Complete Metasploit Guide (part-4 Bruteforcing Tomcat with msf Auxiliary)
Hello everybody and welcome back. And now let us perform another scan or another attack on our OWASP virtual machine. So, start off your Metasploit framework console. We will perform once again Nmap on this OWASP virtual machine in order to see the available services running.
we will attack the Tomcat server. But let us first run the Nmap. So 192.168.56.101 is my OWASP IP address
we will attack the Apache Tomcat funding on port 8080. Now there is an auxiliary module that is in this Metasploit framework that can be used to attack it. So here it is, and we can see on Port 8080/tcp there is Apache Tomcat running. So what we will basically do is we will actually brute force the Tomcat server.
So let us actually search for Tomcat and see what kind of available exploits and auxiliary modules we have. So, right now we are only interested in the auxiliary part.
so type
#search tomcat
So, what we want to use is
auxiliary/scanner/http/tomcat_mgr_login
Tomcat application manager log in utility. As we can see, this one doesn't have the date of when it came into the Metasploit as well. It is ranked as normal. So, let us use that one. now if you do not want to copy the module you can just type it. So, auxiliary and then tab to complete, scan, and then tab to complete, http, and then tomcat_mgr_login.
#use auxiliary/scanner/http/tomcat_mgr_login
So once you click enter on that one you can just check it with show options.
So we can see what are the available options that we have here. Now this one has even more options So let us see what we can do with this.
BLANK_PASSWORDS is false.
BRUTEFORCE_SPEED, now brute force speed we will leave on five which is max.
We can try to set threads to more so it actually goes faster.
The other options: DB_ALL_CRED, DB_ALL_PASS, DB_ALL_USERS are not required and we will not put them. Password we do not need since we want to specify the password file list and the user name file list.
As we can see by default, this auxiliary module has a PASS_FILE already listed. It is in usr/share/metasploit- framework/data/wordlists and then tomcat_mgr_default_users.txt. So this is a file containing passwords one per line.
we will attack the Tomcat server. But let us first run the Nmap. So 192.168.56.101 is my OWASP IP address
we will attack the Apache Tomcat funding on port 8080. Now there is an auxiliary module that is in this Metasploit framework that can be used to attack it. So here it is, and we can see on Port 8080/tcp there is Apache Tomcat running. So what we will basically do is we will actually brute force the Tomcat server.
So let us actually search for Tomcat and see what kind of available exploits and auxiliary modules we have. So, right now we are only interested in the auxiliary part.
so type
#search tomcat
So, what we want to use is
auxiliary/scanner/http/tomcat_mgr_login
Tomcat application manager log in utility. As we can see, this one doesn't have the date of when it came into the Metasploit as well. It is ranked as normal. So, let us use that one. now if you do not want to copy the module you can just type it. So, auxiliary and then tab to complete, scan, and then tab to complete, http, and then tomcat_mgr_login.
#use auxiliary/scanner/http/tomcat_mgr_login
So once you click enter on that one you can just check it with show options.
So we can see what are the available options that we have here. Now this one has even more options So let us see what we can do with this.
BLANK_PASSWORDS is false.
BRUTEFORCE_SPEED, now brute force speed we will leave on five which is max.
We can try to set threads to more so it actually goes faster.
The other options: DB_ALL_CRED, DB_ALL_PASS, DB_ALL_USERS are not required and we will not put them. Password we do not need since we want to specify the password file list and the user name file list.
As we can see by default, this auxiliary module has a PASS_FILE already listed. It is in usr/share/metasploit- framework/data/wordlists and then tomcat_mgr_default_users.txt. So this is a file containing passwords one per line.
we have it split in a password list and in a user list. So we will stick with this one since it is by default. I guess it has some good Tomcat default passwords and users.
Proxies we do not need.
What we do need, and what we will always need, is the RHOSTS. So we need to select the RHOSTS which is our targets IP address. So it is one 192.168.56.101, press enter.
So we selected the RPORT as 8080 unless it is running on some other port. Now since we did the Nmap scan on our OWASP virtual machine we know that it indeed is port 8080. So we will leave it on that. It is also a required thing. So these two things will always be required. You cannot perform a scan without this. So that's important to know.
The next thing SSL is not required.
Stop on success.
Now stop on the success we want to set to true since we do not need to continue brute-forcing it after we find the user name and password. So let us change that. So set STOP_ON_SUCCESS from false to true,
The next thing TARGETURI is manager/html, which is good. So this is a good path, but let's just check. So if we go to the browser, this is basically the path to the login page of the Tomcat server. We go right here and we go to 192.168.56.101. We need to specify the port since Tomcat is running on port 8080, and then we go manager/html
Let's see. Yeah, of course, it does prompt us with a user name and password. So basically what we are brute-forcing Is this right here. Once we find the user name and password for this we will be able to change the settings on the Tomcat server, web server. So let us close this for now. we got the error 401 unauthorized since we didn't specify the user name and password. But, that is soon about to change, hopefully, if we find the correct user name and the correct password.
The next thing that we need is verbose which is set to true.
So everything is set.
And now what we want to do is click here run or exploit. So you can use both of those words and just press your enter.
We can see it goes relatively fast. It actually went faster than I thought. we did find the user name and password as we can see a plus sign right here.
It says login successful, root and owaspbwa. Root is the user name and password is owaspbwa, which we will soon check. But let me just try to run this, it went too fast.
And now let's actually use this username and this password to log in to the webserver. So we reload this page. It will ask us for the user name which is the root, and the password which is owaspbwa. We press here OK, and we can see that we successfully logged into Tomcat web application manager, where we can now change all of these settings if we want to. And this shouldn't be available to us at all as a user of the website. So that'll be about it for this attack. We covered the Tomcat auxiliary module.
We used scanner/http/tomcat_mgr_login, which we used to brute force the Tomcat on port 8080, and we successfully did it. So that would be it for this tutorial. In the next tutorials we will start off with some of the exploit modules and we will try to exploit some of the more advanced things, such as PHP injection, command injection, we want to get the Meterpreter shell back. So that would be about it for this tutorial and I hope I see you in the next one.
Happy Hacking..
