Apache Tomcat, or simply Tomcat, is one of the most widely used servers for Java web applications in the world. It is also very common to find a Tomcat server with some configurations left by default, among those configurations. It is surprisingly usual to find that a server has the web application manager exposed, this is the application that allows the administrator to start, stop, add, and delete applications in the server.
In this recipe, we will use a Metasploit module to perform a dictionary attack over a Tomcat server in order to obtain access to its manager application.
Before we start using the Metasploit Framework, we will need to start the database service in a root terminal run:
service postgresql start
- Start the Metasploit's console:
msfconsole - When it starts, we need to load the proper module and type the following in the
msf>prompt:use auxiliary/scanner/http/tomcat_mgr_login - We may want to see what parameter it uses:
show options
- Now, we set our target hosts:
set rhosts 192.168.56.102 - To make it work a little faster, but not too fast, we increase the number of threads:
set threads 5 - Also, we don't want our server to crash due to too many requests, so we lower the brute force speed:
set bruteforce_speed 3 - The rest of the parameters work just as they are for our case, let's run the attack:
run
After failing in some attempts, we will find a valid password; the one marked with a green "[+]" symbol:
By default Tomcat uses the TCP port 8080 and has its manager application in /manager/html. That application uses basic HTTP authentication. The Metasploit's auxiliary module we just used (tomcat_mgr_login) has some configuration options worth mentioning here:
BLANK_PASSWORDS: Adds a test with blank password for every user triedPASSWORD: It's useful if we want to test a single password with multiple users or to add a specific one not included in the listPASS_FILE: The password list we will use for the test.- Proxies: This is the option we need to configure if we need to go through a proxy to reach our target or to avoid detection.
RHOSTS: The host, hosts (separated by spaces), or file with hosts (file:/path/to/file/with/hosts) we want to test.RPORT: This is the TCP port in the hosts being used by Tomcat.STOP_ON_SUCCESS: Stop trying a host when a valid password is found in it.TARGERURI: Location of the manager application inside the host.USERNAME: Define a specific username to test, it can be tested alone or added to the list defined inUSER_FILE.USER_PASS_FILE: A file containing "username password" combinations to be tested.USER_AS_PASS: Try every username in the list as its password.