ADscan Docs

Scanning Commands

Unauthenticated and authenticated Active Directory scanning commands

Authorization Required

Only scan systems you have explicit written authorization to test. Unauthorized network scanning and access is illegal and may result in criminal prosecution.

ADscan provides powerful scanning commands for both unauthenticated and authenticated Active Directory enumeration.

Configuration Commands

Before starting a scan, configure these essential parameters:

set iface

Set the network interface for scanning.

Syntax:

set iface <interface_name>

Examples:

# Ethernet
(ADscan:workspace) > set iface eth0

# VPN (common for CTFs)
(ADscan:workspace) > set iface tun0

# WiFi
(ADscan:workspace) > set iface wlan0

Finding your interface:

ip addr show

set hosts

Set target IP range for unauthenticated scans.

Syntax:

set hosts <cidr_range|ip_address>

Examples:

# Single host
(ADscan:workspace) > set hosts 10.10.10.161

# CIDR range
(ADscan:workspace) > set hosts 192.168.1.0/24

# Large subnet
(ADscan:workspace) > set hosts 10.0.0.0/16

set auto

Configure automation level.

Syntax:

set auto <True|False>

Examples:

# Semi-automatic mode (recommended for production)
(ADscan:workspace) > set auto False

# Automatic mode (faster for labs/CTFs)
(ADscan:workspace) > set auto True

Modes:

  • auto=False: Prompts before each potentially noisy or disruptive action
  • auto=True: Minimal prompts, faster enumeration (safe actions automatic)

Production Warning

Always use auto=False in production or client environments. Automatic mode (auto=True) may execute operations that could trigger alerts, cause service disruptions, or violate rules of engagement without explicit confirmation.

set telemetry

Enable or disable telemetry reporting.

Syntax:

set telemetry <on|off>

Examples:

# Enable telemetry (helps improve ADscan)
(ADscan:workspace) > set telemetry on

# Disable telemetry
(ADscan:workspace) > set telemetry off

Note: Telemetry contains only anonymized error data and feature usage. It does not include sensitive data (credentials, domain names, etc.).

Unauthenticated Scanning

start_unauth

Start unauthenticated Active Directory enumeration.

Syntax:

start_unauth

Prerequisites:

  • Network interface configured (set iface)
  • Target hosts configured (set hosts)

Example:

(ADscan:workspace) > set iface tun0
(ADscan:workspace) > set hosts 10.10.10.161
(ADscan:workspace) > start_unauth

[*] Starting unauthenticated scan...
[+] Discovered domain: htb.local
[+] Primary Domain Controller: forest.htb.local (10.10.10.161)
[*] Enumerating users via RPC...
[+] Found 31 user accounts
[*] Checking for AS-REP roastable accounts...
[+] Found AS-REP roastable accounts:
    - svc-alfresco
[?] Attempt to crack AS-REP hashes? (y/n):

What it does:

  1. Discovers Active Directory domain and domain controllers
  2. Enumerates users via anonymous RPC/LDAP
  3. Identifies AS-REP roastable accounts (no pre-authentication required)
  4. Attempts to crack found hashes
  5. If credentials found, offers to escalate to authenticated scan

Success criteria:

  • Domain discovered
  • User accounts enumerated
  • Potential attack paths identified

Authenticated Scanning

start_auth

Start authenticated Active Directory enumeration with credentials.

Syntax:

start_auth <domain> <dc_ip> <username> <password|hash>

Parameters:

  • domain: Domain name (e.g., corp.local, htb.local)
  • dc_ip: Primary Domain Controller IP address
  • username: Domain username (without DOMAIN\ prefix)
  • password|hash: Cleartext password or NTLM hash (the hash form is shown in the pass-the-hash example below)

Examples:

With password:

(ADscan:workspace) > start_auth corp.local 10.10.10.1 jdoe MyP@ssw0rd!

With NTLM hash (pass-the-hash):

(ADscan:workspace) > start_auth corp.local 10.10.10.1 administrator aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c

What it does:

  1. Verifies credentials against domain controller
  2. Enumerates all domain users, groups, and computers
  3. Performs Kerberoasting (identifies service accounts with SPNs)
  4. Collects BloodHound data automatically
  5. Identifies accessible SMB shares
  6. Checks for common privilege escalation paths
  7. Offers exploitation options based on findings

Example output:

(ADscan:workspace) > start_auth htb.local 10.10.10.161 svc-alfresco s3rvice

[+] Credentials validated successfully
[*] Enumerating domain users...
[+] Found 450 user accounts
[*] Enumerating domain computers...
[+] Found 125 computers
[*] Performing Kerberoasting...
[+] Found 3 kerberoastable accounts:
    - MSSQLSvc/sql01.htb.local:1433
    - HTTP/web01.htb.local
[?] Attempt to crack TGS tickets? (y/n):
[*] Collecting BloodHound data...
[+] BloodHound collection complete
[?] Upload to BloodHound for analysis? (y/n):

Scan Types

Network Discovery

Identify Active Directory infrastructure:

(ADscan:workspace) > set hosts 192.168.1.0/24
(ADscan:workspace) > start_unauth

Discovers:

  • Domain controllers
  • Domain DNS name
  • Domain functional level

User Enumeration

List all domain user accounts:

Unauthenticated:

start_unauth
# Uses anonymous RPC/LDAP if allowed

Authenticated:

start_auth domain.local 10.10.10.1 user pass
# Full user enumeration with attributes

Privilege Escalation

Identify paths to Domain Admin:

# Run authenticated scan
start_auth domain.local 10.10.10.1 lowpriv_user password

# ADscan automatically:
# - Checks for Kerberoasting opportunities
# - Identifies AS-REP roastable accounts (within domain)
# - Analyzes BloodHound paths
# - Suggests exploitation steps

Best Practices

Reconnaissance

Start with unauthenticated scanning:

# 1. Discover the domain
set hosts 10.10.10.0/24
start_unauth

# 2. If credentials found, escalate
start_auth domain.local 10.10.10.1 found_user found_password

Production Environments

Use semi-automatic mode for control:

set auto False
# You'll be prompted before potentially noisy operations

Lab/CTF Environments

Use automatic mode for speed:

set auto True
# Faster enumeration with minimal prompts

Credential Management

ADscan automatically saves discovered credentials:

# Credentials are stored in workspace
~/.adscan/workspaces/<workspace>/credentials.json

# Use them in future scans
start_auth domain.local 10.10.10.1 stored_user stored_password

Scan Output

All scan results are saved in the workspace:

~/.adscan/workspaces/<workspace>/
├── users.txt              # All enumerated users
├── computers.txt          # All enumerated computers
├── groups.txt             # All groups
├── bloodhound/            # BloodHound JSON files
├── kerberoast/            # Kerberoastable hashes
├── asrep/                 # AS-REP roastable hashes
└── shares/                # Accessible SMB shares

Troubleshooting

"Network interface not found"

 Interface 'tun0' not found

Solution: Check available interfaces:

ip addr show

"Domain not found"

 No Active Directory domain found in range

Solutions:

  • Verify target IP range is correct
  • Ensure network connectivity to domain controllers
  • Check firewall rules (ports 88, 389, 445)
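A pre-flight script that walks this checklist before you type start_unauth, added here as an example and not part of ADscan itself. It verifies that the set iface value names a real Linux interface, that the set hosts value parses as an IP or CIDR range, and that the AD ports listed above (88, 389, 445) accept a TCP connection on the suspected domain controller; the sample interface, range and DC address are assumptions.

```python
# Pre-flight checks for an ADscan run: added example, not ADscan's own code.
# Mirrors the "Domain not found" checklist: `set iface` must name a real
# interface, `set hosts` must be a valid IP or CIDR, and the AD ports the
# docs list (88, 389, 445) must answer on the suspected domain controller.
import ipaddress
import os
import socket

AD_PORTS = {88: "kerberos", 389: "ldap", 445: "smb"}

def iface_exists(name: str) -> bool:
    """True if the Linux kernel exposes an interface with this name."""
    return os.path.isdir(os.path.join("/sys/class/net", name))

def expand_hosts(value: str) -> list:
    """Parse a `set hosts` value (single IP or CIDR) into host strings; ValueError if malformed."""
    net = ipaddress.ip_network(value, strict=False)
    if net.num_addresses == 1:
        return [str(net.network_address)]
    return [str(h) for h in net.hosts()]

def probe_dc_ports(host: str, timeout: float = 2.0) -> dict:
    """TCP-connect each AD port once; False = closed, filtered or unreachable."""
    results = {}
    for port in AD_PORTS:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results

def preflight(iface: str, hosts: str, dc_ip: str) -> list:
    """Return human-readable problems; an empty list means the scan can start."""
    problems = []
    if not iface_exists(iface):
        problems.append(f"interface '{iface}' not found (see `ip addr show`)")
    try:
        expand_hosts(hosts)
    except ValueError:
        problems.append(f"hosts '{hosts}' is not a valid IP or CIDR range")
    for port, is_open in probe_dc_ports(dc_ip).items():
        if not is_open:
            problems.append(f"{dc_ip}:{port} ({AD_PORTS[port]}) unreachable; check firewall rules")
    return problems

# Constructed sample values (assumptions); substitute your authorized targets.
# for problem in preflight("tun0", "10.10.10.0/24", "10.10.10.161"): print("[-]", problem)
```

Run it against the same iface, hosts and DC values you intend to pass to set iface, set hosts and start_auth; an empty result means the three troubleshooting conditions above are satisfied.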

"Credentials invalid"

 Authentication failed for user 'jdoe'

Solutions:

  • Verify username and password are correct
  • Check if account is locked or disabled
  • Ensure domain name is correct
  • Try NTLM hash instead of password

"Permission denied"

 Insufficient privileges for operation

Solutions:

  • Use higher-privileged account
  • Check if operation requires Domain Admin rights
  • Review BloodHound for privilege escalation paths

Advanced Usage

Custom Wordlists

Use custom wordlist for password cracking:

# ADscan prompts for wordlist selection during cracking
? Select wordlist:
  > rockyou.txt (default)
    custom_ad_wordlist.txt
    company_passwords.txt

Targeted Scanning

Scan specific domain controller:

set hosts 10.10.10.1
start_unauth

Multi-Domain Environments

Scan multiple domains (requires separate workspaces):

# Domain 1
workspace create domain1
start_auth domain1.local 10.10.10.1 user pass

# Domain 2
workspace create domain2
start_auth domain2.local 10.20.10.1 user pass

Next Steps

After completing a scan:

  1. View discovered credentials with creds show
  2. Select credentials for further enumeration with creds select <domain>
  3. Analyze BloodHound data through the BloodHound UI
  4. Continue exploitation based on identified attack paths