Scantide Auditor PowerShell helps administrators understand what is reachable inside their own networks. Use the ScantideLauncher.ps1 GUI for guided local network scans, or run ScantideLAN.ps1 directly for scripted inventory, service evidence, TLS checks, CVE context, CMDB comparison and HTML reports.
The easiest start is ScantideLauncher.ps1. It can download/update the rest of the package when needed. The full Auditor PowerShell package uses the launcher, main scanner, local discovery helper, radio discovery helper, port/profile metadata helper, Windows Credential Manager helper, favicon evidence helper, and local MAC vendor cache in the same folder.
/favicon.ico evidence outside the main scanner, embeds found icons in the report and returns plain status values such as 404, timeout or helper-missing.
Download
The PowerShell Auditor family has grown. Keeping LAN scanning, local device posture and scheduled CVE watch on one page made it harder to understand. Use this map to choose the right workflow.
Use ScantideLAN.ps1 through the Launcher or CLI to discover reachable hosts, open ports, banners, TLS/web evidence, favicons, service CVEs, CMDB presence and radio/local discovery evidence.
Read network scanner manualUse ScantideLocalCheck.ps1 to inspect the Windows machine itself: firewall, AV/EDR, updates, users, BitLocker, certificates, browsers, USB/ghost devices, listening ports and installed-software CVE review.
Read Local Device Check pageUse Install-ScantideLocalWatch.ps1 for a small scheduled CVE-only installed-software watch using Task Scheduler COM. It does not use HKCU Run registry startup fallback.
Read Local Watch setup
Version 3.5.166 fixes a first-time credential save/update issue in the Launcher. The Credential Manager helper functions are now loaded into a persistent runspace scope before the Launcher calls Set-ScantideWindowsCredential.
ScantideCredentialManager.ps1 is bundled and verified before credential save/update actions.
Scantide API credentials can be stored in Windows Credential Manager and reused by Local Watch and scans.
ServiceNow/CMDB credentials and instance values can be reused without echoing secrets in the console.
The current Auditor package is no longer only a LAN scanner. It now combines internal network discovery, local PC posture checks, installed-software CVE review, Local Watch scheduling, report filtering and operational helper scripts into one authorized audit toolkit.
Run Basic or Advanced endpoint posture checks for Windows inventory, Defender/AV state, firewall state, risky firewall rules, local users/admins, BitLocker, Secure Boot/TPM, USB storage, ghost devices, browser posture, certificates, listening ports and recent Application/System errors.
Install a background CVE-only watch using a short runner script and Windows Task Scheduler. It checks installed software against Scantide CVE intelligence, uses parallelism 8, and can show success or High/Critical review-lead notifications.
Local Watch creation now uses the Task Scheduler COM API with an interactive current-user token, matching the normal “When I log on” task model. No registry Run fallback is used.
Local reports include dynamic sections, filter buttons, summary cards, export support, clearer notes and evidence-oriented rows instead of dumping everything into one long table.
ScantidePortHelper is used for listening-port explanations, protocol behavior, management-port context, SCADA/OT hints and risk wording that makes findings easier to review.
Remove Watch deletes the logon task, the optional daily task and the ProgramData\Scantide runner folder when cleanup is requested.
ScantideLocalCheck.ps1 complements the network scanner by reviewing the Windows machine where it runs. It is useful for audit preparation, troubleshooting and quick posture evidence before or after a LAN scan.
Focused checks for system identity, network, public IP, firewall, antivirus, updates, installed software CVE review, shares, printers, listening ports, SMB, RDP, BitLocker, users, UAC, PowerShell, startup items, Secure Boot/TPM, risky firewall rules and recent event log errors.
.\ScantideLocalCheck.ps1 -CheckLevel BasicAdds deeper posture modules such as Wi-Fi profiles, certificates, browser extensions, remote access tools, developer/admin tools, scheduled tasks, writable services, PATH hijack checks, USB storage, proxy/VPN, LAPS, lock screen, credential exposure, browser posture, Windows security baseline, remote management, audit logging, time sync, recovery posture, device control, update policy and ghost devices.
.\ScantideLocalCheck.ps1 -CheckLevel AdvancedLocal Watch is designed to be quiet and specific. It does not run a full Local PC Check and it does not create registry startup persistence. It creates a Windows Scheduled Task that runs a short runner script, which then starts the CVE-only check.
Uses Task Scheduler COM with an interactive current-user token, similar to creating “When I log on” in the Windows Task Scheduler UI.
.\Install-ScantideLocalWatch.ps1 -AtLogon $trueFor environments that prefer predictable timing, create a daily task instead of a logon trigger.
.\Install-ScantideLocalWatch.ps1 -AtLogon $false -Daily $true -RunAt "09:00"Remove the scheduled task, optional daily task and the generated ProgramData runner files.
.\Remove-ScantideLocalWatch.ps1 -RemoveProgramDataThe current Auditor PowerShell package documents the newer launcher and report behavior: default favicon evidence, helper-based favicon retrieval, clearer startup checks and launcher fixes for settings validation and command preview display.
HTTP and HTTPS rows try favicon evidence automatically. If an icon is found, the report embeds it. If not, the report shows a readable status such as 404, timeout or ReceiveFailure.
ScantideLAN.ps1 keeps favicon byte retrieval outside the main scanner. ScantideFaviconHelper.ps1 performs the small standalone favicon fetch and returns JSON to the scanner.
The launcher startup checks now use green OK messages for files and settings that are present and red warnings/errors when required companion files are missing.
ScantideLauncher.ps1, ScantideLAN.ps1, ScantideHelper.ps1, ScantideRadioHelper.ps1, ScantidePortHelper.ps1, ScantideCredentialManager.ps1, ScantideFaviconHelper.ps1 and oui.csv together in the same folder.
The launcher can save Scantide email/API key and ServiceNow username/password locally in Windows Credential Manager. This keeps secrets off the command line and avoids plain-text configuration files while still making repeat scans easy for administrators.
Credentials are stored under the current Windows user/computer using Windows Credential Manager entries such as ScantideAuditor.Api and ScantideAuditor.ServiceNow.
The GUI launcher can save/update stored values and remove them again. Startup logs show whether saved credentials were found without printing the actual API key or password.
Enter a short hosted instance name such as examplecompany to use https://examplecompany.service-now.com, or paste a full internal/custom URL to use that exact URL.
For most Windows administrators, ScantideLauncher.ps1 is now the easiest starting point. It wraps the PowerShell scanner in a graphical interface, detects the local network at startup, explains scan options, checks the scanner version feed, and can download or update the companion files when needed.
Choose the network, CIDR size, CVE/API settings, CMDB comparison, local discovery, Wi-Fi/radio checks and output options without remembering every command-line switch.
The launcher can download the main scanner, helpers, radio helper, port/profile helper, Credential Manager helper and OUI vendor file. That means users can download only the launcher first and let it fetch the rest later.
The launcher includes a manual tab, Scantide tool overview, subnet calculator, ping, nslookup, traceroute and offline port/protocol lookup helpers for local auditing workflows.
ScantideLauncher.ps1 if you prefer checkboxes and guided setup. Use ScantideLAN.ps1 directly when you want automation, scheduled runs or command-line control.
The script is intended for administrators, security teams, infrastructure teams, and asset owners who need a practical view of internal network exposure without installing agents or running intrusive tests.
Scan approved internal ranges to see which hosts respond, which common services are reachable, and which systems may need follow-up.
Compare discovered hosts against known asset data so teams can spot missing, stale, or unexpected records.
Create HTML reports that show the facts: host, port, title, banner, TLS subject, certificate names, CMDB status, and timestamps.
Many companies have more systems online than they think. Some are old test servers, forgotten admin portals, temporary devices, printers, appliances, or servers that were never added correctly to the asset inventory. Scantide helps turn that uncertainty into a list you can actually review. The radio discovery add-on also shows what the scan workstation can see nearby over Wi-Fi and Bluetooth.
If a device is reachable but not listed in the CMDB, nobody may be responsible for patching it, monitoring it, backing it up, or removing it when it is no longer needed.
A host that only responds to HTTPS is different from a host exposing FTP, old web admin pages, remote access services, or mail protocols. The report helps you see what is actually reachable.
TLS certificates often show hostnames, service names, expiry dates, and ownership hints. This can help find forgotten systems or certificates that need renewal.
A port number alone is not always helpful. Capturing the web server title and basic response information makes it easier to identify what a service actually is.
When the scan finds something that is not in the inventory, the team can decide whether to register it, investigate it, or remove it.
The goal is not only to find things. The goal is to create evidence that helps infrastructure, operations, and security teams agree on what needs attention.
Exact checks depend on the version and options you enable, but the PowerShell auditor is designed around practical asset and service evidence.
Review IP ranges and collect response evidence from hosts that appear reachable during the scan.
Check common ports and service responses such as HTTP, HTTPS, SSH, FTP, SMTP, DNS, IMAP, POP3, and custom configured ports.
Inspect visible certificate fields such as subject, issuer, DNS names, expiry dates, and certificate mismatch clues.
Collect basic web evidence such as status, title, server header, redirects, and HTTP/HTTPS availability where available.
Optionally evaluate nearby Wi-Fi networks, Wi-Fi Direct candidates and Bluetooth/BLE observations, including channel congestion, security mode, vendor/OUI hints and rogue/evil-twin indicators.
Mark discovered hosts as known or not found in the asset inventory when CMDB integration data is available.
Include scan date, network range, duration, and report context so results can be compared over time.
Generate a visual report that can be shared with operations teams, system owners, or audit stakeholders.
Focus on observable network and service data rather than exploitation, credential attacks, or intrusive vulnerability testing.
A finding does not automatically mean something is dangerous. It means there is evidence worth understanding. The report is designed to help teams decide what to verify, document, patch, or remove.
Run the script from a Windows machine or server that is allowed to reach the target network range. Use an account and location that match your organization’s scanning policy.
ScantideLAN.ps1, ScantideHelper.ps1, ScantideRadioHelper.ps1, and oui.csv into the same folder. The helpers are intentionally separate so local multicast and radio discovery stay transparent and easier to review. The OUI CSV is kept local so MAC/BSSID vendor enrichment works offline.
$dest = Join-Path $env:USERPROFILE 'Downloads\ScantideAuditor'
New-Item -ItemType Directory -Path $dest -Force | Out-Null
$base = 'https://www.scantide.com/helpfiles'
$files = @(
@{ Name = 'ScantideLauncher.ps1'; Url = "$base/ScantideLauncher.ps1" },
@{ Name = 'ScantideLAN.ps1'; Url = "$base/ScantideLAN.ps1" },
@{ Name = 'ScantideHelper.ps1'; Url = "$base/ScantideHelper.ps1" },
@{ Name = 'ScantideRadioHelper.ps1'; Url = "$base/ScantideRadioHelper.ps1" },
@{ Name = 'ScantidePortHelper.ps1'; Url = "$base/ScantidePortHelper.ps1" },
@{ Name = 'ScantideCredentialManager.ps1'; Url = "$base/ScantideCredentialManager.ps1" },
@{ Name = 'oui.csv'; Url = "$base/oui.csv" }
)
foreach ($file in $files) {
$target = Join-Path $dest $file.Name
Write-Host "Downloading $($file.Name)..." -ForegroundColor Cyan
Invoke-WebRequest -Uri $file.Url -OutFile $target -UseBasicParsing -TimeoutSec 45
Unblock-File -LiteralPath $target -ErrorAction SilentlyContinue
}
Write-Host ""
Write-Host "Downloaded Scantide Auditor PowerShell files to: $dest" -ForegroundColor Green
Write-Host "Example:" -ForegroundColor Yellow
Write-Host " cd `"$dest`""
Write-Host " .\ScantideLauncher.ps1"
Write-Host " .\ScantideLAN.ps1 -Network 192.168.0.0/24 -PortProfile Standard"
Write-Host " .\ScantideLAN.ps1 -Network 192.168.0.0/24 -PortProfile Hypervisor"
Write-Host " .\ScantideLAN.ps1 -Network 192.168.0.0/24 -EnableRadioDiscovery"
Write-Host " .\ScantideLocalCheck.ps1 -CheckLevel Basic"
Write-Host " .\ScantideLocalCheck.ps1 -CheckLevel Advanced"
Write-Host " .\Install-ScantideLocalWatch.ps1 -AtLogon $true"
Write-Host " .\Install-ScantideLocalWatch.ps1 -AtLogon $false -Daily $true -RunAt \"09:00\""Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
cd "$env:USERPROFILE\Downloads\ScantideAuditor"
.\ScantideLAN.ps1 -Network 10.24.48.0/24
.\ScantideLAN.ps1 -Network 10.24.48.0/24 -EnableRadioDiscoveryScantide Auditor PowerShell is designed for authorized internal network discovery, Windows network inventory, ServiceNow CMDB comparison, exposed service review and HTML evidence reports. These are the situations where it gives the most value.
Run a controlled PowerShell network scan against a known subnet to find live hosts, open ports, DNS names, reverse DNS, web titles, certificates and MAC/vendor evidence.
Compare discovered systems with CMDB data to highlight reachable devices that are missing, stale, renamed or assigned to the wrong owner.
Find internal HTTPS portals, certificate expiry issues, weak documentation clues, login pages, unexpected redirects and server banners that need ownership review.
Add optional Wi-Fi, Wi-Fi Direct and Bluetooth/BLE discovery to support local branch-office reviews, duplicate SSID checks and nearby radio inventory.
Create an evidence baseline before an internal audit, ISO 27001 review, cyber insurance questionnaire, firewall cleanup or server decommissioning project.
Use Windows Credential Manager for Scantide API and ServiceNow credentials so secrets stay local to the Windows user/computer and are not saved in plain text.
Open a real-world style Scantide Auditor HTML report to see the kind of evidence produced: discovered hosts, open services, web details, TLS certificate information, DNS/PTR status, CMDB-style review points and readable explanations.
View anonymized example reportThe PowerShell script is most useful when the goal is to create a practical inventory and exposure baseline for internal networks.
Check that important systems are known, documented, and not exposing unexpected services before an external or internal review.
Run a comparison after migrations, firewall changes, segmentation work, VLAN changes, or server cleanup projects.
Find systems that exist on the network but are missing, outdated, or incorrectly represented in the asset inventory.
Find certificates that are expired, near expiry, incorrectly named, or attached to services that nobody recognizes.
Identify old services such as FTP, legacy admin pages, or unexpected mail services that may need retirement or restriction.
Use -EnableRadioDiscovery during authorized local checks to record nearby Wi-Fi, possible rogue/evil-twin indicators, Wi-Fi Direct candidates, Bluetooth observations and channel congestion statistics.
Create a clear report that helps different teams agree on what is known, what is unknown, and what needs action.
A good report should not just say that something was found. It should help the team understand what the finding means and what to do next.
Scantide Auditor PowerShell is built for authorized visibility. It should be used only on networks where you have permission to perform inventory and exposure review.
Run it only against networks you own, manage, or are explicitly authorized to assess.
The scanner is not intended for password guessing, brute forcing, exploitation, or bypassing access controls.
Use the report to improve asset ownership, CMDB accuracy, certificate hygiene, firewall rules, and service cleanup.
Auditor findings become more useful when they are connected to known vulnerability context and infrastructure ownership/location context. The goal is prioritization and evidence, not automatic blame.
Open ports, service banners, web titles, certificates and server headers may reveal product or version hints that can be compared with CVE information. Treat this as a pointer for follow-up: a visible version may be wrong, patched by backporting, hidden behind a proxy, or not exploitable in the local configuration.
For internal and branch-office reviews, provider, country, ASN, cloud region, mail routing and external dependencies can matter. These signals help teams understand whether systems depend on unexpected providers, regions or legal environments, especially where policy, compliance or data-residency requirements apply.
No. It is an inventory and exposure review script for authorized internal networks. It collects observable service and metadata evidence so administrators can clean up and document their environment.
No. Many open ports are normal. The important question is whether the service is expected, documented, patched, restricted, and owned by the right team.
If a system is reachable but not in the asset inventory, it can be missed by patching, monitoring, backup, lifecycle management, and incident response processes.
They help humans identify systems faster. A hostname, web title, certificate subject, or DNS name can reveal whether the service belongs to a known application, old project, appliance, or test environment.
No. It is better viewed as a visibility, inventory, and evidence tool. It can help decide where deeper vulnerability review is needed, but it is not a replacement for full vulnerability management.
Yes. The output is meant to be readable by operations, infrastructure, application owners, and asset managers. The point is to make cleanup and ownership discussions easier.
The current launcher lets the user enter an IP range, then choose a scan profile. If they do not choose anything else, Standard runs. That keeps the normal ScantideLAN behavior as the safe default while still offering focused checks for specific audit questions.
The recommended default profile for routine LAN inventory. It keeps the proven ScantideLAN port set and covers common web, Windows, remote access, database and hypervisor/admin surfaces.
A lighter first pass for large ranges or quick reachability checks. Use it when speed matters more than full service coverage.
Focuses on virtualization and management surfaces such as VMware ESXi/vCenter, Hyper-V, Proxmox VE, Xen/XCP-ng style hosts, Nutanix Prism, libvirt and console-related ports.
Focuses on data services such as Microsoft SQL Server, MySQL/MariaDB, PostgreSQL, Oracle, Redis, MongoDB, Elasticsearch and Memcached.
Finds protocols that may expose credentials/content or are often phase-out candidates, such as FTP, Telnet, HTTP, POP3, IMAP, SNMP v1/v2c, TFTP and legacy discovery services.
Broader profiles for focused exposure reviews. They can be useful, but are intentionally more noisy. Use Standard first, then move to a focused profile when the report suggests it.
The Tools tab is meant for quick checks that help the user understand the scan range or interpret a result. These tools do not start a full Scantide scan unless the user explicitly uses the scan-range button.
Shows network, broadcast, usable range, netmask and approximate host count from an IP/CIDR or netmask. Useful before scanning a routed or unfamiliar subnet.
Runs local Windows network tools for reachability, DNS resolution and routing path checks. These are quick helper checks, not full scan results.
Offline lookup powered by ScantidePortHelper.ps1. Users can type 25, smtp, telnet or tcp/8006 and get the usual service, risk, encryption notes, comments, warnings and recommendations.
The PowerShell manual explains prerequisites, safe scanning scope, common parameters, report interpretation, CMDB comparison, troubleshooting, and recommended operating practices for internal network reviews.
Use the manual when deploying the script for the first time, explaining the report to colleagues, or standardizing how internal scans should be run and documented.
Open PowerShell manualThe guide covers how to choose a network range, understand discovered hosts, read evidence rows, compare against asset inventory, and turn findings into cleanup actions.
Scantide Auditor PowerShell focuses on internal networks. Scantide Observe focuses on website privacy and browser-visible behavior. Scantide Observe Mobile brings similar visibility to Android. Together they help explain what systems, websites, and services are doing in a way people can act on.
Scantide is split into focused tools so the right audience gets the right kind of evidence quickly. Use Observe for live website behavior, Online for public domain checks, Dashboard for monitoring, and Auditor when you need authorized internal network visibility.
For Chrome, Edge, Brave and Firefox. Shows trackers, cookies, scripts, security headers, forms, contacted hosts and browser-visible website risk while you browse.
Open Observe guideFor Android users who want to share a URL from a browser or app and understand website privacy, scripts, trackers, infrastructure and jurisdiction context on mobile.
Open Observe MobileFor quick public-domain checks. Reviews visible TLS, DNS, headers, redirects, services, provider and jurisdiction signals for a website or domain.
Run single scanFor teams that need recurring certificate and domain visibility, status views, uploaded domain lists, expiry warnings and evidence history.
Open dashboard loginFor Windows admins reviewing authorized internal networks. Finds reachable hosts, visible services, web responses, TLS clues and CMDB gaps in clear HTML reports.
Open PowerShell AuditorFor mobile field checks and quick local network visibility. Useful for Wi-Fi review, nearby network context and on-site authorized infrastructure checks.
Open Android Auditor