Using SuperScan to Reconnoiter an Internal Network


Added by Mike Danseglio, August 25, 2014

The importance of reconnaissance in vulnerability discovery and penetration testing is usually overlooked. Network security personnel with little training or experience will often begin their analysis by finding a few target systems and immediately attempting to compromise their security with user/password logins and vulnerability penetration tests. These premature attempts to compromise pseudo-random hosts are likely to trigger alerts on intrusion prevention systems, firewalls, and host-based security controls.

This is a mistake. The criticality of reconnaissance cannot be overstated. That’s why the more experienced penetration testers take a slow and methodical approach to hacking. They know that identifying networks, hosts, and services is much easier to do before an attack begins and allows them to attack only targets that are likely to produce the desired outcome.

One of my favorite tools for performing reconnaissance is SuperScan, a GUI tool developed by Foundstone and now owned by McAfee.

Using SuperScan

SuperScan can be used for either internal or external network reconnaissance. I prefer it for internal scanning as it tends to do a good job with NetBIOS and other Windows LAN-oriented enumeration.

SuperScan is a free tool that can be downloaded from SuperScan v4.1. It requires no installation, so you can just unzip it and launch SuperScan as shown in Figure 1.

Figure 1. The default SuperScan startup screen.

Note that if SuperScan gives you an error, you may need to run it as an Administrator. To do that, simply right-click the exe file and select Run as administrator as shown in Figure 2.

Figure 2. Running SuperScan as admin.

To reconnoiter a network, simply type in a valid IP address range in the Start IP and End IP address fields and click the right-arrow button to move that range into the IP range selection box as shown in Figure 3.

Figure 3. SuperScan has a valid IP address range.

I’m going to use 10.1.10.1 through 10.1.10.254 here, a valid range on my network. Once I press play in the bottom left corner, SuperScan does its thing.

By default SuperScan begins with a ping sweep, which often sets off external intrusion detection systems but is frequently ignored on internal networks. The results of the initial ping sweep (here called Host discovery ICMP (Echo) scan) are shown in Figure 4.

Figure 4. Targeting 10.0.1.1 with SuperScan.

Once all hosts in the range are discovered, SuperScan begins interrogating them for open ports, service names and versions, and more. The options for what interrogations are performed are available under both the Host and Service Discovery and Scan Options tabs as shown in Figures 5 and 6.

Figure 5. The default Host and Service Discovery options for SuperScan.

Figure 6. The default Scan Options for SuperScan.

Between the ping sweep, port scan, and banner grab, SuperScan collects and displays an extremely useful list of potential targets for penetration testing.
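Seen from the monitoring side, the ping sweep and port scan described above leave a recognizable pattern: one source touching many distinct hosts, then many distinct ports on a host, within a short window. The following is an added example, not part of the original post and not SuperScan code; the log format, thresholds, and every address other than the 10.1.10.1-254 range are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not the output of any real product):
#   <ISO time> SRC=<ip> DST=<ip> PROTO=ICMP TYPE=<icmp type>
#   <ISO time> SRC=<ip> DST=<ip> PROTO=TCP DPT=<dest port>
LINE = re.compile(r"(\S+) SRC=(\S+) DST=(\S+) PROTO=(\w+) (?:TYPE|DPT)=(\d+)")

def detect(lines, window=timedelta(seconds=60), host_limit=20, port_limit=15):
    """Return sorted (kind, source, target) findings; limits are illustrative."""
    recent = defaultdict(deque)      # key -> (time, item) events inside the window
    findings = set()
    for line in lines:               # events are expected in time order per source
        m = LINE.match(line)
        if not m:
            continue                 # ignore lines in any other format
        ts, src, dst, proto, num = m.groups()
        ts = datetime.fromisoformat(ts)
        if proto == "ICMP" and num == "8":   # echo request: distinct hosts per source
            key, item, limit = ("ping_sweep", src, "*"), dst, host_limit
        elif proto == "TCP":                 # distinct ports per source/target pair
            key, item, limit = ("port_scan", src, dst), int(num), port_limit
        else:
            continue
        q = recent[key]
        q.append((ts, item))
        while ts - q[0][0] > window:         # drop events older than the window
            q.popleft()
        if len({i for _, i in q}) >= limit:
            findings.add(key)
    return sorted(findings)

def sample_log():
    """Constructed traffic: a scanner at 10.1.10.50 mixed with routine activity."""
    t0 = datetime(2014, 8, 25, 10, 0, 0)
    at = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    out = [f"{at(i)} SRC=10.1.10.50 DST=10.1.10.{i} PROTO=ICMP TYPE=8"
           for i in range(1, 255)]                       # sweep of 10.1.10.1-254
    out += [f"{at(300 + p)} SRC=10.1.10.50 DST=10.1.10.10 PROTO=TCP DPT={p}"
            for p in range(1, 101)]                      # port scan of one host
    out += [f"{at(30 * n)} SRC=10.1.10.5 DST=10.1.10.1 PROTO=ICMP TYPE=8"
            for n in range(10)]                          # monitoring ping, one target
    out += [f"{at(n)} SRC=10.1.10.77 DST=10.1.10.20 PROTO=TCP DPT={p}"
            for n, p in enumerate((80, 443, 445))]       # ordinary client traffic
    return out

if __name__ == "__main__":
    print(detect(sample_log()))
```

The monitoring host and the ordinary client stay below both limits, so only the scanning source is reported.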

What Do I Do With This Test?

Once you’ve conducted the test you will have a fairly complete list of active network hosts and the services running on those hosts. Although the list is probably not complete, you can use it to either begin selecting targets for further penetration testing or begin probing for other hosts based on the data you’ve collected.

So now you know how to use a free tool to reconnoiter your internal network. And knowing is half the battle!

Stay safe!

Mike Danseglio – CISSP / MCSE / CEH
Interface Technical Training – Technical Director and Instructor

Mike Danseglio teaches Security classes at Interface Technical Training. His classes can be attended in Phoenix, Arizona or online from anywhere in the world with RemoteLive.

 

 
