How does ADscan reduce AD pentest time from 5 days to 2?

ADscan automates enumeration (saves 1-2 days), provides semi-guided exploitation paths (saves 1-2 days), and generates MITRE-mapped reports automatically (saves 0.5-1 day). The operator confirms all actions while ADscan handles the grunt work.

What's the difference between ADscan and PingCastle/Purple Knight?

PingCastle and Purple Knight are excellent risk assessment tools for IT teams. ADscan goes further by executing semi-guided exploitation, building complete attack chains, and outputting pentester-ready MITRE-mapped evidence for consulting deliverables.

How is ADscan different from Pentera?

Pentera is a GUI-based automated platform designed for IT teams to run simulations. ADscan is a CLI tool built for pentesters who need granular control over attack vectors, reproducible evidence, and detailed technical reporting for client deliverables.

Does ADscan work in air-gapped environments?

Yes. ADscan supports offline licenses and includes an optional on-premises license server for completely air-gapped deployments. All tools and wordlists are bundled locally.

What operating systems does ADscan support?

Currently Linux (Kali, Ubuntu, Debian, Parrot). Docker and Windows support are in the near-term roadmap. Design Partners get early access to new platform releases.

Can ADscan integrate with existing pentest workflows?

Yes. ADscan exports to JSON for integration with other tools, generates Word reports using your templates, and works alongside BloodHound, NetExec, and other standard AD pentest tools.

How much does ADscan cost for consulting companies?

PRO seats start at €997/year. Enterprise team packs (5/10/25 seats) include volume discounts, SSO, and priority support. POV Pass available at €249 per 14-day engagement for project-based testing.

What's included in the 14-day POV?

Full ADscan PRO features, setup assistance, Word report generation, and a debrief session with your team lead. No credit card required. Run in your non-production lab environment.

What is the difference between a POV and the Design Partner program?

POV is a 14-day lab evaluation to validate fit. Design Partner is a 90-day collaboration with direct support, early features and limited discounted pricing in exchange for an anonymous/public case.

Credential Management

ADscan automatically discovers and stores credentials during enumeration and exploitation. Use these commands to view and work with discovered credentials.

Commands

`creds show`

Display all discovered credentials in the current workspace.

Syntax:

creds show

Example:

(ADscan:htb_forest) > creds show

# TODO: Add real output from 'creds show' command
# Expected format:
# - Username
# - Domain
# - Password (if available)
# - NTLM hash (if available)
# - Source (AS-REP, Kerberoast, DCSync, etc.)

What it shows:

All discovered usernames
Associated domains
Cleartext passwords (when cracked)
NTLM hashes
Source of credential discovery (AS-REP roasting, Kerberoasting, DCSync, etc.)

`creds select`

Select a specific credential to use for further enumeration and exploitation.

Syntax:

creds select <domain>

Parameters:

domain: The domain name of the credentials to select

Example:

(ADscan:htb_forest) > creds select htb.local

# TODO: Add real output from 'creds select' command
# Expected behavior:
# - Prompts to select from available credentials for the domain
# - Sets the selected credential as active for enumeration
# - May show available actions with selected credential

What it does: When you select credentials, ADscan will:

Show available credentials for the specified domain
Allow you to choose which credential to use
Enumerate privileges and access for the selected user:
- Accessible SMB shares
- ACL permissions
- Group memberships
- Special privileges
- Attack paths in BloodHound

Use cases:

Switch between different compromised accounts
Test access levels of different users
Enumerate lateral movement opportunities
Identify privilege escalation paths

System Command

`system`

Execute shell commands on your local system (where ADscan is running).

Syntax:

system <command>

Parameters:

command: Any shell command to execute locally

Examples:

# Check local user
(ADscan:workspace) > system whoami
kali

# List files in workspace directory
(ADscan:workspace) > system ls -la ~/.adscan/workspaces/htb_forest/

# View network interfaces
(ADscan:workspace) > system ip addr show

# Check VPN connection
(ADscan:workspace) > system ping -c 1 10.10.10.161

Important Notes:

system runs commands on your local machine (Kali, Ubuntu, etc.)
It does NOT execute commands on the target domain
Useful for checking local system state, files, and network connectivity
All standard Linux/bash commands are available

Local Execution Only

The system command executes on your local system (where ADscan is running), NOT on the target domain. For example, system whoami returns your local username (e.g., "kali"), not a domain user. ADscan is a TUI that orchestrates tools—it does not act as a remote agent.

Common Use Cases:

# Verify VPN connectivity
system ping <target_ip>

# Check available disk space
system df -h

# View workspace files
system ls ~/.adscan/workspaces/

# Copy results to external location
system cp ~/.adscan/workspaces/client/report.json /tmp/

# Check network routes
system ip route

# Verify tool installations
system which hashcat
system docker ps

Credential Storage

Credentials are automatically saved in the workspace:

~/.adscan/workspaces/<workspace>/
└── credentials.json       # All discovered credentials

Security:

Credentials file has restrictive permissions (600)
NTLM hashes are stored securely
Cleartext passwords are only stored when explicitly cracked

Credential Sources

ADscan discovers credentials through various techniques:

Technique	Description	Output
AS-REP Roasting	Pre-authentication disabled accounts	Password (cracked hash)
Kerberoasting	Service accounts with SPNs	Password (cracked TGS)
DCSync	Domain replication rights	NTLM hashes (all users)
SAM Dump	Local account database	NTLM hashes (local users)
LSA Secrets	LSA cached credentials	Passwords or hashes
DPAPI	Data Protection API credentials	Passwords (decrypted)

Workflow Example

Complete credential management workflow:

# 1. Run authenticated scan
(ADscan:pentest) > start_auth corp.local 10.0.0.1 jdoe Password123

# 2. View all discovered credentials
(ADscan:pentest) > creds show

# TODO: Real output showing discovered credentials

# 3. Select high-privilege account
(ADscan:pentest) > creds select corp.local

# TODO: Real output showing credential selection menu

# 4. ADscan enumerates with selected credential:
#    - SMB shares accessible
#    - ACL permissions
#    - Group memberships
#    - Privilege escalation paths

# 5. Use system command to verify local files
(ADscan:pentest) > system ls ~/.adscan/workspaces/pentest/

Best Practices

Credential Rotation

When you discover new credentials:

Use creds show to view all accounts
Test each credential with creds select
Document which accounts have which access
Prioritize high-privilege accounts for further exploitation

Secure Storage

Never share credentials.json publicly
Encrypt workspace backups before transferring
Delete old workspaces after engagement completion
Use clear_all to wipe workspace data when done

Sensitive Data Protection

The credentials.json file contains cleartext passwords and NTLM hashes. Always protect this file with restrictive permissions (600), encrypt backups before transfer, and securely delete workspace data after engagement completion using clear_all.

Credential Testing

# Select different credentials to test access
creds select corp.local  # Test user1
creds select corp.local  # Test user2

# Compare access levels between accounts
# Identify which accounts have DA/EA privileges

Scanning Commands - Discover credentials through scanning
Workspace Management - Manage workspace data

Next Steps

After discovering credentials:

Use creds show to view all credentials
Select high-value credentials with creds select
Enumerate privileges and accessible resources
Follow BloodHound attack paths to escalate privileges

Credential Management

On this page