How does ADscan reduce AD pentest time from 5 days to 2?

ADscan automates enumeration (saves 1-2 days), provides semi-guided exploitation paths (saves 1-2 days), and generates MITRE-mapped reports automatically (saves 0.5-1 day). The operator confirms all actions while ADscan handles the grunt work.

What's the difference between ADscan and PingCastle/Purple Knight?

PingCastle and Purple Knight are excellent risk assessment tools for IT teams. ADscan goes further by executing semi-guided exploitation, building complete attack chains, and outputting pentester-ready MITRE-mapped evidence for consulting deliverables.

How is ADscan different from Pentera?

Pentera is a GUI-based automated platform designed for IT teams to run simulations. ADscan is a CLI tool built for pentesters who need granular control over attack vectors, reproducible evidence, and detailed technical reporting for client deliverables.

Does ADscan work in air-gapped environments?

Yes. ADscan supports offline licenses and includes an optional on-premises license server for completely air-gapped deployments. All tools and wordlists are bundled locally.

What operating systems does ADscan support?

Currently Linux (Kali, Ubuntu, Debian, Parrot). Docker and Windows support are in the near-term roadmap. Design Partners get early access to new platform releases.

Can ADscan integrate with existing pentest workflows?

Yes. ADscan exports to JSON for integration with other tools, generates Word reports using your templates, and works alongside BloodHound, NetExec, and other standard AD pentest tools.

How much does ADscan cost for consulting companies?

PRO seats start at €997/year. Enterprise team packs (5/10/25 seats) include volume discounts, SSO, and priority support. POV Pass available at €249 per 14-day engagement for project-based testing.

What's included in the 14-day POV?

Full ADscan PRO features, setup assistance, Word report generation, and a debrief session with your team lead. No credit card required. Run in your non-production lab environment.

What is the difference between a POV and the Design Partner program?

POV is a 14-day lab evaluation to validate fit. Design Partner is a 90-day collaboration with direct support, early features and limited discounted pricing in exchange for an anonymous/public case.

Quick Start | ADscan

This guide walks you through your first scan with ADscan in less than 5 minutes.

Authorization Required

Only use ADscan on systems you have written authorization to test. Unauthorized access to computer systems is illegal.

Prerequisites

Make sure you have:

✅ ADscan installed (Installation guide)
✅ Dependencies installed (adscan install)
✅ Root/sudo access
✅ Network access to target domain

Step 1: Start ADscan

Launch the interactive TUI:

adscan start

You'll see the ADscan prompt:

(ADscan) >

Enable Verbose Mode (Optional)

For more detailed output during your first scan:

adscan start -v
# or
adscan start --verbose

Step 2: Create a Workspace

Workspaces keep your scan data organized. Create one for your target:

(ADscan) > workspace create my_first_scan

Your prompt will change to show the active workspace:

(ADscan:my_first_scan) >

Workspace Isolation

Each workspace stores credentials, enumeration data, and BloodHound collections separately. Use one workspace per target domain to avoid data mixing.

Step 3: Configure Network Interface

Set your network interface (e.g., eth0, tun0 for VPN):

(ADscan:my_first_scan) > set iface tun0

Step 4: Choose Automation Level

ADscan offers two modes:

Semi-automatic (auto=False) - Prompts for each action (recommended for production)
Automatic (auto=True) - Faster, minimal prompts (good for labs/CTFs)

For your first scan, use semi-automatic mode:

(ADscan:my_first_scan) > set auto False

Production Environments

Always use auto=False (semi-automatic mode) in production environments. Automatic mode may perform disruptive operations without confirmation, which could cause service disruptions or trigger detection mechanisms.

Step 5: Run Your First Scan

Option A: Unauthenticated Scan

Start with an unauthenticated scan to discover targets:

# Set target range
(ADscan:my_first_scan) > set hosts 10.10.10.0/24

# Start unauthenticated scan
(ADscan:my_first_scan) > start_unauth

ADscan will:

Discover Active Directory domain controllers
Enumerate users and computers
Perform anonymous LDAP queries
Extract useful information without credentials

Option B: Authenticated Scan

If you have credentials, start with an authenticated scan:

(ADscan:my_first_scan) > start_auth example.local 10.10.10.1 username password

ADscan will:

Verify credentials
Enumerate domain users, groups, and computers
Check for common vulnerabilities
Perform Kerberoasting and AS-REP roasting
Collect BloodHound data
Suggest next steps

Step 6: Follow Interactive Prompts

ADscan will guide you through the enumeration and exploitation process:

Green prompts: Safe enumeration actions
Yellow warnings: Potentially noisy operations
Red confirmations: Disruptive actions (always require explicit confirmation)

Example interactive flow:

[?] AS-REP roastable accounts found. Attempt to crack hashes? (y/n):
[?] Kerberoastable accounts discovered. Perform Kerberoasting? (y/n):
[?] Credentials found! Attempt credential spraying? (y/n):

Step 7: View Results

ADscan stores all results in your workspace directory:

ls ~/.adscan/workspaces/my_first_scan/

You'll find:

credentials.json - Discovered credentials
users.txt - Domain users
computers.txt - Domain computers
bloodhound/ - BloodHound collection data
logs/ - Scan logs

Example: Complete CTF Scan

Here's a complete example for a CTF box:

# Start ADscan
adscan start -v

# Create workspace
(ADscan) > workspace create htb_forest
(ADscan:htb_forest) >

# Configure
(ADscan:htb_forest) > set iface tun0
(ADscan:htb_forest) > set auto True

# Set target
(ADscan:htb_forest) > set hosts 10.10.10.161

# Run unauthenticated scan
(ADscan:htb_forest) > start_unauth

# ADscan will automatically:
# - Discover domain (htb.local)
# - Find AS-REP roastable accounts
# - Crack hashes
# - Authenticate with found credentials
# - Escalate to Domain Admin
# - Dump credentials

For the HTB Forest machine, this process takes ~3 minutes in automatic mode.

Next Steps

Now that you've completed your first scan:

📚 Learn about workspace management
🔍 Explore scanning commands
🔍 Manage credentials
🎯 Follow a CTF walkthrough

Getting Help

Within the ADscan shell, you can always get help:

# List all commands
(ADscan:workspace) > help

# Get help for specific command
(ADscan:workspace) > help start_auth

Community Support

Need help? Join our community:

Discord: discord.com/invite/fXBR3P8H74
GitHub Issues: github.com/ADscanPro/adscan/issues

Quick Start

On this page