Attacking Tomcat's passwords with Metasploit
Apache Tomcat, or simply Tomcat, is one of the most widely used servers for Java web applications in the world. It is also very common to find a Tomcat server with some configurations left at their defaults. Among those default configurations, it is surprisingly common to find that a server has the web application manager exposed; this is the application that allows the administrator to start, stop, add, and delete applications in the server.
In this recipe, we will use a Metasploit module to perform a dictionary attack over a Tomcat server in order to obtain access to its manager application.
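Seen from the server side, the dictionary attack this recipe performs appears in Tomcat's access log as a burst of 401 responses on the manager path. The following Python check is an added example, not part of the original recipe; it assumes the AccessLogValve "common" log pattern and the /manager path, and the log lines, addresses, threshold, and function name are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: Tomcat AccessLogValve "common" pattern -> %h %l %u %t "%r" %s %b
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

def find_manager_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold 401s on /manager inside a sliding window.
    Returns {ip: {"failures": n, "success_after": bool}}."""
    failures = defaultdict(list)
    flagged = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"]
        if not (path == "/manager" or path.startswith("/manager/")):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, status = m["ip"], m["status"]
        if status == "401":
            # keep only failures still inside the window, then add this one
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "success_after": False})
                entry["failures"] = max(entry["failures"], len(failures[ip]))
        elif status == "200" and ip in flagged:
            # a success right after a failure burst deserves immediate review
            flagged[ip]["success_after"] = True
    return flagged

# Constructed sample log: one normal admin login, one burst of failed logins
SAMPLE = [
    '198.51.100.20 - - [10/Mar/2024:09:58:00 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '198.51.100.20 - user1 [10/Mar/2024:09:58:05 +0000] "GET /manager/html HTTP/1.1" 200 17250',
] + [
    f'203.0.113.7 - - [10/Mar/2024:10:00:{s:02d} +0000] "GET /manager/html HTTP/1.1" 401 2473'
    for s in range(1, 7)
] + [
    '203.0.113.7 - user2 [10/Mar/2024:10:00:07 +0000] "GET /manager/html HTTP/1.1" 200 17250',
    '203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "GET /index.jsp HTTP/1.1" 200 11230',
]

if __name__ == "__main__":
    for ip, info in find_manager_bruteforce(SAMPLE).items():
        print(ip, info)
```

A single 401 followed by a 200 is what a browser produces during a normal login, which is why the check counts failures inside a time window instead of alerting on every 401.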
Getting ready
Before we start using the Metasploit Framework, we will need to start the database service. In a root terminal, run:
service postgresql start
How to do it...
Start the Metasploit console:
msfconsole
When it starts, we need to load the proper module. Type the following in the msf> prompt:
use auxiliary/scanner/http/tomcat_mgr_login
We may want to see what parameter...