If we have performed a penetration test against an Apache Tomcat server and we have managed to gain access then we might want to consider to place a web backdoor in order to maintain our access.Apache Tomcat accepts .WAR file types so our backdoor must have this file extension.In case that we don’t have a WAR backdoor already in our disposal we can use Metasploit to create one very fast.

The first thing that we have to do is to create the WAR file.That WAR file will carry a common metasploit payload that will connect back to us once it is executed.Our Apache Tomcat is on a Linux host so for this example we will use a linux payload.

Creating the WAR Backdoor


The LHOST of course is our local IP address and we have used the name pentestlab for the war file.Once we execute this command the metasploit will insert the payload on a .jsp file and it will save it as pentestlab.war.However the metasploit will use a random name for the .jsp backdoor so we need to know before we upload it the name.A quick method is to extract the pentestlab.war file in order to see the exact file name of the .jsp backdoor.

WAR File extraction to find the name of the .jsp file


The next step is to go to Apache Tomcat Manager and to upload it.

Uploading the WAR File


Now that the backdoor has been uploaded we need to use the netcat utility and to put it on the listen mode.So we need to execute the following command: nc -l -v -p 4444 which it will listen for any incoming connection on port 4444.The backdoor that the metasploit has created by default it will use the 4444 for connections so everything now it is ready.We access the backdoor from our web browser which in this example will be in the following url:

and we have a reverse shell connection with the web server.

netcat – incoming connection from backdoor



As we saw we can use the Metasploit Framework in order to create fast a simple backdoor for our target.This can help us in a situation where we want to maintain a connection with the server and we don’t have already a WAR backdoor for deployment in our files.