This manual explains how to use the Scantide Auditor PowerShell network scanner to review your own networks, discover reachable hosts, identify exposed services, inspect web and TLS evidence, compare findings with CMDB data, and export clear reports that administrators can actually act on. The current build can also add nearby Wi-Fi, Wi-Fi Direct and Bluetooth/BLE observations as a separate local radio discovery section.
This page remains the manual for the PowerShell Auditor launcher and internal network scanning workflow. Local endpoint posture has grown into a separate workflow, so it now has its own page.
Use this manual for ScantideLauncher.ps1, ScantideLAN.ps1, scan profiles, CMDB comparison, radio discovery, list files, reports, port helper and LAN troubleshooting.
Continue with network scanner manualUse the separate Local Device Check page for ScantideLocalCheck.ps1, Basic/Advanced endpoint posture, Local Watch, Task Scheduler COM, CVE-only watch and the anonymized local device report.
Open Local Device Check pageVersion 3.5.166 brings the documentation up to the current Auditor workflow: LAN discovery, local endpoint posture checks, CVE-only Local Watch, Task Scheduler COM creation, report filtering and cleaner removal.
| Area | Current behavior | Why it matters |
|---|---|---|
| Local Watch | CVE-only mode using ScantideLocalWatchRunner.ps1, -CveParallelism 8 and -ToastOnSuccess. | Keeps the background check small, focused and easy to explain. |
| Task creation | Uses Task Scheduler COM API with TASK_LOGON_INTERACTIVE_TOKEN and least-privilege run level. | Matches the GUI-style “When I log on” current-user task model better than forcing schtasks.exe /Create. |
| Startup fallback | No registry Run fallback. | Avoids persistence-style noise that could trigger EDR suspicion. |
| Daily scheduling | Supports -AtLogon $false -Daily $true -RunAt "09:00". | Allows a specific check time where policy permits scheduled tasks. |
| Remove Watch | Deletes the logon task, daily task and optionally ProgramData\Scantide. | Cleaner uninstall and easier testing. |
| Local reports | Dynamic sections, filters, export, clear notes, event log errors and highlighted software CVE review leads. | Reports are easier to read and easier to act on. |
The Local Device Check workflow is large enough to stand on its own: endpoint posture, installed-software CVE review, Local Watch, scheduled task behavior, Credential Manager reuse and anonymized local device report.
Use this for ScantideLocalCheck.ps1, Basic/Advanced checks, Local Watch and endpoint report examples.
Open Local Device CheckUse the anonymized local device report when publishing examples or explaining local endpoint evidence.
View anonymized Local Device report
ScantideLocalCheck.ps1 reviews the Windows computer where it runs. Use it when you need local posture evidence,
not a network scan. Run elevated for fuller evidence; non-admin runs are still useful but some checks will be marked limited.
Best for quick posture evidence: system, network, external IP, firewall, AV, updates, software inventory, CVEs, shares, printers, listening ports, SMB, RDP, BitLocker, users, UAC, PowerShell, startup, Secure Boot/TPM, risky firewall rules and recent event log errors.
.\ScantideLocalCheck.ps1 -CheckLevel BasicIncludes Basic plus deeper local checks for Wi-Fi profiles, certificates, browser extensions, remote access tools, developer/admin tools, scheduled tasks, writable services, PATH hijack, USB storage, proxy/VPN, LAPS, credential exposure, browser posture, security baseline, remote management, audit logging, recovery posture, device control, update policy and ghost devices.
.\ScantideLocalCheck.ps1 -CheckLevel AdvancedLocal device scans are different from LAN scans. A LAN scan looks outward at reachable hosts and services. A local device scan looks inward at the Windows computer running Scantide. Use it for workstation/server posture evidence, audit preparation, troubleshooting, and recurring installed-software CVE awareness.
Computer name, signed-in user context, OS details, hardware basics, uptime, admin scope and whether checks were limited by non-admin execution.
Firewall state, antivirus/Defender visibility, update posture, UAC, PowerShell logging policy, Secure Boot/TPM, BitLocker and recovery posture where available.
Installed software is normalized and checked against Scantide CVE intelligence. Matches are review leads and should be verified against exact product, version and build.
Listening TCP ports, SMB/RDP posture, shares, printers, remote management, proxy/VPN hints and service context enriched through the port helper.
USB storage history, ghost devices, Wi-Fi profiles, certificates and browser posture help show what has been connected or configured locally.
Risky firewall rules, writable services, PATH hijack candidates, scheduled tasks, startup items and recent Application/System event log errors are surfaced as evidence.
| Mode | Use when | Typical command |
|---|---|---|
| Basic | Quick endpoint posture evidence with the most common security and inventory checks. | .\ScantideLocalCheck.ps1 -CheckLevel Basic |
| Advanced | Deeper local audit with browser, certificates, remote access tools, device history, credential exposure, audit/logging and hardening checks. | .\ScantideLocalCheck.ps1 -CheckLevel Advanced |
| CVE Watch | Small scheduled installed-software CVE review only. Does not run the full local report. | .\ScantideLocalCheck.ps1 -Mode CveWatch -UseSavedScantideCredentials -CveParallelism 8 -ToastOnSuccess |
Local Watch only checks installed software against Scantide CVE intelligence. It is meant to provide a lightweight recurring signal, not to replace patch management, EDR, antivirus or vulnerability management.
Creates a Windows scheduled task using Task Scheduler COM API and an interactive current-user token.
.\Install-ScantideLocalWatch.ps1 -AtLogon $trueUse this when the check should run at a predictable time instead of at logon.
.\Install-ScantideLocalWatch.ps1 -AtLogon $false -Daily $true -RunAt "09:00"The task launches a short runner script to avoid command-length problems. The runner starts ScantideLocalCheck.ps1 -Mode CveWatch with saved credentials, -CveParallelism 8 and -ToastOnSuccess.
ScantideLocalCheck.ps1 -Mode CveWatch -UseSavedScantideCredentials -SkipExternalIpReputation -CveBatchSize 5 -CveParallelism 8 -ToastOnSuccessRemove the logon task, optional daily task and generated ProgramData files.
.\Remove-ScantideLocalWatch.ps1 -RemoveProgramDataThe old ScantideLAN manual was useful, but it used older naming, older graphics, a few encoding-problem characters, and some wording that sounded more like vulnerability assessment than practical inventory and exposure review. This updated version focuses on the current Scantide Auditor direction.
The wording now describes authorized internal visibility, service evidence, certificates, and CMDB comparison instead of broad or scary security claims.
The old purple dashboard style has been replaced with the newer dark hero, rounded cards, evidence badges, and cleaner Scantide visual language.
Every major finding now explains why it matters for a normal administrator, not only for a technical security specialist.
The current package documents the latest launcher and report behavior: default favicon evidence, an EDR-friendlier favicon helper, larger embedded icons, readable favicon status explanations and corrected launcher startup/run helpers.
HTTP and HTTPS services try root /favicon.ico evidence by default. Icons are embedded when found; otherwise the report keeps the status as evidence.
The report explains common results: 404 means no icon at that path, 403 means access denied, 405 means method rejected, and timeout means the check was skipped to keep the scan fast.
The launcher now keeps Validate-Settings, Build-ScannerArguments and Build-DisplayCommand available, masks sensitive values in command previews and shows clearer startup OK/WARN/ERROR messages.
ScantideLauncher.ps1 is the graphical front end for Scantide Auditor PowerShell. It is useful when a user wants guided local network auditing without memorizing every command-line parameter. The command-line script is still the right choice for automation, scheduled scans and repeatable scripted workflows.
At launch, it shows what it is doing, detects the active local IPv4 network, calculates the CIDR, and fills the Quick Scan page so the user can review the range before scanning.
The Quick Scan, Discovery, Radio/Wi-Fi and ServiceNow/CMDB tabs map directly to the same scanner features that can be enabled from the command line.
The start page can check the version feed, show what changed, and download or update the scanner, local helper, radio helper, port/profile helper, Credential Manager helper, favicon helper and OUI file.
| Launcher option | Command-line equivalent | What it means |
|---|---|---|
| Network / CIDR field | -Network 192.168.1.0/24 | Sets the subnet or range the scanner should review. |
| CIDR dropdown | Part of -Network | Helps users choose /24, /21, /16 and other notations while showing host-count meaning. |
| Port profile dropdown | -PortProfile Standard, -PortProfile Hypervisor, etc. | Chooses the port set used by the scan. If unchanged, Standard runs as the recommended default. |
| Extra ports field | -ExtraPorts 10443 50000 | Adds vendor-specific or custom ports to the selected profile. |
| CVE lookup status | -Email and -ApiKey | Shows whether CVE context can be checked through the Scantide API. |
| Check CMDB | ServiceNow/CMDB parameters | Sends the user to the ServiceNow/CMDB tab to enter instance and authentication details before comparison. |
| Local discovery checkboxes | -EnableAllLocalDiscovery, mDNS, SSDP/UPnP, WS-Discovery options | Enables optional on-link discovery evidence for local inventory. |
| Radio / Wi-Fi checkboxes | -EnableRadioDiscovery and related radio options | Adds nearby Wi-Fi, Wi-Fi Direct and Bluetooth/BLE observations when the helper is available. |
| Favicon evidence | Automatic for HTTP/HTTPS rows | Scantide calls ScantideFaviconHelper.ps1 by default. Found icons are embedded; non-icon responses show statuses such as 404, 405, timeout or ReceiveFailure. |
| Tools tab | Standalone local helper tools | Provides subnet calculator, ping, nslookup and traceroute for local audit preparation. |
ScantideLauncher.ps1 as the first download for normal users. They can open it, read the built-in manual, and download the rest of the package from the launcher when they are ready to scan.
ScantideLauncher now separates the target range from the scan profile. The user enters an IP range, then chooses what kind of port coverage they want. Standard remains the default and is the best first run for most internal network audits.
| Profile | Use it for | Plain-language explanation |
|---|---|---|
| Standard | Normal first scan | Recommended default. Covers the common ScantideLAN services without turning every run into a broad port sweep. |
| Quick | Fast first look | Smaller and faster profile for large ranges or quick checks where you want early visibility before deeper scanning. |
| Hypervisor | Virtualization infrastructure | Looks for VMware, Hyper-V, Proxmox, Xen/XCP-ng style hosts, Nutanix, libvirt and console/management ports. |
| Database | Data service exposure | Looks for MSSQL, MySQL/MariaDB, PostgreSQL, Oracle, Redis, MongoDB, Elasticsearch, Memcached and similar data services. |
| Cleartext | Unencrypted protocol review | Finds ports commonly associated with plaintext or optionally encrypted protocols, such as FTP, Telnet, HTTP, POP3, IMAP, SNMP and TFTP. |
| Obsolete | Legacy cleanup | Focuses on old services that are often candidates for retirement or replacement. |
| Dangerous | Segmentation review | Focuses on services that can be high-impact if exposed too broadly, such as SMB, RDP, WinRM, Docker API, Redis, MongoDB, Kubernetes API and admin surfaces. |
| RemoteAccess | Interactive access review | Looks for SSH, RDP, VNC, WinRM and VPN-style access points. |
| WebAdmin | Dashboards and admin portals | Looks for common web admin interfaces and alternate HTTPS/HTTP ports such as 8006, 8080, 8443, 9090, 9440 and 9443. |
| Discovery | Infrastructure mapping | Looks for DNS, DHCP, NetBIOS, SNMP, RPCbind, NTP and related discovery/infrastructure signals. |
| Admin | Broader admin surfaces | Combines many admin, control-plane, infrastructure, cloud/container and hypervisor surfaces. More review items than Standard. |
| Extended | Broader common protocol audit | More complete than Standard but slower and noisier. Use when you need deeper common-port coverage. |
| Known | All curated Scantide ports | Scans every port that has curated metadata in ScantidePortHelper.ps1. |
| All | Advanced full TCP range | Scans TCP 1-65535. This can be slow on large ranges and should be used deliberately. |
Standard first, review the report, then run focused profiles such as Hypervisor, Database, Cleartext or Dangerous when the first scan suggests a specific question.
The Tools tab contains small helper tools for understanding a target range or interpreting a result. These tools are intentionally separate from the full scan workflow.
Calculates network address, broadcast, netmask, first/last usable host and approximate host count. Use it to verify that the range typed into Quick Scan is correct.
Copies the current Quick Scan Network / CIDR value into the subnet calculator so the user can check it before scanning.
Runs the local Windows ping tool. No reply does not always mean offline because many networks block ICMP.
Runs a local DNS lookup so the user can see what name resolution returns from their current machine and DNS configuration.
Runs Windows tracert to show the routing path. Firewalls may hide or block hops, so treat it as routing evidence, not a complete network map.
Resolves a hostname/IP, calculates the surrounding network and fills the Quick Scan range. Good when starting from one known server.
Offline reference lookup powered by ScantidePortHelper.ps1. Examples: 25 to SMTP, smtp to TCP/25, telnet to TCP/23 with warnings, tcp/8006 to Proxmox VE.
Clears the tool output area. It does not remove reports or change scan settings.
The Advanced tab includes an unblock button. The launcher also unblocks companion Scantide scripts at startup and after downloading files where possible.
Scantide Auditor PowerShell is an agentless script for administrators who need a practical view of what is reachable inside their own network. It does not try to exploit systems. It collects observable evidence and turns it into an HTML report.
Finds reachable systems in a subnet or list of networks so you can compare expected assets with what actually responds.
Checks common ports such as web, SSH, FTP, SMTP, DNS, RDP, and alternate web ports where supported by your script build.
Reviews visible certificate details such as subject, SAN names, issuer, and expiration dates on TLS-enabled services.
When enabled, compares discoveries against CMDB or ServiceNow-style inventory data to highlight known and unknown assets.
A network scan report is only useful if people understand what to do with it. These explanations are written for administrators, operations teams, and managers who need clear risk context without exaggerated fear.
An unknown host may be a legitimate device, a forgotten test system, a printer, a VM, or something that was never added to inventory. It deserves review because unmanaged assets often miss patching, ownership, monitoring, and backup routines.
An open port is not automatically bad. It means a service is reachable. The important question is whether that service should be reachable on that network and whether the owning team knows about it.
Web titles, server headers, redirects, and response clues help identify admin panels, appliances, legacy portals, default pages, and services that may otherwise be hard to recognize from an IP address alone.
Expired or soon-expiring certificates can break services, confuse users, and create avoidable incidents. Certificate subjects and SAN names can also reveal what a host was intended to be.
If a device is reachable but not in CMDB, it may be outside normal change, patch, ownership, or lifecycle processes. This is often one of the most useful operational findings.
One scan gives a snapshot. Repeated scans show change: new devices, disappeared hosts, new exposed services, or certificates that are getting close to expiry.
Use these examples as starting points for authorized internal network inventory, PowerShell network audits, ServiceNow CMDB comparison, certificate review and local radio discovery. Start small, validate the report, then expand scope.
Use this when you want a fast baseline of live hosts, open ports, DNS/PTR names, web titles and certificate clues on a known network.
.\ScantideLAN.ps1 -Network 192.168.10.0/24Use saved ServiceNow credentials from Windows Credential Manager so the password is not passed in clear text on the PowerShell command line.
.\ScantideLAN.ps1 -Network 192.168.10.0/24 -CheckServiceNow -SNOWInstance examplecompany -UseSavedServiceNowCredentialsUse locally saved Scantide email/API key values for CVE or enrichment features without typing them each time.
.\ScantideLAN.ps1 -Network 192.168.10.0/24 -UseSavedScantideCredentialsUse this from an approved workstation when you also want nearby Wi-Fi, Wi-Fi Direct candidates and Bluetooth/BLE observations in a separate report section.
.\ScantideLAN.ps1 -Network 192.168.10.0/24 -EnableRadioDiscoveryThe sample report shows how Scantide Auditor presents internal survey evidence in a browser: summary cards, host rows, open service details, certificate data, web observations, DNS/PTR status, CMDB review points and guidance text for cleanup.
View anonymized example reportScantide Auditor can use Windows Credential Manager for locally stored Scantide API credentials and ServiceNow credentials. This is optional, local to the Windows user/computer, and intended to prevent secrets from being stored in plain text or echoed in command previews.
| Credential target | Username field | Password field | Purpose |
|---|---|---|---|
ScantideAuditor.Api | Scantide email | Scantide API key | CVE/enrichment access where applicable. |
ScantideAuditor.ServiceNow | ServiceNow username | ServiceNow password or token | CMDB comparison without passing the password on the command line. |
ScantideAuditor.ServiceNow.Instance | instance | Short instance name or full URL | ServiceNow location used by the launcher/scanner. |
examplecompany to use https://examplecompany.service-now.com. Enter https://servicenow.internal.example to use a custom or locally hosted URL exactly as entered.
Use this flow when you simply want to run a safe authorized inventory scan and produce the first HTML report.
Download the launcher, main scanner, local discovery helper, radio helper, port/profile helper, optional Credential Manager helper, favicon helper and OUI vendor cache, then save them in a dedicated folder, for example C:\ScantideAuditor\. Keep these files together so the launcher and scanner can find the helpers.
Administrator rights are not always required for basic TCP checks, but they reduce friction and help with local policy and network behavior on managed Windows systems.
If Windows blocks unsigned local scripts, use a temporary session-level policy instead of changing the whole machine permanently.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy BypassStart with a small known subnet before scanning larger ranges. This makes it easier to verify output, timing, firewall noise, and report readability.
cd C:\ScantideAuditor
.\ScantideLAN.ps1 -Network "192.168.1.0/24" -PortProfile Standard
.\ScantideLAN.ps1 -Network "192.168.1.0/24" -PortProfile Hypervisor
.\ScantideLAN.ps1 -Network "192.168.1.0/24" -EnableRadioDiscoveryThe report is normally created with a timestamped filename such as NetworkScan_YYYYMMDD_HHMMSS.html. Review unknown hosts, open services, web evidence, certificates, and CMDB status first.
Exact parameters can vary between builds, but the current Scantide Auditor PowerShell family usually follows this model. Keep the manual aligned with the actual script header before publishing.
| Parameter | Purpose | Example |
|---|---|---|
-Network |
Scan one CIDR range. | -Network "10.24.48.0/24" |
-List |
Read multiple networks or hosts from a text file, one entry per line. | -List ".\networks.txt" |
-PortProfile |
Chooses the scan profile/port set. If omitted, Standard is used. | -PortProfile Standard or -PortProfile Hypervisor |
-ExtraPorts |
Adds custom ports to the selected profile. | -ExtraPorts 10443 50000 |
-PortHelperPath |
Overrides the path to ScantidePortHelper.ps1 when it is not beside the scanner. |
-PortHelperPath ".\ScantidePortHelper.ps1" |
-Email |
Identify the licensed user when API-backed or Pro features are enabled. | -Email "admin@example.com" |
-ApiKey |
Enable Scantide-backed enrichment or licensed features where supported. | -ApiKey "YOUR_KEY" |
-EnableRadioDiscovery |
Runs the radio discovery add-on once per report. Includes Wi-Fi, Wi-Fi Direct candidate and Bluetooth/BLE observations where supported. | -EnableRadioDiscovery |
-EnableWifiDiscovery |
Runs only nearby Wi-Fi discovery and security evaluation. Useful when you want radio context without Bluetooth checks. | -EnableWifiDiscovery |
-EnableWifiDirectDiscovery |
Looks for Wi-Fi Direct-style candidates, including DIRECT-* SSIDs and related adapter/device hints. | -EnableWifiDirectDiscovery |
-EnableBluetoothDiscovery |
Collects known Bluetooth inventory and attempts BLE observation where the Windows/PowerShell platform supports it. | -EnableBluetoothDiscovery -RadioDiscoverySeconds 10 |
-RadioDiscoverySeconds |
Controls how long the radio helper should spend on timed radio discovery operations. | -RadioDiscoverySeconds 8 |
-RadioDiscoveryHelperPath |
Overrides the helper path when ScantideRadioHelper.ps1 is not in the same folder as the main script. |
-RadioDiscoveryHelperPath ".\ScantideRadioHelper.ps1" |
-ImportRadioDiscoveryJson |
Imports previously captured radio discovery JSON instead of running a fresh helper scan. | -ImportRadioDiscoveryJson ".\radio.json" |
-ExpectedTrustedWifiSsids |
Supplies known SSIDs so rogue/evil-twin heuristics can flag mismatched security, vendors or BSSID patterns more clearly. | -ExpectedTrustedWifiSsids "CorpWiFi","CorpGuest" |
-DisableRadioDiscovery |
Explicitly disables the radio add-on even if a wrapper or saved command would otherwise enable it. | -DisableRadioDiscovery |
| CMDB options | Some builds include ServiceNow or CMDB connection settings. Use these only with a read-only account where possible. | -ServiceNowInstance, -CmdbToken, or build-specific equivalents |
| Output options | Some builds allow custom output paths or report naming. If not, reports are created in the script directory. | -OutputPath "C:\Scans" if supported |
Best for normal recurring scans, troubleshooting, or checking a VLAN.
.\ScantideLAN.ps1 -Network "10.24.48.0/24" -PortProfile StandardBest for scheduled scanning across several known networks.
# networks.txt
10.24.48.0/24
10.24.49.0/24
10.24.50.0/24
.\ScantideLAN.ps1 -List ".\networks.txt" -PortProfile StandardRadio discovery is optional and is rendered as a separate add-on section below the normal network scan results. It records what the scan workstation can see nearby rather than treating Wi-Fi or Bluetooth observations as normal IP service rows.
Captures SSID/BSSID, channel, band, signal, authentication, encryption, vendor/OUI hints and security classification where Windows exposes the data.
Flags duplicate SSIDs with mismatched security, multiple AP vendors, locally administered/randomized BSSIDs, weak/open variants and expected corporate SSIDs that look inconsistent.
Adds Wi-Fi analytics cards for channel use, band distribution, security mode mix and congestion level so site surveys are easier to explain.
Looks for DIRECT-* networks, printer/mobile hotspot style names and adapter evidence that can indicate peer-to-peer wireless exposure.
Collects known Bluetooth inventory and BLE-style observations where the Windows platform allows it. Windows PowerShell 5.1 may report live BLE scanning as unavailable instead of throwing an error.
Uses the local oui.csv cache for MAC/BSSID vendor matching without sending internal identifiers to external services.
# Full radio add-on
.\ScantideLAN.ps1 -Network "10.24.48.0/24" -EnableRadioDiscovery
# Wi-Fi only
.\ScantideLAN.ps1 -Network "10.24.48.0/24" -EnableWifiDiscovery
# Expected SSIDs for stricter rogue/evil-twin hints
.\ScantideLAN.ps1 -Network "10.24.48.0/24" -EnableWifiDiscovery -ExpectedTrustedWifiSsids "CorpWiFi","CorpGuest"The script uses a staged flow so the report can explain where each finding came from. The exact phases may vary by version, but the logic is generally the same.
The script expands the selected network or reads the list file. Large networks should be split into smaller ranges for cleaner output.
Reachability checks identify likely live hosts. Some networks block ping, so TCP results can still reveal active systems.
Common ports are checked with timeouts. This is evidence of reachable services, not proof that the service is unsafe.
Where web services respond, the script can collect titles, server hints, status codes, and redirect clues.
For TLS-enabled services, certificate data helps identify ownership, names, expiry, and obvious maintenance issues.
The final HTML report is designed for sorting, filtering, review, and sharing with asset owners.
Scantide checks favicons automatically for HTTP and HTTPS services. A favicon is not a vulnerability finding by itself, but it helps identify printers, appliances, NAS devices, admin portals and reused web stacks faster in the HTML report.
| Status | Plain-language meaning | How to read it |
|---|---|---|
200 | Found and embedded. | The favicon helper retrieved a valid image and Scantide embedded it in the report. |
404 | Not found. | The service answered, but there was no favicon at the tested /favicon.ico path. |
401 / 403 | Authentication required or access denied. | The service may require login or block unauthenticated favicon requests. |
405 | Method not allowed. | The device rejected the request method for the favicon path. This is common on some embedded web servers. |
timeout | Too slow to answer. | Scantide stopped waiting so favicon checks do not slow down the whole scan. |
ReceiveFailure / ConnectFailure | Transfer or connection failed. | The port was reachable, but the favicon transfer failed or the service closed the connection early. |
not-image | The response was not an image. | The URL answered with HTML, text or another non-image body instead of a favicon. |
helper-missing | Helper file was missing. | Keep ScantideFaviconHelper.ps1 in the same folder as ScantideLAN.ps1. |
ScantideFaviconHelper.ps1. The main scanner keeps the broader network scan logic separate from the small helper that follows the working standalone favicon-script model.
The easiest way to understand the value of Scantide Auditor is to look at a real report layout. The example report is anonymized, but keeps the structure of a real-world internal survey: summary cards, discovered assets, service exposure, TLS/web evidence, CVE review leads, radio observations where present, local device context and practical remediation notes.
Use this link in demos, documentation and customer discussions when you want to show the output without exposing a real customer network.
View anonymized reportThe report is the main deliverable. It should help you move from a raw scan to an action list: verify unknown hosts, fix inventory gaps, renew certificates, and remove services that should not be reachable.
| Report field | What it means | How to use it |
|---|---|---|
| IP address / hostname | The discovered endpoint and any resolved DNS name. | Use it to identify the owner, location, and expected role. |
| Open port | A network service responded on that port. | Confirm whether that service should be reachable from the scanned network. |
| Web title / server | Visible web page title, response clues, or server header where available. | Useful for recognizing appliances, portals, default pages, and forgotten admin interfaces. |
| Certificate subject / SAN | Names and identity information presented by a TLS certificate. | Use it to spot expired certificates, wrong hostnames, old systems, or ownership clues. |
| CMDB status | Whether the host appears in the connected inventory source. | Prioritize hosts marked not found in CMDB for ownership and lifecycle review. |
| Local radio discovery | Optional add-on rows for nearby Wi-Fi, Wi-Fi Direct candidates, Bluetooth/BLE observations, channel congestion and wireless security classification. | Use it for on-site Wi-Fi review, rogue/evil-twin hints, weak wireless configuration and local device visibility. |
| Scan duration / network | Summary metadata for when and where the report was created. | Important when comparing multiple reports or proving when a finding was observed. |
CMDB comparison is one of the most valuable parts of the Auditor workflow. It connects network reality with asset governance: what responds on the wire versus what the organization believes exists.
Systems that appear in CMDB are easier to route to an owner. The scan evidence can still reveal services or certificates that need maintenance.
These are often the most important rows. They may be legitimate but unmanaged, or they may be old lab systems, appliances, shadow IT, or stale infrastructure.
If the script connects to ServiceNow or another CMDB, use least-privilege read-only credentials and keep secrets outside shared screenshots and reports.
Use CVE and jurisdiction information as context for triage. It helps decide what to investigate first, but it does not replace verification by the system owner.
The script can collect clues such as open services, web titles, server headers, TLS certificate names and service banners. If those clues identify a product or version, they can be compared with known CVEs. Always confirm the real installed version and patch state before calling it a vulnerability.
For public-facing domains, cloud-hosted systems or services that depend on external providers, country, ASN, provider ownership and mail routing can matter. The purpose is to support governance and data-sovereignty review, not to label a provider or country as automatically good or bad.
Scantide Auditor PowerShell is intended for authorized internal visibility. It should be used on networks you own, administer, or have explicit permission to assess.
The best scan is not always the biggest scan. Smaller, predictable ranges usually produce cleaner reports and fewer operational surprises.
Use a /24 or smaller known range for the first run. Confirm that reports, sorting, and CMDB matching look right before expanding.
Break /16-style scopes into multiple /24 or /22 chunks. This is easier to schedule and easier to troubleshoot if one network behaves differently.
Shorter timeouts are faster but can miss slow services. Longer timeouts are more complete but increase total run time.
# Example: scan several smaller ranges instead of one huge scan
.\ScantideLAN.ps1 -Network "10.24.48.0/24"
.\ScantideLAN.ps1 -Network "10.24.49.0/24"
.\ScantideLAN.ps1 -Network "10.24.50.0/24"Scheduled scans are useful when you want to detect change over time: new hosts, new exposed services, disappearing systems, or certificates getting close to expiry.
Create a small wrapper script and call it from Windows Task Scheduler.
$ScriptPath = "C:\ScantideAuditor\ScantideLAN.ps1"
$Network = "10.24.48.0/24"
& $ScriptPath -Network $NetworkWeekly is often enough for normal internal visibility. Daily can be useful during cleanup projects, migrations, or CMDB remediation work.
Most problems fall into a few categories: execution policy, blocked traffic, DNS behavior, permissions, or services that do not speak standard HTTP/TLS even though a port is open.
Use a process-scoped execution policy for the current window.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy BypassPing may be blocked or routed differently. Confirm that the scanner machine can reach the target network and that local firewall rules allow outbound checks.
That can be normal. RDP and NLA do not always behave like a standard HTTPS certificate check. Treat the open port as evidence, not a failed certificate scan.
Browse to the script folder and open the newest NetworkScan_*.html file manually. On servers, default browser behavior may be restricted.
Reduce scope first. If needed, adjust script timeout or parallelism settings only after confirming the network is stable and the target range is correct.
Check whether CMDB stores IPs, FQDNs, short hostnames, retired records, NAT addresses, or multiple interfaces differently than the scan sees them.
These habits make the reports more useful and easier to defend when shared with asset owners or management.
Record which networks were scanned, when the scan ran, who requested it, and which machine performed the scan.
Keep timestamped reports so you can compare trends and prove when a host or service first appeared.
Reports contain internal infrastructure details. Store them where only authorized teams can access them.
A finding without an owner often stays unresolved. Route unknown hosts and exposed services to the team responsible for the network or system.
After disabling a service, renewing a certificate, or adding a CMDB record, run the same scope again to verify the result.
An open port or missing CMDB record is a review signal. Use the evidence to drive verification, not blame.
Short answers for common questions from administrators and stakeholders.
No. It is positioned as an authorized internal visibility and evidence collection tool. It checks reachability, services, web clues, TLS certificates, and inventory gaps. It should only be used on networks where you have permission.
No. An open port means a service is reachable. The follow-up question is whether that service is expected, owned, patched, monitored, and appropriate for that network.
Because unmanaged assets are often the root of operational and security problems. If a device exists on the network but not in inventory, it may not be patched, monitored, backed up, or owned by the right team.
Technically, yes, depending on your build and environment. Practically, smaller chunks are better. They create clearer reports, reduce noise, and are easier to schedule safely.
Web titles are a simple way to identify what a service is. A title can reveal a printer admin page, firewall interface, old application, test portal, or forgotten default web server.
No. Treat reports as internal operational data. They can contain IP addresses, hostnames, software clues, certificate names, and service exposure details.
Save all required files in the same folder, run a small authorized network first, review the report, then expand into scheduled scans or CMDB comparison once the output is verified.
Recommended GUI launcher with built-in manual, version check, quick scan options and download/update buttons.
Download launcher onlyOptional Wi-Fi, Wi-Fi Direct and Bluetooth discovery helper.
Download radio helperPort profile definitions and offline port/protocol lookup metadata.
Download port helperOptional local Windows Credential Manager helper for saved API and ServiceNow credentials.
Download credential helperDefault favicon evidence helper. Fetches /favicon.ico outside the main scanner and returns embedded icons or clear status codes.
$dest = Join-Path $env:USERPROFILE 'Downloads\ScantideAuditor'
New-Item -ItemType Directory -Path $dest -Force | Out-Null
$base = 'https://www.scantide.com/helpfiles'
$files = @(
@{ Name = 'ScantideLauncher.ps1'; Url = "$base/ScantideLauncher.ps1" },
@{ Name = 'ScantideLAN.ps1'; Url = "$base/ScantideLAN.ps1" },
@{ Name = 'ScantideHelper.ps1'; Url = "$base/ScantideHelper.ps1" },
@{ Name = 'ScantideRadioHelper.ps1'; Url = "$base/ScantideRadioHelper.ps1" },
@{ Name = 'ScantidePortHelper.ps1'; Url = "$base/ScantidePortHelper.ps1" },
@{ Name = 'ScantideCredentialManager.ps1'; Url = "$base/ScantideCredentialManager.ps1" },
@{ Name = 'oui.csv'; Url = "$base/oui.csv" }
)
foreach ($file in $files) {
$target = Join-Path $dest $file.Name
Write-Host "Downloading $($file.Name)..." -ForegroundColor Cyan
Invoke-WebRequest -Uri $file.Url -OutFile $target -UseBasicParsing -TimeoutSec 45
Unblock-File -LiteralPath $target -ErrorAction SilentlyContinue
}
Write-Host ""
Write-Host "Downloaded Scantide Auditor PowerShell files to: $dest" -ForegroundColor Green
Write-Host "Example:" -ForegroundColor Yellow
Write-Host " cd `"$dest`""
Write-Host " .\ScantideLauncher.ps1"
Write-Host " .\ScantideLAN.ps1 -Network 192.168.0.0/24 -PortProfile Standard"
Write-Host " .\ScantideLAN.ps1 -Network 192.168.0.0/24 -PortProfile Hypervisor"
Write-Host " .\ScantideLAN.ps1 -Network 192.168.0.0/24 -EnableRadioDiscovery"
Write-Host " .\ScantideLocalCheck.ps1 -CheckLevel Basic"
Write-Host " .\ScantideLocalCheck.ps1 -CheckLevel Advanced"
Write-Host " .\Install-ScantideLocalWatch.ps1 -AtLogon $true"
Write-Host " .\Install-ScantideLocalWatch.ps1 -AtLogon $false -Daily $true -RunAt \"09:00\""Scantide is split into focused tools so the right audience gets the right kind of evidence quickly. Use Observe for live website behavior, Online for public domain checks, Dashboard for monitoring, and Auditor when you need authorized internal network visibility.
For Chrome, Edge, Brave and Firefox. Shows trackers, cookies, scripts, security headers, forms, contacted hosts and browser-visible website risk while you browse.
Open Observe guideFor Android users who want to share a URL from a browser or app and understand website privacy, scripts, trackers, infrastructure and jurisdiction context on mobile.
Open Observe MobileFor quick public-domain checks. Reviews visible TLS, DNS, headers, redirects, services, provider and jurisdiction signals for a website or domain.
Run single scanFor teams that need recurring certificate and domain visibility, status views, uploaded domain lists, expiry warnings and evidence history.
Open dashboard loginFor Windows admins reviewing authorized internal networks. Finds reachable hosts, visible services, web responses, TLS clues and CMDB gaps in clear HTML reports.
Open PowerShell AuditorFor mobile field checks and quick local network visibility. Useful for Wi-Fi review, nearby network context and on-site authorized infrastructure checks.
Open Android Auditor