0
  • What are the differences between authenticated and unauthenticated network scans?
  • Do they show the same results?
  • In which scenario should both be used?
schroeder
fox_haunter

3 Answers

3

I assume you are talking about web applications. If not, edit your question as my answer will not make much sense.

What are the differences between authenticated and unauthenticated scans?

An authenticated scan is when you have a valid account on the application. An unauthenticated scan is when you do not have one.

Do they show the same results?

No, they show different results. An unauthenticated scan will show every resource that anyone on the internet can access, without having an account. An authenticated scan will show only resources accessible to valid users.

In which scenario should both be used?

If the application doesn't have account controls, a simple unauthenticated scan is the only option, as you cannot use an account if no accounts are available.

If there are accounts involved, use both. Why?

If you have credentials, log in to your account and scan everything you can. Map every resource, every available backend, everything. Log out, and try to access the protected resources with the unauthenticated session. If you can access secured resources without an account, you have found an authentication bypass vulnerability.

ThoriumBR
  • And a variety of privilege escalation is when not only anonymous/authenticated access but also multiple levels of authentication are supported; a regular user should not get more privileged (admin) levels of access or access to content belonging to a different authenticated user. – HBruijn Sep 12 '19 at 13:49
  • I just edited the post. I meant about network scans. Sorry for the confusion. – fox_haunter Sep 12 '19 at 14:49
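The log-in / map / log-out / replay procedure ThoriumBR describes, reduced to the comparison step, as an added example that is not part of the original answer. It assumes a crawler already recorded, per URL, the status code and body seen while logged in, the URLs the unauthenticated crawl found on its own, and the responses from re-requesting the logged-in URLs without a session; all URLs, bodies and status codes below are constructed. It also handles the common case where the login form is served with HTTP 200, which a naive status-code check would report as a bypass.

```python
"""Added example, not from the original answer: replay the resources mapped by
an authenticated web-app scan without the session and classify each one."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:            # what the crawler recorded for one response
    status: int
    body: str                 # response body (a real tool would store a hash)
    location: str = ""        # Location header on redirects, if any

def classify(auth: Observation, replay: Observation, login_body: str) -> str:
    """Compare the logged-in view of one resource with its sessionless replay.
    login_body lets a login form served with HTTP 200 still count as gated."""
    if replay.status in (401, 403):
        return "protected"
    if 300 <= replay.status < 400 and "login" in replay.location:
        return "protected"
    if replay.status == 200:
        if replay.body == login_body:
            return "protected"          # login form served with 200
        if replay.body == auth.body:
            return "bypass"             # identical content without a session
        return "differs"                # partial content: review by hand
    return "unexpected"

def compare_scans(auth_crawl, public_urls, replay, login_body):
    """auth_crawl/replay: URL -> Observation from the logged-in crawl and from
    re-requesting those URLs logged out; public_urls: found unauthenticated."""
    report = {}
    for url, auth_obs in auth_crawl.items():
        if url in public_urls:
            report[url] = "public"      # reachable by anyone, by design
        elif url not in replay:
            report[url] = "not-replayed"
        else:
            report[url] = classify(auth_obs, replay[url], login_body)
    return report

# Constructed sample data standing in for two crawler runs; all values invented.
LOGIN = "<form action=/login>"
AUTH_CRAWL = {"/": Observation(200, "welcome"),
              "/account": Observation(200, "balance: 100"),
              "/admin/users": Observation(200, "user list"),
              "/export.csv": Observation(200, "a,b,c")}
PUBLIC = {"/"}
REPLAY = {"/": Observation(200, "welcome"),
          "/account": Observation(302, "", "/login?next=/account"),
          "/admin/users": Observation(200, LOGIN),
          "/export.csv": Observation(200, "a,b,c")}
```

Running `compare_scans(AUTH_CRAWL, PUBLIC, REPLAY, LOGIN)` on the sample data flags only `/export.csv` as a bypass; `/admin/users` is correctly treated as protected despite the 200, and a "differs" verdict is deliberately left for manual review.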
1

What are the differences between authenticated and unauthenticated network scans?

As noted above, it depends on whether the scanner is given a valid account or not.

Do they show the same results?

For infrastructure scans, they should but rarely do. Authenticated scans can use the (usually) admin access they are given to check patch status and version numbers more accurately (in theory) than the direct tests might be able to do. This, of course, depends on the information they are accessing (for Windows systems, usually in the Registry) being correct. It usually is, but the edge cases where it isn't are the interesting ones.

In which scenario should both be used?

As ThoriumBR noted, if you are doing web app testing, you need to use authenticated scanning and should, in fact, scan with different privileged accounts. If you are doing infrastructure testing, you would usually use both methods if you are testing from an internal IP (or remotely, but with a test scanner inside the target network), and compare the results from the two different scan types (or from the different privilege levels with a web app scan).

mwapemble
0

The question is, at the very least, weirdly formulated.

A network scan implies scanning for network devices, which generally does not require anything but network access and a valid network address. You just use a general network scanning tool, which can be ICMP-based or based on something else (if ICMP is blocked), and that's it. Nothing else is necessary.

If you want to deep-scan devices like PCs, then yes, there is a big difference between being authenticated and unauthenticated. The result will clearly be different, as a general scan for device information will go as deep as you have access.

So with no authentication you will get basic results, and with domain-level authentication you will get very detailed information about domain-member devices.

As for scenarios, it depends on your objective. To determine the PCs in a network segment you clearly don't need to authenticate, but if you want detailed info like registry content or detailed system information, you need to authenticate on these devices.

Overmind