Scantide Auditor PowerShell helps administrators understand what is reachable inside their own networks. Use the ScantideLauncher.ps1 GUI for guided local network scans, or run ScantideLAN.ps1 directly for scripted inventory, service evidence, TLS checks, CVE context, CMDB comparison and HTML reports.
The easiest start is ScantideLauncher.ps1. It can download/update the rest of the package when needed. The full Auditor PowerShell package uses the launcher, main scanner, local discovery helper, radio discovery helper, port/profile metadata helper, Windows Credential Manager helper, and local MAC vendor cache in the same folder.
The launcher can save Scantide email/API key and ServiceNow username/password locally in Windows Credential Manager. This keeps secrets off the command line and avoids plain-text configuration files while still making repeat scans easy for administrators.
Credentials are stored under the current Windows user/computer using Windows Credential Manager entries such as ScantideAuditor.Api and ScantideAuditor.ServiceNow.
The GUI launcher can save/update stored values and remove them again. Startup logs show whether saved credentials were found without printing the actual API key or password.
Enter a short hosted instance name such as examplecompany to use https://examplecompany.service-now.com, or paste a full internal/custom URL to use that exact URL.
For most Windows administrators, ScantideLauncher.ps1 is now the easiest starting point. It wraps the PowerShell scanner in a graphical interface, detects the local network at startup, explains scan options, checks the scanner version feed, and can download or update the companion files when needed.
Choose the network, CIDR size, CVE/API settings, CMDB comparison, local discovery, Wi-Fi/radio checks and output options without remembering every command-line switch.
The launcher can download the main scanner, helpers, radio helper, port/profile helper, Credential Manager helper and OUI vendor file. That means users can download only the launcher first and let it fetch the rest later.
The launcher includes a manual tab, Scantide tool overview, subnet calculator, ping, nslookup, traceroute and offline port/protocol lookup helpers for local auditing workflows.
ScantideLauncher.ps1 if you prefer checkboxes and guided setup. Use ScantideLAN.ps1 directly when you want automation, scheduled runs or command-line control.
The script is intended for administrators, security teams, infrastructure teams, and asset owners who need a practical view of internal network exposure without installing agents or running intrusive tests.
Scan approved internal ranges to see which hosts respond, which common services are reachable, and which systems may need follow-up.
Compare discovered hosts against known asset data so teams can spot missing, stale, or unexpected records.
Create HTML reports that show the facts: host, port, title, banner, TLS subject, certificate names, CMDB status, and timestamps.
Many companies have more systems online than they think. Some are old test servers, forgotten admin portals, temporary devices, printers, appliances, or servers that were never added correctly to the asset inventory. Scantide helps turn that uncertainty into a list you can actually review. The radio discovery add-on also shows what the scan workstation can see nearby over Wi-Fi and Bluetooth.
If a device is reachable but not listed in the CMDB, nobody may be responsible for patching it, monitoring it, backing it up, or removing it when it is no longer needed.
A host that only responds to HTTPS is different from a host exposing FTP, old web admin pages, remote access services, or mail protocols. The report helps you see what is actually reachable.
TLS certificates often show hostnames, service names, expiry dates, and ownership hints. This can help find forgotten systems or certificates that need renewal.
A port number alone is not always helpful. Capturing the web server title and basic response information makes it easier to identify what a service actually is.
When the scan finds something that is not in the inventory, the team can decide whether to register it, investigate it, or remove it.
The goal is not only to find things. The goal is to create evidence that helps infrastructure, operations, and security teams agree on what needs attention.
Exact checks depend on the version and options you enable, but the PowerShell auditor is designed around practical asset and service evidence.
Review IP ranges and collect response evidence from hosts that appear reachable during the scan.
Check common ports and service responses such as HTTP, HTTPS, SSH, FTP, SMTP, DNS, IMAP, POP3, and custom configured ports.
Inspect visible certificate fields such as subject, issuer, DNS names, expiry dates, and certificate mismatch clues.
Collect basic web evidence such as status, title, server header, redirects, and HTTP/HTTPS availability where available.
Optionally evaluate nearby Wi-Fi networks, Wi-Fi Direct candidates and Bluetooth/BLE observations, including channel congestion, security mode, vendor/OUI hints and rogue/evil-twin indicators.
Mark discovered hosts as known or not found in the asset inventory when CMDB integration data is available.
Include scan date, network range, duration, and report context so results can be compared over time.
Generate a visual report that can be shared with operations teams, system owners, or audit stakeholders.
Focus on observable network and service data rather than exploitation, credential attacks, or intrusive vulnerability testing.
A finding does not automatically mean something is dangerous. It means there is evidence worth understanding. The report is designed to help teams decide what to verify, document, patch, or remove.
Run the script from a Windows machine or server that is allowed to reach the target network range. Use an account and location that match your organization’s scanning policy.
ScantideLAN.ps1, ScantideHelper.ps1, ScantideRadioHelper.ps1, and oui.csv into the same folder. The helpers are intentionally separate so local multicast and radio discovery stay transparent and easier to review. The OUI CSV is kept local so MAC/BSSID vendor enrichment works offline.
$dest = Join-Path $env:USERPROFILE 'Downloads\ScantideAuditor'
New-Item -ItemType Directory -Path $dest -Force | Out-Null
$base = 'https://www.scantide.com/helpfiles'
$files = @(
@{ Name = 'ScantideLauncher.ps1'; Url = "$base/ScantideLauncher.ps1" },
@{ Name = 'ScantideLAN.ps1'; Url = "$base/ScantideLAN.ps1" },
@{ Name = 'ScantideHelper.ps1'; Url = "$base/ScantideHelper.ps1" },
@{ Name = 'ScantideRadioHelper.ps1'; Url = "$base/ScantideRadioHelper.ps1" },
@{ Name = 'ScantidePortHelper.ps1'; Url = "$base/ScantidePortHelper.ps1" },
@{ Name = 'ScantideCredentialManager.ps1'; Url = "$base/ScantideCredentialManager.ps1" },
@{ Name = 'oui.csv'; Url = "$base/oui.csv" }
)
foreach ($file in $files) {
$target = Join-Path $dest $file.Name
Write-Host "Downloading $($file.Name)..." -ForegroundColor Cyan
Invoke-WebRequest -Uri $file.Url -OutFile $target -UseBasicParsing -TimeoutSec 45
Unblock-File -LiteralPath $target -ErrorAction SilentlyContinue
}
Write-Host ""
Write-Host "Downloaded Scantide Auditor PowerShell files to: $dest" -ForegroundColor Green
Write-Host "Example:" -ForegroundColor Yellow
Write-Host " cd `"$dest`""
Write-Host " .\ScantideLauncher.ps1"
Write-Host " .\ScantideLAN.ps1 -Network 192.168.0.0/24 -PortProfile Standard"
Write-Host " .\ScantideLAN.ps1 -Network 192.168.0.0/24 -PortProfile Hypervisor"
Write-Host " .\ScantideLAN.ps1 -Network 192.168.0.0/24 -EnableRadioDiscovery"Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
cd "$env:USERPROFILE\Downloads\ScantideAuditor"
.\ScantideLAN.ps1 -Network 10.24.48.0/24
.\ScantideLAN.ps1 -Network 10.24.48.0/24 -EnableRadioDiscoveryScantide Auditor PowerShell is designed for authorized internal network discovery, Windows network inventory, ServiceNow CMDB comparison, exposed service review and HTML evidence reports. These are the situations where it gives the most value.
Run a controlled PowerShell network scan against a known subnet to find live hosts, open ports, DNS names, reverse DNS, web titles, certificates and MAC/vendor evidence.
Compare discovered systems with CMDB data to highlight reachable devices that are missing, stale, renamed or assigned to the wrong owner.
Find internal HTTPS portals, certificate expiry issues, weak documentation clues, login pages, unexpected redirects and server banners that need ownership review.
Add optional Wi-Fi, Wi-Fi Direct and Bluetooth/BLE discovery to support local branch-office reviews, duplicate SSID checks and nearby radio inventory.
Create an evidence baseline before an internal audit, ISO 27001 review, cyber insurance questionnaire, firewall cleanup or server decommissioning project.
Use Windows Credential Manager for Scantide API and ServiceNow credentials so secrets stay local to the Windows user/computer and are not saved in plain text.
Open a real-world style Scantide Auditor HTML report to see the kind of evidence produced: discovered hosts, open services, web details, TLS certificate information, DNS/PTR status, CMDB-style review points and readable explanations.
View anonymized example reportThe PowerShell script is most useful when the goal is to create a practical inventory and exposure baseline for internal networks.
Check that important systems are known, documented, and not exposing unexpected services before an external or internal review.
Run a comparison after migrations, firewall changes, segmentation work, VLAN changes, or server cleanup projects.
Find systems that exist on the network but are missing, outdated, or incorrectly represented in the asset inventory.
Find certificates that are expired, near expiry, incorrectly named, or attached to services that nobody recognizes.
Identify old services such as FTP, legacy admin pages, or unexpected mail services that may need retirement or restriction.
Use -EnableRadioDiscovery during authorized local checks to record nearby Wi-Fi, possible rogue/evil-twin indicators, Wi-Fi Direct candidates, Bluetooth observations and channel congestion statistics.
Create a clear report that helps different teams agree on what is known, what is unknown, and what needs action.
A good report should not just say that something was found. It should help the team understand what the finding means and what to do next.
Scantide Auditor PowerShell is built for authorized visibility. It should be used only on networks where you have permission to perform inventory and exposure review.
Run it only against networks you own, manage, or are explicitly authorized to assess.
The scanner is not intended for password guessing, brute forcing, exploitation, or bypassing access controls.
Use the report to improve asset ownership, CMDB accuracy, certificate hygiene, firewall rules, and service cleanup.
Auditor findings become more useful when they are connected to known vulnerability context and infrastructure ownership/location context. The goal is prioritization and evidence, not automatic blame.
Open ports, service banners, web titles, certificates and server headers may reveal product or version hints that can be compared with CVE information. Treat this as a pointer for follow-up: a visible version may be wrong, patched by backporting, hidden behind a proxy, or not exploitable in the local configuration.
For internal and branch-office reviews, provider, country, ASN, cloud region, mail routing and external dependencies can matter. These signals help teams understand whether systems depend on unexpected providers, regions or legal environments, especially where policy, compliance or data-residency requirements apply.
No. It is an inventory and exposure review script for authorized internal networks. It collects observable service and metadata evidence so administrators can clean up and document their environment.
No. Many open ports are normal. The important question is whether the service is expected, documented, patched, restricted, and owned by the right team.
If a system is reachable but not in the asset inventory, it can be missed by patching, monitoring, backup, lifecycle management, and incident response processes.
They help humans identify systems faster. A hostname, web title, certificate subject, or DNS name can reveal whether the service belongs to a known application, old project, appliance, or test environment.
No. It is better viewed as a visibility, inventory, and evidence tool. It can help decide where deeper vulnerability review is needed, but it is not a replacement for full vulnerability management.
Yes. The output is meant to be readable by operations, infrastructure, application owners, and asset managers. The point is to make cleanup and ownership discussions easier.
The current launcher lets the user enter an IP range, then choose a scan profile. If they do not choose anything else, Standard runs. That keeps the normal ScantideLAN behavior as the safe default while still offering focused checks for specific audit questions.
The recommended default profile for routine LAN inventory. It keeps the proven ScantideLAN port set and covers common web, Windows, remote access, database and hypervisor/admin surfaces.
A lighter first pass for large ranges or quick reachability checks. Use it when speed matters more than full service coverage.
Focuses on virtualization and management surfaces such as VMware ESXi/vCenter, Hyper-V, Proxmox VE, Xen/XCP-ng style hosts, Nutanix Prism, libvirt and console-related ports.
Focuses on data services such as Microsoft SQL Server, MySQL/MariaDB, PostgreSQL, Oracle, Redis, MongoDB, Elasticsearch and Memcached.
Finds protocols that may expose credentials/content or are often phase-out candidates, such as FTP, Telnet, HTTP, POP3, IMAP, SNMP v1/v2c, TFTP and legacy discovery services.
Broader profiles for focused exposure reviews. They can be useful, but are intentionally more noisy. Use Standard first, then move to a focused profile when the report suggests it.
The Tools tab is meant for quick checks that help the user understand the scan range or interpret a result. These tools do not start a full Scantide scan unless the user explicitly uses the scan-range button.
Shows network, broadcast, usable range, netmask and approximate host count from an IP/CIDR or netmask. Useful before scanning a routed or unfamiliar subnet.
Runs local Windows network tools for reachability, DNS resolution and routing path checks. These are quick helper checks, not full scan results.
Offline lookup powered by ScantidePortHelper.ps1. Users can type 25, smtp, telnet or tcp/8006 and get the usual service, risk, encryption notes, comments, warnings and recommendations.
The PowerShell manual explains prerequisites, safe scanning scope, common parameters, report interpretation, CMDB comparison, troubleshooting, and recommended operating practices for internal network reviews.
Use the manual when deploying the script for the first time, explaining the report to colleagues, or standardizing how internal scans should be run and documented.
Open PowerShell manualThe guide covers how to choose a network range, understand discovered hosts, read evidence rows, compare against asset inventory, and turn findings into cleanup actions.
Scantide Auditor PowerShell focuses on internal networks. Scantide Observe focuses on website privacy and browser-visible behavior. Scantide Observe Mobile brings similar visibility to Android. Together they help explain what systems, websites, and services are doing in a way people can act on.
Scantide is split into focused tools so the right audience gets the right kind of evidence quickly. Use Observe for live website behavior, Online for public domain checks, Dashboard for monitoring, and Auditor when you need authorized internal network visibility.
For Chrome, Edge, Brave and Firefox. Shows trackers, cookies, scripts, security headers, forms, contacted hosts and browser-visible website risk while you browse.
Open Observe guideFor Android users who want to share a URL from a browser or app and understand website privacy, scripts, trackers, infrastructure and jurisdiction context on mobile.
Open Observe MobileFor quick public-domain checks. Reviews visible TLS, DNS, headers, redirects, services, provider and jurisdiction signals for a website or domain.
Run single scanFor teams that need recurring certificate and domain visibility, status views, uploaded domain lists, expiry warnings and evidence history.
Open dashboard loginFor Windows admins reviewing authorized internal networks. Finds reachable hosts, visible services, web responses, TLS clues and CMDB gaps in clear HTML reports.
Open PowerShell AuditorFor mobile field checks and quick local network visibility. Useful for Wi-Fi review, nearby network context and on-site authorized infrastructure checks.
Open Android Auditor