How does ADscan reduce AD pentest time from 5 days to 2?

ADscan automates enumeration (saves 1-2 days), provides semi-guided exploitation paths (saves 1-2 days), and generates MITRE-mapped reports automatically (saves 0.5-1 day). The operator confirms all actions while ADscan handles the grunt work.

What's the difference between ADscan and PingCastle/Purple Knight?

PingCastle and Purple Knight are excellent risk assessment tools for IT teams. ADscan goes further by executing semi-guided exploitation, building complete attack chains, and outputting pentester-ready MITRE-mapped evidence for consulting deliverables.

How is ADscan different from Pentera?

Pentera is a GUI-based automated platform designed for IT teams to run simulations. ADscan is a CLI tool built for pentesters who need granular control over attack vectors, reproducible evidence, and detailed technical reporting for client deliverables.

Does ADscan work in air-gapped environments?

Yes. ADscan supports offline licenses and includes an optional on-premises license server for completely air-gapped deployments. All tools and wordlists are bundled locally.

What operating systems does ADscan support?

Currently Linux (Kali, Ubuntu, Debian, Parrot). Docker and Windows support are in the near-term roadmap. Design Partners get early access to new platform releases.

Can ADscan integrate with existing pentest workflows?

Yes. ADscan exports to JSON for integration with other tools, generates Word reports using your templates, and works alongside BloodHound, NetExec, and other standard AD pentest tools.

How much does ADscan cost for consulting companies?

PRO seats start at €997/year. Enterprise team packs (5/10/25 seats) include volume discounts, SSO, and priority support. POV Pass available at €249 per 14-day engagement for project-based testing.

What's included in the 14-day POV?

Full ADscan PRO features, setup assistance, Word report generation, and a debrief session with your team lead. No credit card required. Run in your non-production lab environment.

What is the difference between a POV and the Design Partner program?

POV is a 14-day lab evaluation to validate fit. Design Partner is a 90-day collaboration with direct support, early features and limited discounted pricing in exchange for an anonymous/public case.

Troubleshooting

This guide covers common issues you may encounter when using ADscan and how to resolve them.

Installation Issues

Docker Not Running

Error:

✗ Docker daemon not running
✗ Cannot install BloodHound CE

Solution:

# Check Docker status
sudo systemctl status docker

# Start Docker
sudo systemctl start docker

# Enable Docker on boot
sudo systemctl enable docker

# Verify Docker is running
docker ps

Permission Denied

Error:

✗ Permission denied: /root/.adscan/

Solution:

# Run ADscan with sudo for installation
sudo adscan install

# Or fix permissions
sudo chown -R $USER:$USER ~/.adscan/

Python Version Mismatch

Error:

✗ Python 3.8+ required, found 3.7

Solution:

# Install Python 3.12 with pyenv
pyenv install 3.12.3
pyenv global 3.12.3

# Verify version
python --version

Scanning Issues

Network Interface Not Found

Error:

✗ Interface 'tun0' not found

Solution:

# List available interfaces
ip addr show

# Check VPN connection
ping 10.10.10.1

# Restart VPN if needed
sudo openvpn --config lab.ovpn

Domain Not Found

Error:

✗ No Active Directory domain found in range

Solutions:

Verify network connectivity:

# Ping domain controller
ping 10.10.10.1

# Check DNS resolution
nslookup dc01.example.local

# Test SMB connectivity
smbclient -L //10.10.10.1 -N

Check firewall rules:

# Required ports:
# - 88 (Kerberos)
# - 389/636 (LDAP/LDAPS)
# - 445 (SMB)
# - 3389 (RDP)

# Test port connectivity
nc -zv 10.10.10.1 445
nc -zv 10.10.10.1 389
nc -zv 10.10.10.1 88

Expand IP range:

# Try broader range if scanning specific subnet
(ADscan:workspace) > set hosts 10.10.10.0/24

Authentication Failed

Error:

✗ Authentication failed for user 'jdoe'

Troubleshooting steps:

Verify credentials:

# Test with NetExec
nxc smb 10.10.10.1 -u 'jdoe' -p 'password'

# Test with smbclient
smbclient //10.10.10.1/IPC$ -U 'DOMAIN\jdoe%password'

Check account status:
- Account may be locked
- Password may have expired
- Account may be disabled
- Wrong domain name
Use NTLM hash instead:

# If password doesn't work, try hash
(ADscan:workspace) > start_auth domain.local 10.10.10.1 jdoe aad3b435b51404eeaad3b435b51404ee:hash

BloodHound Issues

BloodHound Not Starting

Error:

✗ BloodHound CE not accessible at http://localhost:8080

Solution:

# Check if BloodHound container is running
docker ps | grep bloodhound

# View container logs
docker logs bloodhound

# Restart BloodHound
docker restart bloodhound

# Check ports
sudo netstat -tlnp | grep 8080

Cannot Upload Data

Error:

✗ Failed to upload BloodHound data

Solution:

# Verify BloodHound credentials
curl -u 'admin:password' http://localhost:8080

# Manual upload via UI
# 1. Open http://localhost:8080
# 2. Login with admin credentials
# 3. Click Upload Data
# 4. Select files from ~/.adscan/workspaces/<workspace>/bloodhound/

Credential Issues

Hash Cracking Failed

Error:

✗ Failed to crack hash after 1000000 attempts

Solutions:

Use custom wordlist:

# Copy custom wordlist to ADscan
cp custom_passwords.txt ~/.adscan/wordlists/

# ADscan will prompt to select wordlist

Use external cracking:

# Export hash
cat ~/.adscan/workspaces/<workspace>/asrep/hashes.txt

# Crack with hashcat
hashcat -m 18200 hashes.txt rockyou.txt

# Crack with john
john --wordlist=rockyou.txt hashes.txt

No Credentials Found

Scenario: Scan completes but no credentials discovered.

Troubleshooting:

Check scan mode:

# Ensure authenticated scan was run
(ADscan:workspace) > start_auth domain.local 10.10.10.1 user pass

Review BloodHound paths:
- Open BloodHound UI
- Search for your user
- Look for "Shortest Path to Domain Admins"
- Check for exploitable paths
Try different attack vectors:
- AS-REP roasting (unauthenticated)
- Kerberoasting (authenticated)
- Password spraying
- SMB relay
- LLMNR/NBT-NS poisoning

Workspace Issues

Workspace Corruption

Error:

✗ Failed to load workspace data

Solution:

# Check workspace integrity
ls -la ~/.adscan/workspaces/<workspace>/

# Recreate workspace if corrupted
(ADscan) > workspace delete corrupted_workspace
(ADscan) > workspace create new_workspace

Disk Space Full

Error:

✗ No space left on device

Solution:

# Check disk usage
df -h ~/.adscan/

# Clear old workspaces
(ADscan) > workspace list
(ADscan) > workspace delete old_workspace

# Or manually delete
rm -rf ~/.adscan/workspaces/old_workspace/

# Clear logs
rm ~/.adscan/logs/*.log

Performance Issues

Slow Scanning

Symptoms:

Enumeration takes very long
Timeouts during scanning

Solutions:

Reduce target range:

# Scan specific DC instead of entire subnet
(ADscan:workspace) > set hosts 10.10.10.1

Check network latency:

# High latency affects performance
ping -c 10 10.10.10.1

Use verbose mode for debugging:

adscan start -v

High Memory Usage

Solution:

# Monitor memory usage
htop

# Restart ADscan if memory leak suspected
# (exit and restart the TUI)

Error Messages

"Command not found"

Error:

bash: adscan: command not found

Solution:

# Check installation
which adscan

# If installed with pipx
pipx ensurepath
source ~/.bashrc

# If installed with pip
pip show adscan

# Reinstall if needed
pipx install --force adscan

"Module not found"

Error:

ModuleNotFoundError: No module named 'rich'

Solution:

# Reinstall dependencies
adscan install --force

# Or manually install
pip install -r requirements.txt

Getting Help

If you're still experiencing issues:

Check logs:

tail -f ~/.adscan/logs/adscan.log

Enable debug mode:

adscan start --debug

Report issue on GitHub:
- GitHub Issues
- Include logs, error messages, and steps to reproduce
Join Discord:
- ADscan Discord
- Get real-time help from the community

Troubleshooting

On this page