Enumeration

Topics

1. Lab Setup & Configuration

2. Enumeration

3. Exploitation

4. Mitigation & Hardening

Enumeration

After completing the setup, begin the enumeration phase.

On Kali Linux, use netdiscover to identify machines in the network:

sudo netdiscover

After identifying the victim machine's IP address, perform further enumeration using Nmap:

nmap -sV <tomcat_target_ip> -p 8080

It usually runs on port 8080

Common Tomcat error:

Version Identification

To find the version of Apache Tomcat, a simple command can be executed:

Copy

curl -s http://<tomcat_target_ip>:8080/docs/ | grep Tomcat 

This will search for the term "Tomcat" in the documentation index page, revealing the version in the title tag of the HTML response.

Default Credentials

The /manager/html directory is highly sensitive, as it allows WAR file uploads for potential code execution. Common credentials to test include:

• admin:admin

• tomcat:tomcat

• admin:

• admin:s3cr3t

• tomcat:s3cr3t

• admin:tomcat

You can test these using:

msf> use auxiliary/scanner/http/tomcat_mgr_login

Another directory to monitor is /manager/status, which reveals the Tomcat and OS version, aiding in vulnerability assessment.

Brute Force Attacks

To brute force the /manager/html directory, use tools like Hydra:

hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f <tomcat_target_ip> http-get /manager/html