Network Scans: Authenticated vs Unauthenticated

TL;DR

Unauthenticated network scans quickly identify open ports and services but may miss devices or show inaccurate information. Authenticated scans use credentials to log in to devices, providing a much more accurate view of the network. Choose authenticated scans whenever possible for better security assessments.

Understanding Network Scans

Network scanning is how you find out what’s connected to your network and what services those devices are running. There are two main types: unauthenticated and authenticated. Let’s look at each one in detail.

1. Unauthenticated Network Scans

An unauthenticated scan doesn’t use any login details (username/password). It tries to figure out what devices are on the network by sending packets and looking for responses. Think of it like knocking on doors to see who answers.

  • How they work: They typically use techniques like TCP connect scans, SYN scans, UDP scans, and ICMP echo requests (ping).
  • What you find: Open ports, running services (like HTTP, SSH, FTP), operating system guesses.
  • Advantages: Fast, easy to run, doesn’t require credentials.
  • Disadvantages: Inaccurate results – firewalls can block scans, devices might not respond, and OS detection is often wrong. They also won’t show you what’s *inside* a device (e.g., installed software, user accounts).

Example using Nmap:

nmap -F 192.168.1.0/24

-F (fast mode) scans fewer ports than the default scan: the 100 most common ports instead of the 1,000 most common.

2. Authenticated Network Scans

An authenticated scan *does* use login details to connect to devices. This is like having a key to each door, allowing you to see what’s inside.

  • How they work: They log in to devices using protocols like SSH, RDP, or WMI (Windows Management Instrumentation).
  • What you find: Everything an unauthenticated scan finds, *plus* installed software, running processes, user accounts, patch levels, configuration details.
  • Advantages: Accurate results, detailed information, can identify vulnerabilities that unauthenticated scans miss.
  • Disadvantages: Slower than unauthenticated scans, requires valid credentials for each device, potential risk if credentials are compromised.

Example using Nmap with SSH credentials:

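nmap -sS --script vuln,ssh-run --script-args "ssh-run.username=username,ssh-run.password=password,ssh-run.cmd=uname -a" 192.168.1.10

-sS performs a SYN scan, and --script vuln runs vulnerability scripts. Nmap has no global login options, so the SSH credentials are passed to a script through --script-args: here the ssh-run script logs in with them and runs the command given in ssh-run.cmd.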
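
To make the difference between the two views concrete, the following added example (not from the original article) compares what a network scan reports with what the host itself reports after login. It assumes Nmap XML output (-oX) plus `ss -tlnH` and `dpkg-query -W` output gathered over SSH; all sample data is constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: Nmap XML (-oX) from an unauthenticated scan of one host.
NMAP_XML = """<nmaprun><host><address addr="192.168.1.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
</ports></host></nmaprun>"""

# Constructed sample: `ss -tlnH` and `dpkg-query -W` output collected over an SSH login.
SS_OUTPUT = """LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 151 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:6379 0.0.0.0:*"""
DPKG_OUTPUT = "openssh-server\t1:8.9p1-3ubuntu0.10\nnginx\t1.18.0-6ubuntu14.4\nredis-server\t5:6.0.16-1ubuntu1"

def unauth_ports(xml_text):
    """Open TCP ports and version banners as seen from the network."""
    seen = {}
    for port in ET.fromstring(xml_text).iter("port"):
        if port.find("state").get("state") != "open":
            continue  # filtered/closed: the scan cannot tell what is behind it
        svc = port.find("service")
        banner = f"{svc.get('product', '?')} {svc.get('version', '?')}" if svc is not None else "?"
        seen[int(port.get("portid"))] = banner
    return seen

def auth_listeners(ss_text):
    """Listening TCP sockets reported by the host itself: {port: bind address}."""
    listeners = {}
    for line in ss_text.strip().splitlines():
        addr, _, port = line.split()[3].rpartition(":")
        listeners[int(port)] = addr
    return listeners

def auth_packages(dpkg_text):
    """Installed packages with full patch level: {package: version}."""
    return dict(line.split("\t", 1) for line in dpkg_text.strip().splitlines())

def missed_by_unauth(xml_text, ss_text):
    """Listeners the host reports that the network scan did not see as open."""
    seen = unauth_ports(xml_text)
    return {p: a for p, a in auth_listeners(ss_text).items() if p not in seen}

if __name__ == "__main__":
    print("network view :", unauth_ports(NMAP_XML))
    print("missed ports :", missed_by_unauth(NMAP_XML, SS_OUTPUT))
    print("patch levels :", auth_packages(DPKG_OUTPUT))
```

In this sample the network scan sees only a banner version for SSH and nginx, while the login reveals the exact package patch level, a firewalled database port and a service bound to localhost.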

3. When to Use Which Type

  1. Initial Discovery: Start with an unauthenticated scan to get a quick overview of the network.
  2. Detailed Assessment: Follow up with authenticated scans for critical devices and systems.
  3. Regular Security Checks: Schedule regular authenticated scans to identify new vulnerabilities and configuration changes.
  4. Compliance: Authenticated scans are often required for compliance standards (e.g., PCI DSS).

4. Improving Scan Accuracy

  • Credential Management: Use strong, unique passwords and store them securely.
  • Firewall Rules: Ensure firewalls allow scan traffic to reach devices (especially for authenticated scans).
  • Scan Scheduling: Schedule scans during off-peak hours to minimize impact on network performance.
  • Target Selection: Focus scans on specific devices or subnets instead of scanning the entire network unnecessarily.

5. Cybersecurity Considerations

Network scanning is a key part of cyber security, but it’s important to do it responsibly.

  • Permission: Always get permission before scanning any network you don’t own. Scanning without authorization can be illegal.
  • Data Handling: Protect scan results from unauthorized access. They contain sensitive information about your network.
  • False Positives: Be aware that scans can sometimes report false positives (vulnerabilities that aren’t actually present). Verify findings before taking action.