Metasploitable Tomcat
In this recipe, we will explore how to use Metasploit to attack a Tomcat server using the Tomcat Manager Login module. Tomcat, or Apache Tomcat, is an open source web server and servlet container used to run Java Servlets and JavaServer Pages (JSP). The Tomcat server is written in pure Java. We will use Metasploit to brute force a Tomcat login.
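From the defender's side, a dictionary attack on the Manager login like the one in this recipe leaves a run of 401 responses in Tomcat's access log. The following is an added example, not part of the original recipe, that flags that pattern; the log layout (AccessLogValve "common" pattern), the threshold and window values, and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout: Tomcat AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b)
LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

def find_manager_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {source: peak count} for sources that collect at least
    `threshold` 401 responses on /manager/ paths inside a sliding window."""
    recent = defaultdict(deque)   # source address -> timestamps of recent 401s
    peaks = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["status"] != "401" or not m["path"].startswith("/manager/"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["host"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["host"]] = max(peaks.get(m["host"], 0), len(q))
    return peaks

def manager_logins_from(lines, flagged):
    """Return (source, user) for every 200 on /manager/ from a flagged source:
    a sign that one of the guessed passwords worked."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if (m and m["host"] in flagged and m["status"] == "200"
                and m["path"].startswith("/manager/")):
            hits.append((m["host"], m["user"]))
    return hits

# Constructed sample input (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    f'192.0.2.10 - - [10/Mar/2024:10:00:{s:02d} +0000] "GET /manager/html HTTP/1.1" 401 2473'
    for s in range(6)
] + [
    '192.0.2.10 - tomcat [10/Mar/2024:10:00:06 +0000] "GET /manager/html HTTP/1.1" 200 17654',
    '198.51.100.7 - - [10/Mar/2024:10:05:00 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '198.51.100.7 - admin [10/Mar/2024:10:05:09 +0000] "GET /manager/html HTTP/1.1" 200 17654',
]
```

A single mistyped password (the second source in the sample) stays below the threshold, while the burst of failures followed by a 200 is reported together with the account name that was finally accepted.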
Getting ready
The following requirements need to be fulfilled:
- A connection to the internal network
- Metasploitable running in our hacking lab
- A wordlist to perform the dictionary attack
How to do it...
Let's begin the recipe by opening a terminal window:
1. Open a command prompt.
2. Launch the MSFCONSOLE:
       msfconsole
3. Search for all the available Tomcat modules:
       search tomcat
4. Use the Tomcat Application Manager Login Utility:
       use auxiliary/scanner/http/tomcat_mgr_login
5. Show the available options of the module:
       show options
   Note: Notice that we have a lot of items that are set to yes and are required. We will utilize their defaults.
6. Set Pass_File...