http-default-accounts-fingerprints: Tomcat, add support for host-manager

[cnotin]

Tomcat has two common management applications: "manager" and "host-manager".
Host manager is at "/host-manager/html" and with the "Tomcat Host Manager Application" realm.
See:
https://github.com/apache/tomcat/blob/3e5ce3108e2684bc25013d9a84a7966a6dcd6e14/webapps/manager/WEB-INF/web.xml#L153
https://github.com/apache/tomcat/blob/3e5ce3108e2684bc25013d9a84a7966a6dcd6e14/webapps/host-manager/WEB-INF/web.xml#L99

[nnposter]

This is definitely a valid enhancement.

This implementation might work in most instances but there is a fundamental weakness in that you are really trying to leverage the same fingerprint for two different applications that do not inherently share the same authorization base.

As an example, imagine that a Tomcat instance has user mymanager in role manager-gui and also user myadmin in role admin-gui and let's assume that these are hypothetically Tomcat default accounts.

1. According to your code, the script will first probe path /manager/html/ and finds user mymanager.
2. It will flag this path as correct for this Tomcat instance.
3. It will not find user myadmin on path /manager/html/ because it does not have the appropriate role.
4. The script finishes the testing of default users in the fingerprint, never proceeding to probe the rest of the paths, hence never finding myadmin.

A better approach might be to split the fingerprint into two, which is what I have in my NNDefaccts fingerprint set:

1. The script will first test the fingerprint for Manager against path /manager/html/ and finds user mymanager.
2. It flags this path as correct for this Tomcat Manager instance.
3. It will not test for user myadmin on path /manager/html/ because it is not part of this fingerprint (and even if it were, it still lacks the appropriate role).
4. The script finishes the testing of default users in the fingerprint, never proceeding to probe the rest of the paths.
5. The script then moves onto the fingerprint for Host Manager.
6. It finds user myadmin on path /host-manager/html/.
7. It flags this path as correct for this Tomcat Host Manager instance.
8. The script finishes the testing of the fingerprint for Host Manager.

[cnotin]

Thanks for the detailed feedback. Indeed it's better this way!
I see that you made it that way in your repo, do you intend to change it here too, or how do you suggest we proceed? Should I update my PR?

[nnposter]

My fingerprint set is not a working clone of what is in Nmap but a separate, GPL-licensed product, which makes it unsuitable for merging into Nmap. I would suggest two paths forward:

• Either keep the current single-fingerprint design and just add the missing path of /tomcat/host-manager/html/.
• Or, split the fingerprint as discussed and update the PR. (Again, for licensing reasons you cannot just copy my code.)

I am fine with either approach.

[cnotin]

I split the fingerprint since it's better as you said.
I also added a few URLs for manager as shown in https://github.com/apache/tomcat/blob/master/webapps/manager/WEB-INF/web.xml

I copied the credential for "host manager" from "manager". I did not copy your own.

[nnposter]

Committed as r37772. Thank you for contributing to Nmap!

[cnotin]

Thanks for suggestions!