that and add it to the block list, drop it, add it to the firewall.
We can do that. Check it out. It's called active response, which
can be used for so many things. But I wanna demo this real
quick. Now, to change this, we're gonna go to the
configuration of our was a server. So we're gonna go here to the was a menu, go to management and then
click on configuration. From here we're gonna go to the top
right and click on edit configuration. And we're gonna scroll down a bit until
we see a section called active response. Actually, you know, why am I tripping?
I'm just gonna search for it. Active response. Cool, there
it is. Active response. So scroll down a bit until
I see this right here. It's kinda giving you a format
for what it should look like. And I'm gonna copy this config from
the documentation. Thank you Waza. Check it out here. Command is firewall,
drop location, the server. It's uh, the rule is executing on and then it's
gonna look at a rule or it's looking for a rule. This rule is what
triggers this firewall drop. Now when we tried to brute force what
rule was triggered? Let's go find out. I'm gonna jump to uh, our
agents. Go back to my circ Circs, go to security Events. Events and
let's see, it was just earlier, right? Like at 33. Yeah. So here's the alert.
You can see yes, it was Bernard Hack. Well and there's the alert ID
right there. The rule ID 57 10. That's what we want it to alert off of. So let's go back to our configuration
thing here and we'll change that rule from 57 63 to 57 10 and this will
time it out or add the firewall rule. And the time out
here is 180 seconds. It'll block the attacker for 180
seconds. Pretty cool. So let's save that. Click on save, restart our manager. Just
give that a little, little bit of time. Here're starting, please wait,
coffee break. Okay, it's restarted. Now what we wanna do now
is go back to our agent, go back to Search network Chuck and
we'll go to security events and go to events. So last thing we saw agent
started and stopped. Refresh that. Okay, we're here now let's go and try
to brute force it one more time. Actually real quickly, see if we can
log in. So this time I'm gonna use Root. I know a real user on that system.
Let's see if it lets me. Okay, so we're, it's allowing us right now. Now
we don't have to brute force. We can just try to log
in with Bernard Hack. Well what that should do is trigger.
Now it's right now it's 1203. It should trigger that new active
rule. Let's go see. Bam. There it is. So 1203 attempt. Attempt to log in
with non-existent user. Bernard Hack. Well immediately the firewall at drop
active response blocks me. So now, right now for 180 seconds
anyway, if I even try to log in, even with a real user, I
get nothing. I'm blocked. I can't even ping it.
<laugh>, it's kinda crazy. Let's do a continuous ping and see when
it lets me out outta jail here. Oh, we're back. We're back. Okay, so how
cool is that? And just so you know, you can do those active responses based
on a variety of rules. It's so custom. That's why this is so powerful. You can even do it off of like a certain
command was run or a certain log came about in, in the system you can run a
a, an active response. It's so crazy. Now two more things I wanna show you
real quick. First is vulnerabilities. Um, right now if I go to my search network,
Chuck and I go to Vulnerabilities. Nothing there. Why? Because
it's not enabled by default. The system does not search for that. So
it's really, really easy to set this up. We'll go to waza management configuration. Just like before we'll
go to edit configuration. And here we're gonna search for
vulnerability detector. Right there. It tells us enabled. No,
let's change that to yes, we definitely want that. Then we click
on save and restart Manager, confirm now. So once this restarts, notice
the options it has here. It'll run a full scan every six hours. It'll also run on Start when the service
starts up. So once this finishes, we'll restart our service and Windows
and Linux and see what happens. Okay, cool. It's done there.
I'm gonna go to Windows, restart my service here and
we're restart my service here. I restarting was at Agents.
Cool. So now at this point, and if we check our agents, I'll
just go to my Windows machine here, go to vulnerabilities. Cool. So
scan's complete, didn't find anything. Now the reason for that is that my Windows
machine has like no apps installed on it, but just know to enable the vulnerability
scanning you have to enable it on the system, on the Waza server. But the
agents have that configured by default. Now if I go back to my other server that
has all kinds of fun stuff configured, I gotta get logged back in here.
Chloe, she has a bad version of vlc, media player, high severity cde.
Wow, look at that, dude, this is fun. Gives you all the details of
it. Oh my gosh, it's so cool. But I wouldn't have known that if I
didn't have this on her system and it just tells me automatically. Now speaking of telling you automatically
you'll need some sort of alert, right? Waza has that. They've got
email alerts and Slack alerts. I'm gonna show you Slack real
quick. How to set that up. The first one I'll do is open on Slack
and create a new channel just for waza Waza alerts. Now I'll go out to Slack
and create a new app. Now this will not be a tutorial
on how Slack apps work. I'll just walk you through the basics
you need to know about right now. And this goes without saying
you do need a Slack account. So I'll click on create new app
from name it was uh, alerts, select my workspace, create the app. And then all I wanna add really is
an incoming webhook. Activate it. And then at the bottom I'll click
on add new webhook to workspace. I'll click on new channel Waza
Alerts Allow. And that's it. And all I need from this is this
webhook url. I'll copy that, get back to my Wza dashboard. And I'm gonna go back to
that configuration page
where we were at before where we spent a lot of time. Click
on Wza, go to management, and then go to configuration. Same thing
as before. Click on edit configuration. And here I'm gonna search for
integrations or just integration. And it looks like I don't have a
section for that. I'll just add it here. So I'll just go to the top and just under
global and I'll paste this config from the documentation. The only thing I'll change here
is pasting my webhook right there, which I need to copy
again, paste it there. And actually there is one more thing I
wanna change just in case you don't wanna be killed with alerts because this default
<laugh> setting will have a bunch of alerts sent to me based
on like all the events. And of course you can change the severity
level of events that are sent to you or even just specify a specific rule
ID you're looking for. So for example, right underneath here I can add
rule id. And what do you say we do? 57 10. That same rule as earlier that we
are doing the action roll off of. Cool. So we have our web hook in place, the url we have our rule to alert off
of Save it, save and restart manager. Once that is restarted, we'll do
our little test here in a moment. And real quick, look, there's
nothing in the uh, waza alerts yet. It's kind of quiet here.
Cool, it's restarted. Now let's try and log in with
Bernard Hack. Well again, that should block us. And
then over here, BAM was alert. Actually hit my watch too. Was I alert?
Look at that invalid user. Bernard Hack. Well, from this IP address, which I'm
gonna have Nick or Austin block right now, that's awesome, right? So, okay, this is
probably a long video, I realize that. But waza is a powerful tool that will
not only help you protect your family, your own lab, your business, but
it'll teach you a ton about security, about hacking about Blue team and the
fact that it's free and open source that I just did all of this, it costs me
nothing except for the hosting, which you could do it on-prem,
it's gonna be free for you. It's just kind of crazy. So I hope you have as much fun with this
tool as I have and we'll continue to have fun with. Let me know your
thoughts below. What do you think? Let me know how your was a
installation, implementation went. I wanna know all about it.
Anyways, that's all I have. Thank you for joining me in this video. Thank you for having a
little bit of coffee with me. I'll see you in the next video.