Tomcat Application Manager Login Utility
This module attempts to log in to a Tomcat Application Manager instance using a specific username and password.
Rank
- Normal
Authors
- MC < mc [at] metasploit.com >
- Matteo Cantoni < goony [at] nothink.org >
- jduck < jduck [at] metasploit.com >
Vulnerability References
- CVE-2009-3843
- OSVDB-60317
- BID-37086
- CVE-2009-4189
- OSVDB-60670
- http://www.harmonysecurity.com/blog/2009/11/hp-operations-manager-backdoor-ac...
- http://www.zerodayinitiative.com/advisories/ZDI-09-085/
- CVE-2009-4188
- BID-38084
- CVE-2010-0557
- http://www-01.ibm.com/support/docview.wss?uid=swg21419179
- CVE-2010-4094
- http://www.zerodayinitiative.com/advisories/ZDI-10-214/
- CVE-2009-3548
- OSVDB-60176
- BID-36954
- http://tomcat.apache.org/
- CVE-1999-0502
Similar Modules
- auxiliary/scanner/http/adobe_xml_inject
- auxiliary/scanner/http/apache_userdir_enum
- auxiliary/scanner/http/axis_local_file_include
- auxiliary/scanner/http/axis_login
- auxiliary/scanner/http/backup_file
- auxiliary/scanner/http/barracuda_directory_traversal
- auxiliary/scanner/http/blind_sql_query
- auxiliary/scanner/http/brute_dirs
- auxiliary/scanner/http/cert
- auxiliary/scanner/http/cisco_device_manager
Usage Information
$ msfconsole
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set RHOSTS [TARGET HOST RANGE]
msf auxiliary(tomcat_mgr_login) > run
Module Options
| BLANK_PASSWORDS | Try blank passwords for all users (default: true) |
| BRUTEFORCE_SPEED | How fast to bruteforce, from 0 to 5 (default: 5) |
| PASSWORD | A specific password to authenticate with |
| PASS_FILE | File containing passwords, one per line (default: /home/svn/jobs/msf3/data/wordlists/tomcat_mgr_default_pass.txt) |
| Proxies | Use a proxy chain |
| RHOSTS | The target address range or CIDR identifier |
| RPORT | The target port (default: 8080) |
| STOP_ON_SUCCESS | Stop guessing when a credential works for a host |
| THREADS | The number of concurrent threads (default: 1) |
| URI | URI for Manager login (default: /manager/html) |
| USERNAME | A specific username to authenticate as |
| USERPASS_FILE | File containing users and passwords separated by space, one pair per line (default: /home/svn/jobs/msf3/data/wordlists/tomcat_mgr_default_userpass.txt) |
| USER_AS_PASS | Try the username as the password for all users (default: true) |
| USER_FILE | File containing users, one per line (default: /home/svn/jobs/msf3/data/wordlists/tomcat_mgr_default_users.txt) |
| VERBOSE | Whether to print output for all attempts (default: true) |
| VHOST | HTTP server virtual host |
| BasicAuthPass | The HTTP password to specify for basic authentication |
| BasicAuthUser | The HTTP username to specify for basic authentication |
| DOMAIN | The domain to use for Windows authentication |
| DigestAuthIIS | Conform to IIS, should work for most servers. Only set to false for non-IIS servers |
| DigestAuthPassword | The HTTP password to specify for digest authentication |
| DigestAuthUser | The HTTP username to specify for digest authentication |
| FingerprintCheck | Conduct a pre-exploit fingerprint verification |
| MaxGuessesPerService | Maximum number of credentials to try per service instance. If set to zero or a non-number, this option will not be used. |
| MaxGuessesPerUser | Maximum guesses for a particular username for the service instance. Note that users are considered unique among different services, so a user at 10.1.1.1:22 is different from one at 10.2.2.2:22, and both will be tried up to the MaxGuessesPerUser limit. If set to zero or a non-number, this option will not be used. |
| MaxMinutesPerService | Maximum time in minutes to bruteforce the service instance. If set to zero or a non-number, this option will not be used. |
| NTLM::SendLM | Always send the LANMAN response (except when NTLMv2_session is specified) |
| NTLM::SendNTLM | Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses |
| NTLM::SendSPN | Send an AVP of type SPN in the NTLMv2 client blob; this allows authentication on Windows 7/2008 R2 when an SPN is required |
| NTLM::UseLMKey | Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent |
| NTLM::UseNTLM2_session | Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session |
| NTLM::UseNTLMv2 | Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true |
| REMOVE_PASS_FILE | Automatically delete the PASS_FILE on module completion |
| REMOVE_USERPASS_FILE | Automatically delete the USERPASS_FILE on module completion |
| REMOVE_USER_FILE | Automatically delete the USER_FILE on module completion |
| SSL | Negotiate SSL for outgoing connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
| ShowProgress | Display progress messages during a scan |
| ShowProgressPercent | The interval in percent that progress should be shown |
| UserAgent | The User-Agent header to use for all requests |
| WORKSPACE | Specify the workspace for this module |
| HTTP::header_folding | Enable folding of HTTP headers |
| HTTP::method_random_case | Use random casing for the HTTP method |
| HTTP::method_random_invalid | Use a random, invalid HTTP method for the request |
| HTTP::method_random_valid | Use a random, but valid, HTTP method for the request |
| HTTP::pad_fake_headers | Insert random, fake headers into the HTTP request |
| HTTP::pad_fake_headers_count | How many fake headers to insert into the HTTP request |
| HTTP::pad_get_params | Insert random, fake query string variables into the request |
| HTTP::pad_get_params_count | How many fake query string variables to insert into the request |
| HTTP::pad_method_uri_count | How many whitespace characters to use between the method and uri |
| HTTP::pad_method_uri_type | What type of whitespace to use between the method and uri (accepted: space, tab, apache) |
| HTTP::pad_post_params | Insert random, fake post variables into the request |
| HTTP::pad_post_params_count | How many fake post variables to insert into the request |
| HTTP::pad_uri_version_count | How many whitespace characters to use between the uri and version |
| HTTP::pad_uri_version_type | What type of whitespace to use between the uri and version (accepted: space, tab, apache) |
| HTTP::uri_dir_fake_relative | Insert fake relative directories into the uri |
| HTTP::uri_dir_self_reference | Insert self-referential directories into the uri |
| HTTP::uri_encode_mode | Enable URI encoding (accepted: none, hex-normal, hex-all, hex-random, u-normal, u-all, u-random) |
| HTTP::uri_fake_end | Add a fake end of URI (eg: /%20HTTP/1.0/../../) |
| HTTP::uri_fake_params_start | Add a fake start of params to the URI (eg: /%3fa=b/../) |
| HTTP::uri_full_url | Use the full URL for all HTTP requests |
| HTTP::uri_use_backslashes | Use back slashes instead of forward slashes in the uri |
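
Detection side of the login attempts described above, as an added example that is not part of the module or of Metasploit: it scans Tomcat access-log lines for repeated 401 responses under the Manager URI and reports a 200 with an authenticated user that follows them. It assumes the AccessLogValve "common" pattern (`%h %l %u %t "%r" %s %b`); the function name, threshold and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

def detect_manager_guessing(lines, prefix="/manager/", threshold=5):
    """Report clients with at least `threshold` 401s under `prefix`.

    Returns {ip: {"failures": n, "success_after_failures": user or None}}.
    A user is recorded only for a 200 that arrives once the client has
    already reached the failure threshold, i.e. a guess that worked.
    """
    failures = defaultdict(int)
    success = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m or not m["path"].startswith(prefix):
            continue  # unparseable line or not a Manager request
        ip, status = m["ip"], m["status"]
        if status == "401":
            failures[ip] += 1
        elif status == "200" and m["user"] != "-" and failures[ip] >= threshold:
            success.setdefault(ip, m["user"])  # keep the first working login
    return {
        ip: {"failures": n, "success_after_failures": success.get(ip)}
        for ip, n in failures.items() if n >= threshold
    }

# Constructed sample input: six failed attempts followed by a success from one
# address, one ordinary browser login (single 401 challenge), unrelated traffic.
SAMPLE_LOG = [
    f'198.51.100.7 - - [10/Mar/2024:10:00:{s:02d} +0000] "GET /manager/html HTTP/1.1" 401 2473'
    for s in range(6)
] + [
    '198.51.100.7 - svc_deploy [10/Mar/2024:10:00:06 +0000] "GET /manager/html HTTP/1.1" 200 14321',
    '192.0.2.10 - - [10/Mar/2024:10:05:00 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '192.0.2.10 - admin_user [10/Mar/2024:10:05:04 +0000] "GET /manager/html HTTP/1.1" 200 14321',
    '203.0.113.5 - - [10/Mar/2024:10:06:00 +0000] "GET /index.jsp HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, info in detect_manager_guessing(SAMPLE_LOG).items():
        print(ip, info)
```

A hit with a non-empty `success_after_failures` means the account's password should be rotated and deployed applications reviewed. Tomcat's `LockOutRealm` and a `RemoteAddrValve` on the Manager context limit how many guesses reach the application at all.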
