Apache Tomcat is one of the most widely used servers for Java web applications in the world. It is also very common to find a Tomcat server with some configurations left by default. Among those configurations, it is surprisingly common to find that a server has the manager web application exposed, that is, the application that allows the administrator to start, stop, add, and delete applications in the server.

In this recipe, we will use a Metasploit module to perform a dictionary attack over a Tomcat server in order to obtain access to its manager application.