Superscan 4: test your network security

Several years ago I used a “hacker” (read security testing) tool called Superscan a GUI-based port scanner.

While it’s no replacement for Nmap; Superscan is a lot easier to use. Maybe that’s why most of the security presenters at the recent Microsoft TechEd in Sydney used Superscan during their presentations.

When the new version (totally rewritten) came out I took it for a test drive to see how it behaved. This version is made by Foundstone (www.foundstone.com) and is still free.

Before you can test the security of a network or a host you need to know what’s there and preferably what OS the computers are running – this is all provided by a good port scanner.

No installation is necessary- just unpack superscan4.zip and run SuperScan4.exe. Note that this version only runs on Windows 2000 and XP and might require administrative privileges.

The first thing I noticed is that this version is faster by far. Scanning an entire class C subnet with five live hosts took 40 seconds.

The results are displayed in your favourite browser by clicking View HTML Results. For each discovered host it lists all the information it has sniffed out. Hostname and Netbios names are listed per host as are UDP and TCP ports and their associated services. This is very good data for further penetration testing. MAC addresses are listed for each network card too which is also handy for spoofing.

(Click to see an expanded view)

The first host is a Netgear router listed as running BIND 9.2 (that’s the DNS proxy for clients on the network).

The next PC listed is a Windows XP SP2 PC with Windows Firewall enabled. Note that it still gives out its Netbios nametable. This scan was run from a host on the local LAN running a scan on the internet can give very different results.

The next host is a Windows Longhorn Server beta 2 also with the built in firewall enabled. Not a lot of information is revealed. The final host is a networked Brother printer.

The second tab in SuperScan is where settings for hosts and service discovery are applied. Which ports to scan and whether to scan both UDP and TCP (recommended) can be configured. If you need to bypass a simple firewall on your end a specific source port for both TCP and UDP can be applied.

The next tab lets you configure scan options if you’re on a dial up link or other slow link set the time out values to 20 or 30ms delay. If you’re on a high speed link / LAN you can try setting the value a bit higher perhaps 5ms. If you’re keeping a low profile an even slower value might be good 100ms or even slower.

The next tab – tools is a real treasure trove for command line allergic wannabe hackers.

Here you can do a hostname / IP / URL lookup and continue with Ping and Traceroute for your target. A HTTP head request lets us know that APC’s web site is running on Apache.

Finally a number of Whois databases can be queried for information on the selected host.

The last tab is perhaps why this tool is popular Windows Enumeration lets you “fingerprint” a particular Windows host for Netbios names Users Groups and Shares etc.

We ran an enumeration against our Longhorn server with very little information gained earlier (non-hardened) versions of Windows would have coughed up more information.