By default, Tomcat listens on TCP port 8080 and serves its manager application at /manager/html. That application uses basic HTTP authentication. The Metasploit auxiliary module we just used (tomcat_mgr_login) has some configuration options worth mentioning here:
- BLANK_PASSWORDS: Adds a test with a blank password for every user tried
- PASSWORD: Useful if we want to test a single password with multiple users or to add a specific one not included in the list
- PASS_FILE: The password list we will use for the test
- Proxies: If we need to go through a proxy to reach our target, or to avoid detection, this is the option we need to configure
- RHOSTS: The host, hosts (separated by spaces), or file with hosts (file:/path/to/file/with/hosts) we want to test
- RPORT: The TCP port Tomcat is listening on in the target hosts
- STOP_ON_SUCCESS: Stop trying a host when a valid password is found for it
- TARGETURI: Location of the manager application inside the host
- USERNAME: Defines a specific username to test; it can be tested alone or added to the list defined in USER_FILE
- USER_PASS_FILE: A file containing username/password combinations to be tested
- USER_AS_PASS: Try every username in the list as its own password
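
Because the manager application answers every wrong guess with an HTTP 401, a dictionary run like this one is visible in Tomcat's access log. The following is an added example, not part of the original text, that flags sources with a burst of 401s on /manager and reports whether an authenticated 200 followed. It assumes the log uses the AccessLogValve `common` pattern; the function name, threshold, window and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: AccessLogValve "common" pattern -> %h %l %u %t "%r" %s %b
LINE = re.compile(r'(\S+) \S+ (\S+) \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample: one guessing run, then one ordinary administrator login.
SAMPLE_LOG = [
    f'192.0.2.10 - - [10/Mar/2024:10:15:{s:02d} +0000] "GET /manager/html HTTP/1.1" 401 2473'
    for s in range(1, 7)
] + [
    '192.0.2.10 - admin [10/Mar/2024:10:15:07 +0000] "GET /manager/html HTTP/1.1" 200 15234',
    '198.51.100.7 - - [10/Mar/2024:10:20:00 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '198.51.100.7 - ops [10/Mar/2024:10:20:09 +0000] "GET /manager/html HTTP/1.1" 200 15234',
]

def detect_manager_bruteforce(lines, threshold=5, window=timedelta(minutes=1),
                              prefix="/manager"):
    """Return {source_ip: {"failures": n, "success_user": user or None}} for
    sources with at least `threshold` 401s on the manager app inside `window`."""
    recent = defaultdict(list)  # ip -> timestamps of 401s still inside the window
    findings = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed format
        ip, user, ts, path, status = m.groups()
        if not path.startswith(prefix):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if status == "401":
            recent[ip] = [t for t in recent[ip] if when - t <= window] + [when]
            if len(recent[ip]) >= threshold:
                entry = findings.setdefault(ip, {"failures": 0, "success_user": None})
                entry["failures"] = max(entry["failures"], len(recent[ip]))
        elif status == "200" and user != "-" and ip in findings:
            # Authenticated request after a failure burst: a guess likely worked.
            findings[ip]["success_user"] = user
    return findings

if __name__ == "__main__":
    for ip, info in detect_manager_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A single 401 followed by a 200, as in the second source, is the normal browser challenge and response for basic authentication and is not flagged.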