Warning / disclaimer
This post does not promote or encourage any illegal activities. All content provided in this post is meant for educational purposes.
Hello everybody and welcome back. Now let us perform another scan, or rather another attack, on our virtual machine. So, start off your Metasploit framework console.
Starting Metasploit framework
We will once again run nmap against this OWASP virtual machine in order to see which services are running, and then we will choose which one to attack. In this tutorial I have already chosen: we will attack the Tomcat server.
But let us first run the scan itself. So nmap 192.168.1.2, and this should finish in a few seconds. We will attack the Tomcat running on port 8080, and there is an auxiliary module in the Metasploit framework that can be used to attack it. So let's let this finish. Here it is, and we can see that on port 8080/tcp there is Apache Tomcat running.
Apache Tomcat
So what we will basically do is brute force the Tomcat server login. Let us search for Tomcat and see what exploits and auxiliary modules are available. Right now we are only interested in the auxiliary part. So, what we want to use is, let me just find it, I believe it is this one: auxiliary/scanner/http/tomcat_mgr_login, the Tomcat Application Manager Login Utility.
As we can see, this one does not have a disclosure date listed in Metasploit, and it is ranked as normal. So let us use that one. Now, if you do not want to copy the module path you can just type it: use auxiliary and then tab to complete, scanner and then tab to complete, http and then tomcat_mgr_login. Once you press enter on that one, you can check it with show options.
Now we can see the available options. This module has even more options than the previous two scans we did in the previous video, so let us see what we can do with them. BLANK_PASSWORDS is false. BRUTEFORCE_SPEED we will leave on five, or let's actually try to raise it to see if it goes faster: set BRUTEFORCE_SPEED 8. It is actually a range from zero to five, I just noticed, so we cannot set it to eight. But we can set THREADS higher so that it actually goes faster.
So we set the brute force speed back to five, since five is the maximum. The other options, DB_ALL_CREDS, DB_ALL_PASS and DB_ALL_USERS, are not required and we will not set them. PASSWORD we do not need either, since we want to specify a password file and a user name file.
As we can see, this auxiliary module already has a PASS_FILE set by default. It is in /usr/share/metasploit-framework/data/wordlists/ and is called tomcat_mgr_default_users.txt. This is a file containing passwords, one per line. It is not like the previous video, where we had user names and passwords in the same list; here it is split into a password list and a user list. We will stick with the default, since I guess it has some good Tomcat default passwords and users. PROXIES we do not need. What we do need, and will always need, is RHOSTS, which is our target's IP address. So set RHOSTS 192.168.1.2,
press enter. RPORT is 8080, unless Tomcat is running on some other port. Since we did the nmap scan on our OWASP virtual machine we know that it is indeed port 8080, so we leave it. It is also required. These two things, RHOSTS and RPORT, will always be required; you cannot perform the scan without them, so that's important to know. SSL is not required. STOP_ON_SUCCESS we want to set to true, since we do not need to continue brute forcing after we find the user name and password. So set STOP_ON_SUCCESS true, and it is set as well. Next, TARGETURI is manager/html, which is good. This is the path to the login page of the Tomcat server, I believe. Let me just check in Firefox.
We go to 192.168.1.2, specifying the port since Tomcat is running on 8080, and then manager/html. Yes, of course, it prompts us for a user name and password. So this login right here is what we are brute forcing. Once we find the user name and password for it we will be able to change the settings on the Tomcat web server. Let us close this for now. You can see we got the error 401 Unauthorized, since we did not specify a user name and password. But that is soon about to change, hopefully, if we find the correct user name and password.
So did we set STOP_ON_SUCCESS to true? We did. The next thing is VERBOSE, which is set to true; that is good. USER_FILE we also have; as it says, it is a file containing users, one per line. So let us first clear the screen, then type show options once again to double check that we set everything as we need. Everything is set, and now we run it: type run or exploit, either word works, and press enter. We can see it goes relatively fast. It actually went faster than I thought. So let me see.
Did we even set the number of threads higher? We didn't. So let's actually try that. First of all, we did find the user name and password, as we can see from the plus sign right here. It says login successful: root and owaspbwa. Root is the user name and owaspbwa is the password, which we will soon check. But let me just try to run this again, it went too fast.
So set THREADS 5, for example, and let's try to run it once again. Well, it goes at the same speed, okay. It doesn't really matter. What matters is that we successfully brute forced the Tomcat login. Now let's use this user name and password to log in to the web server. We reload the page, it asks for the user name, which is root, and the password, which is owaspbwa. We press OK, and we can see that we have successfully logged into the Tomcat Web Application Manager, where we can now change all of these settings if we want to. This should not be available to us at all as a user of the website. So that'll be about it for this attack.
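As an added defender-side example (not part of the original tutorial), here is a small Python detector that reads Tomcat access-log lines in the default AccessLogValve pattern and flags a client that piles up 401 responses on /manager/html, the exact trace the brute force above leaves in the server log, and notes whether a 200 from the same client followed. The log lines, client addresses and timestamps are constructed for this example; the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Tomcat's default AccessLogValve pattern; addresses and times are made up.
SAMPLE_LOG = """\
192.168.1.10 - - [10/Oct/2023:14:02:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.10 - - [10/Oct/2023:14:02:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.10 - - [10/Oct/2023:14:02:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.10 - root [10/Oct/2023:14:02:03 +0000] "GET /manager/html HTTP/1.1" 200 19304
192.168.1.50 - admin [10/Oct/2023:14:05:09 +0000] "GET /manager/html HTTP/1.1" 200 19304
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)  # returns None for lines that are not access-log records
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def detect_manager_bruteforce(log_text, threshold=3, window_seconds=60,
                              path_prefix="/manager/"):
    """Flag IPs with >= threshold 401s on the manager path within window_seconds, and
    note whether a 200 from the same IP followed (a guessed credential worked)."""
    failures = defaultdict(list)   # ip -> timestamps of recent 401s
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(path_prefix):
            continue
        ip = rec["ip"]
        if rec["status"] == 401:
            # Slide the window: keep only failures within window_seconds of this one.
            failures[ip] = [t for t in failures[ip]
                            if (rec["ts"] - t).total_seconds() <= window_seconds]
            failures[ip].append(rec["ts"])
            if len(failures[ip]) >= threshold:
                alerts.setdefault(ip, {"success_after": False, "user": None})
                alerts[ip]["failures"] = len(failures[ip])
        elif rec["status"] == 200 and ip in alerts:
            alerts[ip]["success_after"] = True
            alerts[ip]["user"] = rec["user"]
    return alerts
```

A burst of 401s followed by a 200 on the manager path is the condition worth alerting on first, since it means a guess worked; in the sample it is the root login from 192.168.1.10.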
We covered the Tomcat auxiliary module, scanner/http/tomcat_mgr_login, which we used to brute force the Tomcat manager login on port 8080, and we successfully did it. So that would be it for this tutorial. In the next tutorials we will start off with some of the exploit modules and try to exploit some more advanced things, such as PHP injection and command injection, where we want to get a Meterpreter shell back.
We will also, at the end, start exploiting the Windows host machine. So that would be about it for this tutorial, and I hope I see you in the next one. Bye!

