Thursday, November 12, 2009

PASSWORD SNIFFER

SmartSniff - Monitoring TCP/IP packets on your network adapter
Mail PassView - Recover POP3/IMAP/SMTP email passwords.
Dialupass - Recover VPN/RAS/Dialup passwords
___________________________________________________________________

SniffPass is a small password monitoring tool that listens to your network, captures the passwords that pass through your network adapter, and displays them on the screen instantly. SniffPass can capture the passwords of the following protocols: POP3, IMAP4, SMTP, FTP, and HTTP (basic authentication passwords).
You can use this utility to recover lost Web/FTP/Email passwords.
In order to start using SniffPass, follow the instructions below:
If you have Windows 9x, Windows NT, or Windows XP with SP1, you must download and install the WinPcap capture driver in order to use SniffPass.
In all other versions of Windows (including Windows XP with SP2), installing this capture driver is optional. If you don't install this driver, you can still use the raw sockets method for capturing the passwords.
Run the executable file of SniffPass (SniffPass.exe).
From the File menu, select "Start Capture", or simply click the green play button in the toolbar. If it's the first time that you use SniffPass, you'll be asked to select the capture method and the network adapter that you want to use.
After you select the desired capture options, SniffPass listens to your network adapter and instantly displays any password that it finds.

Command-Line Options
Command Description
/NoCapDriver Starts SniffPass without loading the WinPcap Capture Driver.
/NoReg Starts SniffPass without loading/saving your settings to the Registry.


Translating SniffPass to other languages
SniffPass allows you to easily translate all menus, dialog-boxes, and other strings to other languages.
In order to do that, follow the instructions below:
Run SniffPass with /savelangfile parameter:
SniffPass.exe /savelangfile
A file named SniffPass_lng.ini will be created in the folder of SniffPass utility.
Open the created language file in Notepad or in any other text editor.
Translate all menus, dialog-boxes, and string entries to the desired language. Optionally, you can also add your name and/or a link to your Web site. (TranslatorName and TranslatorURL values) If you add this information, it'll be used in the 'About' window.
After you finish the translation, Run SniffPass, and all translated strings will be loaded from the language file.
If you want to run SniffPass without the translation, simply rename the language file, or move it to another folder.

SocketSniff allows you to watch the Windows Sockets (WinSock) activity of the selected process.
For each created socket, the following information is displayed: socket handle, socket type, local and remote addresses, local and remote ports, total number of send/receive bytes, and more. You can also watch the content of each send or receive call, in ASCII mode or as a hex dump.
SocketSniff doesn't require any installation process or additional dll files. In order to start using it, simply run the executable file - SocketSniff.exe
After running it, select the process that you want to inspect, and click Ok. You must select a process that already loaded the winsock library, otherwise, the action will fail. After clicking Ok, SocketSniff will start showing the activity of Windows socket for the selected process.
The upper pane displays the list of all created sockets. When selecting a socket in the upper pane, the lower pane displays the receive and send calls of the selected socket.

Using SocketSniff In Windows Vista
SocketSniff can work in Vista even when UAC (User Account Control) is turned on, as long as the process that you wish to inspect runs in the same account and security context as SocketSniff. However, if you want to inspect a process that runs under an administrator account, you must also run SocketSniff as administrator (right-click on SocketSniff.exe and choose 'Run As Administrator').

Translating SocketSniff to other languages
In order to translate SocketSniff to another language, follow the instructions below:
Run SocketSniff with /savelangfile parameter:
SocketSniff.exe /savelangfile
A file named SocketSniff_lng.ini will be created in the folder of SocketSniff utility.
Open the created language file in Notepad or in any other text editor.
Translate all string entries to the desired language. Optionally, you can also add your name and/or a link to your Web site. (TranslatorName and TranslatorURL values) If you add this information, it'll be used in the 'About' window.
After you finish the translation, Run SocketSniff, and all translated strings will be loaded from the language file.
If you want to run SocketSniff without the translation, simply rename the language file, or move it to another folder.
____________________________________________________________________
Network Tools - Other network monitoring tools of NirSoft.
NetResView - View all computers/shares on your network.
SmartSniff - Capture TCP/IP packets on your network adapter
DownTester - Test the download speed of your Internet connection.
SocketSniff - Windows Sockets (WinSock) Sniffer
SniffPass - Capture POP3/IMAP/SMTP/FTP/HTTP passwords on your network adapter.
AdapterWatch - Monitor your network adapters
IPNetInfo - Retrieve IP Address Information from WHOIS servers
_______________________________________________________________

CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, and so on), the time that the process was created, and the user that created it.
In addition, CurrPorts allows you to close unwanted TCP connections, kill the process that opened the ports, and save the TCP/UDP ports information to an HTML file, an XML file, or a tab-delimited text file.
CurrPorts also automatically marks in pink any suspicious TCP/UDP ports owned by unidentified applications (applications without version information and icons).
CurrPorts utility is a standalone executable, and it doesn't require any installation process or additional DLLs. In order to start using it, just copy the executable file (cports.exe) to any folder you like, and run it.
The main window of CurrPorts displays the list of all currently opened TCP and UDP ports. You can select one or more items, and then close the selected connections, copy the ports information to the clipboard, or save it to HTML/XML/Text file. If you don't want to view all available columns, or you want to change the order of the columns on the screen and in the files you save, select 'Choose Column' from the View menu, and select the desired columns and their order. In order to sort the list by specific column, click on the header of the desired column.

Command-Line Options
/stext Save the list of all opened TCP/UDP ports into a regular text file.
/stab Save the list of all opened TCP/UDP ports into a tab-delimited text file.
/scomma Save the list of all opened TCP/UDP ports into a comma-delimited text file.
/stabular Save the list of all opened TCP/UDP ports into a tabular text file.
/shtml Save the list of all opened TCP/UDP ports into HTML file (Horizontal).
/sverhtml Save the list of all opened TCP/UDP ports into HTML file (Vertical).
/sxml Save the list of all opened TCP/UDP ports to XML file.
/sort This command-line option can be used with other save options for sorting by the desired column. If you don't specify this option, the list is sorted according to the last sort that you made from the user interface. The parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "Remote Port" and "Remote Address". You can specify the '~' prefix character (e.g: "~Remote Address") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns.
Examples:
cports.exe /shtml "f:\temp\1.html" /sort 2 /sort ~1
cports.exe /shtml "f:\temp\1.html" /sort "Protocol" /sort "~Remote Address"

/nosort When you specify this command-line option, the list will be saved without any sorting.
/filter Start CurrPorts with the specified filters. If you want to specify more than one filter, use the ';' character as a delimiter.
/cfg Start CurrPorts with the specified config file.

Here are some examples:

Save all opened TCP/IP ports created by Internet Explorer browser to HTML file:
cports.exe /filter "include:process:iexplore" /shtml "c:\temp\ports.html"
Add all opened ports information to ports.txt (as tab-delimited text file). This example only works when running it from a command-prompt window.
cports.exe /stab "" >> c:\temp\cports1.txt
Start CurrPorts with filter that will only display the opened ports of Internet Explorer and FireFox:
cports.exe /filter "include:process:firefox;include:process:iexplore"

Closing a Connection From Command-Line
Starting from version 1.09, you can close one or more connections from command-line, by using /close parameter.
The syntax of the /close command:
/close <Local Address> <Local Port> <Remote Address> <Remote Port>
For each parameter, you can specify "*" in order to include all ports or addresses.
Examples:

Close all connections with remote port 80 and remote address 192.168.1.10:
/close * * 192.168.1.10 80
Close all connections with remote port 80 (for all remote addresses):
/close * * * 80
Close all connections to remote address 192.168.20.30:
/close * * 192.168.20.30 *
Close all connections with local port 80:
/close * 80 * *

Translating CurrPorts To Another Language
CurrPorts allows you to easily translate all menus, dialog-boxes, and other strings to other languages.
In order to do that, follow the instructions below:
Run CurrPorts with /savelangfile parameter:
cports.exe /savelangfile
A file named cports_lng.ini will be created in the folder of CurrPorts utility.
Open the created language file in Notepad or in any other text editor.
Translate all menus, dialog-boxes, and string entries to the desired language.
After you finish the translation, Run CurrPorts, and all translated strings will be loaded from the language file.
If you want to run CurrPorts without the translation, simply rename the language file, or move it to another folder.
_______________________________________
Disk Doctors Outlook Mail Recovery - Repairs corrupt and damaged .pst files.
MessenPass - Recover the passwords of 'Instant Messenger' applications.
IE PassView - Recover the passwords of Internet Explorer.
Dialupass - Recover VPN/RAS/Dialup passwords
Asterisk Logger - Recover passwords stored behind asterisk (**) characters.
Network Password Recovery - Recover Windows XP/Vista network passwords (Credentials file)
____________________________________________

Mail PassView is a small password-recovery tool that reveals the passwords and other account details for the following email clients:

Outlook Express
Microsoft Outlook 2000 (POP3 and SMTP Accounts only)
Microsoft Outlook 2002/2003/2007 (POP3, IMAP, HTTP and SMTP Accounts)
Windows Mail
Windows Live Mail
IncrediMail
Eudora
Netscape 6.x/7.x (If the password is not encrypted with master password)
Mozilla Thunderbird (If the password is not encrypted with master password)
Group Mail Free
Yahoo! Mail - If the password is saved in Yahoo! Messenger application.
Hotmail/MSN mail - If the password is saved in MSN/Windows/Live Messenger application.
Gmail - If the password is saved by Gmail Notifier application, Google Desktop, or by Google Talk.
For each email account, the following fields are displayed: Account Name, Application, Email, Server, Server Type (POP3/IMAP/SMTP), User Name, and the Password.

If your email program is not supported by Mail PassView, you can still recover your password by using this Password Sniffer.
Translating Mail PassView to other languages
Mail PassView allows you to easily translate all dialog-boxes, menus, and strings to other language.
In order to do that, follow the instructions below:
Run Mail PassView with /savelangfile parameter:
mailpv.exe /savelangfile
A file named mailpv_lng.ini will be created in the folder of Mail PassView utility.
Open the created language file in Notepad or in any other text editor.
Translate all menus, dialog-boxes, and string entries to the desired language.
After you finish the translation, Run Mail PassView, and all translated strings will be loaded from the language file.
If you want to run Mail PassView without the translation, simply rename the language file, or move it to another folder.
_____________________

When you use the "Dial-Up Networking" module for connecting to the internet or to other networks, the operating system gives you the option to store the password and use it when it is needed. Although the password is constantly stored in your computer, the operating system doesn't allow you to view it. If you forget your password and you want to extract it from your computer, you can use the Dialupass utility for viewing the password.
This utility enumerates all Dial-Up entries on your computer and reveals their logon details: User Name, Password and Domain.
It works perfectly in the following operating systems: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, and Windows XP. In Windows 2000 and Windows XP, the Dialupass utility can reveal the Dial-Up passwords only if you are logged on with administrator privileges.

Using Dialupass
The Dialupass utility is a standalone application, and it doesn't require any installation process or additional DLLs. Just copy the dialupass.exe to any folder you want and run it. After you run it, it'll instantly show all your Dial-Up accounts and their user/password details.
You can also select one or more Dial-Up items (by using Ctrl and Shift keys), and then save them into a readable or tab-delimited text file, or copy them into the clipboard (Ctrl+C).

The Dialupass utility also allows you to easily edit the logon details: user name, password and domain. You can get the editing dialog-box by double-clicking the item you want to edit.


Viewing the logon details of other users
Under Windows 2000/XP, you can view the logon details of other users in the same computer. Simply press Ctrl+U, and select the desired user, or select to view the passwords of all user profiles in your system. In order to view the logon details of other users under Windows NT, you should run Dialupass in advanced mode, by using the /adv option: dialupass.exe /adv

Command-Line Options
Option Description
/stext Save the list of all dial-up items into a regular text file.
/stab Save the list of all dial-up items into a tab-delimited text file.
/stabular Save the list of all dial-up items into a tabular text file.
/shtml Save the list of all dial-up items into horizontal HTML file.
/sverhtml Save the list of all dial-up items into vertical HTML file.

Sunday, November 8, 2009

VB.NET 2008 DATA PROGRAMMING WITH CRYSTAL REPORT




DataSet and DataAdapter in ASP.NET 2.0 - Part 1 of 2
What are DataSets and DataAdapters
Datasets store a copy of data from the database tables. However, Datasets can not directly retrieve data from Databases. DataAdapters are used to link Databases with DataSets. If we see diagrammatically,
DataSets < ----- DataAdapters < ----- DataProviders < ----- Databases
DataSets and DataAdapters are used to display and manipulate data from databases.
Reading Data into a Dataset
To read data into Dataset, you need to:
Create a database connection and then a dataset object.
Create a DataAdapter object and refer it to the DB connection already created. Note that every DataAdapter has to refer to a connection object. For example, SqlDataAdapter refers to SqlConnection.
The Fill method of DataAdapter has to be called to populate the Dataset object.
We elaborate the above mentioned steps by giving examples of how each step can be performed:

1) As we said, our first task is to create a connection to database. We would explore later that there is no need of opening and closing database connection explicitly while you deal with DataAdapter objects. All you have to do is, create a connection to database using the code like this:
___________________________________


Public Class Form1
Dim conn As New OleDb.OleDbConnection
Dim adp As New OleDb.OleDbDataAdapter("select * from EMP", conn)
Dim row As DataRow
Dim bm As BindingManagerBase
Dim dset As New DataSet

Public Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & """" & "C:\Documents and Settings\admin\My Documents\EMP.mdb" & """"
Try
conn.Open()
' Insert code to process data.
Catch ex As Exception
MessageBox.Show("Failed to connect to data source" + ex.ToString)
Finally
conn.Close()
End Try
adp.Fill(dset, "EMP")
'row = dset.Tables("EMP").Rows(0)
row = dset.Tables("EMP").Rows(dset.Tables("EMP").Rows.Count - 1)
TextBox1.Text = row(0).ToString
TextBox2.Text = row(1).ToString

End Sub

Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
Dim i As Integer
i = TextBox1.Text
If i = 1 Then
MessageBox.Show("Beginning Point of Record")
Else
i -= 1
Try
row = dset.Tables("EMP").Rows(i - 1)
TextBox1.Text = row(0).ToString
TextBox2.Text = row(1).ToString
Catch ex As Exception
MessageBox.Show(ex.ToString)
End Try
End If


End Sub

Private Sub Button2_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button2.Click
Dim i As Integer
i = TextBox1.Text
If i = dset.Tables("EMP").Rows.Count Then
MessageBox.Show("End Point of Record")
Else
i += 1
Try
row = dset.Tables("EMP").Rows(i - 1)
TextBox1.Text = row(0).ToString
TextBox2.Text = row(1).ToString
Catch ex As Exception
MessageBox.Show(ex.ToString)
End Try
End If
End Sub

Private Sub Button3_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button3.Click
Try
row = dset.Tables("EMP").Rows(0)
TextBox1.Text = row(0).ToString
TextBox2.Text = row(1).ToString
Catch ex As Exception
MessageBox.Show(ex.ToString)
End Try
End Sub

Private Sub Button4_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button4.Click
Try
row = dset.Tables("EMP").Rows(dset.Tables("EMP").Rows.Count - 1)
TextBox1.Text = row(0).ToString
TextBox2.Text = row(1).ToString
Catch ex As Exception
MessageBox.Show(ex.ToString)
End Try
End Sub

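Private Sub Button5_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button5.Click
' Bind the text box values as parameters instead of concatenating them into the SQL text.
' OleDb parameters are positional: they are matched to the ? markers in the order they are added.
Dim cmd As New OleDb.OleDbCommand("INSERT INTO EMP (ID, NAME) VALUES (?, ?)", conn)
cmd.CommandType = CommandType.Text
cmd.Parameters.AddWithValue("@id", TextBox1.Text)
cmd.Parameters.AddWithValue("@name", TextBox2.Text)
Try
conn.Open()
cmd.ExecuteNonQuery()
' Reload the table so the DataSet includes the inserted row exactly once.
dset.Tables("EMP").Clear()
adp.Fill(dset, "EMP")
row = dset.Tables("EMP").Rows(dset.Tables("EMP").Rows.Count - 1)
TextBox1.Text = row(0).ToString
TextBox2.Text = row(1).ToString
Catch ex As Exception
MessageBox.Show(ex.ToString)
Finally
conn.Close()
End Try
End Sub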

Private Sub Button9_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button9.Click
TextBox1.Text = ""
TextBox2.Text = ""
End Sub
End Class





To get the total number of rows in this table:
MessageBox.Show(dset.Tables("EMP").Rows.Count)



_______________________________-
Public Class Form1
Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
Dim conn As New OleDb.OleDbConnection
Dim dset As New DataSet
Dim constr1 As String
' Wrap the path in double quotes (Str() only formats numbers and would fail on "\")
constr1 = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & """" & "C:\Documents and Settings\admin\My Documents\EMP.mdb" & """"
conn.ConnectionString = constr1
MessageBox.Show(conn.ConnectionString)
Try
conn.Open()
' Insert code to process data.

Dim adp As New OleDb.OleDbDataAdapter("select * from EMP", conn)
adp.Fill(dset, "EMP")
Dim row As DataRow
row = dset.Tables("EMP").Rows(0)
' row is already a single DataRow, so index its columns directly
TextBox1.Text = row(0).ToString
TextBox2.Text = row(1).ToString
Catch ex As Exception
MessageBox.Show("Failed to connect to data source" + ex.ToString)

Finally
conn.Close()
End Try
End Sub
End Class
________________________________________________________________________

SqlConnection con = new SqlConnection ("data source=localhost; uid= sa; pwd= abc; database=Northwind");

We would use the Northwind database through OleDbConnection. The code would look like:

OleDbConnection con= new OleDbConnection ("Provider =Microsoft.JET.OLEDB.4.0;" + "Data Source=C:\\Program Files\\Microsoft Office\\Office\\Samples\\Northwind.mdb");

2) Now, create a Dataset object which would be used for storing and manipulating data. You would be writing something like

DataSet myDataSet = new DataSet ("Northwind");

Since the name of source database is Northwind, we have passed the same name in the constructor.

3) The DataSet has been created but, as we said before, this DataSet object can not directly interact with the database. We need to create a DataAdapter object which would refer to the connection already created. The following line would declare a DataAdapter object:

OleDbDataAdapter myDataAdapter = new OleDbDataAdapter (CommandObject);

The above line demonstrates one of the constructors of the OleDbDataAdapter class. This constructor takes a command object, and the command object carries the database connection. The purpose of the command object is to retrieve the data needed for populating the DataSet. Just as SQL commands interact directly with database tables, a similar command can be assigned to CommandObject:

OleDbCommand CommandObject = new OleDbCommand ("Select * from employee", con);

Whatever data you need for your DataSet should be retrieved by using a suitable command here. The second argument of the OleDbCommand constructor is the connection object con.

Alternative approach for initializing DataAdapter object:

Place a null instead of CommandObject while you initialize the OleDbDataAdapter object:

OleDbDataAdapter myDataAdapter = new OleDbDataAdapter (null, con);

Then you assign your query to the CommandObject and write:

myDataAdapter.SelectCommand = CommandObject;

4) Now, the bridge between the DataSet and Database has been created. You can populate dataset by using the Fill command:

myDataAdapter.Fill (myDataSet, "EmployeeData");

The first argument to Fill function is the DataSet name which we want to populate. The second argument is the name of DataTable. The results of SQL queries go into DataTable. In this example, we have created a DataTable named EmployeeData and the values in this table would be the results of SQL query: "Select * from employee". In this way, we can use a dataset for storing data from many database tables.

5) DataTables within a Dataset can be accessed using Tables. To access EmployeeData, we need to write:

myDataSet.Tables["EmployeeData"]

To access rows in each DataTable, you need to write:

myDataSet.Tables["EmployeeData"].Rows
___________________________________________________________________
Listing 1.1 would combine all the steps we have elaborated so far.



<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.OleDb" %>
<html>
<body>
<table border="1">
<tr><th>Employee ID</th><th>Employee Name</th></tr>
<%
OleDbConnection con = new OleDbConnection("Provider=Microsoft.JET.OLEDB.4.0;" + "Data Source=C:\\Program Files\\Microsoft Office\\Office\\Samples\\Northwind.mdb");
DataSet myDataSet = new DataSet();
OleDbCommand CommandObject = new OleDbCommand("Select * from employee", con);
OleDbDataAdapter myDataAdapter = new OleDbDataAdapter(CommandObject);
myDataAdapter.Fill(myDataSet, "EmployeeData");

foreach (DataRow dr in myDataSet.Tables["EmployeeData"].Rows)
{
    Response.Write("<tr>");
    for (int j = 0; j < 2; j++)
    {
        // HTML-encode each value so data from the table cannot inject markup into the page
        Response.Write("<td>" + Server.HtmlEncode(dr[j].ToString()) + "</td>");
    }
    Response.Write("</tr>");
}
%>
</table>
</body>
</html>

The code above iterates over all rows of the Employee table and displays the ID and name of every employee. To display all columns of the Employee table, the header of the inner loop (for (int j = 0; j < 2; j++)) would be replaced by:

for (int j = 0; j < dr.Table.Columns.Count; j++)



As we said earlier, there is no need of opening and closing database connection explicitly. DataAdapter class handles both these functions.

____________________________________________________________________
Deletions in Employee Table
To delete the Employee having id 1001:



DataTable EmployeeData = ds1.Tables["EmployeeData"];
foreach (DataRow dr in EmployeeData.Rows)
{
    if (Convert.ToInt32(dr["id"]) == 1001)
    {
        // Marks the row as deleted; stop iterating right after changing the row
        dr.Delete();
        break;
    }
}

____________________________________
Updating Employee Table
To change the name of Employee having id 1001:



foreach (DataRow dr in ds1.Tables["EmployeeData"].Rows)
    if (Convert.ToInt32(dr["id"]) == 1001)
        dr["name"] = "new name";

__________________________________________
Insertions in Employee Table


DataTable EmployeeData = ds1.Tables["EmployeeData"];
DataRow dr = EmployeeData.NewRow();
dr["id"] = "1003";
dr["name"] = "Ahmed Albaradi";
// (or you can set the columns by index: dr[0], dr[1], ..., dr[n-1])
EmployeeData.Rows.Add(dr);

_______________________________________________
Writing Changes back to database table
We have discussed that DataSets can not directly interact with database tables. Moreover, all the modifications we performed above apply only to EmployeeData, which is a DataTable. Before we discuss how to write back changes, let's explore the DataAdapter class in a bit more detail:

We have discussed the SelectCommand property, which lets the adapter select its query. There are three other properties: UpdateCommand, InsertCommand and DeleteCommand. All these commands make changes in the database. However, by using a CommandBuilder object, you don't have to create all of these commands yourself. The Update, Insert and Delete commands are created automatically based on SelectCommand.

OleDbCommandBuilder mybuilder = new OleDbCommandBuilder (myDataAdapter);

And after writing this statement, you are now in position to make changes back to database. All you have to do is create a separate dataset for all the modified rows and then apply the Update command of DataAdapter.

DataSet newSet = myDataSet.GetChanges (DataRowState.Modified);

myDataAdapter.Update(newSet, "EmployeeData");

The GetChanges method would return all the modified rows. The parameter passed to GetChanges can be different. For example:

DataRowState.Added: would return newly added rows

DataRowState.Deleted: would return deleted rows
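
The effect of the DataRowState argument, shown on an in-memory EmployeeData table (an added example, not part of the original tutorial; the sample rows and the GetChangesDemo and CountChanges names are constructed for illustration). It shows that GetChanges(DataRowState.Modified) alone leaves inserted and deleted rows out of the DataSet handed to Update, and that GetChanges returns null when nothing matches.

```csharp
using System;
using System.Data;

static class GetChangesDemo
{
    // Builds an in-memory EmployeeData table with constructed sample rows.
    // No database is needed; AcceptChanges() leaves every row Unchanged,
    // which is the state rows are in right after DataAdapter.Fill.
    static DataSet BuildDataSet()
    {
        DataSet ds = new DataSet("Northwind");
        DataTable t = ds.Tables.Add("EmployeeData");
        t.Columns.Add("id", typeof(int));
        t.Columns.Add("name", typeof(string));
        t.PrimaryKey = new DataColumn[] { t.Columns["id"] };
        t.Rows.Add(1001, "Alice");
        t.Rows.Add(1002, "Bob");
        t.Rows.Add(1004, "Carol");
        ds.AcceptChanges();
        return ds;
    }

    // Number of EmployeeData rows that GetChanges returns for the given state(s).
    static int CountChanges(DataSet ds, DataRowState state)
    {
        DataSet changes = ds.GetChanges(state);   // null when no row matches
        return changes == null ? 0 : changes.Tables["EmployeeData"].Rows.Count;
    }

    static void Main()
    {
        DataSet ds = BuildDataSet();
        DataTable t = ds.Tables["EmployeeData"];

        // Nothing edited yet: GetChanges returns null, so guard before calling Update.
        Console.WriteLine("Before edits: " + CountChanges(ds, DataRowState.Modified));

        t.Rows.Find(1001)["name"] = "new name";   // update, as in "Updating Employee Table"
        t.Rows.Find(1002).Delete();               // delete, as in "Deletions in Employee Table"
        t.Rows.Add(1003, "Ahmed Albaradi");       // insert, as in "Insertions in Employee Table"

        Console.WriteLine("Modified: " + CountChanges(ds, DataRowState.Modified));
        Console.WriteLine("Added:    " + CountChanges(ds, DataRowState.Added));
        Console.WriteLine("Deleted:  " + CountChanges(ds, DataRowState.Deleted));

        // Flags can be combined to collect every pending change in one DataSet.
        DataRowState all = DataRowState.Added | DataRowState.Modified | DataRowState.Deleted;
        Console.WriteLine("Combined: " + CountChanges(ds, all));
    }
}
```
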

_____________________________________________________
THIS IS ORIGINAL:

Imports CrystalDecisions.CrystalReports.Engine
Imports CrystalDecisions.Shared
Imports System.Data
Public Class Form1
Dim conn As New OleDb.OleDbConnection
Dim adp As New OleDb.OleDbDataAdapter("select * from EMP", conn)
Dim row As DataRow
Dim i As Integer
Dim cmd As OleDb.OleDbCommand
Dim dset As New DataSet


Public Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & """" & "C:\Documents and Settings\admin\My Documents\EMP.mdb" & """"
Try
conn.Open()
Catch ex As Exception
MessageBox.Show("Failed to connect to data source: " + ex.ToString)
Finally
conn.Close()
End Try
adp.Fill(dset, "EMP")
row = dset.Tables("EMP").Rows(dset.Tables("EMP").Rows.Count - 1)
TextBox1.Text = row(0).ToString
TextBox2.Text = row(1).ToString
i = dset.Tables("EMP").Rows.Count - 1
End Sub

Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
If i = 0 Then
MessageBox.Show("Beginning Point of Record")
Else
i -= 1
Try
row = dset.Tables("EMP").Rows(i)
TextBox1.Text = row(0).ToString
TextBox2.Text = row(1).ToString
Catch ex As Exception
MessageBox.Show(ex.ToString)
End Try
End If

End Sub

Private Sub Button2_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button2.Click

' i is the zero-based index of the row currently shown
If i >= dset.Tables("EMP").Rows.Count - 1 Then
MessageBox.Show("End Point of Record")
Else
i += 1
Try
row = dset.Tables("EMP").Rows(i)
TextBox1.Text = row(0).ToString
TextBox2.Text = row(1).ToString
Catch ex As Exception
MessageBox.Show(ex.ToString)
End Try
End If
End Sub

Private Sub Button3_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button3.Click

Try
row = dset.Tables("EMP").Rows(0)
TextBox1.Text = row(0).ToString
TextBox2.Text = row(1).ToString
i = 0
Catch ex As Exception
MessageBox.Show(ex.ToString)
End Try
End Sub

Private Sub Button4_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button4.Click
Try
row = dset.Tables("EMP").Rows(dset.Tables("EMP").Rows.Count - 1)
TextBox1.Text = row(0).ToString
TextBox2.Text = row(1).ToString
i = dset.Tables("EMP").Rows.Count - 1
Catch ex As Exception
MessageBox.Show(ex.ToString)
End Try
End Sub

Private Sub Button5_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button5.Click
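Dim par As String
Dim id As Integer
If TextBox1.Text = "" Or TextBox2.Text = "" Then
MessageBox.Show(" PLEASE ENTER DATA BEFORE ADD")
Exit Sub
End If
If Not Integer.TryParse(TextBox1.Text, id) Then
MessageBox.Show("ID must be a number")
Exit Sub
End If

' Bind the values as parameters instead of concatenating them into the SQL text.
' OleDb parameters are positional: they are matched to the ? markers in the order they are added.
par = "INSERT INTO EMP VALUES(?, ?)"
Dim cmd As New OleDb.OleDbCommand(par, conn)
Try
cmd.CommandType = CommandType.Text
cmd.Parameters.AddWithValue("@id", id)
cmd.Parameters.AddWithValue("@name", TextBox2.Text)
conn.Open()
cmd.ExecuteNonQuery()
Catch ex As Exception
MessageBox.Show("Either Duplicate ID or Bad Data have entered, can't be added")
Finally
cmd.Parameters.Clear() ' cmd is reused for the SELECT below
conn.Close()
dset.Tables("EMP").Clear() ' avoid duplicate rows when the table is refilled below
End Try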
conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & """" & "C:\Documents and Settings\admin\My Documents\EMP.mdb" & """"
Try
conn.Open()
par = "SELECT * FROM EMP"
cmd.CommandText = par
adp.SelectCommand = cmd
adp.Fill(dset, "EMP")
row = dset.Tables("EMP").Rows(dset.Tables("EMP").Rows.Count - 1)
TextBox1.Text = row(0).ToString
TextBox2.Text = row(1).ToString
Catch ex As Exception
MessageBox.Show("Failed to connect to data source: " + ex.ToString)
Finally
conn.Close()
End Try

End Sub

Private Sub Button9_Click(ByVal sender As System.Object, ByVal e As System.EventArgs)
TextBox1.Text = ""
TextBox2.Text = ""
End Sub


Private Sub Button6_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button6.Click
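Dim par As String
Dim id As Integer
If TextBox1.Text = "" Or TextBox2.Text = "" Then
MessageBox.Show(" PLEASE ENTER DATA BEFORE ADD")
Exit Sub
End If
If Not Integer.TryParse(TextBox1.Text, id) Then
MessageBox.Show("ID must be a number")
Exit Sub
End If

' Bind the values as parameters instead of concatenating them into the SQL text.
' OleDb parameters are positional: NAME is added first, then ID, matching the ? order.
par = "UPDATE EMP SET NAME=? WHERE ID=?"
Dim cmd As New OleDb.OleDbCommand(par, conn)
Try
cmd.CommandType = CommandType.Text
cmd.Parameters.AddWithValue("@name", TextBox2.Text)
cmd.Parameters.AddWithValue("@id", id)
conn.Open()
cmd.ExecuteNonQuery()
Catch ex As Exception
MessageBox.Show("Either Duplicate ID or Bad Data have entered, can't be added")
Finally
cmd.Parameters.Clear() ' cmd is reused for the SELECT below
conn.Close()
dset.Tables("EMP").Clear() ' avoid duplicate rows when the table is refilled below
End Try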
conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & """" & "C:\Documents and Settings\admin\My Documents\EMP.mdb" & """"
Try
conn.Open()
par = "SELECT * FROM EMP"
cmd.CommandText = par
adp.SelectCommand = cmd
adp.Fill(dset, "EMP")
row = dset.Tables("EMP").Rows(dset.Tables("EMP").Rows.Count - 1)
TextBox1.Text = row(0).ToString
TextBox2.Text = row(1).ToString
Catch ex As Exception
MessageBox.Show("Failed to connect to data source: " + ex.ToString)
Finally
conn.Close()
End Try
End Sub

Private Sub Button8_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button8.Click
Dim par As String
If TextBox1.Text = "" Or TextBox2.Text = "" Then
MessageBox.Show(" PLEASE ENTER DATA BEFORE ADD")
Exit Sub
End If

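' NAME and ID are bound as parameters (in placeholder order) instead of being concatenated into the SQL text
par = "UPDATE EMP SET NAME = ? WHERE ID = ?"
Dim cmd As New OleDb.OleDbCommand(par, conn)
Try
cmd.CommandType = CommandType.Text
cmd.Parameters.AddWithValue("@name", TextBox2.Text)
cmd.Parameters.AddWithValue("@id", CDbl(TextBox1.Text)) ' ID is numeric; non-numeric input is reported by the Catch below
adp.SelectCommand = cmd
adp.Fill(dset, "EMP")
conn.Close()
Catch ex As Exception
MessageBox.Show("Either Duplicate ID or Bad Data have entered, cann't added")
End Try
conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & """" & "C:\Documents and Settings\admin\My Documents\EMP.mdb" & """"
Try
conn.Open()
par = "SELECT * FROM EMP"
cmd.Parameters.Clear() ' the SELECT takes no parameters
cmd.CommandText = par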
adp.SelectCommand = cmd
adp.Fill(dset, "EMP")
row = dset.Tables("EMP").Rows(dset.Tables("EMP").Rows.Count - 1)
TextBox1.Text = row(0).ToString
TextBox2.Text = row(1).ToString
Catch ex As Exception
MessageBox.Show("Failed to connect to data source: " + ex.ToString)
Finally
conn.Close()
End Try
End Sub

Private Sub Button7_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button7.Click
Dim par As String
' The ID is bound as a parameter instead of being concatenated into the SQL text
par = "DELETE FROM EMP WHERE ID = ?"
Dim cmd As New OleDb.OleDbCommand(par, conn)
Try
cmd.CommandType = CommandType.Text
cmd.Parameters.AddWithValue("@id", CDbl(TextBox1.Text)) ' ID is numeric; non-numeric input is reported by the Catch below
adp.SelectCommand = cmd
adp.Fill(dset, "EMP")
conn.Close()
Catch ex As Exception
MessageBox.Show("Either Duplicate ID or Bad Data have entered, cann't added")
End Try
conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & """" & "C:\Documents and Settings\admin\My Documents\EMP.mdb" & """"
Try
conn.Open()
par = "SELECT * FROM EMP"
cmd.Parameters.Clear() ' the SELECT takes no parameters
cmd.CommandText = par
adp.SelectCommand = cmd
adp.Fill(dset, "EMP")
row = dset.Tables("EMP").Rows(dset.Tables("EMP").Rows.Count - 1)
TextBox1.Text = row(0).ToString
TextBox2.Text = row(1).ToString
Catch ex As Exception
MessageBox.Show("Failed to connect to data source: " + ex.ToString)
Finally
conn.Close()
End Try
End Sub

Private Sub Button9_Click_1(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button9.Click
'Dim CR As New CrystalReport1
conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & """" & "C:\Documents and Settings\admin\My Documents\EMP.mdb" & """"
Dim query As String
conn.Open()
Dim adp As New OleDb.OleDbDataAdapter("select * from EMP", conn)
Try
Dim d As New ReportDocument
d.Load("C:\EMP\EMP\CrystalReport1.rpt")
adp.Fill(dset, "EMP")
d.SetDataSource(dset)
'CR.SetDataSource(dset)
query = "{EMP.NAME} ='" & TextBox2.Text & "'"
CrystalReportViewer1.SelectionFormula = query
CrystalReportViewer1.ReportSource = d
'CrystalReportViewer1.ReportSource = CR
CrystalReportViewer1.Refresh()
Catch ex As Exception
MessageBox.Show(ex.ToString)
Finally
conn.Close()
End Try


End Sub

End Class


______________________________ALL RIGHT______________________________________
Imports CrystalDecisions.CrystalReports.Engine
Imports CrystalDecisions.Shared
Imports System.Data
Public Class Form1
Dim conn As New OleDb.OleDbConnection
Dim row As DataRow
Dim dset As New DataSet
Dim adp As New OleDb.OleDbDataAdapter("select * from LAND", conn)
Dim i As Integer
Dim c As Integer
Dim cmd As OleDb.OleDbCommand

Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & """" & "C:\Documents and Settings\admin\My Documents\LAND.mdb" & """"
Try
conn.Open()
Catch ex As Exception
MessageBox.Show("Failed to connect to data source: " + ex.ToString)
Finally
conn.Close()
End Try
adp.Fill(dset, "LAND")
row = dset.Tables("LAND").Rows(dset.Tables("LAND").Rows.Count - 1)
Text1.Text = row(1).ToString
Text2.Text = row(5).ToString
Text3.Text = row(2).ToString
Text4.Text = row(6).ToString
Text5.Text = row(3).ToString
Text6.Text = row(7).ToString
Text7.Text = row(4).ToString
Text8.Text = row(8).ToString
Text9.Text = row(0).ToString
Text10.Text = row(9).ToString
i = dset.Tables("LAND").Rows.Count - 1
GroupBox1.Show()
GroupBox2.Hide()
Label3.ForeColor = Color.Red
Label3.Text = Now()
Timer1.Start()
TabControl1.Hide()
Label18.Visible = False
Button3.Hide()
Button4.Hide()
Button5.Hide()
End Sub


Private Sub Button2_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button2.Click
If TextBox1.Text = "land" Then
If MaskedTextBox1.Text = "land123" Then
MessageBox.Show("login successfully!")
GroupBox1.Hide()
GroupBox2.Show()
Label3.ForeColor = Color.Green
Me.Height = 323
Button6.Show()
Button3.Show()
Button4.Show()
Button5.Show()
TextBox1.Text = ""
MaskedTextBox1.Text = ""
Else
MessageBox.Show("Incorrect Password!")
MaskedTextBox1.Text = ""
End If
Else
MessageBox.Show("Incorrect User ID !")
TextBox1.Text = ""
End If
End Sub

Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
conn.Close()
End
End Sub

Public Sub Timer1_Tick(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Timer1.Tick
Label3.Text = Now()
Label17.Text = Now()
Label18.Text = Now()
Label21.Text = Now()
End Sub

Private Sub Button6_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button6.Click
Button6.Hide()
Button3.Hide()
Button4.Hide()
Button5.Hide()
GroupBox2.Hide()
GroupBox1.Show()
Label3.ForeColor = Color.Red
Me.Height = 457
c = 0
End Sub

Private Sub Button7_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button7.Click
TabControl1.Hide()
Me.Height = 323
dset.Clear()
conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & """" & "C:\Documents and Settings\admin\My Documents\LAND.mdb" & """"
Try
conn.Open()
Catch ex As Exception
MessageBox.Show("Failed to connect to data source: " + ex.ToString)
Finally
conn.Close()
End Try
adp.Fill(dset, "LAND")
row = dset.Tables("LAND").Rows(dset.Tables("LAND").Rows.Count - 1)
Text1.Text = row(1).ToString
Text2.Text = row(5).ToString
Text3.Text = row(2).ToString
Text4.Text = row(6).ToString
Text5.Text = row(3).ToString
Text6.Text = row(7).ToString
Text7.Text = row(4).ToString
Text8.Text = row(8).ToString
Text9.Text = row(0).ToString
Text10.Text = row(9).ToString
i = dset.Tables("LAND").Rows.Count - 1
End Sub

Private Sub Button3_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button3.Click
TabControl1.Show()
Me.Height = 486
Label21.Visible = True
Label18.Visible = True
c = 0
End Sub
Private Sub Button4_Click1(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button4.Click
TabControl1.Show()
Me.Height = 486
Label21.Visible = True
Label18.Visible = True
c = 0
End Sub

Private Sub Button5_Click1(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button5.Click
TabControl1.Show()
Me.Height = 486
Label21.Visible = True
Label18.Visible = True
c = 0
End Sub

Private Sub Button8_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button8.Click
TabControl1.Hide()
Me.Height = 323
dset.Clear()
conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & """" & "C:\Documents and Settings\admin\My Documents\LAND.mdb" & """"
Try
conn.Open()
Catch ex As Exception
MessageBox.Show("Failed to connect to data source: " + ex.ToString)
Finally
conn.Close()
End Try
adp.Fill(dset, "LAND")
row = dset.Tables("LAND").Rows(dset.Tables("LAND").Rows.Count - 1)
Text1.Text = row(1).ToString
Text2.Text = row(5).ToString
Text3.Text = row(2).ToString
Text4.Text = row(6).ToString
Text5.Text = row(3).ToString
Text6.Text = row(7).ToString
Text7.Text = row(4).ToString
Text8.Text = row(8).ToString
Text9.Text = row(0).ToString
Text10.Text = row(9).ToString
i = dset.Tables("LAND").Rows.Count - 1
End Sub


Private Sub Button10_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button10.Click
Dim par As String
Dim dt As DataTable
conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & """" & "C:\Documents and Settings\admin\My Documents\LAND.mdb" & """"
conn.Open()
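' A column name cannot be bound as a parameter, so only the LAND columns used elsewhere in this form are accepted
Dim columns() As String = {"PLOT_NO", "DEPARTMENT", "BLOCK", "LOCATION", "RVENUE_CIRCLE", "AREA", "STATUS", "DEMARCATED_FENCED", "STRUCTURE", "REMARKS"}
If Array.IndexOf(columns, ComboBox1.Text) < 0 Then
MessageBox.Show("WRONG VALUE WAS ENTERED")
conn.Close()
Exit Sub
End If
par = "SELECT * FROM LAND WHERE [" & ComboBox1.Text & "] = ?"
Dim adp As New OleDb.OleDbDataAdapter(par, conn)
Try
' The search value is bound as a parameter: PLOT_NO and AREA are numeric, the other columns are text
If ComboBox1.Text = "PLOT_NO" Or ComboBox1.Text = "AREA" Then
adp.SelectCommand.Parameters.AddWithValue("@value", CDbl(TextBox12.Text))
Else
adp.SelectCommand.Parameters.AddWithValue("@value", TextBox12.Text)
End If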
dset.Clear()
adp.Fill(dset, "LAND")
row = dset.Tables("LAND").Rows(dset.Tables("LAND").Rows.Count - 1)
dt = dset.Tables("LAND")
If dt.Rows.Count > 1 Then
TextBox14.Text = dt.Rows.Count
Label23.Text = " ROWS ARE AVAILABLE"
Button22.Enabled = True
Button23.Enabled = True
Button24.Enabled = True
Button25.Enabled = True
Else
TextBox14.Text = dt.Rows.Count
Label23.Text = " ROW IS AVAILABLE"
Button22.Enabled = False
Button23.Enabled = False
Button24.Enabled = False
Button25.Enabled = False
End If
TextBox2.Text = row(1).ToString
TextBox3.Text = row(5).ToString
TextBox4.Text = row(2).ToString
TextBox5.Text = row(6).ToString
TextBox6.Text = row(3).ToString
TextBox7.Text = row(7).ToString
TextBox8.Text = row(4).ToString
TextBox9.Text = row(8).ToString
TextBox10.Text = row(0).ToString
TextBox11.Text = row(9).ToString
Catch ex As Exception
MessageBox.Show("WRONG VALUE WAS ENTERED")
TextBox2.Text = ""
TextBox3.Text = ""
TextBox4.Text = ""
TextBox5.Text = ""
TextBox6.Text = ""
TextBox7.Text = ""
TextBox8.Text = ""
TextBox9.Text = ""
TextBox10.Text = ""
TextBox11.Text = ""
TextBox14.Text = 0
Label23.Text = " ROWS ARE AVAILABLE"
Button22.Enabled = False
Button23.Enabled = False
Button24.Enabled = False
Button25.Enabled = False
Finally
conn.Close()
End Try
End Sub

Private Sub Button11_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button11.Click
TabControl1.Hide()
Me.Height = 323
dset.Clear()
conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & """" & "C:\Documents and Settings\admin\My Documents\LAND.mdb" & """"
Try
conn.Open()
Catch ex As Exception
MessageBox.Show("Failed to connect to data source: " + ex.ToString)
Finally
conn.Close()
End Try
adp.Fill(dset, "LAND")
row = dset.Tables("LAND").Rows(dset.Tables("LAND").Rows.Count - 1)
Text1.Text = row(1).ToString
Text2.Text = row(5).ToString
Text3.Text = row(2).ToString
Text4.Text = row(6).ToString
Text5.Text = row(3).ToString
Text6.Text = row(7).ToString
Text7.Text = row(4).ToString
Text8.Text = row(8).ToString
Text9.Text = row(0).ToString
Text10.Text = row(9).ToString
i = dset.Tables("LAND").Rows.Count - 1
End Sub

Private Sub Button12_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button12.Click
Dim par As String
Dim CR As New CrystalReport1
conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & """" & "C:\Documents and Settings\admin\My Documents\LAND.mdb" & """"
conn.Open()
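' A column name cannot be bound as a parameter, so only the LAND columns used elsewhere in this form are accepted
Dim columns() As String = {"PLOT_NO", "DEPARTMENT", "BLOCK", "LOCATION", "RVENUE_CIRCLE", "AREA", "STATUS", "DEMARCATED_FENCED", "STRUCTURE", "REMARKS"}
If Array.IndexOf(columns, ComboBox2.Text) < 0 Then
MessageBox.Show("WRONG VALUE WAS ENTERED")
conn.Close()
Exit Sub
End If
par = "SELECT * FROM LAND WHERE [" & ComboBox2.Text & "] = ?"
Dim adp As New OleDb.OleDbDataAdapter(par, conn)
Try
' The search value is bound as a parameter: PLOT_NO and AREA are numeric, the other columns are text
If ComboBox2.Text = "PLOT_NO" Or ComboBox2.Text = "AREA" Then
adp.SelectCommand.Parameters.AddWithValue("@value", CDbl(TextBox13.Text))
Else
adp.SelectCommand.Parameters.AddWithValue("@value", TextBox13.Text)
End If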
dset.Clear()
adp.Fill(dset, "LAND")
CR.SetDataSource(dset)
CrystalReportViewer1.ReportSource = CR
CrystalReportViewer1.Refresh()
Catch ex As Exception
MessageBox.Show("WRONG VALUE WAS ENTERED")
Finally
conn.Close()
End Try

End Sub

Private Sub Button9_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button9.Click
Dim par As String
conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & """" & "C:\Documents and Settings\admin\My Documents\LAND.mdb" & """"
conn.Open()
If TextBox10.Text = "" Or TextBox2.Text = "" Or TextBox3.Text = "" Or TextBox4.Text = "" Or TextBox5.Text = "" Or TextBox6.Text = "" Or TextBox7.Text = "" Or TextBox8.Text = "" Or TextBox9.Text = "" Or TextBox10.Text = "" Or TextBox11.Text = "" Then
MessageBox.Show("Enter Plot No. and other details Before Edition!")
conn.Close()
Else
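par = "UPDATE LAND SET DEPARTMENT = ?, BLOCK = ?, LOCATION = ?, RVENUE_CIRCLE = ?, AREA = ?, STATUS = ?, DEMARCATED_FENCED = ?, STRUCTURE = ?, REMARKS = ? WHERE PLOT_NO = ?"
Dim adp As New OleDb.OleDbDataAdapter(par, conn)
Try
' OleDb binds parameters by position, so they are added in the order the placeholders appear.
' AREA and PLOT_NO are numeric; non-numeric input is reported by the Catch below.
With adp.SelectCommand.Parameters
.AddWithValue("@department", TextBox2.Text)
.AddWithValue("@block", TextBox4.Text)
.AddWithValue("@location", TextBox6.Text)
.AddWithValue("@revenue_circle", TextBox8.Text)
.AddWithValue("@area", CDbl(TextBox3.Text))
.AddWithValue("@status", TextBox5.Text)
.AddWithValue("@demarcated_fenced", TextBox7.Text)
.AddWithValue("@structure", TextBox9.Text)
.AddWithValue("@remarks", TextBox11.Text)
.AddWithValue("@plot_no", CDbl(TextBox10.Text))
End With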
adp.Fill(dset, "LAND")
row = dset.Tables("LAND").Rows(dset.Tables("LAND").Rows.Count - 1)
TextBox2.Text = row(1).ToString
TextBox3.Text = row(5).ToString
TextBox4.Text = row(2).ToString
TextBox5.Text = row(6).ToString
TextBox6.Text = row(3).ToString
TextBox7.Text = row(7).ToString
TextBox8.Text = row(4).ToString
TextBox9.Text = row(8).ToString
TextBox10.Text = row(0).ToString
TextBox11.Text = row(9).ToString
MessageBox.Show("RECORD HAVE EDITED & UPDATED!")
Catch ex As Exception
MessageBox.Show("WRONG VALUE WAS ENTERED")
TextBox2.Text = ""
TextBox3.Text = ""
TextBox4.Text = ""
TextBox5.Text = ""
TextBox6.Text = ""
TextBox7.Text = ""
TextBox8.Text = ""
TextBox9.Text = ""
TextBox10.Text = ""
TextBox11.Text = ""
Finally
conn.Close()
End Try
End If
End Sub

Private Sub Button13_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button13.Click
Dim par As String
conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & """" & "C:\Documents and Settings\admin\My Documents\LAND.mdb" & """"
conn.Open()
If TextBox10.Text = "" Or TextBox2.Text = "" Or TextBox3.Text = "" Or TextBox4.Text = "" Or TextBox5.Text = "" Or TextBox6.Text = "" Or TextBox7.Text = "" Or TextBox8.Text = "" Or TextBox9.Text = "" Or TextBox10.Text = "" Or TextBox11.Text = "" Then
MessageBox.Show("Enter Plot No. and other details Before Edition!")
conn.Close()

ElseIf MessageBox.Show("ARE YOU SURE TO DELETE THIS RECORD", "DELETE RECORD!", MessageBoxButtons.YesNoCancel) = Windows.Forms.DialogResult.Yes Then
Try
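par = "DELETE FROM LAND WHERE PLOT_NO = ?"
Dim adp As New OleDb.OleDbDataAdapter(par, conn)
' PLOT_NO is numeric and bound as a parameter; non-numeric input is reported by the Catch below
adp.SelectCommand.Parameters.AddWithValue("@plot_no", CDbl(TextBox10.Text))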
adp.Fill(dset, "LAND")
row = dset.Tables("LAND").Rows(dset.Tables("LAND").Rows.Count - 1)
TextBox2.Text = row(1).ToString
TextBox3.Text = row(5).ToString
TextBox4.Text = row(2).ToString
TextBox5.Text = row(6).ToString
TextBox6.Text = row(3).ToString
TextBox7.Text = row(7).ToString
TextBox8.Text = row(4).ToString
TextBox9.Text = row(8).ToString
TextBox10.Text = row(0).ToString
TextBox11.Text = row(9).ToString
MessageBox.Show("RECORD HAVE DELETED & UPDATED!")
Catch ex As Exception
MessageBox.Show("WRONG VALUE WAS ENTERED")
Finally
conn.Close()
End Try
Else
TextBox2.Text = ""
TextBox3.Text = ""
TextBox4.Text = ""
TextBox5.Text = ""
TextBox6.Text = ""
TextBox7.Text = ""
TextBox8.Text = ""
TextBox9.Text = ""
TextBox10.Text = ""
TextBox11.Text = ""
conn.Close()
End If
End Sub

Private Sub Button14_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button14.Click

Try
row = dset.Tables("LAND").Rows(0)
Text1.Text = row(1).ToString
Text2.Text = row(5).ToString
Text3.Text = row(2).ToString
Text4.Text = row(6).ToString
Text5.Text = row(3).ToString
Text6.Text = row(7).ToString
Text7.Text = row(4).ToString
Text8.Text = row(8).ToString
Text9.Text = row(0).ToString
Text10.Text = row(9).ToString
i = 0
Catch ex As Exception
MessageBox.Show(ex.ToString)
End Try

End Sub

Private Sub Button15_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button15.Click
If i = 0 Then
MessageBox.Show("Beginning Point of Record")
Else
i -= 1
Try
row = dset.Tables("LAND").Rows(i)
Text1.Text = row(1).ToString
Text2.Text = row(5).ToString
Text3.Text = row(2).ToString
Text4.Text = row(6).ToString
Text5.Text = row(3).ToString
Text6.Text = row(7).ToString
Text7.Text = row(4).ToString
Text8.Text = row(8).ToString
Text9.Text = row(0).ToString
Text10.Text = row(9).ToString
Catch ex As Exception
MessageBox.Show(ex.ToString)
End Try
End If
End Sub

Private Sub Button18_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button18.Click
' i is the zero-based index of the row on screen, as in the other navigation handlers
If i >= dset.Tables("LAND").Rows.Count - 1 Then
MessageBox.Show("End Point of Record")
Else
i += 1
Try
row = dset.Tables("LAND").Rows(i)
Text1.Text = row(1).ToString
Text2.Text = row(5).ToString
Text3.Text = row(2).ToString
Text4.Text = row(6).ToString
Text5.Text = row(3).ToString
Text6.Text = row(7).ToString
Text7.Text = row(4).ToString
Text8.Text = row(8).ToString
Text9.Text = row(0).ToString
Text10.Text = row(9).ToString
Catch ex As Exception
MessageBox.Show(ex.ToString)
End Try
End If

End Sub

Private Sub Button19_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button19.Click
Try
row = dset.Tables("LAND").Rows(dset.Tables("LAND").Rows.Count - 1)
Text1.Text = row(1).ToString
Text2.Text = row(5).ToString
Text3.Text = row(2).ToString
Text4.Text = row(6).ToString
Text5.Text = row(3).ToString
Text6.Text = row(7).ToString
Text7.Text = row(4).ToString
Text8.Text = row(8).ToString
Text9.Text = row(0).ToString
Text10.Text = row(9).ToString
i = dset.Tables("LAND").Rows.Count - 1
Catch ex As Exception
MessageBox.Show(ex.ToString)
End Try

End Sub

Private Sub Button16_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button16.Click
Dim par As String
If Text1.Text = "" Or Text2.Text = "" Or Text3.Text = "" Or Text4.Text = "" Or Text5.Text = "" Or Text6.Text = "" Or Text7.Text = "" Or Text8.Text = "" Or Text9.Text = "" Or Text10.Text = "" Then
MessageBox.Show(" PLEASE ENTER DATA BEFORE ADD")
conn.Close()
Exit Sub
End If

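' All ten values are bound as parameters instead of being concatenated into the SQL text
par = "INSERT INTO LAND VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"
Dim cmd As New OleDb.OleDbCommand(par, conn)
Try
cmd.CommandType = CommandType.Text
' OleDb binds parameters by position: same column order as the original VALUES list.
' PLOT_NO and AREA are numeric; non-numeric input is reported by the Catch below.
With cmd.Parameters
.AddWithValue("@plot_no", CDbl(Text9.Text))
.AddWithValue("@department", Text1.Text)
.AddWithValue("@block", Text3.Text)
.AddWithValue("@location", Text5.Text)
.AddWithValue("@revenue_circle", Text7.Text)
.AddWithValue("@area", CDbl(Text2.Text))
.AddWithValue("@status", Text4.Text)
.AddWithValue("@demarcated_fenced", Text6.Text)
.AddWithValue("@structure", Text8.Text)
.AddWithValue("@remarks", Text10.Text)
End With
adp.SelectCommand = cmd
adp.Fill(dset, "LAND")
conn.Close()
Catch ex As Exception
MessageBox.Show("Either Duplicate ID or Bad Data have entered, cann't added")
conn.Close()
End Try
conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & """" & "C:\Documents and Settings\admin\My Documents\LAND.mdb" & """"
Try
conn.Open()
par = "SELECT * FROM LAND"
cmd.Parameters.Clear() ' the SELECT takes no parameters
cmd.CommandText = par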
adp.SelectCommand = cmd
adp.Fill(dset, "LAND")
row = dset.Tables("LAND").Rows(dset.Tables("LAND").Rows.Count - 1)
Text1.Text = row(1).ToString
Text2.Text = row(5).ToString
Text3.Text = row(2).ToString
Text4.Text = row(6).ToString
Text5.Text = row(3).ToString
Text6.Text = row(7).ToString
Text7.Text = row(4).ToString
Text8.Text = row(8).ToString
Text9.Text = row(0).ToString
Text10.Text = row(9).ToString
Catch ex As Exception
MessageBox.Show("Failed to connect to data source: " + ex.ToString)
Finally
conn.Close()
End Try

End Sub

Private Sub Button17_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button17.Click
Dim par As String
conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & """" & "C:\Documents and Settings\admin\My Documents\LAND.mdb" & """"
conn.Open()
If Text1.Text = "" Or Text2.Text = "" Or Text3.Text = "" Or Text4.Text = "" Or Text5.Text = "" Or Text6.Text = "" Or Text7.Text = "" Or Text8.Text = "" Or Text9.Text = "" Or Text10.Text = "" Then
MessageBox.Show(" PLEASE ENTER DATA BEFORE EDIT/UPDATE")
conn.Close()
Exit Sub
Else
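par = "UPDATE LAND SET DEPARTMENT = ?, BLOCK = ?, LOCATION = ?, RVENUE_CIRCLE = ?, AREA = ?, STATUS = ?, DEMARCATED_FENCED = ?, STRUCTURE = ?, REMARKS = ? WHERE PLOT_NO = ?"
Dim adp As New OleDb.OleDbDataAdapter(par, conn)
Try
' OleDb binds parameters by position, so they are added in the order the placeholders appear.
' AREA and PLOT_NO are numeric; non-numeric input is reported by the Catch below.
With adp.SelectCommand.Parameters
.AddWithValue("@department", Text1.Text)
.AddWithValue("@block", Text3.Text)
.AddWithValue("@location", Text5.Text)
.AddWithValue("@revenue_circle", Text7.Text)
.AddWithValue("@area", CDbl(Text2.Text))
.AddWithValue("@status", Text4.Text)
.AddWithValue("@demarcated_fenced", Text6.Text)
.AddWithValue("@structure", Text8.Text)
.AddWithValue("@remarks", Text10.Text)
.AddWithValue("@plot_no", CDbl(Text9.Text))
End With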
adp.Fill(dset, "LAND")
row = dset.Tables("LAND").Rows(dset.Tables("LAND").Rows.Count - 1)
Text1.Text = row(1).ToString
Text2.Text = row(5).ToString
Text3.Text = row(2).ToString
Text4.Text = row(6).ToString
Text5.Text = row(3).ToString
Text6.Text = row(7).ToString
Text7.Text = row(4).ToString
Text8.Text = row(8).ToString
Text9.Text = row(0).ToString
Text10.Text = row(9).ToString
MessageBox.Show("RECORD HAVE EDITED & UPDATED!")
Catch ex As Exception
MessageBox.Show("WRONG VALUE WAS ENTERED")
Finally
conn.Close()
End Try
End If

End Sub

Private Sub Button20_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button20.Click
Dim par As String
conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & """" & "C:\Documents and Settings\admin\My Documents\LAND.mdb" & """"
conn.Open()
If Text1.Text = "" Or Text2.Text = "" Or Text3.Text = "" Or Text4.Text = "" Or Text5.Text = "" Or Text6.Text = "" Or Text7.Text = "" Or Text8.Text = "" Or Text9.Text = "" Or Text10.Text = "" Then
MessageBox.Show("BLANK RECORD ARE HERE FOR DELETION")
conn.Close()
Exit Sub

ElseIf MessageBox.Show("ARE YOU SURE TO DELETE THIS RECORD", "DELETE RECORD!", MessageBoxButtons.YesNoCancel) = Windows.Forms.DialogResult.Yes Then
Try
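par = "DELETE FROM LAND WHERE PLOT_NO = ?"
Dim adp As New OleDb.OleDbDataAdapter(par, conn)
' PLOT_NO is numeric and bound as a parameter; non-numeric input is reported by the Catch below
adp.SelectCommand.Parameters.AddWithValue("@plot_no", CDbl(Text9.Text))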
adp.Fill(dset, "LAND")
row = dset.Tables("LAND").Rows(dset.Tables("LAND").Rows.Count - 1)
Text1.Text = row(1).ToString
Text2.Text = row(5).ToString
Text3.Text = row(2).ToString
Text4.Text = row(6).ToString
Text5.Text = row(3).ToString
Text6.Text = row(7).ToString
Text7.Text = row(4).ToString
Text8.Text = row(8).ToString
Text9.Text = row(0).ToString
Text10.Text = row(9).ToString
MessageBox.Show("RECORD HAVE DELETED & UPDATED!")
Catch ex As Exception
MessageBox.Show("WRONG VALUE WAS ENTERED")
Finally
conn.Close()
End Try
Else
conn.Close()
End If
End Sub

Private Sub Button21_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button21.Click
Dim par As String
conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & """" & "C:\Documents and Settings\admin\My Documents\LAND.mdb" & """"
Try
conn.Open()
par = "SELECT PLOT_NO FROM LAND"
Dim adp As New OleDb.OleDbDataAdapter(par, conn)
Catch ex As Exception
MessageBox.Show("Failed to connect to data source: " + ex.ToString)
Finally
conn.Close()
End Try
dset.Clear()
adp.Fill(dset, "LAND")
DataGridView1.DataSource = dset
DataGridView1.DataMember = "LAND"
DataGridView1.Refresh()
End Sub

Private Sub Button22_Click(ByVal sender As System.Object, ByVal e As System.EventArgs)
DataGridView1.DataSource = Nothing
DataGridView1.DataMember = Nothing
DataGridView1.Refresh()
conn.Close()
End Sub

Private Sub Button22_Click_1(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button22.Click
Try
row = dset.Tables("LAND").Rows(0)
TextBox2.Text = row(1).ToString
TextBox3.Text = row(5).ToString
TextBox4.Text = row(2).ToString
TextBox5.Text = row(6).ToString
TextBox6.Text = row(3).ToString
TextBox7.Text = row(7).ToString
TextBox8.Text = row(4).ToString
TextBox9.Text = row(8).ToString
TextBox10.Text = row(0).ToString
TextBox11.Text = row(9).ToString
c = 0
Catch ex As Exception
MessageBox.Show(ex.ToString)
End Try
End Sub

Private Sub Button23_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button23.Click
If c = 0 Then
MessageBox.Show("Beginning Point of Record")
Else
c -= 1
Try
row = dset.Tables("LAND").Rows(c)
TextBox2.Text = row(1).ToString
TextBox3.Text = row(5).ToString
TextBox4.Text = row(2).ToString
TextBox5.Text = row(6).ToString
TextBox6.Text = row(3).ToString
TextBox7.Text = row(7).ToString
TextBox8.Text = row(4).ToString
TextBox9.Text = row(8).ToString
TextBox10.Text = row(0).ToString
TextBox11.Text = row(9).ToString
Catch ex As Exception
MessageBox.Show(ex.ToString)
End Try
End If
End Sub

Private Sub Button24_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button24.Click
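' c is the zero-based index of the search result on screen, as in the other navigation handlers
If c >= dset.Tables("LAND").Rows.Count - 1 Then
MessageBox.Show("End Point of Record")
Else
c += 1
Try
row = dset.Tables("LAND").Rows(c)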
TextBox2.Text = row(1).ToString
TextBox3.Text = row(5).ToString
TextBox4.Text = row(2).ToString
TextBox5.Text = row(6).ToString
TextBox6.Text = row(3).ToString
TextBox7.Text = row(7).ToString
TextBox8.Text = row(4).ToString
TextBox9.Text = row(8).ToString
TextBox10.Text = row(0).ToString
TextBox11.Text = row(9).ToString
Catch ex As Exception
MessageBox.Show(ex.ToString)
End Try
End If
End Sub

Private Sub Button25_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button25.Click
Try
row = dset.Tables("LAND").Rows(dset.Tables("LAND").Rows.Count - 1)
TextBox2.Text = row(1).ToString
TextBox3.Text = row(5).ToString
TextBox4.Text = row(2).ToString
TextBox5.Text = row(6).ToString
TextBox6.Text = row(3).ToString
TextBox7.Text = row(7).ToString
TextBox8.Text = row(4).ToString
TextBox9.Text = row(8).ToString
TextBox10.Text = row(0).ToString
TextBox11.Text = row(9).ToString
c = dset.Tables("LAND").Rows.Count - 1 ' this tab tracks its position in c, not i
Catch ex As Exception
MessageBox.Show(ex.ToString)
End Try
End Sub
End Class

[ 21 NOV 2009 1:32 PM ]

Monday, November 2, 2009

KORNETO


Thursday, September 17, 2009

SYSTEM ADMIN TOOLS - TCPView, FPort, Inzider, Active Ports, or Vision

________________________________________________________
Not every case of a successful intrusion is “crowned” with a replaced Web site on the server, data theft or damage. Often electronic intruders do not wish to create a spectacle but prefer to avoid fame by hiding their presence on compromised systems, sometimes leaving certain unexpected things. They use sophisticated techniques to install specific “malware” (backdoors) to let them in again later with full control and in secret.

What is malevolent software intended for?
Obviously, hackers have a variety of motives for installing malevolent software (malware). These types of software tend to yield instant access to the system in order to continuously steal various types of information from it – for example, a company’s strategic designs or credit card numbers. In some cases, they use compromised machines as launch points for massive Denial of Service attacks. Perhaps the most common reason hackers tend to settle on another system is the possibility of creating launch pads that attack other computers while disguised as innocent computer addresses. This is a certain kind of spoofing where the intrusion logs fool the target system into believing that it is communicating with another, legitimate computer rather than that of an intruder.

Under normal conditions, it is hard to compromise LAN security from the Internet, because in most cases LANs are tied to the Internet via reserved addresses such as 10.0.0.0 or 192.168.0.0 (for more details, see the RFC 1918 document available at http://www.faqs.org/rfcs/rfc1918.html). Thus, a hacker cannot have direct access from the Internet, which presents a certain problem for him. Installing shell programs (e.g. Telnet) on any Internet-accessible computer will allow the intruder to gain access to the LAN and spread his control over the infrastructure. Such types of attacks are prevalent on Unix computers, because they use more common remote access shell services (SSH, or more rarely, Telnet) and no additional installation is required. This article will, however, focus on Microsoft Windows-based systems.

Who will become a victim?
An intelligent hacker will not try to put his program on a server that is monitored and checked regularly. He will act secretly, without the knowledge of any legitimate user. Therefore, his attempts to get in will certainly not be through the main domain controller, which has its logs frequently examined and its network traffic monitored, and where any alteration will be detected immediately. Of course, everything depends on the observance of the security policy and, as is well known, network administrators are not always scrupulous in performing their work. Nevertheless, a host that plays no key role in the network makes a perfect target for a hacker. Before commencing the selection process, a successful hacker tends to perform a zone transfer and thereafter identify the probable roles of individual hosts within a domain by deducing them from their names. A poorly secured workstation, isolated from the main network, may ideally be used for hacking purposes because there would be little chance of detecting signs of an installed backdoor.

Backdoors
A backdoor is a program or a set of related programs that a hacker installs on the victim computer to allow access to the system at a later time. A backdoor’s goal is to remove the evidence of initial entry from the system’s log. But a “nice” backdoor will allow a hacker to retain access to a machine he has penetrated even if the intrusion has in the meantime been detected by the system administrator. Resetting passwords, changing disk access permissions or fixing original security holes in the hope of remedying the problem may not help.

A trivial example of a backdoor is default BIOS, router or switch passwords set either by careless manufacturers or security administrators.

A hacker could simply add a new user account with administrator privileges and this would be a sort of backdoor, but a far less sophisticated and more easily detected one.

Adding a new service is the most common technique to disguise backdoors in the Windows operating system. This requires tools such as Srvany.exe and Srvinstw.exe, which come with the Resource Kit, and also Netcat.exe [1]. The principle of this operation is that the srvany.exe tool is installed as a service and then permits netcat.exe to run as a service. The latter, in turn, listens on an appropriate port for any connection. Once connected, it spawns a remote shell on the server (using cmd.exe) and from this moment onwards, a hacker has free rein.

Just before commencing the installation of a backdoor, a hacker must investigate the server to find activated services. He could simply add a new service and give it an inconspicuous name, but he would be better off choosing a service that never gets used and that is either activated manually or even completely disabled. It is sufficient to remove it using the Srvinstw.exe utility and then install a new service with the same name. By doing so, the hacker considerably reduces the possibility that the administrator will detect the backdoor during a later inspection. Whenever an event occurs, the system administrator will focus on looking for something odd in the system, leaving all existing services unchecked. From the hacker’s point of view, it is essential to hide files deep in system directories to protect them from being detected by the system administrator. In time, a hacker will think of naming the tools to be planted on the server disk. Netcat.exe and Srvany.exe are utilities that are required to run continuously and will be seen in the task manager. Hackers understand that backdoor utilities must have names that will not attract any undue attention. They use the same approach when choosing an appropriate port for a backdoor. For example, port 5555 is unlikely to be used for a backdoor, because it could immediately tip off the system administrator.

The technique presented above is very simple but efficient at the same time. It allows a hacker to get back into the machine with the least amount of visibility within the server logs (we are obviously not speaking about situations where extra software is used to monitor traffic and there is an efficient event logging system installed). Moreover, the backdoored service allows the hacker to use higher privileges – in most cases as a System account. This may cause some problems for an intruder because, notwithstanding the highest permissions, the System account has no power outside the machine. Under this account, disk mapping or adding user accounts is not possible. Instead, passwords can be changed and privileges may be assigned to existing accounts. With a backdoor that has captured the system administrator account, no such restrictions exist. The only problem that remains is related to the change of user password, because a password update is required to restart the related service. An administrator will undoubtedly start noticing log errors, provided that event logging and monitoring are taken care of. The example given above describes a backdoor that is the most dangerous one from the victim system’s point of view, because anyone can connect to it and obtain the highest permissions with no authentication required. It may be any script kiddie using a port-scanning tool against computers randomly selected from the Internet.
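A defender's check for the technique described above, as an added example that is not part of the original article: it compares each service's binary path and start type with a known-good baseline, so a reused service name is not enough to pass, and it maps listening ports to their owning process, which is what TCPView or FPort show interactively. The `netstat -ano` and `tasklist /svc /fo csv` text, the baseline, the allow-list and the image name `spoolmgr.exe` are constructed sample data.

```python
import csv
import io

# --- Constructed sample data (not captured from a real host) ---
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       872
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1040
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       2316
  TCP    192.168.0.10:1061      192.168.0.20:445       ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

TASKLIST_SVC_CSV = '''\
"Image Name","PID","Services"
"System","4","N/A"
"svchost.exe","872","RpcSs"
"svchost.exe","1040","TermService"
"srvany.exe","2290","Alerter"
"spoolmgr.exe","2316","N/A"
'''

# (protocol, port, image name) tuples expected on this host (assumed allow-list).
ALLOWED_LISTENERS = {
    ("TCP", 135, "svchost.exe"), ("TCP", 445, "system"),
    ("UDP", 445, "system"), ("TCP", 3389, "svchost.exe"),
}

# {service name: (binary path, start type)} recorded while the host was known-good.
BASELINE_SERVICES = {
    "Alerter": (r"C:\WINDOWS\system32\svchost.exe -k LocalService", "DISABLED"),
    "RpcSs": (r"C:\WINDOWS\system32\svchost.exe -k rpcss", "AUTO_START"),
    "TermService": (r"C:\WINDOWS\System32\svchost.exe -k DComLaunch", "DEMAND_START"),
}
# The same services as read from the host today (constructed).
CURRENT_SERVICES = dict(BASELINE_SERVICES,
                        Alerter=(r"C:\WINDOWS\system32\srvany.exe", "AUTO_START"))

WRAPPER_IMAGES = ("srvany.exe",)  # generic "run any program as a service" hosts


def parse_listeners(netstat_text):
    """Return (proto, port, pid) for each TCP LISTENING or UDP bound socket."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        if fields[0] == "TCP":
            if len(fields) != 5 or fields[3] != "LISTENING":
                continue  # established or closing connections are not listeners
            pid = fields[4]
        else:
            if len(fields) != 4:  # UDP rows carry no State column
                continue
            pid = fields[3]
        port = int(fields[1].rsplit(":", 1)[1])  # rsplit also copes with [::]:135
        listeners.append((fields[0], port, int(pid)))
    return listeners


def parse_tasklist(csv_text):
    """Return {pid: (lower-cased image name, [service names])}."""
    table = {}
    for rec in csv.DictReader(io.StringIO(csv_text)):
        services = [] if rec["Services"] == "N/A" else rec["Services"].split(",")
        table[int(rec["PID"])] = (rec["Image Name"].lower(), services)
    return table


def unexpected_listeners(netstat_text, tasklist_csv, allowed):
    """Listeners whose (proto, port, owning image) is not on the allow-list."""
    procs = parse_tasklist(tasklist_csv)
    findings = set()
    for proto, port, pid in parse_listeners(netstat_text):
        image, _services = procs.get(pid, ("<unknown pid>", []))
        if (proto, port, image) not in allowed:
            findings.add((proto, port, pid, image))
    return sorted(findings)


def service_drift(baseline, current):
    """Flag services that differ from the baseline even though the name matches."""
    findings = []
    for name in sorted(current):
        path, start = current[name]
        if name not in baseline:
            findings.append((name, "service not in baseline"))
        else:
            base_path, base_start = baseline[name]
            if path.lower() != base_path.lower():
                findings.append((name, "binary path changed"))
            if start != base_start:
                findings.append((name, "start type changed"))
        if any(w in path.lower() for w in WRAPPER_IMAGES):
            findings.append((name, "hosted by a generic service wrapper"))
    return findings


if __name__ == "__main__":
    for finding in unexpected_listeners(NETSTAT_ANO, TASKLIST_SVC_CSV, ALLOWED_LISTENERS):
        print("listener:", finding)
    for finding in service_drift(BASELINE_SERVICES, CURRENT_SERVICES):
        print("service: ", finding)
```
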

Hacker–dedicated Web sites give examples of many tools that serve to install backdoors, with the difference that once a connection is established the intruder must login by entering a predefined password. iCMD [2], Tini [3], RemoteNC [4] or WinShell [5] (Fig. 1) are examples of tools resembling Telnet.


Fig. 1. The WinShell program may be used to install certain simple backdoors

I once saw a very interesting script named CGI-backdoor [6]. I considered this to be interesting because an attacker could execute remote commands on the server via WWW. It was a specially created, totally dynamic .asp site written in VBScript (available also in Perl, PHP, Java and C) that enabled one to execute commands on the server using the default command processor cmd.exe. A hacker can exploit this to configure the reverse WWW script on the victim's system, but by default the commands run only with the privileges of the IUSR_MACHINE account. This script can be used without logging at all, thus no traces are left on the system. Its additional advantage is that it does not listen in on any port but translates between the HTML used in WWW pages and the server that runs interactive websites.

In order to create backdoors, hackers can use commercially available tools such as Remote Administrator [7], or the freely available TightVNC [8], which apart from full control over the computer also allow one to operate a remote console.

“The Fall of Troy, the wooden horse and all events thereafter…”
Trojan horses or Remote Administration Trojans (RATs) are a class of backdoors that are used to enable remote control over the compromised machine. They provide apparently useful functions to the user and, at the same time, open a network port on a victim computer. Then, once started, some trojans behave as executable files, interact with certain registry keys responsible for starting processes and sometimes create their own system services.

Contrary to common backdoors, Trojan horses hook themselves into the victim operating system and always come packaged with two files – the client file and the server file. The server, as its name implies, is installed in the infected machine while the client is used by the intruder to control the compromised system. Some well known trojan functions include: managing files on the victim computer, managing processes, remote activation of commands, intercepting keystrokes, watching screen images and also restarting and closing down infected hosts - just to name a few of their features. Some are even able to connect themselves to their originator. Of course, these possibilities vary among individual Trojan horses. The following are considered the most popular: NetBus, Back Orifice 2000, SubSeven, Hack’a’tack, and one of Polish origin, named Prosiak.

In most cases, Trojan horses propagate via email. They are usually found within attachments, because their authors exploit vulnerabilities of the email client. Another technique relies on the fact that they can be bound into other programs. There are many programs on the Web that meld files together to create a single executable file.

Trojan horses (also called trojans) typically operate in a somewhat schematic manner. In contrast to previously described backdoors, where both implementation and function are limited only by the intruder’s ingenuity, the behavior here is quite well defined. They listen in on specific ports (for example, 12345 is the NetBus Trojan default port) and set specific references in startup files and the registry, and are therefore relatively simple to detect and identify. In most cases, problems with Trojan horses can be solved by using anti-virus (AV) software (updated!) to check for possible infections.

RootKit – hiding presence
To accomplish his goal, a hacker must install a backdoor that is not easily detectable. This is his primary task. Hackers use a variety of methods for this purpose, placing their tools at the deepest level of compromised systems and renaming files so as not to arouse suspicions. However, that is not enough, since the processes are still visible and it is simple to discover any unexpected program that listens in on a certain port by using netstat to check information about that port. Therefore, hackers can also use rootkits.

As most readers know, a rootkit is generally a Unix concept that is spreading to other platforms in increasingly sophisticated forms. It is a collection of tools used by an intruder to hide his presence in an attacked system. Typical goals include replacing or infecting binaries such as ps, find, ls, top, kill, passwd and netstat, and hiding directories, files and even portions of files – for example, in /etc/passwd. Other goals are catching passwords, deleting log entries of the attacker’s activity, and placing backdoors in specific services (for example, Telnet) to get in without authorization at any time. There are plenty of rootkits in the Unix environment, and each new release is more “forward thinking” in terms of its functions. They are also available to attack Windows systems – less sophisticated but still powerful and also trendy. Some handy rootkit solutions deal with hiding or altering netstat commands, thereby making a previously planted backdoor invisible while listening in on any port.

A simple Perl script, compiled and named netstat.exe, may be an example of a trivial rootkit. The real system netstat could be renamed oldnetstat.exe. The principle of operation of the new netstat is that when it is run from the command line it calls the real netstat (now oldnetstat.exe) and directs its output to a temporary text file. Then the rootkit searches that file for any information about the listening port and removes it (according to the procedure predefined in the rootkit code). After modification, the result is displayed on the screen and the temporary file is removed. This principle is both simple and efficient and provides an interesting possibility – it may be used to spoof the output of any other tool available through the command line – for example, tlist or dir. There are many programs of this type available on the Web. The ones that I encountered did not display, for example, information on listening ports such as 666, 27374, 12345, 31337 – i.e. well-known Trojan horse ports.

The idea of a first enhanced rootkit for the Windows environment was born in due time. The originator was Greg Hoglund, and the progress of this idea could be followed on www.rootkit.com (unfortunately no longer available). From what I know, the development got stuck after the 0.44 version [9]. However, below you will find a description of a somewhat older version, namely 0.40 [10].

This rootkit has been designed as a kernel mode driver that runs with system privileges right at the core of the system kernel. Given this fact, it has access to all resources of the operating system, thus having a broad field of action. Installing it requires the administrator’s permissions, whilst simple net start/net stop commands are sufficient to activate/deactivate it respectively.

Once the rootkit has been loaded, the hacker can hide directories and files on the victim’s disk. This method is efficient provided that the object to be hidden has a name prefixed with _root_ – for example, _root_directory_name. How does this work? The rootkit, by patching the kernel, intercepts all system calls for the listing of the disk content, and all objects beginning with the sequence _root_ are hidden from display. The same applies to the searching process – all files and directories with the above sequence of characters are hidden from the search.

This rootkit feature can also be used to hide running processes as well as system registry entries, by prefixing all keys and entries with _root_. This enables the hacker to install, for example, services that will become a backdoor and that stay invisible to the system administrator, whether as services, registry entries or processes running in the system memory.

The rootkit can also intercept all key strokes typed at the system console. This may be carried out by hooking into the keyboard driver and issuing the ‘sniffkeys’ command.

This is not the last feature of the described rootkit. Its newest version (0.44) offers some other functions such as a hard-coded backdoor (Fig. 2) that allows a remote attacker to connect with the infected machine and gain the “top” privileged shell.


Fig. 2. A backdoored rootkit allows a hacker to activate a sniffer

Moreover, new implementations are foreseen, for example to have a function that redirects .EXE files to other programs. Starting a completely different tool after the rootkit has detected the execution of a file name that started with _root_ will do this. No other details have been published so far. Everything is currently in the proof-of-concept stage and hackers cannot use this functionality.

Guarding against the rootkit
An ingenious hacker will be smart enough to hide his tracks forever. He will use all available means to outwit his victim and often has a big chance of reaching that goal. However, system administrators are not defenseless against malicious attacks. There are many known techniques and procedures to detect any suspected installation within systems. At first glance a rootkit seems to be a powerful tool and undoubtedly it is. Luckily, rootkits are a double-edged sword with their design. As I already mentioned, a kernel-based rootkit monitors calls for objects (files, directories, registers or processes) the names of which begin with a string

Luckily many crackers are careless and portions of their rootkit can be detected. The trojaned files above often have configuration files that list which programs to hide and which to display. Often they forget to hide the configuration files themselves. Since /dev is the default location for many of these configuration files, looking in there for anything that is a normal file is often a good idea.

A rootkit, however, cannot affect processes that have _root_ in their names. In other words, when a system administrator is analyzing the system registry using Regedit.exe, he cannot see hidden entries, but simply renaming it to _root_regedit.exe is enough for him to see all of them, including hidden keys and registry entries. This is true for all programs – for example, Task Manager (see Fig. 3).



Fig. 3. Task Manager – after changing its name to _root_taskmgr.exe, you can see hidden processes running in your system

The next “vulnerability” of a rootkit: objects are only hidden from the environment of the compromised machine and they can easily be seen from another computer. Mapping a network drive remotely from another machine (or using the net use command) is a means to see everything that has been hidden from a local user. This is because the remote machine is using a clean kernel to view the files and directories on the compromised machine, avoiding the rootkit's filtering process.

Another trick is to use drivers.exe tools (see Fig. 4) available in the Resource Kit package, or Winmsd.exe.


Fig. 4. Use the drivers.exe utility from the Resource Kit for listing all drivers – even those where the rootkit is involved

Using the programs mentioned above, the system administrator can get a listing of all drivers, including _root_.sys, that is, the rootkit device driver itself. This is an exceptional case, in which an object named with the prefix _root_ is not hidden. I would like to stress that the name of the driver as above is related to the specific rootkit described here and not necessarily to other rootkits. But as far as I know, more recent versions of the Windows rootkit are not available as yet.

An interesting anti-rootkit solution has been developed by Pedestal Software. The company has created a program called Intact Integrity Protection Driver [11] that blocks changes and additions to registry keys and values. It effectively prohibits the Service Control Manager or user applications from changing service and driver keys, and values in the registry and also from adding to or replacing existing driver binaries.

Detecting and guarding against backdoors
Is your system secure? How do you know? A machine is very rarely targeted for an attack for any other reason than because it was vulnerable. One of the first steps in being proactive is to assess your basic security policy rules and requirements. I think that having up-to-date anti-virus software installed is a primary concern, and even if it won't fully protect your machine by itself, it can be a lifesaver, providing good protection against most viruses and trojans.

Another good practice is to look routinely at any modification of programs to discover new, odd services or processes. Administration scripts are very useful tools in this regard, particularly when dealing with multiple systems. You might also wish to consider host scanning on your network from time to time. If you suspect that there is an open port on your computer, take a snapshot to check whether it is authorized or not. You may use network and application diagnosis and troubleshooting programs such as TCPview (Fig. 5) [12], FPort [13], Inzider [14], Active Ports (Fig. 6) [15], or Vision [16].


Fig. 5. The TCPview tool lets you locate which application opened a port on your computer. Like Active Ports, it tells you what is running on which port.


Fig. 6. Active Ports in action

These tools provide a means to identify the specific application opening the port. Moreover, they let one avoid using Netstat if one suspects that it has been replaced or infected. This brings me to another interesting consideration: whichever tool is used, it is a good practice to use original tools previously stored on a trusted diskette or CD-ROM when attempting to make a check of the system. If any doubt exists whether individual tools are original ones, checksum them to check if they match the installation CD-ROM.
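The netstat-filtering trick and the remote-view weakness described earlier both point to a cross-view check: compare what the host reports about itself with what a second, trusted machine sees. The following is an added example, not code from the original article; the netstat output, scan result and authorized-port set are constructed samples, and the function names are hypothetical.

```python
"""Cross-view check: ports reachable from outside vs. ports the host admits to."""
import re

# Constructed sample: `netstat -an` output captured ON the suspect host.
# If netstat was replaced or the kernel filters its view, lines may be missing.
LOCAL_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        192.168.1.77:2101      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample: open TCP ports seen by a scan run from a second machine.
EXTERNAL_SCAN_OPEN_TCP = [80, 135, 139, 445, 12345]

# Ports the administrator has approved for this server (assumption).
AUTHORIZED_TCP = {80, 135, 139, 445}

# Trojan ports the article names as commonly filtered from netstat output.
PORTS_NAMED_IN_ARTICLE = {666, 12345, 27374, 31337}

NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE
)


def parse_netstat_listeners(text):
    """Return the set of TCP ports that netstat reports as LISTENING."""
    ports = set()
    for line in text.splitlines():
        match = NETSTAT_LINE.match(line)
        if not match:
            continue  # headers, blank lines
        proto, _addr, port, _foreign, state = match.groups()
        if proto.upper() == "TCP" and (state or "").upper() in ("LISTENING", "LISTEN"):
            ports.add(int(port))
    return ports


def cross_view(local_ports, external_ports, authorized):
    """Compare the host's own view with the view from a trusted machine."""
    external = set(external_ports)
    seen = external | local_ports
    return {
        # Reachable from outside but absent locally: local tools cannot be trusted.
        "hidden": sorted(external - local_ports),
        # Listening anywhere without approval.
        "unauthorized": sorted(seen - authorized),
        # Reported locally but not reachable: usually firewalled or loopback-only.
        "local_only": sorted(local_ports - external),
        "named_in_article": sorted(seen & PORTS_NAMED_IN_ARTICLE),
    }


if __name__ == "__main__":
    report = cross_view(
        parse_netstat_listeners(LOCAL_NETSTAT), EXTERNAL_SCAN_OPEN_TCP, AUTHORIZED_TCP
    )
    for category, ports in report.items():
        print(f"{category:17} {ports}")
```

A non-empty "hidden" list is the important result: it means the output of tools run on the host itself should no longer be trusted for the rest of the investigation.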

In this regard, ListDlls [17] and Process Explorer [18] (Fig. 7) can certainly be useful for finding any suspect signs of trojan-infected or backdoored processes.



Fig. 7. Process Explorer displays processes and their related DLL libraries

These programs with their DLL libraries give some assistance and provide additional information on handling incidents, investigations and conducting analysis to gather legal evidence in view of criminal prosecution.

May I also suggest that one pay closer attention to the registry keys that are responsible for starting programs on system startup. In most cases, these registry elements contain some indication of how the intruder gained access, from where, when, etc. These are:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\KnownDLLs
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows (run)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows (run)
HKEY_CLASSES_ROOT\exefile\shell\open\command

It is extremely important to establish consistent access permissions on these keys and activate inspection tools to continuously monitor for any malicious attempts. The same applies to those system directories and files that are security critical. A commonly accepted computer security policy usually starts with a “sound” firewall as a guard against backdoors. Even if the intruder manages to install a backdoor, the firewall will block him from getting to the listening port.
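One way to monitor the startup keys listed above is to diff a registry export taken while the system was known to be clean against a current export. The following is an added example, not code from the original article; both exports are constructed samples in the regedit text export format, only a subset of the listed keys is watched, and the function names and the "SysHelper" entry are hypothetical.

```python
"""Diff autostart registry values between a clean baseline and a current export."""
import re

# A subset of the startup locations listed in the article.
WATCHED_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
)

# Constructed sample: export taken when the system was known to be clean.
BASELINE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVMonitor"="C:\\Program Files\\ExampleAV\\avmon.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed sample: export taken during the investigation.
CURRENT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVMonitor"="C:\\Program Files\\ExampleAV\\avmon.exe"
"SysHelper"="C:\\WINNT\\system32\\syshelper.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINNT\\system32\\syshelper.exe \"%1\" %*"
'''

VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def unquote(token):
    """Strip quotes and undo .reg escaping; typed data (dword:, hex:) stays verbatim."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return re.sub(r"\\(.)", r"\1", token[1:-1])
    return token


def parse_reg_export(text):
    """Return {lower-cased key path: {value name: data}} from .reg export text."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # hex data continued on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            # Registry paths are case-insensitive, so normalise before comparing.
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = VALUE_LINE.match(line)
        if match and current is not None:
            name = "(Default)" if match.group(1) == "@" else unquote(match.group(1))
            current[name] = unquote(match.group(2))
    return keys


def diff_autostart(baseline, current, watched=WATCHED_KEYS):
    """List (change, key, value name, data) for every watched value that differs."""
    findings = []
    for key in watched:
        old = baseline.get(key.lower(), {})
        new = current.get(key.lower(), {})
        for name, data in new.items():
            if name not in old:
                findings.append(("added", key, name, data))
            elif old[name] != data:
                findings.append(("changed", key, name, data))
        for name in sorted(old.keys() - new.keys()):
            findings.append(("removed", key, name, old[name]))
    return findings


if __name__ == "__main__":
    for finding in diff_autostart(parse_reg_export(BASELINE), parse_reg_export(CURRENT)):
        print(*finding, sep=" | ")
```

Because a kernel-mode rootkit filters what the live system reports, the current export is most trustworthy when taken from a remote or offline view of the registry rather than on the suspect host.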


In fact, bypassing a firewall is not a plug-n-play thing, but I take the liberty of serving a nice dose of pessimism. There are known hacker tools that can get through even the most hardened firewalls.

However this is beyond the scope of this article, so I would recommend reading the document available at the address: http://www.spirit.com/Network/net0699.txt.

Finally, I would like to raise your awareness about a certain issue. Once your machine has been compromised and the hacker has gained total administrative access, be very careful in recovering the system from the back-up copy or the disk image! I have personally experienced a situation where someone replaced a WWW site. The system administrator had retrieved the system from a back-up copy, patched the system, updated the access database and changed passwords. Thus, he considered the server perfectly safe. But he overlooked the fact that the intrusion had been made long before he made the copy containing a back-doored version. So, I would strongly recommend checking the system whenever it is backed up.

Hackers increasingly threaten the network community with their new techniques, backdoors and Trojan horses. Therefore we must take steps to guard against known methods of hacking, even though there will still be a large number of worrying factors we don’t know about. Only one thing is absolutely obvious – you never know how long your immune system can hold out before breaking down.

Tools:
[1] Netcat - http://www.hackerscor.com/km/files/hfiles/ncnt090.zip
[2] iCMD - http://go8.163.com/lmqkkk/mytools/iCmd.exe
[3] RemoteNC - http://go8.163.com/lmqkkk/mytools/remotenc.zip
[4] Tini - http://go8.163.com/lmqkkk/mytools/tini.exe
[5] WinShell - http://go8.163.com/lmqkkk/mytools/Winshell4.0.zip
[6] CGI-backdoor - http://go8.163.com/lmqkkk/mytools/cgi.zip
[7] Remote Administrator - www.radmin.com
[8] TightVNC - http://www.tightvnc.com/download.html
[9] Rootkit v.0.44 – www.ndsafe.com/fires/rk_044.zip
[10] IIP Driver - http://www.pedestalsoftware.com/intact/iipdriver.htm
[11] TCPview – www.winternals.com
[12] Fport - http://www.foundstone.com/knowledge/proddesc/fport.html
[13] Inzider - http://ntsecurity.nu/toolbox/inzider/
[14] Active Ports - http://www.ntutility.com/freeware.html
[15] Vision - http://www.foundstone.com/knowledge/proddesc/vision.html
[16] ListDlls – http://www.sysinternals.com/ntw2k/freeware/listdlls.shtml
[17] Process Explorer - http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
[18] LANguard Network Security Scanner

Additional information:
1. RootKit
http://www.crackinguniversity2000.it/Paper/__==__--%20rootkit%20--__==__.htm
http://packetstorm.decepticons.org/UNIX/penetration/rootkits
2. Intact Integrity Protection Driver
http://www.pedestalsoftware.com/intact/iipdriver.htm
3. Preventing and Detecting Malware Installations on NT/2K
http://www.securitystorm.net/mobile/securityfocus-articles/preventing_and_detecting_malware.htm
4. Detecting rootkits
http://r00t.h1.ru/texts/detectrk.php
5. Hacker’s Rootkit for NT
http://webbuilder.netscape.com/webbuilding/0-7532-8-4877567-1.html
6. Rootkit: Attacker undercover tools By Saliman Manap
http://www.niser.org.my/resources/rootkit.pdf
7. Stop Windows hackers
http://webbuilder.netscape.com/webbuilding/0-7532-8-4996985-1.html
8. Understanding and Guarding Against Rootkits
http://rr.sans.org/threats/rootkits2.php
9. Hacking lexicon
http://www.robertgraham.com/pubs/hacking-dict.html
10. Securing a compromised Microsoft Windows NT or 2000 Server
http://www.utexas.edu/computer/security/news/iis_hole.html
11. Windows backdoors – update II
http://www.ciac.org/ciac/bulletins/j-032.shtml
12. Backdoors Continued
http://www.themanagementor.com/EnlightenmentorAreas/it/SW/1202_4.htm
13. At the root of rootkits
http://builder.cnet.com/webbuilding/0-7532-8-4561014-1.html?tag=st.bl.7532.edt.7532-8-4561014

restore firewall, task manager, registry

WINDOWS XP HIDDEN APPS:
=========================================

1) Character Map = charmap.exe (very useful for finding unusual characters)


2) Disk Cleanup = cleanmgr.exe

3) Clipboard Viewer = clipbrd.exe (views contents of Windows clipboard)

4) Dr Watson = drwtsn32.exe (Troubleshooting tool)
Using the DOS tasklist command you can view all running processes.

5) DirectX diagnosis = dxdiag.exe (Diagnose & test DirectX, video & sound cards)

6) Private character editor = eudcedit.exe (allows creation or modification of characters)

7) IExpress Wizard = iexpress.exe (Create self-extracting / self-installing package)

8) Microsoft Synchronization Manager = mobsync.exe (appears to allow synchronization of files on the network for when working offline. Apparently undocumented).

9) Windows Media Player 5.1 = mplay32.exe (Retro version of Media Player, very basic).

10) ODBC Data Source Administrator = odbcad32.exe (connecting to databases)

11) Object Packager = packager.exe (to do with packaging objects for insertion in files, appears to have comprehensive help files).

12) System Monitor = perfmon.exe (very useful, highly configurable tool, tells you everything you ever wanted to know about any aspect of PC performance, for uber-geeks only)

13) Program Manager = progman.exe (Legacy Windows 3.x desktop shell).

14) Remote Access phone book = rasphone.exe (documentation is virtually non-existent).

15) Registry Editor = regedt32.exe [also regedit.exe] (for hacking the Windows Registry).

16) Network shared folder wizard = shrpubw.exe (creates shared folders on network).

17) File signature verification tool = sigverif.exe

18) Volume Control = sndvol32.exe (I've included this for those people that lose it from the System Notification area).

19) System Configuration Editor = sysedit.exe (modify System.ini & Win.ini just like in Win98!).

20) Syskey = syskey.exe (Secures XP Account database - use with care, it's virtually undocumented but it is used to encrypt passwords).

21) Microsoft Telnet Client = telnet.exe

22) Driver Verifier Manager = verifier.exe (seems to be a utility for monitoring the actions of drivers, might be useful for people having driver problems. Undocumented).

23) Windows for Workgroups Chat = winchat.exe (appears to be an old NT utility to allow chat sessions over a LAN, help files available).

24) System configuration = msconfig.exe (can be used to control startup programs)

25) Group Policy editor = gpedit.msc (used to manage group policies and permissions)

26) TO RESET THE WINDOWS FIREWALL SETTINGS IF YOUR FIREWALL GOT DISABLED, TRY THIS COMMAND AT THE COMMAND PROMPT: netsh winsock reset

Repairing Your Windows Environment
(1)
You have already seen people fully desperate because their Windows system cannot boot. Of course,
they could bring their PC back to the shop and ask for a complete re-install, but they will lose
their data. There is a way avoiding that. Of course they will still have to go back to the shop and
have the thing repaired. But they can, before that, save their files. There are Windows LiveCD
distros, you can boot on a CD which has an embedded Windows. Because you boot off the CD-rom, the
hard disk is not embedded. And as you boot off a CD, there is no virus problem, at least....
How To Change Your Windows User Environment Variables
a step-by-step guideline (5)
1. INTRODUCTION. Most of Microsoft very basic users are satisfied when the Windows installer
installs each new software, automatically putting each file in the right place and making each
Windows registry change. However, some new incoming software environment, mainly the ones from the
open world, let you do some changes manually. For instance, if you install the java development
software on your pc, you have to manually tell windows where the java binaries are. That means, if
you type “javac” in a command shell window, Microsoft Windows has to know that javac.ex....
Avoid Flash Disk Viruses
This ruins a lot of Windows PC! (14)
There is this new hype of viruses scattering around nowadays that ruins a lot of PCs in our country;
in schools and public cafes! It's bad since it disables a lot of features as well as it ruins memory,
then slows down the whole thing. It disables much of the removal process like Windows RegEdit.exe,
MsConfig.exe and also TaskMan.exe. Variations of these also disable your keyboard during normal
booting, flood your disk with virus files in the root directory and also the windows directory, and
some also flood your directory with Folder-looking icons that are executables.. ....
Reformatting Your Computer (windows Xp)
Format your Computer/PC/Harddrive and Install Windows (10)
Many of us, during the course of computer's life will need to reformat our computer for various
reasons. Whether it be your computer is so slow and you just can't figure out why, or if you
have a very persistent virus that you just can't figure out a way to eradicate. Though i'm
sure there are countless number of reasons, many will fall on the solution of reformatting your
computer....or more specifically, your hard-drive. Now what exactly does this involve? To put it
simply, reformatting your hard-drive is like reformatting any other disk like a floppy d....
Remote Desktop Connection In Windows Vista
(4)
Remote Desktop Connection in Windows Vista What is Remote Desktop ? Remote Desktop Connections
can save time and aggravation: It's a technology already installed in Windows Vista that lets
you sit at a computer in one place and connect to another computer in a completely different
physical location away from you. For example, you can leave programs running on your computer at
work and then see them the same way you do at work when you turn on your computer at home. You can
be miles away from the work computer but be working on it as if you had never left the off....
How To Setup Parental Controls In Windows Vista
(5)
How to Setup parental controls in windows Vista Parental controls are a great first step to
keeping children safe online. To configure Parental Controls your computer must be set up with at
least one password-protected administrator user account. To Set up parental controls 1- Log in
to a user account that has administrative privileges. 2- Click the Start button, choose Control
Panel, and click Set up parental controls for any user. 3- You come to a page that shows the name
and picture for each user account you’ve created Click the user account for which you want....
How To Add Administrator Account In Logon Screen
Windows XP (4)
If you've created an account in addition to the Administrator account in Windows XP, the
administrator account will not be shown in the Logon Screen, this tutorial explains you how to add
the Administrator account to the logon screen. If you are using Windows XP Pro follow these steps,
1. In the Start Menu, select Run. 2. In the Run dialog, type 'regedit' without quotes, to
start the registry editor. 3. Navigate to the key, HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \
Windows NT \ CurrentVersion \Winlogon \SpecialAccounts \UserList 4. In the right pane, ri....
Installing Windows Vista Rtm With Boot Camp
(4)
I guess I'm a few months late on this Vista RTM thing... I'm writing this because I've
gotten sick of the Mac OS. It's just too unnatural for me to use. But, for those of you who have
been afraid to install Windows Vista RTM on your Macs using Boot Camp, this tutorial should help you
and give you confidence. wifi, Aero, and installation work automatically. Two-finger scrolling
works. iSight is actually functional (you can use it). Part 1: Installing Vista To install
Windows Vista on your Mac, you'll need... (Guess.) A Windows Vista DVD and an ....
Windows Xp & 2003 Performace And Security Part One
(2)
Last week I promised to release my very first tutorial on AstaHOST regarding basic computer
security. Why is computer security important? For starters, ask yourselves the following question.
Can you really risk losing your personal data, including memorable pictures, videos, documents, and
important projects that are currently being developed by you? That is up to you to answer, yet I
know that most computer users don’t have instant backup solutions that keep data safe, even if
Windows is dead. The following tutorial will guide the average user on how to easily tweak h....
Getting A New PC Ready To Work With Windows
Getting started with Windows OS (6)
This tutorial will help you getting started with using your new PC, which came with a Windows
Operating System. After you successfully install Windows (that's much of an achievement
itself!), do not think that you are ready to use your PC. Actually, you're far away from
'ready' to use anything more complex than Notepad!!! ---- Section 1 : Things to install,
depending on how you use your PC ---- Office Applications : Microsoft Windows DOES NOT ship
with Microsoft Office. You have to purchase it separately. If you have done so, then be sure to i....
Breaking Into A Windows XP Installation
Exploiting the FAT32 Partition (7)
Usually a Windows XP installation is done on a NTFS partition but at times you will find fools who
install it on FAT32 partition and have no idea that they could create a Limited user account for
normal using and then go about complaining that Windows is insecure to the brim. Anyway here we
only need the Windows XP/Server 2003 to be installed on a FAT32 partition. There are three simple
steps involved: • Rename the logon.scr file situated in system32 folder to something else.
Then make a copy of the cmd.exe and name it logon.scr . • Restart the computer, ....
Adding East Asian Fonts To Your System
For Windows XP (5)
While trying to show someone the mysterious symbols used to create "The Matrix" source code, I
realized that most people have no need to use the East Asian input services offered in Windows XP
but they still may want to know how to play with the options. Additionally, there may be many
Eur-Asian people throughout the world that don't know that they can use their native language
when sending emails to their families abroad;. Or even type letters in their native script. Well,
in an effort to increase the public knowledge of this service, I decided to write this tuto....
Disabling/Enabling Some Of Windows Features
(2)
Disabling/Enabling some of Windows features .:!:. To disable task manager Click Start > Run > and
type regedit, to run registry editor Find following address:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System Create a new Dword and
name it DisableTaskMgr. To disable task manager give value of 1 To enable task manager give value of
0 .:!:. To disable unread email display on Welcome Screen Run registry editor and find following
address: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\UnreadMail Double click on
“MessageExpiryDays” key ....
Stream Lining Windows

(1)
Here's a few quick hacks/registry changes that will help you improve the terribly bloated and
mind-numbing thing we call XP and hopefully I'll get some good credits out of this too. This
tutorial is VERY detailed so it should be easy to follow and sorry if there are spelling mistakes.
MAKE SURE YOU BACK UP YOUR REGISTRY BEFORE YOU TRY ANY OF THESE. I also take no responsibility if
you are an idiot and don't back it up or if you do any harm to your computer!! Improved context
menu:
HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers New key called "Co....
How To Make Your Windows Look Like A Mac
Windows Xp only (25)
Ok Fans of macs I have done my research and checked it twice and I now present my tutorial on how to
make your windows XP desktop look like a Mac operating system. For those who think it's really hard
you're wrong and without any more jibber jabber let's get started. Step 1: The Downloads Ok for this
to work you're going to need some items to make it work. The first one is the skin to make your
windows look like a mac. It's called Panther you can download it here . Second you're gonna need a dock
for your programs. The best free one out there is Yz's dock and you can download....
Ways To Improve Your Performance In Windows XP
(24)

There are many ways for us to improve our computer performance when we're using memory intensive
programs like 3ds max, adobe photoshop(when dealing with large poster-size pictures) etc. Below are
some suggested steps to improve your computer's performance. 1)Reduce the number of processes
running during startup. This can be achieved by using the MSCONFIG provided by windows. To access this
hidden program, go to start > run and type "MSCONFIG". This will bring you t....
[windows 95/98/me] Force Users To Login
(1)
No doubt you noticed that in windows 95/98/me that at the login screen a user can press cancel to
access your computer. This i guess is meant to be like a guest account but in most cases it's
annoying to have. This hack will auto-logoff the user as soon as they login to this
'guest' account. IMPORTANT: THIS REQUIRES YOU TO EDIT THE REGISTRY, IF YOU DO NOT FOLLOW
THESE INSTRUCTIONS CAREFULLY YOU COULD MESS UP YOUR COMPUTER, IN SOME CASES A REGISTRY BACKUP MAY
WORK, IF YOU CAN USE IT, SEARCH GOOGLE FOR REGISTRY BACKUP TO FIND OUT HOW TO DO THIS 1. Goto
this k....
[all Windows] Disable Registry Editing Tools
(2)
If you want to make it so certain users, maybe guest or the account you get to by pressing cancel in
95/98, are not able to edit the registry this is the registry hack for you. IMPORTANT: THIS
REQUIRES YOU TO EDIT THE REGISTRY, IF YOU DO NOT FOLLOW THESE INSTRUCTIONS CAREFULLY YOU COULD MESS
UP YOUR COMPUTER, IN SOME CASES A REGISTRY BACKUP MAY WORK, IF YOU CAN USE IT, SEARCH GOOGLE FOR
REGISTRY BACKUP TO FIND OUT HOW TO DO THIS 1. Goto this key in the registry, to get to the
registry goto Start -> Run and enter regedit QUOTE HKEY_CURRENT_USER\SOFTWARE\Micro....
Great Windows Tweaks
(16)
I've found mass ways to tweak windows, therefore increasing computer performance, and bandwidth.
Check out www.speedguide.net and install the right tweaks for you, i assure it will optimize your
connection, and give all of you a better surfing experience.....
Speed up your windows and Pc!
(21)
Speed up your windows and Pc! Right click on "My Computer" and select "Properties". Go to
"Performance" and click on "File System". In "Settings" section change "Desktop Computer" to
"Network Server". To speed up your windows: Run "Registry Editor", and go to the address below:
HKEY_CURRENT_USER\Control Panel\Desktop Add a parameter: (String Value)(REG_SZ) (value data = 0),
and name it "MenuShowDelay"....
Windows Keyboard Shortcuts
FYI (11)
CTRL+C=Copy CTRL+V=Paste Windows+E=Windows Explorer Windows+F=Search CTRL+Z=Undo Windows+R=Run
Command Windows+D=Shows Desktop Windows+U=Utility manager Windows+F1=Windows Help CTRL+A=Select All
Hope that helps to all of you computer-illiterate...

The NET Command is used to manage services as follows:

Syntax
NET START [service]
NET STOP [service]
NET PAUSE [service]
NET CONTINUE [service]

Key
service : The service name as shown in Control Panel, Services

To list the basic Services:

NET HELP SERVICES

To list the running Services:

NET START

If you try to start a service that is already running you will get this error message:

"The requested service has already been started. More help is available by typing NET HELPMSG 2182"

You can redirect and FIND this type of error as follows:

NET START alerter 2>&1|FIND "2182"
REM FIND sets errorlevel 0 when the text is found, so jump when errorlevel is below 1
IF NOT errorlevel 1 goto :sub_already_started

Related:

NET - Manage network resources
MODE - Configure a system device
SC - Service Control
PsService - View and control services
WMIC SERVICE - WMI access to services.
List of Windows Services
Powershell:
Get-Service - Get a list of services
New-Service - Create a new service
Restart-Service - Stop and then restart a service
Resume-Service - Resume a suspended service
Set-Service - Change the start mode/properties of a service
Start-Service - Start a stopped service
Stop-Service - Stop a running service
Equivalent bash command (Linux): start-stop-daemon - start and stop system daemon programs

Microsoft DOS netsh command
___________________________________________________
MS-DOS command that enables users to change network settings such as changing their network device from a dynamic address to a static address or changing the IP address.

netsh dump

Dump all the network information as a script to the screen. Can also be sent to a file by doing netsh dump > file.txt . This script can then be executed using the exec command.

set address name="Local Area Connection" source=dhcp

Set the "Local Area Connection" to DHCP.

set address local static 10.0.0.9 255.0.0.0 10.0.0.1 1

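Set the interface named "local" to the static address 10.0.0.9 with subnet mask 255.0.0.0, default gateway 10.0.0.1 and gateway metric 1.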

netsh interface ip show config

View network ip configuration. Below is an example of what may be seen.

Configuration for interface "Local Area Connection"
DHCP enabled: Yes
InterfaceMetric: 1
DNS servers configured through DHCP
WINS servers configured through DHCP

There is a registry hack to enable or disable Windows NT TaskManager. The same registry hack applies to Windows 2000 and Windows XP.
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
Name: DisableTaskMgr
Type: REG_DWORD
Value: 1 = Enable this key, that is, DISABLE Task Manager
Value: 0 = Disable this key, that is, don't disable; ENABLE Task Manager


As part of the enhanced management available in Windows 2000 and Windows XP, rather than risking a registry change, as an administrator you can enable or disable Windows 2000 Pro or Windows XP Pro's Task Manager using Group Policy Editor. This can be applied to the local policy. Note: if you are trying to override your organization's group policy, you can't. As soon as you re-authenticate to the domain, the domain or OU Group Policy will rewrite the registry setting. But if the Task Manager was accidentally disabled, or you need to control this item for a set of standalone boxes, this is for you:

Click Start
Click Run
Enter gpedit.msc in the Open box and click OK
In the Group Policy settings window
Select User Configuration
Select Administrative Templates
Select System

Select Ctrl+Alt+Delete options
Select Remove Task Manager
Double-click the Remove Task Manager option
And as I mentioned above, since the policy is Remove Task Manager, by disabling the policy, you are enabling the Task Manager.
Got XP Home - use the registry edit.
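
An added example (not from the original post): Task Manager being switched off without the user's knowledge is worth checking for, and this Python code reads the text of a "reg export" dump and reports the state of DisableTaskMgr under every Policies\System key it finds. The sample export, the SIDs in it and the function names are constructed for the illustration, and matching HKEY_USERS hives as well as HKEY_CURRENT_USER goes beyond the single hive named above.

```python
import re

# Key path suffix and value name from the article (compared case-insensitively).
POLICY_SUFFIX = r"\software\microsoft\windows\currentversion\policies\system"
VALUE_NAME = "disabletaskmgr"

# Constructed sample in the text format of a "reg export" file. Real exports
# are written as UTF-16, so decode the file before passing its text in.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"Wallpaper"="C:\\Windows\\web\\wallpaper.jpg"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
'''

KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: (type, data)}} for dword and string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            # "[-KEY]" deletes a key on import; it holds no values to audit.
            current = None if m.group(1) else keys.setdefault(m.group(2), {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.lower().startswith("dword:"):
            try:
                current[name] = ("REG_DWORD", int(data[6:], 16))
            except ValueError:
                current[name] = ("MALFORMED", data)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            # Undo the .reg escaping of backslashes and quotes.
            current[name] = ("REG_SZ", re.sub(r"\\(.)", r"\1", data[1:-1]))
    return keys


def audit_task_manager(text):
    """List every DisableTaskMgr value found under a Policies\\System key."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith(POLICY_SUFFIX):
            continue
        for name, (vtype, data) in values.items():
            if name.lower() != VALUE_NAME:
                continue
            if vtype != "REG_DWORD":
                state = "wrong-type"        # the article gives the type as REG_DWORD
            elif data == 1:
                state = "disabled"          # 1 = Task Manager disabled
            elif data == 0:
                state = "enabled"           # 0 = Task Manager enabled
            else:
                state = "unexpected-value"  # the article defines only 0 and 1
            findings.append({"key": key, "type": vtype, "data": data, "state": state})
    return findings


if __name__ == "__main__":
    for f in audit_task_manager(SAMPLE_EXPORT):
        print(f"{f['state']:<16} {f['key']}")
```

A "disabled" finding on a standalone machine where nobody set the policy on purpose is the case to investigate; on a domain machine, compare it with what Group Policy is expected to write.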





Security Task Manager shows all active processes on your computer. You can easily recognize the endangering potential of each process. No other Task Manager or Process Viewer has this feature. Furthermore you can put a process into quarantine or search the internet for information about that process.

"Security Task Manager tells you exactly what programs are running on your computer - and it gives you answers to the obvious ensuing questions, such as where these programs reside, who makes them, what they are called, whether they include hidden components, and what all this means to your computer."
SpyProtector deletes history, disables keyboard monitoring and warns you when registry is changed. You can easily monitor your autostart / startup registry entries.

"SCANREG /RESTORE" Command_______________
When you use the SCANREG /RESTORE command at a command prompt in MS-DOS mode to restore the registry, you may receive an error message stating that the registry was not restored.

Reason & solution _____________
This behavior can occur if a third-party program (such as Norton Unerase) has the drive's disk access locked.

To work around this behavior:
Restart the computer. Press and hold down the CTRL key until the Startup menu appears.
Choose Step-by-Step Confirmation, and load only Himem.sys. Press N for all other prompts.
Run the SCANREG /RESTORE command. Himem.sys is not required to run Scanreg.exe, but is required for Scandisk.exe and other tools that may be needed.
When you start your computer successfully, the Windows Registry Checker tool (Scanreg.exe) creates a backup of system files and registry configuration information (including user account information, protocol bindings, software program settings, and user preferences) once daily. Files that Windows Registry Checker backs up include System.dat, User.dat, System.ini, and Win.ini. This article describes the Windows Registry Checker tool.
Windows Registry Checker automatically scans the system registry for invalid entries and empty data blocks when it is started. If invalid registry entries are detected, Windows Registry Checker automatically restores a previous day's backup. This is equivalent to running the scanreg /autorun command from a command prompt. If no backups are available, Windows Registry Checker tries to make repairs to the registry. This is equivalent to running the scanreg /fix command from a command prompt. If the registry contains more than 500 KB of empty data blocks, Windows Registry Checker automatically optimizes it.

Windows Setup runs the Windows Registry Checker tool to verify the integrity of the existing registry before it performs an upgrade. If it detects registry damage, it tries to fix it automatically.

The protected-mode version of the Windows Registry Checker tool (Scanregw.exe) can create a backup of the system files and scan the registry for invalid entries. If invalid entries are detected, it refers to the real-mode version of the Windows Registry Checker tool (Scanreg.exe) for a resolution.

You can configure Windows Registry Checker with a Scanreg.ini file. Settings that you can configure include:
Enabling or disabling the tool
The number of backups maintained (no more than five is recommended)
The location of the backup folder
Settings to add additional files to the backup set
For additional information about the Scanreg.ini file, click the article number below to view the article in the Microsoft Knowledge Base:
183603 (http://support.microsoft.com/kb/183603/EN-US/ ) How to Customize Registry Checker Tool Settings
To start the Windows Registry Checker tool, click Start, click Run, type scanregw.exe in the Open box, and then click OK.

NOTE: To use the Windows Registry Checker tool with the /restore parameter, you must run the tool from a command prompt running outside of Windows. When you do so, you can choose up to five registry backup files listed for you to restore.
To Restore Individual Files
To restore individual files, follow these steps:
Click Start, point to Find, and then click Files Or Folders.
In the Named box, type rb0*.cab, and then click Find Now.
Double-click the cabinet file that contains the file that you want to restore.
Right-click the file that you want to restore, click Extract, and then choose the folder where the new file is to be placed. Microsoft recommends that you place the file in your Temp folder.
Restart your computer in MS-DOS mode (in Windows Millennium Edition, this requires that you restart with the Windows Millennium Edition Startup disk).
Copy the file that you extracted to the appropriate folder. Note that registry .dat files are typically marked as hidden and read-only, so you need to use both the attrib and copy commands to replace the existing file with the newly extracted one.
Known Issues for Windows Registry Checker
If your registry contains an entry that references a file (such as a .vxd file) that no longer exists, it is not repaired by Windows Registry Checker. Such errors are not typically damaging, and you can manually remove the entry. For additional information about such errors, click the article number below to view the article in the Microsoft Knowledge Base:
132008 (http://support.microsoft.com/kb/132008/EN-US/ ) Err Msg: Cannot Find a Device File That May Be Needed...
The amount of conventional memory that is required by Windows Registry Checker is determined by the size of your registry. Windows Registry Checker may require 580 KB or more of free conventional memory to complete the repair process. If you encounter an "Out of Memory" error message, optimize your free conventional memory. For additional information about optimizing memory, click the article number below to view the article in the Microsoft Knowledge Base:
134399 (http://support.microsoft.com/kb/134399/EN-US/ ) How to Increase Conventional Memory for MS-DOS-Based Programs
NOTE: Extended memory is required for Windows Registry Checker to operate properly, so it does not run when you start your computer with the Safe Mode Command Prompt Only option. The exception to this is the scanreg /restore command, which is the only Scanreg function that can run without extended memory.

Monday, August 31, 2009

Fixing DLL Issues Related to Kernel32.dll





Kernel is the nucleus of an operating system. It provides basic services such as performing memory management, handling I/O operations, and handling interrupts. In Windows operating systems, such as Windows 98, ME, and XP, kernel operations are handled by the Kernel32.dll, which is a Dynamic Link Library (DLL) file. Kernel32.dll is loaded at startup in the protected memory area of the system, thereby preventing other programs from taking over this memory space.

Troubleshooting Kernel32.dll Errors

Since Kernel32.dll manages several core activities of Windows operating systems, there are several reasons why Kernel32.dll errors may occur.

Some of the common causes of Kernel32.dll errors are:

Damaged swap file, file allocation, password list, and registry
Low disk space
Incorrect or corrupt Kernel32.dll file
Improper power supply, faulty hard disk controller, and hot CPU
Hardware malfunctioning, over clocking, ground bounce, and RF noise
Improper BIOS Settings
Damaged or incorrectly installed third party software
Missing or corrupt Temp folder
Damaged or missing Control Panel’s .cpl file
Damaged JAVA machine, hardware drivers, .log files, and Msinfo32.exe file
Incorrect entries in History folder and damaged, missing, or incorrect dlls
Due to their crucial role in managing a number of tasks related to core functioning of an operating system, fixing dll problems related to kernel is very important. Here, we discuss steps to fix common Kernel32.dll problems.

Invalid Page Fault Error

Invalid Page Fault (IPF) errors occur when one or more programs try to gain access to the protected memory space. In case only a single program is causing the problem, then fixing this program by reinstalling or uninstalling it can help you fix the problem. However, in case multiple programs are the cause of the error, then faulty hardware may be the most likely cause. To fix this, you might have to replace the device causing the problem.

If IPF Kernel32.dll errors from different drivers such as Explorer, Msgsrv32, and Mprexe become a common affair, then a damaged password list might be the most likely cause of the problem.

For fixing dll error caused from different drivers, you might have to recreate the password file. Before doing this, remember to write down all the passwords saved on your PC. Next, open the Windows folder and search for the *.pwl file. Next, delete all the .pwl files displayed and restart your Windows system.

Damaged Memory Modules

To find out if frequent kernel32.dll errors are caused by problems in the memory module, run msconfig.exe and add the line ‘DEVICE=C:\WINDOWS\HIMEM.SYS /TESTMEM:ON’ in config.sys and restart your PC. If your screen displays the message ‘HIMEM has detected unreliable memory at address xx:xxxxxx’ at startup, it indicates memory problems.

Outdated or Damaged Drivers

Device drivers, especially video drivers, are updated on a regular basis. Therefore, you must keep your device drivers updated to avoid receiving Kernel32.dll errors.

Malware

Many times, malware can lead to dll errors. One of the best methods for fixing dll errors that occur due to malware is to regularly run antivirus scans on your PC. In doing this, it also becomes important for you to keep your antivirus software files updated.

Malware also tends to corrupt the system registry by adding invalid entries or removing important entries from it. Therefore, opting for a registry cleaner software and regularly running registry scans to keep the system registry healthy may also keep dll-related errors at bay.

The Kernel32.dll file is important for normal functioning of your Windows system. Frequent occurrence of Kernel32.dll errors can stall your system and render it useless. To prevent these problems from occurring on your PC, it is important for you to ensure that your PC’s hardware and devices are well maintained, and are in good working condition. Also, you must keep your PC updated by regularly installing driver, antivirus, and security updates. Regular antivirus and registry scans also help you in preventing dll errors.

The Kernel32.dll file handles memory management, input/output operations, and interrupts. When you start Windows, Kernel32.dll is loaded into a protected memory space so that other programs do not take over that memory space.

On occasion, you may receive an invalid page fault (IPF) error message. This error message occurs when a program tries to access the Kernel32.dll protected memory space. Occasionally, the error message is caused by one particular program, and other times the error message is provoked by multiple files and programs.

If the problem results from running one program, the program needs to be replaced. If the problem occurs when you access multiple files and programs, the damage is likely caused by damaged hardware.

You may want to clean boot the computer to help you identify the particular third-party memory-resident software. Note that programs that are not memory-resident can also cause IPF error messages.

The following conditions can cause Kernel32.dll error messages:

Damaged swap file
File allocation damage
Damaged password list
Damaged or incorrect version of the Kernel32.dll file
Damaged registry
Hardware, hot CPU, over clocking, broken power supply, RF noise, ground bounce, or bad hard disk controller
BIOS settings for Wait states, RAM timing, or other BIOS settings
Third-party software that is damaged or incorrectly installed
.dll files that are saved to the desktop

Non-existent or broken Temp folder
A control panel (.cpl) file is damaged
Incorrect or damaged hardware driver
Incorrectly installed printer drivers or HP Jetadmin drivers
Damaged Java Machine

Damaged .log files
Damaged entries in the History folder
Incompatible or damaged dynamic link library files
Viruses
Damaged or incorrect Msinfo32.exe file
Low disk space
More on the possible causes:

Bad memory modules:

You can test your memory modules by inserting the command: DEVICE=C:\WINDOWS\HIMEM.SYS /TESTMEM:ON into your Config.sys file. You can use the System Configuration Utility:

Select Start>> Run and type: msconfig [Enter]

Next, select the Config.sys tab and add the HIMEM.SYS line (above) by pressing the New button.

Windows will tell you to reboot your computer.

Watch your screen for a message; "HIMEM has detected unreliable memory at address xx:xxxxxx" which will certainly indicate that there's a memory problem.


Note: Memory problems may not immediately surface from the result of this test. It may take many reboots or even a few days for the above message to appear.

CPU, bus speed or multiplier overclocking.

Graphic acceleration set too high:
Select Control Panel > System, then select the Performance tab, click the Graphics button. Turn down Hardware acceleration by moving the slider a notch to the left, reboot, try again.
Bad or outdated drivers, especially video drivers:

Check with your card manufacturer for an updated set of drivers. Video drivers are updated constantly, it pays to have the latest release, especially if you find yourself having problems with Internet Explorer.
--------------------------------------------------------------------------------
What to do if you have Kernel32.dll IPF ("Invalid Page Fault") error?
This error occurs when an application tries to access kernel32.dll's protected memory space. It may be one particular program or application, or multiple files and applications. Most kernel32.dll errors are NOT caused by a corruption of the kernel32.dll module.

If the error seems to arise when activating a certain program, application or device, you should try uninstalling and re-installing that program, application or device.

If you frequently receive Invalid Page Fault in Kernel32.dll Errors from different drivers (Explorer, Guide.exe, Msgsrv32, Commgr32, Mprexe and others), it is possible that a damaged password list file is the culprit. Try re-creating your password list file:
In Windows Explorer select your \Windows folder

Press F3. This will bring up the Find: All Files window

In the 'Named' box type: *.pwl

Click Find Now

When a list of found files is displayed, select Edit> Select All> Press Delete on your keyboard

Exit the Find window and restart Windows

Note: This procedure will cause you to lose all of your saved passwords. Be sure to write them down before deleting so that you can re-insert them as needed.


computer recently suffered Zelot-inflicted monitor failure and the corruption of my System32 file.

Thursday, August 20, 2009

Alert: JAVA SPY CODE USING PORT 6463



Scanner.jar


The Scanner.jar is a simple client application which scans a server or a workstation for open ports from 1 - 65536.
The operating system used: Solaris x86 and the Java IDE: Netbeans !

Notice: The purpose of this exercise is purely educational, to learn about Java and networking. This application will run with any JDK 1.4.2_x version available from java.sun.com. It works fine with the latest version, Java 5, too. However this package does not run with JDK 1.3 or previous versions.




Method 1: Single threaded application

Package: Scanner.jar
Source: Main.java

This is a single threaded application which will try to look for any open ports.
The main logic behind this is explained below: the scanner will try to access
the range 1 - 65536 looking for any open ports using the Socket() constructor


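import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;

public class Main {

    public static void main(String[] args) {
        String host = "localhost";   // host to check

        try {
            InetAddress addr = InetAddress.getByName(host);
            System.out.println("Searching for open ports between 1 - 65536");
            System.out.println("Please wait...(CTRL-C to stop the process)");

            for (int i = 1; i < 65536; i++) {
                Socket s = null;
                try {
                    // A completed connection means the port is open
                    s = new Socket(addr, i);
                    System.out.println("Port: " + i + " open on " + host);
                }
                catch (IOException ex) {
                    // Connection refused or timed out: the port is not open
                }
                finally {
                    try {
                        if (s != null) s.close();
                    }
                    catch (IOException ex) {}
                }
            } //for
        } //try
        catch (UnknownHostException ex) {
            System.err.println(ex);
        }
    }
}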

Some results:


$ time java -client -jar Scanner.jar
Searching for open ports between 1 - 65536
Please wait...(CTRL-C to stop the process)
Port: 21 open on localhost
Port: 22 open on localhost
Port: 23 open on localhost
Port: 25 open on localhost
Port: 79 open on localhost
Port: 111 open on localhost
Port: 513 open on localhost
Port: 514 open on localhost
Port: 515 open on localhost
Port: 587 open on localhost
Port: 631 open on localhost
Port: 898 open on localhost
Port: 4045 open on localhost
Port: 4999 open on localhost
Port: 5987 open on localhost
Port: 5988 open on localhost
Port: 6000 open on localhost
Port: 7100 open on localhost
Port: 9010 open on localhost
Port: 32786 open on localhost
Port: 32787 open on localhost
Port: 32788 open on localhost
Port: 32789 open on localhost
Port: 32790 open on localhost
Port: 32791 open on localhost
Port: 32792 open on localhost
Port: 32795 open on localhost
Port: 32796 open on localhost
Port: 33221 open on localhost
Port: 36314 open on localhost
Port: 36317 open on localhost
Port: 36359 open on localhost
Port: 36360 open on localhost
Port: 36389 open on localhost
Port: 36391 open on localhost
Port: 36393 open on localhost
Port: 36394 open on localhost
Port: 36395 open on localhost
Port: 36396 open on localhost
Port: 36397 open on localhost
Port: 36400 open on localhost
Port: 36401 open on localhost
Port: 36402 open on localhost
Port: 36403 open on localhost
Port: 36406 open on localhost
Port: 36409 open on localhost
Port: 36455 open on localhost
Port: 36460 open on localhost
Port: 58787 open on localhost

real 1h32m7.01s
user 0m8.28s
sys 0m7.23s



Next the scanner will be implemented using threads to improve the performance, if any.



Method 2: An improved version: multi-threaded

Package: Scanner2.jar
Source: Main2.java

Many network client applications, and even more so servers, use threads. To see whether we can improve the performance of our scanner we will introduce threads and, to make things a bit easier and more flexible, the scanner will take the hostname, startPort, endPort and the number of threads from the user.


stefan@nereid>java -jar Scanner2.jar
Usage: java -jar Scanner2.jar hostname startPort endPort noThreads





import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.Calendar;
import java.util.Enumeration;
import java.util.GregorianCalendar;

public class Main2 {
    public static PortScannerWorker t = null;
    public static InetAddress host = null;

    /** Creates a new instance of Main */
    public Main2() {
    }

    /**
     * @param args the command line arguments
     */
    public static void main(String[] args) {
        if (args.length != 4) {
            System.out.println("Usage: java -jar Scanner2.jar hostname startPort endPort noThreads");
            return;
        }

        long startTime = System.currentTimeMillis();

        try {
            int firstPort = Integer.parseInt(args[1]);
            int lastPort = Integer.parseInt(args[2]);
            int threads = Integer.parseInt(args[3]);

            System.out.println("Searching for open ports between 1 - 65536");
            System.out.println("Please wait...(CTRL-C to stop the process)");
            host = InetAddress.getByName(args[0]);

            System.out.println("host: "+host+" threads: "+threads);

            // All workers pull their next port from this shared handler
            PortHandler ports = new PortHandler(firstPort, lastPort);
            PortScannerWorker[] workers = new PortScannerWorker[threads];
            for (int i = 0; i < threads; i++){
                t = new PortScannerWorker(("Worker"+i), ports);
                workers[i] = t;
                t.start();
            }

            // Wait for every worker, not only the last one started
            for (int i = 0; i < threads; i++) workers[i].join();
        } //try

        catch (Exception ex) {
            System.err.println("Error:" + ex);
            ex.printStackTrace();
        }

        long endTime = System.currentTimeMillis();
        System.out.println("Time spend for port scan:" + (millisecondsToString(endTime - startTime)));
    }

    public static String millisecondsToString(long time) {
        // return the time as a String in the form HH:MM:SS.mmm
        int millis = (int) (time % 1000);
        int seconds = (int) ((time / 1000) % 60);
        int minutes = (int) ((time / 60000) % 60);
        int hours = (int) (time / 3600000);
        String millisStr = (millis < 10 ? "00" : (millis < 100 ? "0" : "")) + millis;
        String secondsStr = (seconds < 10 ? "0" : "") + seconds;
        String minutesStr = (minutes < 10 ? "0" : "") + minutes;
        String hoursStr = (hours < 10 ? "0" : "") + hours;
        return hoursStr + ":" + minutesStr + ":" + secondsStr + "." + millisStr;
    }
}

class PortScannerWorker extends Thread {
    PortHandler _ports = null;

    public PortScannerWorker(String name, PortHandler ports)
    {
        super(name);
        _ports = ports;
    }

    public void run() {
        Port port = null;
        boolean quit = false;

        while (!quit) {
            port = null;
            // Only one worker at a time may take the next port
            synchronized(_ports)
            {
                if (!_ports.hasMoreElements()) {
                    quit = true;
                    return;
                }
                port = (Port) _ports.nextElement();
            }

            if (null != port) port.scan(this.getName());
        }
    }//run
}

class PortHandler implements Enumeration
{
    InetAddress host = null;
    int _firstPort = 0;
    int _lastPort = 0;
    int _nextPort = 0;

    public PortHandler(int first, int last){
        _firstPort = first;
        _nextPort = first;
        _lastPort = last;
    }

    public boolean hasMoreElements(){
        return (_nextPort <= _lastPort);
    }

    public Object nextElement(){
        return new Port(_nextPort++);
    }
}//class PortHandler

class Port
{
    int _port = -1;

    Port(int port){
        _port = port;
    }

    void scan(String name) {
        try {
            // A completed connection means the port is open
            Socket s = new Socket(Main2.host, _port);
            System.out.println("Port open " + _port + " discovered by thread "
                + name + " at " +
                new GregorianCalendar().get(Calendar.HOUR_OF_DAY) + ":" +
                new GregorianCalendar().get(Calendar.MINUTE) + ":" +
                new GregorianCalendar().get(Calendar.SECOND));

            s.close();
        }

        catch (IOException e) {
            // Connection refused or timed out: the port is not open
        }
    }//scan
}//class Port



And at the end let's check some results: using the scanner with 500 threads.


PID USERNAME SIZE RSS STATE PRI NICE TIME CPU PROCESS/NLWP
727 stefan 75M 47M sleep 59 0 0:00:59 2.4% thunderbird-bin/11
1160 stefan 102M 30M sleep 59 0 0:00:07 1.8% java/508
1095 stefan 64M 42M sleep 47 4 0:03:09 1.1% mozilla-bin/3
672 stefan 25M 13M sleep 59 0 0:00:24 0.8% metacity/1
729 stefan 73M 46M sleep 59 0 0:00:56 0.7% gnome-terminal/2

...


The scanner is the process with PID 1160, which has 508 threads (8 internal JVM threads + our 500 threads). The real size of the process got a bit bigger since each thread has its own stack occupying space.


stefan@nereid>time java -jar Scanner2.jar localhost 1 65536 500
Searching for open ports between 1 - 65535
Please wait...(CTRL-C to stop the process)
host: localhost/127.0.0.1 threads: 500
Port open 21 discovered by thread Worker3 at 14:31:4
Port open 25 discovered by thread Worker4 at 14:31:4
Port open 22 discovered by thread Worker2 at 14:31:4
Port open 111 discovered by thread Worker36 at 14:31:4
Port open 515 discovered by thread Worker171 at 14:31:4
Port open 587 discovered by thread Worker5 at 14:31:11
Port open 631 discovered by thread Worker1 at 14:31:14
Port open 898 discovered by thread Worker6 at 14:31:34
Port open 4045 discovered by thread Worker17 at 14:35:23
Port open 4999 discovered by thread Worker14 at 14:36:6
Port open 5987 discovered by thread Worker0 at 14:36:47
Port open 5988 discovered by thread Worker0 at 14:36:47
Port open 6000 discovered by thread Worker76 at 14:36:48
Port open 7100 discovered by thread Worker149 at 14:37:33
Port open 9010 discovered by thread Worker118 at 14:38:31
Port open 32775 discovered by thread Worker85 at 14:50:58
Port open 32776 discovered by thread Worker85 at 14:50:58
Port open 32777 discovered by thread Worker85 at 14:50:58
Port open 32778 discovered by thread Worker85 at 14:50:58
Port open 32779 discovered by thread Worker85 at 14:50:58
Port open 32780 discovered by thread Worker85 at 14:50:58
Port open 32781 discovered by thread Worker85 at 14:50:58
Port open 32784 discovered by thread Worker85 at 14:50:58
Port open 32785 discovered by thread Worker85 at 14:50:58
Port open 32789 discovered by thread Worker84 at 14:50:58
Port open 32786 discovered by thread Worker83 at 14:50:58
Port open 32831 discovered by thread Worker379 at 14:50:59
Port open 32832 discovered by thread Worker379 at 14:50:59
Port open 32865 discovered by thread Worker160 at 14:51:1
Port open 32866 discovered by thread Worker160 at 14:51:1
Port open 32868 discovered by thread Worker160 at 14:51:1
Port open 32869 discovered by thread Worker160 at 14:51:1
Port open 32870 discovered by thread Worker160 at 14:51:1
Port open 32871 discovered by thread Worker160 at 14:51:1
Port open 32872 discovered by thread Worker160 at 14:51:1
Port open 32875 discovered by thread Worker160 at 14:51:1
Port open 32877 discovered by thread Worker172 at 14:51:1
Port open 32879 discovered by thread Worker172 at 14:51:1
Port open 32882 discovered by thread Worker172 at 14:51:1
Port open 32883 discovered by thread Worker172 at 14:51:1
Port open 32885 discovered by thread Worker172 at 14:51:1
Port open 32876 discovered by thread Worker160 at 14:51:1
Port open 32918 discovered by thread Worker85 at 14:51:2
Port open 32923 discovered by thread Worker85 at 14:51:2
Port open 32947 discovered by thread Worker85 at 14:51:2
Port open 34119 discovered by thread Worker108 at 14:51:34
Port open 36208 discovered by thread Worker379 at 14:52:31
Time spend for port scan:00:35:21.728

real 36m28.94s
user 0m12.02s
sys 0m7.27s



So, the total execution time, using 500 threads, has been 35 minutes, compared with 1h and 30 minutes previously in Method 1. However, the time of 30 minutes is far too long. In the next section we will understand why.
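
Seen from the scanned host, both runs above look alike: one source opens connections to a long run of different ports on one target, and nearly all of them fail. The Python code below is an added example, not part of the original article, that flags this pattern in connection records; the record layout, addresses, thresholds and function names are assumptions made for the illustration, and the sample data is constructed.

```python
from collections import defaultdict, deque


def make_sample():
    """Constructed connection records: (seconds, src, dst, dst_port, result)."""
    records = []
    # Ordinary client: repeated connections to two services on the server.
    for t in range(0, 300, 10):
        port = 22 if t % 20 else 25
        records.append((float(t), "10.0.0.5", "10.0.0.20", port, "established"))
    # Sweep shaped like the Scanner2.jar run: one source, one target, ports
    # 1..2000 at about 30 ports per second (65535 ports in about 35 minutes).
    open_ports = {21, 22, 25, 111, 515, 587, 631, 898}
    for port in range(1, 2001):
        if port in open_ports:
            result = "established"
        elif port % 3 == 0:
            result = "timeout"    # closed port, no reply seen in time
        else:
            result = "refused"    # closed port answered with a RST
        records.append((100 + port / 30.0, "10.0.0.66", "10.0.0.20", port, result))
    records.sort(key=lambda r: r[0])
    return records


def detect_port_sweeps(records, window=60.0, min_ports=100, min_failed_ratio=0.8):
    """Flag (src, dst) pairs that reach min_ports distinct destination ports
    inside one sliding window while most attempts fail.

    records must be sorted by time. Worker threads take ports out of order,
    so the check counts distinct ports instead of looking for a sequence.
    """
    events = defaultdict(deque)                          # pair -> (time, port, failed)
    port_counts = defaultdict(lambda: defaultdict(int))  # pair -> port -> hits in window
    failed = defaultdict(int)                            # pair -> failed attempts in window
    alerts = {}
    for ts, src, dst, port, result in records:
        pair = (src, dst)
        is_failed = result != "established"
        q = events[pair]
        q.append((ts, port, is_failed))
        port_counts[pair][port] += 1
        failed[pair] += is_failed
        # Expire events that have left the window.
        while ts - q[0][0] > window:
            _, old_port, old_failed = q.popleft()
            port_counts[pair][old_port] -= 1
            if port_counts[pair][old_port] == 0:
                del port_counts[pair][old_port]
            failed[pair] -= old_failed
        if pair in alerts or len(port_counts[pair]) < min_ports:
            continue
        ratio = failed[pair] / len(q)
        if ratio >= min_failed_ratio:
            alerts[pair] = {
                "src": src,
                "dst": dst,
                "first_seen": q[0][0],
                "detected_at": ts,
                "distinct_ports": len(port_counts[pair]),
                "failed_ratio": round(ratio, 2),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_port_sweeps(make_sample()):
        print(alert)
```

At the rates measured above (65535 ports in 1h32m, or in about 35 minutes with 500 threads) a scan passes 100 distinct ports well inside the 60-second window, so both runs would be flagged with the defaults.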




--------------------------------------------------------------------------------

Conclusions:

Two scanner applications were presented: a single-threaded one and a multi-threaded one. The multi-threaded client was presented to show how you can use threads and sockets under Java.

Another open issue was the time of the scanning process. Scanning for open ports under Solaris x86 took a very, very long time. Why?

Solaris (x86 or SPARC) defends itself against a DoS - the SYN attack. The protection limits the rate at which RST segments are sent, which is what the tcp_rst_sent_rate_enabled parameter below controls. By default Solaris has this protection ON (hmm ... very nice :)), compared with RedHat 9 based on kernel 2.4.x, which does not have this protection and where the scan finished in a couple of seconds. To disable this protection, as root try:
# ndd -set /dev/tcp tcp_rst_sent_rate_enabled 0

and you can put it on back:

# ndd -set /dev/tcp tcp_rst_sent_rate_enabled 1


To demonstrate the effect of changing the RST parameter, we ran Scanner2 again to look for all open ports. CPU consumption went very high and the total time was reduced to 18 seconds!


stefan@nereid>time java -jar Scanner2.jar localhost 1 65535 500
Searching for open ports between 1 - 65536
Please wait...(CTRL-C to stop the process)
host: localhost/127.0.0.1 threads: 500
Port open 21 discovered by thread Worker0 at 15:15:1
Port open 22 discovered by thread Worker0 at 15:15:1
Port open 25 discovered by thread Worker0 at 15:15:1
Port open 111 discovered by thread Worker0 at 15:15:1
Port open 515 discovered by thread Worker236 at 15:15:2
Port open 587 discovered by thread Worker236 at 15:15:2
Port open 631 discovered by thread Worker236 at 15:15:2
Port open 898 discovered by thread Worker208 at 15:15:2
Port open 4045 discovered by thread Worker212 at 15:15:3
Port open 4999 discovered by thread Worker247 at 15:15:3
Port open 5987 discovered by thread Worker248 at 15:15:3
Port open 5988 discovered by thread Worker248 at 15:15:3
Port open 7100 discovered by thread Worker385 at 15:15:4
Port open 9010 discovered by thread Worker440 at 15:15:4
Port open 6000 discovered by thread Worker248 at 15:15:4
Port open 32775 discovered by thread Worker245 at 15:15:9
Port open 32776 discovered by thread Worker245 at 15:15:9
Port open 32777 discovered by thread Worker245 at 15:15:9
Port open 32778 discovered by thread Worker245 at 15:15:9
Port open 32779 discovered by thread Worker245 at 15:15:9
Port open 32780 discovered by thread Worker245 at 15:15:9
Port open 32781 discovered by thread Worker245 at 15:15:9
Port open 32784 discovered by thread Worker456 at 15:15:9
Port open 32785 discovered by thread Worker456 at 15:15:9
Port open 32789 discovered by thread Worker315 at 15:15:9
Port open 32786 discovered by thread Worker261 at 15:15:9
Port open 32831 discovered by thread Worker297 at 15:15:9
Port open 32832 discovered by thread Worker297 at 15:15:9
Port open 32865 discovered by thread Worker462 at 15:15:9
Port open 32866 discovered by thread Worker462 at 15:15:9
Port open 32868 discovered by thread Worker462 at 15:15:9
Port open 32869 discovered by thread Worker462 at 15:15:9
Port open 32870 discovered by thread Worker462 at 15:15:9
Port open 32871 discovered by thread Worker462 at 15:15:9
Port open 32872 discovered by thread Worker462 at 15:15:9
Port open 32875 discovered by thread Worker494 at 15:15:9
Port open 32876 discovered by thread Worker494 at 15:15:9
Port open 32877 discovered by thread Worker494 at 15:15:9
Port open 32879 discovered by thread Worker252 at 15:15:9
Port open 32882 discovered by thread Worker280 at 15:15:9
Port open 32883 discovered by thread Worker280 at 15:15:9
Port open 32885 discovered by thread Worker281 at 15:15:9
Port open 32918 discovered by thread Worker32 at 15:15:9
Port open 32923 discovered by thread Worker66 at 15:15:9
Port open 34119 discovered by thread Worker158 at 15:15:10
Port open 36208 discovered by thread Worker486 at 15:15:10
Port open 63312 discovered by thread Worker303 at 15:15:16
Time spend for port scan:00:00:15.544

real 0m15.97s
user 0m8.48s
sys 0m5.67s



Decreasing the number of threads as well, to reduce CPU and memory consumption, returned similar results; in fact a single thread did better than the multi-threaded run:


stefan@nereid>time java -jar Scanner2.jar localhost 1 65535 1
Searching for open ports between 1 - 65536
Please wait...(CTRL-C to stop the process)
host: localhost/127.0.0.1 threads: 1
Port open 21 discovered by thread Worker0 at 15:17:33
Port open 22 discovered by thread Worker0 at 15:17:33
Port open 25 discovered by thread Worker0 at 15:17:33
Port open 111 discovered by thread Worker0 at 15:17:34
Port open 515 discovered by thread Worker0 at 15:17:34
Port open 587 discovered by thread Worker0 at 15:17:34
Port open 631 discovered by thread Worker0 at 15:17:34
Port open 898 discovered by thread Worker0 at 15:17:34
Port open 4045 discovered by thread Worker0 at 15:17:35
Port open 4999 discovered by thread Worker0 at 15:17:35
Port open 5987 discovered by thread Worker0 at 15:17:36
Port open 5988 discovered by thread Worker0 at 15:17:36
Port open 6000 discovered by thread Worker0 at 15:17:36
Port open 7100 discovered by thread Worker0 at 15:17:36
Port open 9010 discovered by thread Worker0 at 15:17:36
Port open 32775 discovered by thread Worker0 at 15:17:41
Port open 32776 discovered by thread Worker0 at 15:17:41
Port open 32777 discovered by thread Worker0 at 15:17:41
Port open 32778 discovered by thread Worker0 at 15:17:41
Port open 32779 discovered by thread Worker0 at 15:17:41
Port open 32780 discovered by thread Worker0 at 15:17:41
Port open 32781 discovered by thread Worker0 at 15:17:41
Port open 32784 discovered by thread Worker0 at 15:17:41
Port open 32785 discovered by thread Worker0 at 15:17:41
Port open 32786 discovered by thread Worker0 at 15:17:41
Port open 32789 discovered by thread Worker0 at 15:17:41
Port open 32831 discovered by thread Worker0 at 15:17:41
Port open 32832 discovered by thread Worker0 at 15:17:41
Port open 32865 discovered by thread Worker0 at 15:17:41
Port open 32866 discovered by thread Worker0 at 15:17:41
Port open 32868 discovered by thread Worker0 at 15:17:41
Port open 32869 discovered by thread Worker0 at 15:17:41
Port open 32870 discovered by thread Worker0 at 15:17:41
Port open 32871 discovered by thread Worker0 at 15:17:41
Port open 32872 discovered by thread Worker0 at 15:17:41
Port open 32875 discovered by thread Worker0 at 15:17:41
Port open 32876 discovered by thread Worker0 at 15:17:41
Port open 32877 discovered by thread Worker0 at 15:17:41
Port open 32879 discovered by thread Worker0 at 15:17:41
Port open 32882 discovered by thread Worker0 at 15:17:41
Port open 32883 discovered by thread Worker0 at 15:17:41
Port open 32885 discovered by thread Worker0 at 15:17:41
Port open 32918 discovered by thread Worker0 at 15:17:41
Port open 32923 discovered by thread Worker0 at 15:17:41
Port open 34119 discovered by thread Worker0 at 15:17:42
Port open 36208 discovered by thread Worker0 at 15:17:42
Port open 63312 discovered by thread Worker0 at 15:17:47
Time spend for port scan:00:00:14.482

real 0m14.81s
user 0m7.21s
sys 0m5.33s



Disabling the RST protection makes the scan very fast. In fact, with the protection OFF, Scanner2 performs worse with a high number of threads than with only one thread!


REMEMBER: The protection is ON by default, meaning your server is protected against this kind of DoS attack; when you switch it OFF, you are vulnerable to a DoS attack.
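
Since the protection has to be switched back on after a test run, here is one way to make that automatic. This is an added example, not part of the original post: it saves the current value of tcp_rst_sent_rate_enabled, runs a single command with the limit off, and restores the saved value even if the command fails or is interrupted. It assumes a POSIX shell (ksh or bash on Solaris); the function names and the NDD override variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): run one command with the
# Solaris RST rate limit switched off, then always put the old value back.
NDD=${NDD:-ndd}                 # assumption: overridable so the logic can be tested
PARAM=tcp_rst_sent_rate_enabled # the parameter the post changes with ndd

rst_limit_get() { "$NDD" -get /dev/tcp "$PARAM"; }
rst_limit_set() { "$NDD" -set /dev/tcp "$PARAM" "$1"; }

# Usage (as root): with_rst_limit_disabled java -jar Scanner2.jar localhost 1 65535 1
# Returns the command's exit status, 2 if the limit could not be read or
# changed, 3 if the saved value could not be restored.
with_rst_limit_disabled() {
    saved=$(rst_limit_get) || return 2
    case "$saved" in
        0|1) ;;
        *) echo "unexpected $PARAM value: $saved" >&2; return 2 ;;
    esac

    # Catch signals so an interrupted scan cannot leave the protection off.
    trap 'rst_limit_set "$saved"' INT TERM HUP
    if ! rst_limit_set 0; then
        trap - INT TERM HUP
        return 2
    fi

    status=0
    "$@" || status=$?           # "|| ..." keeps 'set -e' callers from exiting here

    restored=0
    rst_limit_set "$saved" || restored=1
    trap - INT TERM HUP
    if [ "$restored" -ne 0 ] || [ "$(rst_limit_get)" != "$saved" ]; then
        echo "WARNING: $PARAM was not restored to $saved" >&2
        return 3
    fi
    return "$status"
}
```

A return code of 3 means the host may still be running without the RST limit and should be checked by hand with ndd -get.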