How it works...

By default, Tomcat uses TCP port 8080 and has its manager application in /manager/html. That application uses basic HTTP authentication. The Metasploit auxiliary module we just used (tomcat_mgr_login) has some configuration options worth mentioning here:

  • BLANK_PASSWORDS: Adds a test with a blank password for every user tried
  • PASSWORD: Useful if we want to test a single password with multiple users or to add a specific one not included in the list
  • PASS_FILE: The password list we will use for the test
  • Proxies: If we need to go through a proxy to reach our target, or to avoid detection, this is the option we need to configure
  • RHOSTS: The host, hosts (separated by spaces), or file with hosts (file:/path/to/file/with/hosts) we want to test
  • RPORT: The TCP port in the hosts being used by Tomcat
  • STOP_ON_SUCCESS: Stop trying a host when a valid password is found for it
  • TARGETURI: Location of the manager application inside the host
  • USERNAME: Defines a specific username to test; it can be tested alone or added to the list defined in USER_FILE
  • USER_PASS_FILE: A file containing username/password combinations to be tested
  • USER_AS_PASS: Try every username in the list as its password
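
Because the manager application uses basic HTTP authentication, every rejected guess is recorded in the Tomcat access log as a 401 on /manager/html, which makes this kind of test easy to spot from the server side. The following is an added example, not code from this recipe; it assumes the access log uses the common pattern (%h %l %u %t "%r" %s %b), and the threshold and the sample log lines are constructed for illustration:

```python
import re
from collections import defaultdict

# Assumed Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
MANAGER_PREFIX = "/manager/"  # default manager location named in the text
FAIL_THRESHOLD = 5            # assumed value; tune it to your environment


def detect_manager_bruteforce(lines, threshold=FAIL_THRESHOLD):
    """Return {source: {"failures": n, "success_user": user or None}} for
    sources with at least `threshold` 401 responses on the manager app."""
    stats = defaultdict(lambda: {"failures": 0, "success_user": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["path"].startswith(MANAGER_PREFIX):
            continue
        entry = stats[m["host"]]
        if m["status"] == "401":
            entry["failures"] += 1
        elif (m["status"] == "200" and m["user"] != "-"
              and entry["failures"] >= threshold):
            # Authenticated request after a run of failures:
            # a credential was probably guessed.
            entry["success_user"] = entry["success_user"] or m["user"]
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}


# Constructed sample log (documentation-range addresses)
SAMPLE_LOG = (
    # Six rejected logins from one source, then an authenticated request
    ['192.0.2.10 - - [12/Mar/2024:10:15:%02d +0000] '
     '"GET /manager/html HTTP/1.1" 401 2473' % i for i in range(6)]
    + ['192.0.2.10 - tomcat [12/Mar/2024:10:15:06 +0000] '
       '"GET /manager/html HTTP/1.1" 200 15021',
       # Normal browser login: one 401 challenge, then success
       '198.51.100.7 - - [12/Mar/2024:10:20:00 +0000] '
       '"GET /manager/html HTTP/1.1" 401 2473',
       '198.51.100.7 - admin [12/Mar/2024:10:20:04 +0000] '
       '"GET /manager/html HTTP/1.1" 200 15021',
       # Unrelated traffic outside the manager application
       '203.0.113.5 - - [12/Mar/2024:10:21:00 +0000] '
       '"GET /index.jsp HTTP/1.1" 200 11230']
)

if __name__ == "__main__":
    for ip, s in detect_manager_bruteforce(SAMPLE_LOG).items():
        print(ip, s["failures"], "failures; success as:", s["success_user"])
```

A source that shows a success_user after many failures deserves immediate attention, since that account's password should be treated as compromised.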