The Metasploit version used is 4.5.0, installed on Fedora 9. MSSQL Server 2000 + SP4 is installed on XP + SP3. Turn off the XP firewall, start MSSQL Server 2000 and create a new SQL Server registration, then run Metasploit. Starting msfconsole takes a good 20 seconds or so; the first time I didn't know that and thought the installation had gone wrong.
[root@localhost app]# pwd
/opt/metasploit-4.5.0/app
[root@localhost app]# msfconsole
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM MMMMMMMMMM
MMMN$ vMMMM
MMMNl MMMMM MMMMM JMMMM
MMMNl MMMMMMMN NMMMMMMM JMMMM
MMMNl MMMMMMMMMNmmmNMMMMMMMMM JMMMM
MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM
MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM
MMMNI MMMMM MMMMMMM MMMMM jMMMM
MMMNI MMMMM MMMMMMM MMMMM jMMMM
MMMNI MMMNM MMMMMMM MMMMM jMMMM
MMMNI WMMMM MMMMMMM MMMM# JMMMM
MMMMR ?MMNM MMMMM .dMMMM
MMMMNm `?MMM MMMM` dMMMMM
MMMMMMN ?MM MM? NMMMMMN
MMMMMMMMNe JMMMMMNMMM
MMMMMMMMMMNm, eMMMMMNMMNMM
MMMMNNMNMMMMMNx MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
=[ metasploit v4.5.0-release [core:4.5 api:1.0]
+ -- --=[ 1000 exploits - 624 auxiliary - 168 post
+ -- --=[ 262 payloads - 28 encoders - 8 nops
msf >
As shown above.
msf > use scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.109
RHOSTS => 192.168.1.109
msf auxiliary(mssql_ping) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mssql_ping) > run
[*] SQL Server information for 192.168.1.109:
[+] ServerName = 20100617-1003
[+] InstanceName = MSSQLSERVER
[+] IsClustered = No
[+] Version = 8.00.194
[+] tcp = 1433
[+] np = \\20100617-1003\pipe\sql\query
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mssql_ping) >
Screenshot below:
The firewall on the server side has to be turned off for the scan to find the MSSQL Server service; with the firewall on, the scan finds nothing.
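The fields mssql_ping printed above (ServerName, InstanceName, IsClustered, Version, tcp, np) are exactly the key;value pairs a SQL Server instance advertises over the SQL Server Resolution Protocol (SSRP) on UDP 1434, which is why a host firewall that blocks UDP 1434 makes the instance invisible to this probe. The parser below is an added example, not code from the post or from Metasploit; it decodes an SSRP server response into one dictionary per advertised instance. The sample packet is constructed from the values shown in the output above, not captured traffic, and the response layout assumed here is a leading 0x05 byte, a 16-bit little-endian body length, and a semicolon-separated string in which each instance record ends with ";;".

```python
from __future__ import annotations
import struct

# Constructed SSRP (UDP 1434) response body, built from the values the
# mssql_ping run above reported. This is sample data, not captured traffic.
SAMPLE_BODY = (
    b"ServerName;20100617-1003;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;8.00.194;tcp;1433;np;\\\\20100617-1003\\pipe\\sql\\query;;"
)
# Full packet: 0x05 marker, little-endian 16-bit body length, body.
SAMPLE_RESPONSE = b"\x05" + struct.pack("<H", len(SAMPLE_BODY)) + SAMPLE_BODY


def parse_ssrp_response(packet: bytes) -> list[dict[str, str]]:
    """Decode an SSRP server response into one dict per advertised instance.

    Raises ValueError on anything that does not look like a well-formed
    response, so a caller scanning its own network can tell noise from data.
    """
    if len(packet) < 3 or packet[0] != 0x05:
        raise ValueError("not an SSRP server response (expected leading 0x05)")
    (length,) = struct.unpack_from("<H", packet, 1)
    body = packet[3:3 + length]
    if len(body) != length:
        raise ValueError("truncated SSRP response")

    instances: list[dict[str, str]] = []
    # Each instance record is terminated by ";;"; fields inside alternate key;value.
    for record in body.decode("latin-1").split(";;"):
        if not record:
            continue
        fields = record.split(";")
        if len(fields) % 2:
            raise ValueError("odd number of fields in instance record")
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def tcp_port(instance: dict[str, str]) -> int | None:
    """Return the advertised TCP listener port, or None if the instance has none."""
    port = instance.get("tcp")
    return int(port) if port and port.isdigit() else None


if __name__ == "__main__":
    for inst in parse_ssrp_response(SAMPLE_RESPONSE):
        print(f"{inst['ServerName']}\\{inst['InstanceName']} "
              f"version {inst['Version']} tcp={tcp_port(inst)} np={inst.get('np')}")
```

Pointing this at a UDP 1434 reply from a host you administer tells you what the instance is advertising to the network; if an instance you expected to be reachable shows up here only after the host firewall is disabled, the firewall is dropping UDP 1434, which matches the behaviour described above.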