Apache Tomcat, or simply Tomcat, is one of the most widely used servers for Java web applications in the world. It is also very common to find a Tomcat server with some configurations left at their defaults; among those, it is surprisingly usual to find that the web application manager is exposed. This is the application that allows the administrator to start, stop, add, and delete applications on the server.
In this recipe, we will use a Metasploit module to perform a dictionary attack against a Tomcat server in order to obtain access to its manager application.
Before we start using the Metasploit Framework, we need to start the database service. In a root terminal, run:
service postgresql start
msfconsole
At the msf > prompt, load the module, review its options, and run it:
use auxiliary/scanner/http/tomcat_mgr_login
show options
set rhosts 192.168.56.102
set threads 5
set bruteforce_speed 3
run
After a number of failed attempts, the module finds a valid password, which is the one marked with a green "[+]" symbol in the output.
By default, Tomcat uses TCP port 8080 and has its manager application at /manager/html. That application uses basic HTTP authentication. The Metasploit auxiliary module we just used (tomcat_mgr_login) has some configuration options worth mentioning here:
BLANK_PASSWORDS: Adds a test with a blank password for every user tried.
PASSWORD: Useful if we want to test a single password against multiple users, or to add a specific password not included in the list.
PASS_FILE: The password list we will use for the test.
RHOSTS: The host, hosts (separated by spaces), or file with hosts (file:/path/to/file/with/hosts) we want to test.
RPORT: The TCP port on which Tomcat is listening on the hosts.
STOP_ON_SUCCESS: Stop trying a host once a valid password is found on it.
TARGETURI: Location of the manager application inside the host.
USERNAME: Define a specific username to test; it can be tested alone or added to the list defined in USER_FILE.
USER_PASS_FILE: A file containing "username password" combinations to be tested.
USER_AS_PASS: Try every username in the list as its password.
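As an added example (not part of the original recipe), the same activity seen from the server side: because the manager uses basic HTTP authentication, every rejected guess leaves a 401 on /manager/html in Tomcat's access log, so a short parser over those lines can flag the attack and whether it eventually succeeded. The log lines below are constructed, and the threshold and window values are assumptions to tune for real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample, not from any real server: 10.0.0.5 sends six rejected
# Basic-auth guesses in 10 s and then gets in as "tomcat"; 10.0.0.7 fails twice.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.5 - - [01/Mar/2024:10:00:{s:02d} +0000] "GET /manager/html HTTP/1.1" 401 2473'
     for s in range(0, 12, 2)]
    + ['10.0.0.7 - - [01/Mar/2024:10:00:30 +0000] "GET /manager/html HTTP/1.1" 401 2473',
       '10.0.0.7 - - [01/Mar/2024:10:00:35 +0000] "GET /manager/html HTTP/1.1" 401 2473',
       '10.0.0.5 - tomcat [01/Mar/2024:10:00:14 +0000] "GET /manager/html HTTP/1.1" 200 15423']
)

def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(ts=datetime.strptime(rec["ts"], TS_FMT), status=int(rec["status"]))
    return rec

def find_manager_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"failures": n, "succeeded": bool}} for each client with at least
    `threshold` 401s on /manager/* inside some span of length `window` (assumed values)."""
    failures = defaultdict(list)
    logged_in = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/manager"):
            continue
        if rec["status"] == 401:
            failures[rec["ip"]].append(rec["ts"])
        elif rec["status"] == 200 and rec["user"] != "-":
            logged_in.add(rec["ip"])  # authenticated hit from the same client
    hits = {}
    for ip, stamps in failures.items():
        stamps.sort()
        if any(stamps[i + threshold - 1] - stamps[i] <= window  # a run of `threshold` inside `window`
               for i in range(len(stamps) - threshold + 1)):
            hits[ip] = {"failures": len(stamps), "succeeded": ip in logged_in}
    return hits
```

A client flagged with "succeeded": True is the case that needs immediate response, since the manager lets whoever holds that password deploy applications on the server.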