# Enumeration

#### Topics

> 1. [Lab Setup & Configuration](https://dev-angelist.gitbook.io/home/common-services-pentest/web-services-80-443-8080/tomcat/lab-setup-and-configuration)
> 2. [Enumeration](https://dev-angelist.gitbook.io/home/common-services-pentest/web-services-80-443-8080/tomcat/enumeration)
> 3. [Exploitation](https://dev-angelist.gitbook.io/home/common-services-pentest/web-services-80-443-8080/tomcat/exploitation)
> 4. [Mitigation & Hardening](https://dev-angelist.gitbook.io/home/common-services-pentest/web-services-80-443-8080/tomcat/mitigation-and-hardening)

## Enumeration

After completing the setup, begin the enumeration phase.

On Kali Linux, use `netdiscover` to identify machines in the network:

```bash
sudo netdiscover
```

After identifying the victim machine's IP address, perform further enumeration using Nmap:

```bash
nmap -sV <tomcat_target_ip> -p 8080
```

Tomcat usually listens on **port 8080**.

**Common Tomcat error:**

<figure><img src="https://book.hacktricks.xyz/~gitbook/image?url=https%3A%2F%2F129538173-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-L_2uGJGU7AVNRcqRvEi%252Fuploads%252FUqp1zgDQYp4IVVf3LIt2%252Fimage.png%3Falt%3Dmedia%26token%3D87cf63e6-12c4-4b91-9285-6060f1c14011&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=3045e0b4&#x26;sv=2" alt=""><figcaption></figcaption></figure>

## **Version Identification**

To find the version of Apache Tomcat, a simple command can be executed:

```bash
curl -s http://<tomcat_target_ip>:8080/docs/ | grep Tomcat
```

This will search for the term "Tomcat" in the documentation index page, revealing the version in the title tag of the HTML response.

## **Default Credentials**

The **/manager/html** directory is highly sensitive, as it allows WAR file uploads for potential code execution. Common credentials to test include:

* `admin:admin`
* `tomcat:tomcat`
* `admin:`
* `admin:s3cr3t`
* `tomcat:s3cr3t`
* `admin:tomcat`

You can test these using:

```bash
msf> use auxiliary/scanner/http/tomcat_mgr_login
```

Another directory to monitor is **/manager/status**, which reveals the Tomcat and OS version, aiding in vulnerability assessment.

## **Brute Force Attacks**

To brute force the **/manager/html** directory, use tools like Hydra:

```bash
hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f <tomcat_target_ip> http-get /manager/html
```
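
From the defending side, both the default-credential check and the Hydra run above appear in Tomcat's access log as a burst of `401` responses on `/manager/html` from a single source. The following is an added example, not part of the original page, that flags that pattern. It assumes the AccessLogValve common pattern `%h %l %u %t "%r" %s %b`; the function name, threshold, window and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern (assumed): %h %l %u %t "%r" %s %b
LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

def detect_manager_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert on >= threshold 401s for /manager/ paths from one source inside
    the window, and on a later 200 from a source that already alerted."""
    recent = defaultdict(deque)  # host -> timestamps of its recent 401s
    alerted, alerts = set(), []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or not m["path"].startswith("/manager/"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["host"]]
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if m["status"] == "401":
            q.append(ts)
            if len(q) >= threshold and m["host"] not in alerted:
                alerted.add(m["host"])
                alerts.append(("burst", m["host"], None))
        elif m["status"] == "200" and m["host"] in alerted:
            # Authenticated request right after a guessing burst: review account.
            alerts.append(("login_after_burst", m["host"], m["user"]))
    return alerts

# Constructed sample: one admin login (a single 401 challenge, then 200)
# and one source guessing credentials until a pair is accepted.
SAMPLE = '''\
192.0.2.10 - - [12/Mar/2024:10:00:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.10 - admin [12/Mar/2024:10:00:05 +0000] "GET /manager/html HTTP/1.1" 200 17402
198.51.100.23 - - [12/Mar/2024:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.23 - - [12/Mar/2024:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.23 - - [12/Mar/2024:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.23 - - [12/Mar/2024:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.23 - - [12/Mar/2024:10:15:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.23 - tomcat [12/Mar/2024:10:15:04 +0000] "GET /manager/html HTTP/1.1" 200 17402
'''

if __name__ == "__main__":
    for alert in detect_manager_guessing(SAMPLE.splitlines()):
        print(alert)
```

A single `401` followed by a `200` is normal browser behaviour for HTTP Basic authentication, which is why the administrator's login in the sample does not alert.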

