The author is unknown ...
Test environment:
Host: 192.168.0.1, running Windows XP SP1 Professional (I have trimmed this installation myself and removed many components, so some test results may be off).
Client: 192.168.0.2, running Windows 2000 Professional (not my own computer; the system has been in use for more than a year without problems).
Network: 8029 and 8139 NICs, the two machines directly interconnected.
Mt.exe is a network management tool which, according to its author YY3, was written for convenience. And convenient it certainly is: with this single 40K program you can delete several megabytes of utilities from your computer. Let's take a look at the program:
D:\>mt.exe
USAGE: mt.exe
Options:
 -filter   --- Change TCP/IP filter to ON/OFF status.
 -addport  --- Add ports to the filter's allowed port list.
 -setport  --- Set ports as the filter's allowed port list.
 -nicinfo  --- List TCP/IP interface info.
 -pslist   --- List active processes.
 -pskill   --- Kill a specified process.
 -dlllist  --- List DLLs of a specified process.
 -sysinfo  --- List system info.
 -shutdown --- Shutdown system.
 -reboot   --- Reboot system.
 -poweroff --- Turn off power.
 -logoff   --- Logoff current user's session.
 -chkts    --- Check terminal service info.
 -setupts  --- Install terminal service.
 -remts    --- Remove terminal service.
 -chgtsp   --- Reset terminal service port.
 -clog     --- Clean system log.
 -enumsrv  --- List all services.
 -querysrv --- List detail info of a specified service.
 -instsrv  --- Install a service.
 -cfgsrv   --- Change the configuration of a service.
 -remsrv   --- Remove a specified service.
 -startsrv --- Start a specified service.
 -stopsrv  --- Stop a specified service.
 -netget   --- Download from HTTP/FTP.
 -redirect --- Port redirect.
 -chkuser  --- List all accounts, SIDs and anti-clone.
 -clone    --- Clone from admin to dest.
 -never    --- Set account looks like never logged on.
 -killuser --- Del account. Even "guest" account.
 -su       --- Run process as local_system privilege.
 -findpass --- Show all logged on users' passwords.
 -netstat  --- List TCP connections.
 -killtcp  --- Kill TCP connection.
 -psport   --- Map ports to processes.
 -touch    --- Set the file times for a specified file.
 -secdel   --- Secure delete files and directory or zap free space.
 -regshell --- Enter a console registry editor.
 -chkdll   --- Detect GINA DLL backdoor.
As you can see, there are 34 of them, and they cover most of the utilities we normally use. I will test them one at a time; my conditions and ability are limited, so I hope everyone will point out the shortcomings.
First, mt -filter
USAGE:
mt -filter
From the usage text you can tell that this turns the TCP/IP filter on or off. Let's try it first. Enter the command:
D:\>mt -filter on
Enable TCP/IP filter successful!
Now look at TCP/IP filtering: open Network Connections, right-click Local Area Connection, then Properties, Internet Protocol (TCP/IP), Properties, Advanced, Options, TCP/IP filtering, Properties. We see the situation shown in the figure:
You can see that the TCP/IP filter is now enabled. Enter the command again:
D:\>mt -filter off
Disable TCP/IP filter successful!
Look at the properties again:
With this tool we are spared the trouble of clicking through the dialogs; everything is simple.
Second, D:\>mt -addport
USAGE:
mt -addport
Use "-nicinfo" to get the NIC number first.
From the description, this adds ports to the list of ports allowed to communicate. As above, let's see how powerful this feature is:
Fifth, -pslist --- List active processes.
Lists the active processes. Anyone who often uses PsTools will be very familiar with this feature, so here I compare this tool with the PsTools utilities to see how their functions differ.
D:\>mt -pslist
PID  Path
0    [Idle Process]
4    [System]
464  \SystemRoot\System32\smss.exe
524  \??\C:\WINDOWS\system32\csrss.exe
548  \??\C:\WINDOWS\system32\winlogon.exe
592  C:\WINDOWS\system32\services.exe
604  C:\WINDOWS\system32\lsass.exe
780  C:\WINDOWS\system32\svchost.exe
844  C:\WINDOWS\system32\svchost.exe
876  C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
932  C:\WINDOWS\system32\svchost.exe
960  C:\WINDOWS\system32\svchost.exe
1128 C:\WINDOWS\system32\alg.exe
1160 C:\WINDOWS\system32\inetsrv\inetinfo.exe
1188 D:\mysql\bin\mysqld-nt.exe
1280 C:\WINDOWS\system32\nvsvc32.exe
1728 C:\WINDOWS\explorer.exe
212  C:\WINDOWS\system32\ctfmon.exe
504  D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
924  D:\Program Files\MyIE2\MyIE.exe
1348 C:\WINDOWS\system32\dllhost.exe
1516 C:\WINDOWS\system32\dllhost.exe
1856 C:\WINDOWS\system32\msdtc.exe
1356 C:\WINDOWS\system32\cmd.exe
1004 C:\WINDOWS\system32\conime.exe
1748 D:\Program Files\HyperSnap-DX 5\HprSnap5.exe
1272 D:\mt.exe
Using PsList we get the following:
D:\Hack>pslist
PsList v1.12 - process information list
Copyright (c) 1999-2000 Mark Russinovich
Systems Internals - http://www.sysinternals.com
Process information for LIN:
Name       Pid  Pri Thd Hnd  Mem   User Time   Kernel Time  Elapsed Time
Idle       0    0   1   0    20    0:00:00.000 0:40:22.453  0:00:00.000
System     4    8   56  258  40    0:00:00.000 0:00.098     0:00.000
smss       464  11  3   21   44    0:00:00.010 0:00:00      0:43:10.565
csrss      524  13  11  416  3892  0:00:02.042 0:00:14.240  0:43:06.449
winlogon   548  13  19  443  1044  0:00:01.171 0:00:01.882  0:43:04.185
services   592  9   21  307  940   0:00:00.721 0:01.662     0:43:01.582
lsass      604  9   19  304  1132  0:00:00.540 0:00:690     0:43:01.532
svchost    780  8   8   255  824   0:00:00.200 0:00:00.160  0:42:58.687
svchost    844  8   55  1214 5740  0:00:02.393 0:00:01.932  0:42:58.457
StyleXPSer 876  8   2   38   416   0:00.070    0:00:0070    0:42:58.357
svchost    932  8   5   46   396   0:00:00.020 0:00:00.040  0:42:56.705
svchost    960  8   7   90   204   0:00:00.060 0:00:00.040  0:42:56.244
alg        1128 8   5   116  220   0:00:00.020 0:00:00.060  0:42:49.144
inetinfo   1160 8   17  281  864   0:00:00.210 0:00:0030    0:42:49.054
mysqld-nt  1188 8   6   81   76    0:00:00.010 0:00:00.050  0:42:47.602
nvsvc32    1280 8   3   74   92    0:00:00.090 0:00:00.160  0:42:45.378
explorer   1728 8   20  583  19548 0:00:11.436 0:00:27.519  0:42:37.607
ctfmon     212  8   1   109  1596  0:00:00.340 0:00:01.031  0:42:26.982
WINWORD    504  8   5   394  43428 0:01:04.072 0:00:25.757  0:41:26.194
MyIE       924  8   9   312  3116  0:00:09.623 0:00:07.460  0:35:36.582
dllhost    1348 8   23  240  1540  0:00:01.982 0:00:00.460  0:35:24.414
dllhost    1516 8   15  200  784   0:00:00.190 0:00:00.230  0:35:22.912
msdtc      1856 8   18  149  372   0:00:00.080 0:00:00.090  0:35:18.896
cmd        1356 8   1   21   592   0:00:00.080 0:00:00      0:32:44.414
conime     1004 8   1   25   664   0:00:00.050 0:00:00.030  0:32:42.652
HprSnap5   1748 8   6   168  1648  0:00:01.932 0:00:03.414  0:18:38.798
cmd        1548 8   1   20   1392  0:00.080    0:00:00.010  0:00:28.020
pslist     1716 8   2   82   1672  0:00:00.030 0:00:00.050  0:00:00.400
The result obtained with PULIST:
E:\Hack>pulist
Process            PID  User
Idle               0
System             4
smss.exe           464  NT AUTHORITY\SYS
csrss.exe          524  NT AUTHORITY\SYS
winlogon.exe       548  NT AUTHORITY\SYS
services.exe       592  NT AUTHORITY\SYS
lsass.exe          604  NT AUTHORITY\SYS
svchost.exe        780  NT AUTHORITY\SYS
svchost.exe        844  NT AUTHORITY\SYS
StyleXPService.exe 876  NT AUTHORITY\SY
svchost.exe        932
svchost.exe        960
alg.exe            1128
inetinfo.exe       1160 NT AUTHORITY\SYS
mysqld-nt.exe      1188 NT AUTHORITY\SYS
nvsvc32.exe        1280 NT AUTHORITY\SYS
explorer.exe       1728 LIN\lin
ctfmon.exe         212  LIN\lin
WINWORD.EXE        504  LIN\lin
MyIE.exe           924  LIN\lin
dllhost.exe        1348
dllhost.exe        1516 NT AUTHORITY\SYS
msdtc.exe          1856
cmd.exe            1356 LIN\lin
conime.exe         1004 LIN\lin
HprSnap5.exe       1748 LIN\lin
cmd.exe            1548 LIN\lin
pulist.exe         1788 LIN\lin
From the above you can see that MT's output is not as rich as PsList's, which lists Name, Pid, Pri, Thd, Hnd, Mem and the user, kernel and elapsed times, but it is already much better than PULIST: it can list process names together with their full paths, which already meets our needs.
Sixth, D:\>mt -pskill
USAGE:
mt -pskill
This is also one of the PsTools utilities. We use myie.exe as the test case and see whether each of them can kill this process. First with MT: from the mt -pslist output above we know that myie.exe has PID 924, so enter:
D:\>mt -pskill 924
Kill Process Sccuessful!
MyIE disappeared at once, so it was killed. Now pskill.exe. To be fair we again use pslist to get MyIE's PID: reopen MyIE, and its PID is now 220. We enter:
D:\Hack>pskill 220
PsKill v1.03 - local and remote process killer
Copyright (C) 2000 Mark Russinovich
http://www.sysinternals.com
Process 220 killed.
It was killed just as quickly, which shows that MT and PsKill work alike; with MT you get the same effect as with PsKill.
Where MT is weaker is that it has no network function like PsKill, which with
pskill [\\remotecomputer [-u username]]
    -u  Specifies optional user name for login to remote computer.
can kill a process on a remote computer. Of course, we can't expect MT to be that powerful; after all, it is only 40K.
Seventh, D:\>mt -dlllist
USAGE:
mt -dlllist
Lists the DLLs loaded by a process. I didn't find a separate program with this function, but Windows Optimization Master can do it, so let's test against that. This time we choose StyleXPService.exe; again use mt -pslist to get its PID, 876, and enter:
D:\>mt -dlllist 876
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\gdi32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\rpcrt4.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\version.dll
C:\WINDOWS\system32\setupapi.dll
C:\WINDOWS\system32\netapi32.dll
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\lpk.dll
C:\WINDOWS\system32\usp10.dll
C:\WINDOWS\system32\uxtheme.dll
C:\WINDOWS\system32\rsaenh.dll
Open Windows Optimization Master and see what DLLs it reports, as shown in the figure:
The DLL lists obtained with MT and with Windows Optimization Master match exactly, and MT is definitely more convenient to use than Windows Optimization Master.
Eighth, mt -sysinfo
Lists system information. I compared it with Windows Optimization Master again and found almost no discrepancy; it is very accurate. For reasons of space the data is not shown. This feature is the same as the program sysinfo.exe.
Ninth, -shutdown --- Shutdown system.
-reboot --- Reboot system.
-poweroff --- Turn off power.
-logoff --- Logoff current user's session.
There is little to say about these four commands, except that unlike the system's shutdown tool there is no prompt after you enter them: the system shuts down immediately. I tried it; remember to save your work first.
Tenth, -chkts --- Check terminal service info.
-setupts --- Install terminal service.
-remts --- Remove terminal service.
-chgtsp --- Reset terminal service port.
These four commands concern Terminal Services. Because I don't have a server edition of the system installed, they were not tested.
Eleventh, -clog --- Clean system log.
Used to clear the logs. We entered:
D:\>mt -clog
USAGE:
mt -clog
As can be seen above, we can clear three logs, including the "Application" and "System" logs. I'll pick one and clear the "Application" log with MT. Enter:
D:\>mt -clog app
Clean EventLog: Application Successful!
Open Event Viewer, as shown in the figure,
and you can see that the log has been emptied. But compared with Xiao's Cleariislog, MT can't delete only the log entries for a specified IP; perhaps YY3 did not intend this tool for that kind of use.
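Clearing a log is itself an observable event, which is what a defender wants from this section. The following is an added example, not code from mt.exe or from the article's author. Windows NT/2000/XP records Security event 517 ("The audit log was cleared") when the Security log is cleared, and Vista and later record 1102 (Security) and 104 (System) for cleared logs; clearing the Application log on XP, as done above, leaves no such event, so the second check looks for a log whose oldest surviving record is far newer than the oldest record in the other logs. The records are constructed sample data in a simplified dict form, not a real export.

```python
"""Detecting a cleared Windows event log from its records.

Added example; not code from mt.exe or the article's author. The event IDs
are real Windows IDs; the records are constructed sample data.
"""
from datetime import datetime, timedelta

# (log, event id) -> meaning. 517 is the NT/2000/XP "The audit log was
# cleared" event; 1102 and 104 are its Vista-and-later successors.
LOG_CLEARED_IDS = {
    ("Security", 517): "audit log cleared (NT/2000/XP)",
    ("Security", 1102): "audit log cleared (Vista and later)",
    ("System", 104): "event log cleared (Vista and later)",
}

# Constructed sample records: Security and System logs reaching back to
# 1 May, a Security event 517 on 19 May, and an Application log whose
# oldest surviving record dates from after that point.
SAMPLE_EVENTS = [
    {"log": "System", "id": 6005, "time": "2004-05-01 08:58:00", "user": "N/A"},
    {"log": "Security", "id": 528, "time": "2004-05-01 09:00:00", "user": "LIN\\lin"},
    {"log": "Security", "id": 517, "time": "2004-05-19 13:20:11", "user": "LIN\\lin"},
    {"log": "Security", "id": 528, "time": "2004-05-19 13:25:40", "user": "LIN\\lin"},
    {"log": "Application", "id": 1000, "time": "2004-05-19 13:26:00", "user": "N/A"},
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def find_log_clears(events):
    """Return every record that explicitly says a log was cleared."""
    hits = []
    for event in events:
        meaning = LOG_CLEARED_IDS.get((event["log"], event["id"]))
        if meaning:
            hits.append(dict(event, meaning=meaning))
    return hits


def suspiciously_fresh_logs(events, min_gap=timedelta(days=1)):
    """Names of logs whose oldest surviving record is more than min_gap newer
    than the oldest record of any other log. On XP, clearing the Application
    or System log writes no event anywhere, so this gap is often the only
    trace that remains."""
    oldest = {}
    for event in events:
        stamp = _ts(event["time"])
        if event["log"] not in oldest or stamp < oldest[event["log"]]:
            oldest[event["log"]] = stamp
    if len(oldest) < 2:
        return []
    baseline = min(oldest.values())
    return sorted(name for name, stamp in oldest.items() if stamp - baseline > min_gap)


if __name__ == "__main__":
    for hit in find_log_clears(SAMPLE_EVENTS):
        print("%(time)s %(log)s %(id)d by %(user)s: %(meaning)s" % hit)
    print("logs that look truncated:", suspiciously_fresh_logs(SAMPLE_EVENTS))
```

The gap heuristic needs the logs to be compared against each other, so run it over all three logs of one machine rather than over a single exported file; on a freshly installed system every log is young and the check returns nothing, which is the intended behaviour.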
Twelfth, -enumsrv --- List all services.
Lists all services. The results of this test may differ from yours, because I have deleted many services to slim down the system and speed it up. Still, let's take a look:
D:\>mt -enumsrv
USAGE:
mt -enumsrv
D:\>mt -enumsrv srv
Num ServiceName  DisplayName
0   Alerter      Alerter
1   ALG          Application Layer Gateway Service
2   AppMgmt      Application Management
3   aspnet_state ASP.NET State Service
4   AudioSrv     Windows Audio
(most of the remaining output omitted)
D:\>mt -enumsrv drv
Num ServiceName  DisplayName
0   Abiosdsk     Abiosdsk
1   abp480n5     abp480n5
2   ACPI         Microsoft ACPI Driver
3   ACPIEC       ACPIEC
4   adpu160m     adpu160m
5   aec          Microsoft Kernel Acoustic Echo Canceller
6   AFD          AFD Networking Support Environment
7   aha154x      aha154x
8   aic78u2      aic78u2
(most of the remaining output omitted)
There is far too much to list, so I won't say more. There is only one word for it: excellent.
Thirteenth, D:\>mt -querysrv
USAGE:
mt -querysrv
Lists the details of a service. We check the information for the system service Alerter; type:
D:\>mt -querysrv alerter
ServiceName: Alerter
Status: STOPPED
ServiceType: Win32 Share Service
Start Type: DEMAND START
LogonID: NT AUTHORITY\LocalService
FilePath: C:\WINDOWS\system32\svchost.exe -k LocalService
DisplayName: Alerter
Dependency: lanmanworkstation
Description: Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
The output for the ALG service (I ran this parameter a second time, having forgotten it the first time):
Start Type: DEMAND START
LogonID: NT AUTHORITY\LocalService
FilePath: C:\WINDOWS\system32\alg.exe
DisplayName: Application Layer Gateway Service
Dependency:
Description: Provides support for third-party protocol plug-ins for Internet Connection Sharing and the Internet Connection Firewall.
Very clear. Of course, we can also view a service's details in the MMC, as shown in the figure:
Fourteenth, -instsrv --- Install a service.
-cfgsrv --- Change the configuration of a service.
-remsrv --- Remove a specified service.
-startsrv --- Start a specified service.
-stopsrv --- Stop a specified service.
These are all service-related commands, so I put them together. For the service program I chose the "ice" server, server.exe: I am going to install this tool as a service, then change its configuration, start the service, stop the service, and so on. Enter:
Fifteenth, D:\>mt -netget
USAGE:
mt -netget
This tool is very practical. A few months ago I saw people on the Security Focus forum asking for such a tool; what they were offered were VBS scripts, but unfortunately I can't find that code now. Downloading software from a DOS prompt is especially convenient. I set up an IIS server, put server.exe in the web root, and entered:
D:\>mt -netget http://192.168.0.1/server.exe f:\server.exe
Download File from http://192.168.0.1/server.exe to f:\server.exe.
Download completed 272992 bytes ......
Downloaded 266.6KB @ 266.6KB/s in 0sec.
File
The downloaded server.exe is saved as server.exe on drive F:.
Sixteenth, D:\>mt -redirect
USAGE:
mt -redirect
This feature is the same as FPipe: it implements port redirection. For the test we redirect port 80 of host 192.168.0.1 to port 81; enter:
D:\>mt -redirect 192.168.0.1 80 81
------ Waiting Connection -----
Then open another CMD window and telnet to 192.168.0.1 port 81. The first CMD window shows the connection information:
D:\>mt -redirect 192.168.0.1 80 81
------ Waiting Connection -----
Accept client ==> 192.168.0.1:3027
Connect to 192.168.0.1 80 surcess!
Thread 1988 Recv 2 bytes.
Thread 1988 Send 2 bytes.
Thread 1988 Recv 2 bytes.
Thread 1988 Send 2 bytes.
Thread 316 Recv 224 bytes.
Thread 316 Send 224 bytes.
The second CMD window also shows the information we want:
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.1
Date: Wed, 19 May 2004 13:28:53 GMT
Content-Type: text/html
Content-Length: 87

<html>
However, this feature is a little unstable: sometimes it works and sometimes it doesn't, and this success came only after repeated tries. Compared with FPipe it is very convenient; FPipe's usage text takes quite a while to work through.
17, D:\>mt -clone
USAGE:
mt -clone
Clones an account, a bit like Xiaoyan's Cloneuser. For the test I create a new user, yun, and now try to clone the administrator account Lin onto the account yun. Type:
D:\Hack>mt -clone lin yun
Fail to Open Sam Key, completed successfully.
D:\>mt -clone lin yun
Fail to Open Sam Key, completed successfully.
XP systems may not be supported. Although it says the operation completed successfully, in fact it did not succeed. Either the tool has a defect, or I did something wrong.
18, D:\>mt -never
-never --- Set account looks like never logged on.
This makes an account look as though it has never logged on. There are two users on my system: the administrator, Lin, and a general account, 316. Now I set 316 to appear never to have logged on.
D:\>mt -never 316
Require system privilege.
It says we lack the privilege, so:
D:\>mt -su
A new CMD window opens; in it type:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>d:
D:\>mt -never 316
Fail to set f value.
D:\>net user 316
User name                    316
Full Name                    316
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never
Password last set            2004/5/19 08:22
Password expires             Never
Password changeable          2004/5/19 08:22
Password required            Yes
User may change password     Yes
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never
Logon hours allowed          All
Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.
D:\>
You can see that it has been changed: although "Fail to set f value." was printed, the operation actually succeeded. The feature works as described, changing the specified account so that it appears never to have logged on to the system.
Condition for success: you must have local system privileges.
18, -killuser --- Del account. Even "guest" account.
Deletes a user. Enter:
D:\>mt -killuser ziqi
Kill User: ziqi surcess!
This feature has a problem: the prompt says the user has been deleted, but in fact the user is not deleted. We entered:
D:\>net user
User accounts for \\LIN
-------------------------------------------------------------------------------
316                      Administrator            ASPNET
Guest                    HelpAssistant            IUSR_IMAGE
IWAM_IMAGE               lin                      SUPPORT_388945a0
ziqi
The command completed successfully.
We can still see the ziqi account, and opening Control Panel, User Accounts also still shows this user:
But if we work this way, that is, first run mt -su to get the system's highest privilege, then in that cmd window we can delete the account, and we can even delete the Guest user. Although I had not activated that account, for some reason I don't know it was already in the Administrators group, since I had logged on with it. The process of deleting Guest:
D:\>mt -killuser guest
Kill User: Guest Success!
D:\>net user
User accounts for \\
-------------------------------------------------------------------------------
316                      Administrator            ASPNET
HelpAssistant            IUSR_IMAGE               IWAM_IMAGE
lin                      SUPPORT_388945a0         yun
The command completed with one or more errors.
19, -su --- Run process as local_system privilege.
To obtain system privileges: as an administrator, enter mt -su, and another CMD window pops up. In that window we can do anything we want; this is the highest authority on the system.
20, -regshell --- Enter a console registry editor.
Edits the registry from CMD. Typing in CMD isn't very convenient, but sometimes it is useful. Enter:
D:\>mt -regshell
HKLM\>dir
Total: 5 Subkey, 0 Value.
HKLM\>quitreg
D:\>
It is no different from the real thing.
21, -netstat --- List TCP connections.
Lists all TCP connections. I had 192.168.0.2 open IE and visit the home page of 192.168.0.1, then entered:
D:\>mt -netstat
Num LocalIP     Port RemoteIP    Port Status
11  192.168.0.1 80   192.168.0.2 1050 ESTABLISHED
Using the netstat that comes with the system, the result is the same:
D:\>netstat
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    lin:http               192.168.0.2:1050       ESTABLISHED
MT is just more direct and easier to read, for instance showing port 80 instead of the protocol name http.
22, D:\>mt -killtcp
USAGE:
mt -killtcp
This goes together with the command above. To kill the connection from 192.168.0.2 to this machine (192.168.0.1) you can enter:
D:\>mt -killtcp 11
Waiting connection to be close now.
Then enter:
D:\>mt -netstat
Num LocalIP     Port RemoteIP    Port Status
D:\>
The connection is no longer seen.
23, -chkdll --- Detect GINA DLL backdoor.
Checks for a GINA trojan. This problem has been very widespread lately, so it was taken into account too. It is very simple:
D:\>mt -chkdll
GinaDLL NOT FOUND.
Winlogon Notification Package DLL:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
crypt32.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
cryptnet.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
cscdll.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
wlnotify.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
wlnotify.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SclgNtfy
sclgntfy.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
wlnotify.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
wlnotify.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
wlnotify.dll
Please make sure.
If a GINA trojan has been installed, this is what you see:
D:\>mt -chkdll
GinaDLL exist:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
C:\WINDOWS\system32\ntshellgina.dll
It was detected at once; very convenient, heh. Actually my DLL file had already been killed (deleted), but the registry had been modified, which again shows the power of this tool.
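The two registry locations that mt -chkdll reads are easy to audit yourself, and the clean output above doubles as a known-good list. The following is an added example, not code from mt.exe or its author: it flags any GinaDLL value other than the built-in msgina.dll, any Notify package whose DLL is not one of the stock XP notification DLLs named above, and a stock DLL name loaded from outside system32. The sample values are constructed from this article's output (the ntshellgina.dll value is the one the second run reports; the Notify entry named sample_pkg is invented so the Notify check has something to flag). read_live_winlogon() reads the real keys with the standard library's winreg module and therefore only works on Windows.

```python
"""Audit the Winlogon GinaDLL value and Notify packages.

Added example; not code from mt.exe or its author. Values are passed in so
the audit can run anywhere; read_live_winlogon() fetches them from the real
registry on Windows via the standard library's winreg module.
"""

# Stock XP notification DLLs, taken from the clean mt -chkdll output.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}
DEFAULT_GINA = "msgina.dll"   # built-in GINA; a clean system has no GinaDLL value
WINLOGON_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed samples. The clean Notify set mirrors the article's clean run;
# the backdoored GinaDLL value is the one the article's second run reports.
CLEAN_NOTIFY = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll", "ScCertProp": "wlnotify.dll",
    "Schedule": "wlnotify.dll", "SclgNtfy": "sclgntfy.dll",
    "SensLogn": "wlnotify.dll", "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}
BACKDOORED_GINA = r"C:\WINDOWS\system32\ntshellgina.dll"
# "sample_pkg" is an invented entry so the Notify check has something to flag.
SUSPECT_NOTIFY = dict(CLEAN_NOTIFY, sample_pkg=r"C:\Temp\sample_notify.dll")


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def audit_winlogon(gina_dll, notify_packages):
    """gina_dll: the GinaDLL value, or None when the value is absent.
    notify_packages: {subkey name: DLLName value}.
    Returns a list of findings; an empty list means nothing unexpected."""
    findings = []
    if gina_dll is not None and _basename(gina_dll) != DEFAULT_GINA:
        # A legitimate third-party GINA lands here too; it still warrants a look.
        findings.append("GinaDLL replaced: %s" % gina_dll)
    for subkey, dll in sorted(notify_packages.items()):
        if _basename(dll) not in KNOWN_NOTIFY_DLLS:
            findings.append("Notify\\%s loads non-stock DLL: %s" % (subkey, dll))
        elif ("\\" in dll or "/" in dll) and "system32" not in dll.lower():
            # Stock name, unexpected directory: the classic look-alike trick.
            findings.append("Notify\\%s loads %s from outside system32: %s"
                            % (subkey, _basename(dll), dll))
    return findings


def read_live_winlogon():
    """Windows only: read GinaDLL and every Notify\\*\\DLLName from HKLM."""
    import winreg
    hklm = winreg.HKEY_LOCAL_MACHINE
    with winreg.OpenKey(hklm, WINLOGON_PATH) as key:
        try:
            gina = winreg.QueryValueEx(key, "GinaDLL")[0]
        except FileNotFoundError:
            gina = None            # value absent: built-in msgina.dll in use
    notify = {}
    with winreg.OpenKey(hklm, WINLOGON_PATH + r"\Notify") as key:
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(key, index)
            except OSError:        # no more subkeys
                break
            index += 1
            with winreg.OpenKey(key, sub) as subkey:
                try:
                    notify[sub] = winreg.QueryValueEx(subkey, "DLLName")[0]
                except FileNotFoundError:
                    pass           # subkey without a DLLName value
    return gina, notify


if __name__ == "__main__":
    print("clean:", audit_winlogon(None, CLEAN_NOTIFY))
    print("backdoored:", audit_winlogon(BACKDOORED_GINA, SUSPECT_NOTIFY))
```

On a live machine call audit_winlogon(*read_live_winlogon()); the allowlist is the XP SP1 set seen in this article, so on another Windows version extend it from a known-clean system first rather than treating every unlisted DLL as hostile.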
24, -psport --- Map ports to processes.
Shows which process owns each port. This feature is the same as, hmm, I forget, fport.exe, heh; I haven't used it for a long time. Let's see where they differ:
D:\>mt -psport
Proto Listen          Pid  Path
TCP   0.0.0.0:80      1160 C:\WINDOWS\System32\inetsrv\inetinfo.exe
TCP   0.0.0.0:135     780  C:\WINDOWS\system32\svchost.exe
TCP   0.0.0.0:443     1160 C:\WINDOWS\system32\inetsrv\inetinfo.exe
TCP   0.0.0.0:1025    1160 C:\WINDOWS\system32\inetsrv\inetinfo.exe
TCP   0.0.0.0:1026    4    [System]
TCP   0.0.0.0:3025    960  C:\WINDOWS\system32\svchost.exe
TCP   0.0.0.0:3027    1252 C:\WINDOWS\system32\msdtc.exe
TCP   0.0.0.0:3306    1176 D:\mysql\bin\mysqld-nt.exe
TCP   127.0.0.1:3001  1120 C:\WINDOWS\system32\alg.exe
TCP   127.0.0.1:3002  844  C:\WINDOWS\system32\svchost.exe
TCP   127.0.0.1:3003  844  C:\WINDOWS\system32\svchost.exe
TCP   192.168.0.1:139 4    [System]
TCP   192.168.0.1:3011 4   [System]
UDP   0.0.0.0:500     1160 C:\WINDOWS\system32\inetsrv\inetinfo.exe
UDP   0.0.0.0:3456    780  C:\WINDOWS\system32\svchost.exe
UDP   127.0.0.1:3020  1160 C:\WINDOWS\system32\inetsrv\inetinfo.exe
UDP   127.0.0.1:3026  1160 C:\WINDOWS\system32\inetsrv\inetinfo.exe
UDP   192.168.0.1:137 4    [System]
UDP   192.168.0.1:138 960  C:\WINDOWS\system32\svchost.exe
Using fport.exe we get the following results:
E:\Hack>fport /ap
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Pid   Process            Port  Proto Path
1120                  -> 3001  TCP
960                   -> 3025  TCP
1252                  -> 3027  TCP
4     System          -> 1026  TCP
4     System          -> 139   TCP
4     System          -> 3011  TCP
1160  inetinfo        -> 1025  TCP   C:\WINDOWS\system32\inetsrv\inetinfo.exe
1160  inetinfo        -> 443   TCP   C:\WINDOWS\system32\inetsrv\inetinfo.exe
1160  inetinfo        -> 80    TCP   C:\WINDOWS\System32\inetsrv\inetinfo.exe
844   svchost         -> 3002  TCP   C:\WINDOWS\system32\svchost.exe
844   svchost         -> 3003  TCP   C:\WINDOWS\system32\svchost.exe
780   svchost         -> 135   TCP   C:\WINDOWS\system32\svchost.exe
1176  mysqld-nt       -> 3306  TCP   D:\mysql\bin\mysqld-nt.exe
960                   -> 138   UDP
4     System          -> 137   UDP
1160  inetinfo        -> 3020  UDP   C:\WINDOWS\system32\inetsrv\inetinfo.exe
1160  inetinfo        -> 3026  UDP   C:\WINDOWS\system32\inetsrv\inetinfo.exe
1160  inetinfo        -> 500   UDP   C:\WINDOWS\system32\inetsrv\inetinfo.exe
780   svchost         -> 3456  UDP   C:\WINDOWS\system32\svchost.exe
They are basically the same, though fport seems a little more powerful; I used the /ap parameter in fport only to make the two easier to compare.
There is also a better program with a GUI, shown in the figure below:
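A port-to-process map like the one above is most useful when compared against a known-good snapshot of the same machine. The following is an added example, not code from mt.exe, fport or the article's author: it parses listing lines in the mt -psport format and reports listeners whose port is absent from the baseline and listeners whose port is known but is now served by a different executable. The listing is a constructed subset of the article's output; the baseline dictionary is an assumed earlier snapshot, in which UDP/500 was recorded as owned by lsass.exe so that the "changed owner" case is exercised.

```python
"""Parse mt -psport style listings and diff them against a baseline.

Added example; not code from mt.exe, fport or the article's author. The
listing is a constructed subset of the article's output and the baseline
is an assumed earlier snapshot of the same machine.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port pid path")

# One listener per line: "<proto> <ip>:<port> <pid> <path>"; "[System]" is the kernel.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\d+)\s+(.+?)\s*$", re.IGNORECASE)

# Constructed subset of the article's mt -psport output.
SAMPLE_LISTING = r"""Proto Listen Pid Path
TCP 0.0.0.0:80 1160 C:\WINDOWS\System32\inetsrv\inetinfo.exe
TCP 0.0.0.0:135 780 C:\WINDOWS\system32\svchost.exe
TCP 0.0.0.0:443 1160 C:\WINDOWS\system32\inetsrv\inetinfo.exe
TCP 0.0.0.0:3306 1176 D:\mysql\bin\mysqld-nt.exe
TCP 192.168.0.1:139 4 [System]
UDP 192.168.0.1:137 4 [System]
UDP 0.0.0.0:500 1160 C:\WINDOWS\system32\inetsrv\inetinfo.exe
"""

# Assumed known-good snapshot: (proto, port) -> image name that owned it.
# UDP/500 is deliberately recorded as lsass.exe so the owner-change case shows.
BASELINE = {
    ("TCP", 80): "inetinfo.exe",
    ("TCP", 135): "svchost.exe",
    ("TCP", 443): "inetinfo.exe",
    ("TCP", 139): "System",
    ("UDP", 137): "System",
    ("UDP", 500): "lsass.exe",
}


def parse_psport(text):
    """Return a Listener for every line that matches the psport format;
    the header, blank lines and anything unrecognised are skipped."""
    listeners = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        proto, addr, port, pid, path = match.groups()
        listeners.append(Listener(proto.upper(), addr, int(port), int(pid), path))
    return listeners


def image_name(path):
    """'C:\\WINDOWS\\system32\\svchost.exe' -> 'svchost.exe'; '[System]' -> 'system'."""
    return path.strip("[]").replace("\\", "/").rsplit("/", 1)[-1].lower()


def diff_against_baseline(listeners, baseline):
    """Split the listeners into (new, changed): new ports are those the
    baseline never recorded; changed ports are known but now owned by a
    different executable than the baseline recorded."""
    new, changed = [], []
    for listener in listeners:
        expected = baseline.get((listener.proto, listener.port))
        if expected is None:
            new.append(listener)
        elif image_name(listener.path) != expected.lower():
            changed.append(listener)
    return new, changed


if __name__ == "__main__":
    new, changed = diff_against_baseline(parse_psport(SAMPLE_LISTING), BASELINE)
    for item in new:
        print("NEW     %s/%d pid %d %s" % (item.proto, item.port, item.pid, item.path))
    for item in changed:
        print("CHANGED %s/%d now %s (baseline %s)" % (
            item.proto, item.port, item.path, BASELINE[(item.proto, item.port)]))
```

Capture the baseline while the machine is known to be clean and store it with the listing it came from; the comparison is by image name only, so a changed owner with the same file name (a replaced binary in the same path) is not caught by this check and needs a file hash comparison on top.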
24, -touch --- Set the file times for a specified file.
Views a file's modification time. Downloading, copying or transferring a file changes its last-modified time, and with this command we can view a file's final modification time. As an example, we can look at the file mt.exe, as shown in the figure;
in fact we use the following command:
D:\>mt -touch mt1.exe
Set FileTime Successful.
CreationTime: 07/10/2002
LastAccessTime: 19/05/2004
LastWriteTime: 07/10/2002
You can see that its CreationTime, 07/10/2002, was not changed; I believe that is when YY3 wrote this program. A related program is Touch.exe, which can be used in the same way on files on your computer.
25, -chkuser --- List all accounts, SIDs and anti-clone.
This feature could not be tested. It is supposed to list all users, SIDs and anti-clone settings, but as soon as I entered it an error occurred.
26, -findpass --- Show all logged-on users' passwords.
Gets the passwords of all logged-on users. Because this command is for NT/2K only, I tested it on the client, and it got the password easily:
G:\WINNT\system32>mt -findpass
Mt -Findpass
The Logon Information:
Domain: 316-2AS8L1B1FL5
Username: administrator
Password: Winyaj
G:\WINNT\system32>
This is more convenient than FindPass.exe, and does not require knowing the PID of the user's process.
Postscript: MT is indeed a very good tool. It lets us do many things easily, without having to hunt for the relevant software everywhere.