infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add correct doc for tomcat_mgr_login

bug/bundler_fix
wchen-r7 2016-03-07 15:41:03 -06:00
parent c2f99b559c
commit 26b64a0702
1 changed files with 51 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
documentation/modules/auxiliary/scanner/http/tomcat_mgr_login.md Normal file
View File

@ -0,0 +1,51 @@
The auxiliary/scanner/http/tomcat_mgr_login works for Tomcat versions that uses HTTP
authentication.
Please note that for Tomcat 7 or newer, the roles required to use the manager application were
changed from the single manager role to the following four roles:
* manager-gui - allows access to the HTML GUI and the status pages.
* manager-script - allows access to the text interface and the status pages.
* manager-jmx - allows access to the JMX and the status pages.
* manager-status - allows access to the status pages only.
Older versions of Tomcat came with default passwords enabled by default. For example:
**Tomcat 4**
```
| Username | Password | Role |
| -------- | -------- | ------------- |
| tomcat | tomcat | tomcat |
| role1 | tomcat | role1 |
| both | tomcat | tomcat, role1 |
```
**Tomcat 5**
Same as Tomcat 4
Newer Tomcat versions have these passwords commented out.
If you are using the default Metasploit credential lists, these usernames and passwords are already
loaded.
## Vulnerable Application
---
To download the vulnerable application, you can find it here:
https://tomcat.apache.org/whichversion.html
## Verification Steps
---
Please see Overview for usage.
1. Do: ```auxiliary/scanner/http/tomcat_mgr_login```
2. Do: ```set RHOSTS [IP]```
3. Set TARGETURI if necessary.
4. Do: ```run```