Vulnerability & Exploit Database

Back to search

Apache Tomcat User Enumeration

This module enumerates Apache Tomcat's usernames via malformed requests to j_security_check, which can be found in the web administration package. It should work against Tomcat servers 4.1.0 - 4.1.39, 5.5.0 - 5.5.27, and 6.0.0 - 6.0.18. Newer versions no longer have the "admin" package by default. The 'admin' package is no longer provided for Tomcat 6 and later versions.

Free Metasploit Download

Get your copy of the world's leading penetration testing tool

 Download Now

Module Name



  • Heyder Andrade <heyder.andrade [at]>
  • Leandro Oliveira <leandrofernando [at]>




Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use auxiliary/scanner/http/tomcat_enum msf auxiliary(tomcat_enum) > show actions ...actions... msf auxiliary(tomcat_enum) > set ACTION <action-name> msf auxiliary(tomcat_enum) > show options and set options... msf auxiliary(tomcat_enum) > run

Related Vulnerabilities