1
00:00:00,180 --> 00:00:02,150
Hello everybody and welcome back.

2
00:00:02,160 --> 00:00:07,320
And now let us perform another scan, or another attack, on our OWASP virtual machine.

3
00:00:07,740 --> 00:00:14,720
So, start off your Metasploit framework console. We will perform once again

4
00:00:14,720 --> 00:00:17,170
nmap on this framework,

5
00:00:17,180 --> 00:00:21,840
oh pardon me, on this OWASP virtual machine in order to see the available services running.

6
00:00:21,890 --> 00:00:24,530
So, then we will choose which one

7
00:00:24,740 --> 00:00:25,820
we will attack.

8
00:00:25,820 --> 00:00:28,860
Now in this tutorial I already chose,

9
00:00:28,870 --> 00:00:33,730
so we will attack the Tomcat server. But let us first run the attack itself.

10
00:00:33,740 --> 00:00:43,480
So 192.168.1.2, and this should finish in a few seconds, and we will attack the Tomcat running

11
00:00:43,490 --> 00:00:47,240
on port 8080.

12
00:00:47,280 --> 00:00:53,220
Now there is an auxiliary module in this Metasploit framework that can be used to attack it.

13
00:00:53,220 --> 00:00:55,350
So let's let this finish.

14
00:00:55,350 --> 00:01:03,470
So here it is, and we can see on port 8080/tcp there is Apache Tomcat running.

15
00:01:03,490 --> 00:01:09,330
So what we will basically do is we will actually brute force the Tomcat server.

16
00:01:09,400 --> 00:01:18,370
So let us actually search for Tomcat and see what kind of available exploits and auxiliary modules

17
00:01:18,400 --> 00:01:18,940
we have.

18
00:01:19,270 --> 00:01:23,770
So, right now we are only interested in the auxiliary part.

19
00:01:23,860 --> 00:01:25,680
So, what we want to use is,

20
00:01:25,690 --> 00:01:26,680
let me just find it.

21
00:01:26,680 --> 00:01:28,570
I believe it is this one.

22
00:01:28,570 --> 00:01:36,610
So it is auxiliary/scanner/http/tomcat_mgr_login, Tomcat Application Manager Login Utility.

23
00:01:36,610 --> 00:01:44,320
So I believe it is this one. As we can see, this one doesn't have the date of when it came into

24
00:01:44,320 --> 00:01:45,670
Metasploit as well.

25
00:01:45,670 --> 00:01:47,620
It is ranked as normal.

26
00:01:47,680 --> 00:01:49,540
So, let us use that one.

27
00:01:49,540 --> 00:01:58,120
So we use... now if you do not want to copy the module you can just type it. So, auxiliary and then tab to complete,

28
00:01:58,540 --> 00:02:04:900
scan and then tab to complete, http and then tomcat_mgr_login.

29
00:02:05,560 --> 00:02:11,110
So once you press enter on that one you can just check it with show options.

30
00:02:11,110 --> 00:02:22,690
So we can see what the available options are that we have here. Now this one has even more options than

31
00:02:22,690 --> 00:02:27,350
the previous two attacks, or two scans, that we did in the previous video.

32
00:02:27,400 --> 00:02:31,650
So let us see what we can do with this. BLANK_PASSWORDS is false.

33
00:02:31,650 --> 00:02:33,640
BRUTEFORCE_SPEED,

34
00:02:33,650 --> 00:02:39,340
now brute force speed we will leave on five, or let's actually try to enlarge it to see if it can actually

35
00:02:39,340 --> 00:02:51,880
go faster. So, set BRUTEFORCE_SPEED, and let's set it to 8.

36
00:02:51,950 --> 00:02:58,420
It is actually from zero to five, I just noticed, so we cannot set that to eight. But we can try to set

37
00:02:58,420 --> 00:03:04,910
threads to more so it actually goes faster. So we will set brute force speed back to five since five is the

38
00:03:04,910 --> 00:03:08,010
maximum that it can go. The other options:

39
00:03:08,020 --> 00:03:09,610
DB_ALL_CREDS, DB_ALL_PASS,

40
00:03:09,640 --> 00:03:13,690
DB_ALL_USERS are not required and we will not set them. PASSWORD

41
00:03:13,700 --> 00:03:20,480
we do not need since we want to specify the password file list and the user name file list. As we can

42
00:03:20,480 --> 00:03:21,980
see, by default,

43
00:03:21,980 --> 00:03:28,380
this auxiliary module has a PASS_FILE already listed. It is in /usr/share/metasploit-

44
00:03:28,450 --> 00:03:33,740
framework/data/wordlists and then tomcat_mgr_default_users.txt.

45
00:03:33,890 --> 00:03:37,070
So this is a file containing passwords, one per line.

46
00:03:37,070 --> 00:03:42,070
It is not like in the previous video, where we had usernames and passwords in the same list.

47
00:03:42,110 --> 00:03:46,370
Here we have it split into a password list and a user list.

48
00:03:46,550 --> 00:03:50,210
So we will stick with this one since it is the default.

49
00:03:50,360 --> 00:03:55,250
I guess it has some good Tomcat default passwords and users. PROXIES

50
00:03:55,250 --> 00:03:59,750
we do not need. What we do need, and what we will always need, is the RHOSTS.

51
00:03:59,750 --> 00:04:03,890
So we need to set the RHOSTS, which is our target's IP address.

52
00:04:04,490 --> 00:04:14,570
So it is 192.168.1.2, press enter. So we set that. The RPORT is 8080 unless it

53
00:04:14,570 --> 00:04:15,950
is running on some other port.

54
00:04:15,950 --> 00:04:24,830
Now since we did the nmap scan on our OWASP virtual machine we know that it indeed is port 8080. So we

55
00:04:24,830 --> 00:04:26,570
will leave it on that.

56
00:04:26,720 --> 00:04:28,010
It is also a required thing.

57
00:04:28,010 --> 00:04:33,540
So these two things will always be required. You cannot perform a scan without them.

58
00:04:34,280 --> 00:04:36,100
So that's important to know.

59
00:04:36,110 --> 00:04:40,370
The next thing, SSL, is not required. Stop on success.

60
00:04:40,370 --> 00:04:47,810
Now stop on success we want to set to true since we do not need to continue brute forcing it after we

61
00:04:47,810 --> 00:04:49,670
find the user name and password.

62
00:04:49,670 --> 00:04:58,070
So let us change that. So set STOP_ON_SUCCESS from false to true, and it is set as well.

63
00:04:58,070 --> 00:05:03,930
The next thing, TARGETURI, is manager/html, which is good.

64
00:05:04,310 --> 00:05:07,090
So this is a good path, I believe.

65
00:05:07,100 --> 00:05:07,930
Let me just check.

66
00:05:07,960 --> 00:05:17,810
So if we go to Firefox, this is basically the path to the login page of the Tomcat server. We go right

67
00:05:17,810 --> 00:05:26,300
here and we go to 192.168.1.2. We need to specify the port

68
00:05:26,300 --> 00:05:33,580
since Tomcat is running on port 8080, and then we go manager/html.

69
00:05:34,130 --> 00:05:34,830
Let's see.

70
00:05:35,060 --> 00:05:37,820
Yeah, of course, it does prompt us with a user name and password.

71
00:05:37,820 --> 00:05:40,820
So basically what we are brute forcing is this right here.

72
00:05:40,820 --> 00:05:45,910
Once we find the user name and password for this we will be able to change the settings on

73
00:05:45,920 --> 00:05:48,380
the Tomcat server, web server.

74
00:05:48,380 --> 00:05:51,420
So let us close this for now.

75
00:05:51,590 --> 00:05:57,440
You can see we got the error 401 Unauthorized since we didn't specify the user name and password.

76
00:05:57,860 --> 00:06:03,230
But that is soon about to change, hopefully, if we find the correct user name and the correct password.

77
00:06:03,680 --> 00:06:07,560
So did we set the stop on success to true?

78
00:06:07,580 --> 00:06:12:490
We did. The next thing that we need is the verbose, which is set to true.

79
00:06:12,530 --> 00:06:13,460
That is good.

80
00:06:13,550 --> 00:06:19,310
The user file we also have; it contains users. As it says, the file contains one per line. So let

81
00:06:19,320 --> 00:06:20,120
us check...

82
00:06:20,370 --> 00:06:27,170
first clear this. And then type show options once again in order to double check that we successfully

83
00:06:27,320 --> 00:06:31,010
set everything as we need. So everything is set.

84
00:06:31,010 --> 00:06:35,000
And now what we want to do is type here run or exploit.

85
00:06:35,000 --> 00:06:38,460
So you can use both of those words and just press enter.

86
00:06:39,140 --> 00:06:42,490
We can see it goes relatively fast.

87
00:06:42,710 --> 00:06:44,900
It actually went faster than I thought.

88
00:06:44,930 --> 00:06:45,920
So let me see.

89
00:06:45,920 --> 00:06:49,450
Did we even set the number of threads to be larger?

90
00:06:49,450 --> 00:06:50,680
We didn't even set that.

91
00:06:50,690 --> 00:06:52,720
So let's actually try.

92
00:06:53,030 --> 00:06:57,880
First of all, we did find the user name and password, as we can see a plus sign right here. It says login

93
00:06:57,890 --> 00:07:06,200
successful, root and owaspbwa. Root is the user name and the password is owaspbwa, which we will

94
00:07:06,200 --> 00:07:06,950
soon check.

95
00:07:06,980 --> 00:07:12,470
But let me just try to run this, it went too fast.

96
00:07:12,690 --> 00:07:17,600
So set THREADS to 5, for example, and let's actually try to exploit it

97
00:07:17,600 --> 00:07:21,210
once again. Well, it goes the same speed,

98
00:07:21,250 --> 00:07:22,100
okay.

99
00:07:22,190 --> 00:07:23,440
It doesn't really matter.

100
00:07:23,530 --> 00:07:27,280
What matters is that we successfully brute forced the Tomcat.

101
00:07:27,280 --> 00:07:34,150
And now let's actually use this username and this password to log in to the web server. So we reload

102
00:07:34,150 --> 00:07:35,070
this page.

103
00:07:35,140 --> 00:07:45,070
It will ask us for a user name, which is root, and the password, which is owaspbwa. We press OK here, and

104
00:07:45,070 --> 00:07:52,840
we can see that we successfully logged into the Tomcat Web Application Manager, where we can now change

105
00:07:52,870 --> 00:07:55,540
all of these settings if we want to.

106
00:07:55,720 --> 00:07:58,590
And this shouldn't be available to us at all

107
00:07:58,600 --> 00:08:04,690
as a user of the website. So that'll be about it for this attack.

108
00:08:04,690 --> 00:08:13,360
We covered the Tomcat auxiliary module, so scanner/

109
00:08:13,420 --> 00:08:19,960
http/tomcat_mgr_login, which we used to brute force the Tomcat on port 8080,

110
00:08:20,500 --> 00:08:26,770
and we successfully did it. So that would be it for this tutorial. In the next tutorials we will start

111
00:08:26,770 --> 00:08:32,710
off with some of the exploit modules and we will try to exploit some of the more advanced things, such

112
00:08:32,710 --> 00:08:37,530
as PHP injection, command injection; we want to get the Meterpreter shell back.

113
00:08:37,540 --> 00:08:46,240
We will also at the end start exploiting the Windows host machine. So that would be about it for this

114
00:08:46,240 --> 00:08:49,210
tutorial and I hope I see you in the next one. Bye!
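The brute force shown in this lesson leaves a very distinctive trail on the server side: a burst of 401 responses to /manager/html from one source address, followed by a 200 once a credential pair from the wordlist works. The following detector is an added example, not part of the course or of Metasploit; it parses constructed Tomcat AccessLogValve lines (the default pattern with the %u remote-user field, assumed here) and flags any client that exceeds a failure threshold inside a sliding window, recording which user the client eventually logged in as.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex for Tomcat's common/combined access log pattern (%h %l %u %t "%r" %s %b).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not real server output): one client cycles the manager
# login until it succeeds as "root", one admin mistypes once then logs in, and
# one client never touches the manager app at all.
SAMPLE_LOG = """\
192.168.1.50 - - [10/Mar/2024:14:02:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.50 - - [10/Mar/2024:14:02:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.50 - - [10/Mar/2024:14:02:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.50 - - [10/Mar/2024:14:02:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.50 - - [10/Mar/2024:14:02:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.50 - - [10/Mar/2024:14:02:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.50 - root [10/Mar/2024:14:02:04 +0000] "GET /manager/html HTTP/1.1" 200 19823
172.16.0.9 - - [10/Mar/2024:14:03:30 +0000] "GET /manager/html HTTP/1.1" 401 2473
172.16.0.9 - admin [10/Mar/2024:14:03:41 +0000] "GET /manager/html HTTP/1.1" 200 19823
10.0.0.7 - - [10/Mar/2024:14:05:10 +0000] "GET /index.jsp HTTP/1.1" 200 1124
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_manager_bruteforce(log_text, threshold=5,
                              window=timedelta(seconds=60),
                              manager_prefix="/manager/"):
    """Flag clients with >= threshold 401s against the manager app inside `window`.

    Returns {ip: {"failures": total_401s, "success_user": user_or_None}}.
    success_user is set when a 2xx follows the burst, i.e. a guess succeeded.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(manager_prefix):
            per_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["time"])
        recent_failures = []   # timestamps of 401s still inside the window
        total_failures = 0
        flagged = False
        success_user = None
        for r in recs:
            if r["status"] == 401:
                total_failures += 1
                recent_failures.append(r["time"])
                recent_failures = [t for t in recent_failures
                                   if r["time"] - t <= window]
                if len(recent_failures) >= threshold:
                    flagged = True
            elif flagged and 200 <= r["status"] < 300:
                # A successful login right after a burst of failures is the
                # signature of a guessed credential, not a forgetful admin.
                success_user = r["user"]
        if flagged:
            alerts[ip] = {"failures": total_failures,
                          "success_user": success_user}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_manager_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} manager login failures, "
              f"then logged in as {info['success_user']!r}")
```

Run against the sample, only 192.168.1.50 is reported; the admin at 172.16.0.9 stays under the threshold. The same signal is what Tomcat's own LockOutRealm acts on: it wraps the configured realm and locks a user name out after repeated failures, which turns a wordlist run like the one in the lesson into a stream of lockouts rather than a successful login. Removing the manager application from servers that do not need it, and replacing any shipped default credentials, removes the target altogether.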