Hacktricks-skills ajp-pentesting

Pentest Apache JServ Protocol (AJP) services on port 8009. Use this skill whenever the user mentions AJP, Tomcat port 8009, Ghostcat vulnerability, or needs to enumerate/exploit AJP endpoints. This skill covers AJP protocol enumeration, CVE-2020-1938 Ghostcat exploitation, and AJP proxy setup for accessing Tomcat Manager.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp/SKILL.MD
source content

AJP Pentesting Skill

A comprehensive guide for pentesting Apache JServ Protocol (AJP) services, typically running on port 8009.

What is AJP?

AJP (Apache JServ Protocol) is a binary wire protocol optimized for communication between web servers (like Apache) and servlet containers (like Tomcat). It's designed for performance with persistent TCP connections.

Key characteristics:

  • Default port: 8009/tcp
  • Binary packet-oriented protocol
  • Used for Apache ↔ Tomcat communication
  • Often exposed unintentionally in production environments
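
The framing behind the "binary packet-oriented" bullet is small enough to decode by hand. The following is an added example, not part of the hacktricks-skills repository or of HackTricks, that encodes and decodes AJP13 frames: a 2-byte magic (0x12 0x34 toward the container, "AB" from it), a 2-byte big-endian length, and a payload whose first byte is the message type. It covers framing and the message-type table only; the sample conversation (CPing, CPong, End Response) is constructed here, not taken from a real capture. The defensive use is reading a pcap of port 8009 to see whether anything other than the expected front-end proxy is speaking AJP to the container.

```python
import struct
from dataclasses import dataclass

# AJP13 framing (as documented for the Apache JK / Tomcat AJP connector):
#   web server -> container packets begin with the magic bytes 0x12 0x34,
#   container -> web server packets begin with b"AB" (0x41 0x42),
#   then a 2-byte big-endian payload length, then the payload.
# The first payload byte is the message type.
MAGIC_TO_CONTAINER = b"\x12\x34"
MAGIC_FROM_CONTAINER = b"AB"

MESSAGE_TYPES = {
    2: "FORWARD_REQUEST",   # web server -> container: an HTTP request to serve
    3: "SEND_BODY_CHUNK",   # container -> web server
    4: "SEND_HEADERS",
    5: "END_RESPONSE",
    6: "GET_BODY_CHUNK",
    7: "SHUTDOWN",          # web server -> container
    8: "PING",
    9: "CPONG",             # container -> web server: keepalive reply
    10: "CPING",            # web server -> container: keepalive probe
}


@dataclass
class AjpFrame:
    direction: str      # "to_container" or "from_container"
    msg_type: int
    msg_name: str
    payload: bytes


def encode_frame(payload: bytes, to_container: bool = True) -> bytes:
    """Wrap a payload in AJP13 framing (magic + 2-byte length + payload)."""
    if not 0 < len(payload) <= 0xFFFF:
        raise ValueError("AJP payload must be 1..65535 bytes")
    magic = MAGIC_TO_CONTAINER if to_container else MAGIC_FROM_CONTAINER
    return magic + struct.pack(">H", len(payload)) + payload


def decode_frame(data: bytes) -> tuple:
    """Parse one frame from the front of `data`; return (AjpFrame, remaining bytes).
    Raises ValueError on a bad magic, an empty payload, or a truncated frame."""
    if len(data) < 4:
        raise ValueError("truncated AJP header")
    magic = data[:2]
    (length,) = struct.unpack(">H", data[2:4])
    if magic == MAGIC_TO_CONTAINER:
        direction = "to_container"
    elif magic == MAGIC_FROM_CONTAINER:
        direction = "from_container"
    else:
        raise ValueError(f"not an AJP frame (magic {magic.hex()})")
    if length == 0:
        raise ValueError("empty AJP payload")
    end = 4 + length
    if len(data) < end:
        raise ValueError("truncated AJP payload")
    payload = data[4:end]
    frame = AjpFrame(direction, payload[0], MESSAGE_TYPES.get(payload[0], "UNKNOWN"), payload)
    return frame, data[end:]


def decode_stream(data: bytes) -> list:
    """Split a byte stream (e.g. one TCP conversation on 8009) into frames."""
    frames = []
    while data:
        frame, data = decode_frame(data)
        frames.append(frame)
    return frames


def summarize(data: bytes) -> list:
    """One 'direction MSG_NAME' string per frame, for eyeballing a capture."""
    return [f"{f.direction} {f.msg_name}" for f in decode_stream(data)]


# Constructed sample exchange (not a real capture): a CPing probe, the CPong reply,
# and an End Response whose second byte (1) tells the web server the connection may be reused.
CPING = encode_frame(bytes([10]))                       # b"\x12\x34\x00\x01\x0a"
CPONG = encode_frame(bytes([9]), to_container=False)    # b"AB\x00\x01\x09"
END_RESPONSE = encode_frame(bytes([5, 1]), to_container=False)
SAMPLE_CONVERSATION = CPING + CPONG + END_RESPONSE

if __name__ == "__main__":
    for line in summarize(SAMPLE_CONVERSATION):
        print(line)
```

Feed `decode_stream` the reassembled TCP payload of one connection (for instance exported from a packet capture) and compare the directions against what your architecture expects: frames "to_container" should only ever originate from the front-end web server's address.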

Quick Start

# Check if AJP port is open
nmap -p 8009 <TARGET_IP>

# Full enumeration with AJP scripts
nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 <TARGET_IP>

Enumeration

Automated Nmap Scanning

Use the enumerate-ajp.sh script for comprehensive AJP enumeration:

./scripts/enumerate-ajp.sh <TARGET_IP>

This runs:

  • ajp-auth
    - Check for authentication requirements
  • ajp-headers
    - Extract server headers
  • ajp-methods
    - Discover supported HTTP methods
  • ajp-request
    - Send test requests

Manual Enumeration

# Basic port check
nmap -p 8009 <IP>

# Version detection
nmap -sV -p 8009 <IP>

# Full AJP script suite
nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 <IP>

Brute Force

If authentication is detected, attempt brute force attacks against the AJP endpoint. Refer to generic brute force techniques for credential testing.

CVE-2020-1938 Ghostcat Vulnerability

Critical LFI vulnerability affecting Apache Tomcat that allows reading arbitrary files, including WEB-INF/web.xml (which often contains credentials).

Affected Versions

  • Tomcat 9.0.0 - 9.0.30
  • Tomcat 8.5.0 - 8.5.50
  • Tomcat 7.0.0 - 7.0.99

Patched Versions

  • Tomcat 9.0.31+
  • Tomcat 8.5.51+
  • Tomcat 7.0.100+
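
Deciding from a banner whether a host falls inside one of the ranges above is a place where naive string comparison goes wrong ("9.0.100" sorts before "9.0.31"). The following added example, not from the skill or from HackTricks, extracts the version from a banner or nmap -sV line and classifies it against exactly the three branches listed above; the sample banners are constructed.

```python
import re

# Ghostcat (CVE-2020-1938) ranges exactly as listed in this skill:
# (first affected release, first patched release) per branch.
# Only these three branches are listed on the page; anything else is "unlisted".
GHOSTCAT_RANGES = (
    ((9, 0, 0), (9, 0, 31)),
    ((8, 5, 0), (8, 5, 51)),
    ((7, 0, 0), (7, 0, 100)),
)


def parse_tomcat_version(text: str) -> tuple:
    """Extract the first dotted x.y.z version from a banner or nmap -sV line.
    'Apache Tomcat/9.0.30' -> (9, 0, 30). Raises ValueError if none is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())


def ghostcat_status(version: tuple) -> str:
    """'affected', 'patched' (same branch, at or above the fix) or 'unlisted'.
    Tuples compare numerically, so (9, 0, 100) correctly sorts after (9, 0, 31)."""
    for first_affected, first_patched in GHOSTCAT_RANGES:
        if first_affected <= version < first_patched:
            return "affected"
        if version[:2] == first_patched[:2] and version >= first_patched:
            return "patched"
    return "unlisted"


def triage(banners: list) -> dict:
    """Map each banner to its status; banners without a parseable version get 'unknown'."""
    result = {}
    for banner in banners:
        try:
            result[banner] = ghostcat_status(parse_tomcat_version(banner))
        except ValueError:
            result[banner] = "unknown"
    return result


# Constructed sample banners (not real scan output).
SAMPLE_BANNERS = [
    "Apache Tomcat/9.0.30",
    "Apache Tomcat/8.5.51",
    "Apache Tomcat/9.0.100",
    "Apache-Coyote/1.1",
]

if __name__ == "__main__":
    for banner, status in triage(SAMPLE_BANNERS).items():
        print(f"{banner:30} {status}")
```

Versions outside the three listed branches come back as "unlisted" rather than "safe", because the page does not list them. The patched releases also changed the AJP connector defaults (loopback binding and a required connection secret), so an AJP port that is reachable from outside the host on a patched version is still a configuration finding worth reporting.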

Exploitation

If the target is running a vulnerable version:

  1. Check Tomcat version via nmap or banner grabbing
  2. Use the exploit from Exploit-DB #48143
  3. Target sensitive files:
    • WEB-INF/web.xml
      - Often contains database credentials
    • WEB-INF/classes/*
      - Application source code
    • /etc/passwd
      - System files (if accessible)

Example Exploitation

# Using the Ghostcat exploit
python3 ghostcat.py <TARGET_IP> 8009 /WEB-INF/web.xml

# Or with curl through AJP proxy (see below)
curl http://127.0.0.1/WEB-INF/web.xml

AJP Proxy Setup

To interact with AJP endpoints using standard HTTP tools, set up an AJP proxy.

Option 1: Nginx with AJP Module

Use the setup-nginx-ajp-proxy.sh script for automated setup:

./scripts/setup-nginx-ajp-proxy.sh <TARGET_IP>

Manual Nginx Setup

  1. Clone and compile Nginx with AJP module:
git clone https://github.com/dvershinin/nginx_ajp_module.git
cd nginx-version
sudo apt install libpcre3-dev
./configure --add-module=`pwd`/../nginx_ajp_module \
  --prefix=/etc/nginx \
  --sbin-path=/usr/sbin/nginx \
  --modules-path=/usr/lib/nginx/modules
make
sudo make install
  2. Configure Nginx (/etc/nginx/conf/nginx.conf):
upstream tomcats {
    server <TARGET_IP>:8009;
    keepalive 10;
}

server {
    listen 80;
    location / {
        ajp_keep_conn on;
        ajp_pass tomcats;
    }
}
  3. Start Nginx:
sudo nginx
# Test with
curl http://127.0.0.1

Option 2: Dockerized Nginx AJP Proxy

Quick setup using Docker:

git clone https://github.com/ScribblerCoder/nginx-ajp-docker
cd nginx-ajp-docker

# Edit nginx.conf and replace TARGET-IP with your target
docker build . -t nginx-ajp-proxy
docker run -it --rm -p 80:80 nginx-ajp-proxy

Option 3: Apache AJP Proxy

Apache can also serve as an AJP proxy using the mod_ajp module. Configure similarly to Nginx but with Apache's configuration syntax.

Common Attack Scenarios

1. Access Tomcat Manager

If AJP is exposed and Tomcat Manager is accessible:

  1. Set up AJP proxy (Nginx or Docker)
  2. Access http://127.0.0.1/manager/html
  3. Brute force credentials if needed
  4. Deploy malicious WAR files for RCE

2. File Disclosure via Ghostcat

  1. Identify vulnerable Tomcat version
  2. Use Ghostcat exploit to read WEB-INF/web.xml
  3. Extract credentials from configuration
  4. Pivot to other services

3. Information Gathering

  1. Enumerate AJP with nmap scripts
  2. Extract server headers and methods
  3. Identify Tomcat version
  4. Check for known vulnerabilities

Safety and Ethics

  • Only test systems you have explicit authorization to pentest
  • AJP exploitation can lead to full system compromise
  • Document all findings and report vulnerabilities responsibly
  • Be aware that accessing AJP ports may trigger IDS/IPS alerts

References