Carrying out a JBoss status scan using Metasploit

Metasploit also has built-in auxiliary modules for JBoss enumeration, one of which is auxiliary/scanner/http/jboss_status. This module looks for the status page, which shows the status history of the running application server. We can use the following commands in msfconsole to load the module and list its options:

use auxiliary/scanner/http/jboss_status
show options

The following screenshot shows the output of the preceding command:

The preceding screenshot shows the options that the auxiliary module requires in order to run. Once we set the options and run the module, as in the following screenshot, the module will confirm that the application server is JBoss, based on the discovered status page:

The module looks for text on the page with the following regex:

The module does the following:

  1. It sends a GET request to the server to look for the /status page (the default path is set in the TARGETURI option).
  2. If the server returns a 200 OK response, it looks for the Tomcat Status string in the HTML <title> tag.
  3. If the tag is found, the module looks for data according to the regex, as in the preceding screenshot.

When the module executes, JBoss stores the source IP, destination IP, and called page. This information is then printed out. We can look for it on the /status page, as in the following screenshot:

The jboss_status module looks for this specific information to fingerprint the instance of JBoss AS.
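A defender-side view of the behaviour described above, as an added example that is not from the book or from Metasploit: it scans web access logs for GET requests to /status and separates those answered with 200 OK (the status page was served, so the fingerprint can succeed) from those that were refused. The log lines, the Common Log Format layout, and the trusted monitoring range are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2024:10:01:07 +0000] "GET /status HTTP/1.1" 200 5123
192.0.2.10 - - [12/Mar/2024:10:01:09 +0000] "GET /status?t=1 HTTP/1.1" 200 5123
10.0.0.5 - - [12/Mar/2024:10:02:00 +0000] "GET /status HTTP/1.1" 200 5123
198.51.100.7 - - [12/Mar/2024:10:03:11 +0000] "GET /status HTTP/1.1" 401 512
198.51.100.7 - - [12/Mar/2024:10:03:12 +0000] "GET /index.html HTTP/1.1" 200 1200
203.0.113.4 - - [12/Mar/2024:10:04:00 +0000] "POST /status HTTP/1.1" 200 10
malformed line
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
STATUS_PATH = "/status"  # default path requested, per the steps above
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: monitoring hosts


def is_trusted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or junk are never treated as trusted
    return any(addr in net for net in TRUSTED_NETS)


def find_status_probes(log_text):
    """Return {source: {"exposed": n, "blocked": n}} for untrusted GETs of /status."""
    hits = defaultdict(lambda: {"exposed": 0, "blocked": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # skip unparsable lines and non-GET requests
        path = m["target"].split("?", 1)[0].rstrip("/") or "/"
        if path != STATUS_PATH or is_trusted(m["src"]):
            continue
        # 200 means the status page was served to an untrusted client.
        key = "exposed" if m["status"] == "200" else "blocked"
        hits[m["src"]][key] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, counts in find_status_probes(SAMPLE_LOG).items():
        print(src, counts)
```

Any source with a non-zero "exposed" count received the status page without being on the trusted list, which is the condition to close by restricting access to /status.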
