
SolutionBase: Audit Windows host security with the free SuperScan tool

Administrators need to see what hackers can see in order to secure a company's valuable information resources. In a Windows network, one of the best ways to accomplish this is with SuperScan.

SuperScan, a free utility made by Foundstone, is one of many programs that can be used either as a hacker tool or as a network security tool. A hacker can use this utility to launch a denial of service attack or to collect information about a remote host. As a security utility, SuperScan can help you find out where the weaknesses are within your own network. I'll show you where to get SuperScan and how to use it.

Acquiring SuperScan

SuperScan 4.0 is free, and you can download it here. The download consists of a 196-KB zip file. Because SuperScan is capable of flooding a network with packets, the Foundstone Web site indicates that some antivirus software packages might identify SuperScan as a denial of service (DoS) agent.

SuperScan 4.0 is designed to run only on Windows XP or Windows 2000. For older operating systems, you'll have to download SuperScan version 3.0.

Using SuperScan

After you unzip SuperScan, you can launch the utility by double-clicking on the Superscan4.exe file. The interface's default tab, Scan, allows you to enter one or more host names or IP address ranges. You also have the option of importing a list of IP addresses from a file. Once you've entered the host names or the IP address ranges that you want to scan, just click the Play button and SuperScan will begin scanning the addresses, as shown in Figure A.

Figure A

SuperScan allows you to enter a range of IP addresses to scan.

Once the scanning process completes, SuperScan will provide you with a list of the hosts that have been discovered and all of the open ports that were detected on each host. SuperScan even includes an option for displaying the information in HTML format, as shown in Figure B.

Figure B

SuperScan shows which hosts were detected and which ports were open on each host.

Host and Service Discovery tab

So far, I've shown you an example of how you can perform a simple scan against a group of hosts. However, there are lots of things you can do to customize a scan. In Figure C, you'll see the Host and Service Discovery tab. This tab gives you more control over what information is being looked at during each scan.

Figure C

The Host and Service Discovery tab lets you decide which ports will be scanned.

At the top of this tab is the Host Discovery section. By default, hosts are discovered by way of echo requests. By selecting and deselecting various check boxes, you can also discover hosts through the use of timestamp requests, address mask requests, and information requests. Keep in mind, though, that the more options you select, the longer the scan will take. If you're trying to gather as much information as possible about a specific host, I recommend first performing a regular detection to find the host and then scanning only that host with the request for additional information.

The bottom portion of this tab contains the UDP Port Scan and the TCP Port Scan sections. In the screen capture, notice that SuperScan is initially set to scan only the most commonly used ports. The reason is that there are more than 65,000 TCP ports and over 65,000 UDP ports. Imagine how long a scan would take if you were scanning over 130,000 ports for every potential IP address. SuperScan therefore initially scans only the most commonly used ports, but gives you the option of scanning any additional ports you want.

Scan Options tab

The Scan Options tab, shown in Figure D, allows you to further control the scanner's behavior. The first section on this tab lets you set the number of host and service discovery passes used during a scan. One is the default number and is usually sufficient unless you have an unreliable connection.

Figure D

On the Scan Options tab, you can control the scan speed and the number of passes.

In the next section on this tab, you can set the number of attempts at resolving the host name. Again, unless you have an unreliable connection, one is usually sufficient.

Another option you can set is Banner Grabbing. Banner grabbing is an attempt to get the remote host to respond by displaying some message. The default timeout is 8000 milliseconds, but this may not be long enough if you're connecting to a slow host.

The Scan Speed option on this tab consists of a slide bar you can use to adjust the number of milliseconds SuperScan waits between sending each packet. For the fastest possible scan, you'll want to set this option to zero. However, a setting of zero could potentially flood your network with packets. If you're worried about your network being overrun by packets from SuperScan, you can slow down SuperScan.
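To make the Scan Options settings concrete, here is an added Python example (not SuperScan's code and not part of the original article) that audits a host you administer with a plain TCP connect check and reports open ports missing from an approved list. The function and parameter names are hypothetical, `connect_timeout_ms` is an assumed extra setting, and the loopback listener is a constructed stand-in for a real service.

```python
import socket
import threading
import time

def grab_banner(sock, timeout_ms):
    """Wait up to timeout_ms for the service to greet us; '' if it stays silent."""
    sock.settimeout(timeout_ms / 1000)
    try:
        return sock.recv(256).decode("ascii", "replace").strip()
    except OSError:                      # includes socket.timeout
        return ""

def audit_host(host, ports, expected, passes=1, delay_ms=10,
               connect_timeout_ms=500, banner_timeout_ms=8000):
    """Return {port: banner} for open TCP ports that are not in `expected`."""
    found = {}
    for _ in range(passes):              # extra passes retry what a lossy link missed
        for port in ports:
            if port in found:
                continue
            try:
                with socket.create_connection((host, port),
                                              connect_timeout_ms / 1000) as s:
                    found[port] = grab_banner(s, banner_timeout_ms)
            except OSError:              # closed, filtered, or timed out
                pass
            time.sleep(delay_ms / 1000)  # pacing between probes; 0 = no pause
    return {p: b for p, b in found.items() if p not in expected}

def start_test_listener(banner=b"220 demo-ftp ready\r\n"):
    """Constructed stand-in for a service: loopback listener that sends a banner."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))           # port 0 = let the OS pick a free port
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:              # listener was closed
                return
            with conn:
                conn.sendall(banner)
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    srv, port = start_test_listener()
    # Nothing is on the approved list, so the listener is reported as unexpected.
    print(audit_host("127.0.0.1", [port], expected=set(), banner_timeout_ms=1000))
    srv.close()
```

A service that never sends a greeting costs the full banner timeout per open port, which is why that setting and the inter-probe delay dominate how long an audit takes.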

Tools

The Tools tab is one of my favorite parts of SuperScan. It allows you to quickly get a lot of information about a specific host. Just enter the host name or IP address and the default whois server; then click the button corresponding to the information you're trying to find. For example, you can ping a server, run a traceroute, and send an HTTP request. Figure E shows the variety of information you can obtain.

Figure E

On the Tools tab, you can gather a variety of information on a host with the click of a button.

Windows Enumeration

The last functional tab is Windows Enumeration. As you'd probably guess, it's useless if you're trying to gather information about a Linux/UNIX host, but very handy if you need information about a Windows host. As you can see in Figure F, this tab can potentially provide you with everything from the host's users and groups to its account policies. The most impressive part of this tab is the sheer volume of information that it can produce.

Figure F

The Windows Enumeration tab produces a wealth of information about Windows machines.

End sum

SuperScan is the kind of tool that every administrator needs to have as part of a security auditing toolkit. If you know what information hackers can see when looking at your network, then you'll know how to mitigate many potential attacks and how to protect your company's most important assets.
