How to do it...

We could use Hydra or Burp Suite to attack the Tomcat server, but having alternative ways to do things in case something doesn't work as expected, and using alternative tools, should be part of the skill set of any good penetration tester. So, we will use Metasploit in this recipe:

  1. The vulnerable virtual machine vm_1 has a Tomcat server running on port 8080. Browse to http://192.168.56.11:8080/manager/html.
  2. We get a basic authentication popup requesting a username and password.
  3. Open a terminal and start the Metasploit console:
     msfconsole
  4. When it finishes starting, we need to load the proper module. Type the following at the msf> prompt:
     use auxiliary/scanner/http/tomcat_mgr_login
  5. We may want to see what parameters it uses:
     show options
  6. Now, we set our target hosts; in this case, it is only one:
     set rhosts 192.168.56.11
  7. To make it work a little faster, but not too fast, we increase the number of threads, that is, the number of requests sent in parallel:
     set threads 5
  8. Also, we don't want our server to crash due to too many requests, so we lower the brute force speed:
     set bruteforce_speed 3
  9. The remaining parameters work as they are for our case, so let's run the attack:
     run
  10. After some failed attempts, we will find a valid password, the one marked with a green [+] symbol.
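Seen from the defender's side, a run like this appears in Tomcat's access log as a burst of 401 responses on /manager/html from one address, possibly followed by a 200 that carries a user name. The detection sketch below is an added example, not code from the book; it assumes the AccessLogValve `common` pattern, and the log lines, source addresses, user names, threshold and window are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

def detect_manager_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """One finding per source with >= threshold 401s on /manager/ inside the
    window; guessed_user is filled in if an authenticated 200 follows."""
    recent = defaultdict(deque)   # source IP -> timestamps of recent 401s
    findings = {}                 # source IP -> finding
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue              # not an access-log entry
        ip, user, ts, _method, path, status = m.groups()
        if not path.startswith("/manager/"):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if status == "401":
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(
                    ip, {"ip": ip, "failures": 0, "guessed_user": None})
                f["failures"] = max(f["failures"], len(q))
        elif status == "200" and user != "-" and ip in findings:
            # A flagged source has now authenticated: credentials were found.
            if findings[ip]["guessed_user"] is None:
                findings[ip]["guessed_user"] = user
    return list(findings.values())

# Constructed sample: six failures in six seconds from one source, then a hit;
# a second source shows the normal browser flow (one 401, then a login).
REQ = '"GET /manager/html HTTP/1.1"'
SAMPLE = [f'192.168.56.10 - - [10/Oct/2023:13:55:{s:02d} +0000] {REQ} 401 2474'
          for s in range(1, 7)] + [
    f'192.168.56.10 - example_user [10/Oct/2023:13:55:08 +0000] {REQ} 200 17654',
    f'192.168.56.20 - - [10/Oct/2023:14:02:10 +0000] {REQ} 401 2474',
    f'192.168.56.20 - example_admin [10/Oct/2023:14:02:15 +0000] {REQ} 200 17654',
]

if __name__ == "__main__":
    for finding in detect_manager_bruteforce(SAMPLE):
        print(finding)
```

With `threads 5` and a lowered `bruteforce_speed` the burst is slower than a default run, so the threshold and window need tuning against normal administrator behaviour rather than against the fastest possible scan.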