Best Practices
Professional guidelines for using ADscan in security assessments and penetration tests
This guide provides best practices for using ADscan professionally in security assessments, penetration tests, and authorized security research.
Pre-Engagement Planning
Scope Verification
Before starting ADscan, ensure you have:
- Written authorization to test the target environment
- Clear scope definition including IP ranges and domains
- Rules of engagement defining what actions are permitted
- Emergency contacts for the client organization
- Agreed testing windows and blackout periods
Environment Preparation
Set up your testing environment properly:
# Create isolated workspace for the engagement
(ADscan) > workspace create client_2024_pentest
# Verify network connectivity
(ADscan:client_2024_pentest) > system ping -c 3 <target_dc_ip>
# Document baseline information
(ADscan:client_2024_pentest) > system ip addr show
(ADscan:client_2024_pentest) > system route -n
Backup Your Tools
Before critical operations, ensure your tooling is backed up:
# Backup ADscan configuration
cp ~/.adscan/config.json ~/.adscan/config.json.backup
# Note your current workspace state
ls -lah ~/.adscan/workspaces/client_2024_pentest/
Operational Security
Network Isolation
- Use dedicated testing infrastructure - Don't mix client data with other engagements
- VPN/Network segmentation - Ensure traffic is properly isolated
- Document IP addresses - Keep records of your testing source IPs
Stealth Considerations
ADscan is designed for authorized testing, not stealth operations. However, for realistic red team scenarios:
# Use verbose mode to understand what's being executed
(ADscan:workspace) > set verbose true
# Review operations before automated execution
# Consider manual execution of sensitive commands via 'system'
Note: ADscan's automated workflows are optimized for efficiency, not stealth. For highly sensitive engagements requiring operational security, consider manual execution of individual techniques.
Workspace Organization
Naming Conventions
Use consistent, meaningful workspace names:
# Good workspace names
workspace create acme_corp_2024_pentest
workspace create healthcare_internal_audit_jan2024
workspace create goad_lab_training
# Avoid generic names
workspace create test # Too vague
workspace create workspace1 # No context
workspace create temp # Suggests temporary/disposable
One Domain Per Workspace
Best practice: Create separate workspaces for each target domain
# Multiple domains - use separate workspaces
(ADscan) > workspace create corp_domain
(ADscan:corp_domain) > start_unauth 10.10.10.0/24
# Later, different domain
(ADscan) > workspace create dev_domain
(ADscan:dev_domain) > start_unauth 10.20.20.0/24
Why? Isolating domains prevents:
- Credential cross-contamination
- Confusing enumeration data
- Reporting errors
- Data integrity issues
Regular Workspace Information Checks
Monitor workspace state throughout your engagement:
# Check what you've collected so far
(ADscan:client_2024) > workspace info
# Review discovered credentials
(ADscan:client_2024) > creds show
# TODO: Add real 'workspace info' and 'creds show' output examples
Credential Handling
Secure Credential Management
ADscan stores discovered credentials in workspace directories. Protect this data:
# Credentials stored here:
# ~/.adscan/workspaces/<workspace>/credentials.json
# Verify permissions (should be restrictive)
ls -la ~/.adscan/workspaces/client_2024/credentials.json
# Should show: -rw------- (600) or -rw-r----- (640)
# If permissions are too open, restrict them:
chmod 600 ~/.adscan/workspaces/*/credentials.json
Credential Testing Strategy
Test credentials systematically to avoid account lockouts:
# 1. Start with least-privilege accounts
(ADscan:workspace) > creds select domain.local/lowpriv_user
# 2. Enumerate before attempting privilege escalation
(ADscan:workspace) > start_auth domain.local <dc_ip> lowpriv_user <password>
# 3. If successful, check for higher-privilege paths in BloodHound
# 4. Only then attempt escalation techniques
# TODO: Add real credential selection and authentication examples
Avoid Account Lockouts
- Know the account lockout policy before password attacks
- Use discovered credentials instead of brute forcing when possible
- Limit authentication attempts - ADscan's automated workflows are conservative
- Monitor for lockouts - Watch for authentication failures
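The permission check described under Secure Credential Management above, written out as an added example (this is not ADscan's own code). It assumes the ~/.adscan/workspaces/<workspace>/credentials.json layout the page describes, treats 600 and 640 as the acceptable modes the page lists, resets anything wider to 600, and reports what it changed. It uses GNU stat (Linux) with a BSD/macOS fallback; the demo at the end runs on a constructed layout in a temporary directory so it touches no real workspace.

```shell
#!/bin/sh
# Added example: audit every per-workspace credential store and tighten any that
# other users could read. Not part of ADscan; path layout assumed from the docs.

# file_mode PATH: print the octal permission bits of PATH (e.g. 600)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"   # GNU stat, then BSD stat
}

# restrict_cred_file PATH: accept mode 600 or 640; reset anything wider to 600.
# Prints the final mode; returns 1 if the file is missing or cannot be fixed.
restrict_cred_file() {
    cred=$1
    [ -f "$cred" ] || { echo "missing credential file: $cred" >&2; return 1; }
    mode=$(file_mode "$cred") || return 1
    case $mode in
        600|640) ;;                       # already restrictive enough, leave it alone
        *)
            echo "$cred: mode $mode is too open, setting 600" >&2
            chmod 600 "$cred" || return 1
            mode=$(file_mode "$cred") || return 1
            ;;
    esac
    echo "$mode"
}

# audit_workspaces ROOT: run restrict_cred_file on every <workspace>/credentials.json
# below ROOT (default ~/.adscan/workspaces). Returns 1 if any file could not be fixed.
audit_workspaces() {
    root=${1:-$HOME/.adscan/workspaces}
    rc=0
    for f in "$root"/*/credentials.json; do
        [ -e "$f" ] || continue           # the glob matched nothing
        restrict_cred_file "$f" >/dev/null || rc=1
    done
    return $rc
}

# Demo on a constructed layout in a temp directory (no real workspace is touched)
demo_root=$(mktemp -d)
mkdir -p "$demo_root/acme_corp_2024_pentest" "$demo_root/goad_lab_training"
echo '{}' > "$demo_root/acme_corp_2024_pentest/credentials.json"
echo '{}' > "$demo_root/goad_lab_training/credentials.json"
chmod 644 "$demo_root/acme_corp_2024_pentest/credentials.json"   # deliberately too open
chmod 640 "$demo_root/goad_lab_training/credentials.json"        # acceptable, left as is
audit_workspaces "$demo_root"
ls -l "$demo_root"/*/credentials.json
rm -rf "$demo_root"
```

Run it with no arguments against the real layout (audit_workspaces defaults to ~/.adscan/workspaces) after each engagement, or from cron; the messages on stderr tell you which files were wider than 640.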
Data Protection
Encrypt Sensitive Data
For highly sensitive engagements, encrypt workspace data at rest:
# Create encrypted volume for workspaces
# Example using LUKS (Linux)
sudo cryptsetup luksFormat /dev/sdX
sudo cryptsetup open /dev/sdX adscan_vault
sudo mkfs.ext4 /dev/mapper/adscan_vault
sudo mount /dev/mapper/adscan_vault /mnt/secure_workspaces
# Move ADscan workspaces to the encrypted volume and point the old path at the new location
sudo mv ~/.adscan/workspaces /mnt/secure_workspaces/
ln -s /mnt/secure_workspaces/workspaces ~/.adscan/workspaces
Secure Transport
When transferring data:
# Use SCP with encryption for workspace backups
scp -r ~/.adscan/workspaces/client_2024 secure-backup-server:/backups/
# Or use rsync over SSH
rsync -avz -e ssh ~/.adscan/workspaces/client_2024/ backup:/secure/
Data Retention
Follow your organization's data retention policies:
# After engagement completion and reporting
# Securely overwrite sensitive files first, while they still exist on disk
shred -vfz -n 3 ~/.adscan/workspaces/client_2024/credentials.json
# Then clear the workspace contents
(ADscan:client_2024) > clear_all
# Then remove the workspace
(ADscan) > workspace delete client_2024
Post-Engagement Cleanup
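An added end-to-end script (not ADscan's own code) that ties together the retention steps above and the archival and sanitization steps that follow: it archives a workspace under a timestamped name, reads the archive back and records its SHA-256 before anything is deleted, encrypts it with gpg when gpg is installed, and overwrites the credential store as the first sanitization step. It assumes the ~/.adscan/workspaces/<workspace>/credentials.json layout from the page and GNU coreutils (sha256sum, shred), with fallbacks where those are absent; the demo at the end uses a constructed workspace in a temporary directory.

```shell
#!/bin/sh
# Added example: archive, verify, encrypt, then sanitize a workspace.
# Not part of ADscan; path layout assumed from the docs.

# archive_workspace WS_DIR OUT_DIR: create OUT_DIR/<name>_final_<timestamp>.tar.gz and a
# .sha256 file beside it; print the archive path. Fails, deleting nothing, if the archive
# cannot be read back.
archive_workspace() {
    ws=${1%/}
    out=$2
    [ -d "$ws" ] || { echo "no such workspace directory: $ws" >&2; return 1; }
    mkdir -p "$out" || return 1
    name=$(basename "$ws")
    archive="$out/${name}_final_$(date +%Y%m%d_%H%M%S).tar.gz"
    # -C stores paths relative to the workspaces root, not your full home-directory path
    tar -czf "$archive" -C "$(dirname "$ws")" "$name" || return 1
    # read the archive back before the originals are ever touched
    tar -tzf "$archive" >/dev/null || { echo "archive unreadable: $archive" >&2; return 1; }
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$archive" > "$archive.sha256"
    else
        shasum -a 256 "$archive" > "$archive.sha256"      # macOS/BSD
    fi
    echo "$archive"
}

# encrypt_archive ARCHIVE: symmetric AES256 encryption as on the page; the plaintext
# tarball is removed only after gpg reports success. Prompts for a passphrase.
encrypt_archive() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, archive left unencrypted" >&2; return 1; }
    gpg --symmetric --cipher-algo AES256 "$1" && rm -f "$1"
}

# shred_credentials WS_DIR: overwrite and unlink the credential store. Run this before
# 'workspace delete', which removes the file and leaves nothing to shred.
shred_credentials() {
    cred="$1/credentials.json"
    [ -f "$cred" ] || return 0
    if command -v shred >/dev/null 2>&1; then
        shred -fz -n 3 -u "$cred"
    else
        rm -f "$cred"       # no shred available: plain unlink, no overwrite
    fi
}

# Demo on a constructed workspace in a temp directory (nothing real is archived or shredded)
tmp=$(mktemp -d)
mkdir -p "$tmp/workspaces/client_2024"
echo '{"constructed": "sample credential store"}' > "$tmp/workspaces/client_2024/credentials.json"
if archive=$(archive_workspace "$tmp/workspaces/client_2024" "$tmp/archives"); then
    echo "archived to $archive"
    cat "$archive.sha256"
    shred_credentials "$tmp/workspaces/client_2024"
fi
rm -rf "$tmp"
```

For a real engagement, call archive_workspace on the workspace directory with your archive location, then encrypt_archive on the printed path, and only after the .gpg file is in its secure location run shred_credentials followed by clear_all and workspace delete. Keep the .sha256 file with the archive: it lets you prove later that what you stored is what you retrieved.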
Workspace Archival
Before deleting data, archive for records:
# Create timestamped archive (keep the name in a variable so later steps match it)
ARCHIVE=client_2024_final_$(date +%Y%m%d).tar.gz
tar -czf "$ARCHIVE" ~/.adscan/workspaces/client_2024/
# Encrypt the archive
gpg --symmetric --cipher-algo AES256 "$ARCHIVE"
# Store encrypted archive securely
mv "$ARCHIVE.gpg" /secure/archives/
Data Sanitization
Remove workspace data after archival:
# Clear workspace contents
(ADscan:client_2024) > clear_all
# Delete workspace
(ADscan) > workspace delete client_2024
# Verify deletion
ls ~/.adscan/workspaces/
BloodHound Data Cleanup
BloodHound CE may retain data outside workspace directories:
# Check BloodHound data location
docker exec bloodhound ls /opt/bloodhound/data/
# If needed, remove specific domain data from BloodHound
# Access BloodHound UI and use data management features
# Or stop/restart BloodHound container for clean slate
Legal and Compliance
Documentation Requirements
Maintain detailed records of your testing:
# ADscan logs all operations
tail -f ~/.adscan/logs/adscan.log
# Keep logs for your records
cp ~/.adscan/logs/adscan.log ./engagement_logs/adscan_$(date +%Y%m%d_%H%M%S).log
Authorized Use Only
CRITICAL REMINDER:
- ADscan must only be used on systems you are authorized to test
- Unauthorized access to computer systems is illegal in most jurisdictions
- Always obtain written permission before testing
- Respect scope limitations and rules of engagement
- Stop testing immediately if you encounter systems outside your scope
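To make the scope rules above checkable before a scan starts, rather than after, here is an added example (not ADscan's own code) that compares a list of discovered hosts against the IPv4 ranges named in the rules of engagement and reports anything outside them. It is plain POSIX sh arithmetic with no external tools; the host-list format (one IPv4 address per line, '#' comments allowed) and the ranges and hosts in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag discovered hosts that fall outside the authorized ranges.
# Not part of ADscan; ranges and host list below are constructed.

# ip4_to_int ADDR: print the dotted-quad IPv4 address as a 32-bit integer; fail on bad input
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$1" "$2" "$3" "$4"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR CIDR: succeed if ADDR lies inside CIDR ("10.10.10.0/24" or a bare address)
in_cidr() {
    addr=$(ip4_to_int "$1") || return 2
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    net_int=$(ip4_to_int "$net") || return 2
    case $bits in ''|*[!0-9]*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    # network mask as a 32-bit value; shifts run in 64-bit so /0 is handled too
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net_int & mask )) ]
}

# in_scope ADDR "CIDR CIDR ...": succeed if ADDR is inside any authorized range
in_scope() {
    for range in $2; do
        in_cidr "$1" "$range" && return 0
    done
    return 1
}

# scope_violations HOSTFILE "CIDR CIDR ...": print each host in HOSTFILE that no
# authorized range covers; returns 1 if there is at least one such host
scope_violations() {
    violations=0
    while IFS= read -r host || [ -n "$host" ]; do
        case $host in ''|\#*) continue ;; esac
        if ! in_scope "$host" "$2"; then
            echo "OUT OF SCOPE: $host"
            violations=$((violations + 1))
        fi
    done < "$1"
    [ "$violations" -eq 0 ]
}

# Demo: constructed authorized ranges and a constructed discovery-sweep result
AUTHORIZED="10.10.10.0/24 10.20.20.0/24"
hosts=$(mktemp)
cat > "$hosts" <<'EOF'
# hosts seen by the discovery sweep
10.10.10.10
10.10.10.11
10.20.20.5
10.10.11.7
192.168.1.1
EOF
if scope_violations "$hosts" "$AUTHORIZED"; then
    echo "all discovered hosts are within the authorized ranges"
else
    echo "remove the hosts above from your target list before scanning"
fi
rm -f "$hosts"
```

Feed it the host list you intend to pass to set hosts and the ranges from the signed scope document; a non-zero exit means the target list needs trimming before any scan runs. Hosts that reach the list through a neighbouring subnet or a second NIC are exactly the ones this catches.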
Incident Response
If you accidentally compromise a production system or cause disruption:
- Stop testing immediately
- Notify the client contact
- Document exactly what happened
- Preserve logs and evidence
- Follow the incident response plan agreed in rules of engagement
Performance Optimization
Target Scope Optimization
Reduce scan time by targeting specific systems:
# Instead of scanning entire /24
(ADscan:workspace) > set hosts 10.10.10.0/24
# Target only domain controllers
(ADscan:workspace) > set hosts 10.10.10.10,10.10.10.11
# TODO: Add real 'set hosts' examples and output
Network Latency Considerations
High-latency connections (VPN, international links) affect performance:
# Check latency to target
(ADscan:workspace) > system ping -c 10 <dc_ip>
# If latency is high (>100ms), expect slower enumeration
# Consider adjusting timeouts or running during off-hours
Resource Monitoring
Monitor system resources during large scans:
# Watch memory and CPU usage
(ADscan:workspace) > system htop
# Check disk space for large environments
(ADscan:workspace) > system df -h ~/.adscan/
BloodHound Best Practices
Data Collection Strategy
# Start with standard collection
(ADscan:workspace) > start_auth domain.local <dc_ip> user password
# ADscan automatically collects BloodHound data during authenticated scans
# Access BloodHound to analyze results
# Open browser to http://localhost:8080
Query Strategy
Efficient BloodHound queries for common paths:
- Shortest Path to Domain Admins - From your compromised user
- Kerberoastable Users - High-value targets for credential attacks
- AS-REP Roastable Users - Unauthenticated attack opportunities
- Unconstrained Delegation - High-impact misconfigurations
- DCSync Rights - Direct domain compromise paths
Regular Data Refresh
Update BloodHound data as you gain new access:
# After gaining new credentials, re-run authenticated scan
(ADscan:workspace) > creds select domain.local/new_user
(ADscan:workspace) > start_auth domain.local <dc_ip> new_user <password>
# BloodHound data will be automatically updated with new perspective
Common Mistakes to Avoid
1. Mixing Multiple Engagements in One Workspace
Wrong:
(ADscan:test) > start_auth client1.local 10.10.10.1 user pass
(ADscan:test) > start_auth client2.local 10.20.20.1 user pass
# Credentials and data are now mixed
Right:
(ADscan) > workspace create client1_engagement
(ADscan:client1_engagement) > start_auth client1.local 10.10.10.1 user pass
(ADscan) > workspace create client2_engagement
(ADscan:client2_engagement) > start_auth client2.local 10.20.20.1 user pass
2. Not Backing Up Before Risky Operations
Wrong:
(ADscan:critical_client) > clear_all
# Oops, lost all data
Right:
# Backup first
$ tar -czf backup_before_cleanup.tar.gz ~/.adscan/workspaces/critical_client/
# Then proceed
(ADscan:critical_client) > clear_all
3. Ignoring Scope Boundaries
Always verify you're targeting authorized systems:
# Check your target range
(ADscan:workspace) > system nmap -sn 10.10.10.0/24
# Compare with authorized scope from rules of engagement
# If anything is out of scope, adjust your targets
4. Not Reviewing Logs
Check logs regularly for errors or unexpected behavior:
# Monitor logs in real-time during scans
$ tail -f ~/.adscan/logs/adscan.log
# Review logs after completion
$ less ~/.adscan/logs/adscan.log
Quick Reference Checklist
Before starting an engagement:
- Written authorization obtained
- Scope clearly defined and documented
- Testing infrastructure prepared and isolated
- Dedicated workspace created with meaningful name
- Network connectivity to target verified
- Emergency contacts documented
- Backup procedures tested
During engagement:
- Monitor workspace info regularly
- Document findings as you progress
- Test credentials systematically (avoid lockouts)
- Keep BloodHound data updated
- Watch for scope boundaries
- Review logs for errors
After engagement:
- Archive workspace data securely
- Generate reports from collected data
- Clean up sensitive data per retention policy
- Verify all data is properly secured or deleted
- Document lessons learned