adscanpro.com / blog
Security Intelligence
Active Directory security guides for pentesters, security consultants, and CISOs. Techniques, compliance, and reporting.
start here
Active Directory Pentesting: Complete Operator Guide (2026)
Full AD pentest methodology — from unauthenticated recon to Domain Admin. Enumeration, Kerberos attacks, ADCS, attack paths, credential harvesting, and reporting.
all posts
Active Directory Initial Access Without Credentials: 6-Step Operator Workflow
How to get a foothold in an AD environment from zero — no credentials, no prior access. LinkedIn OSINT, Kerbrute, and password spraying. Verified from real engagements.
OneRuleToRuleThemStill: The Hashcat Rule Upgrade Most Pentesters Are Missing
In 2023, the creator of OneRuleToRuleThemAll published a faster, cleaner version. Same crack rate. 11% fewer rules. Most pentesters are still using the old one.
Best Wordlists for Active Directory Hash Cracking (2026 Benchmarks)
Ranked wordlists for cracking NTLM hashes from AD engagements. Real crack rates from weakpass.com. rockyou.txt is Rank C. Here's what actually works.
Kerberoasting Active Directory: Complete Operator Guide (2026)
How Kerberoasting works, how to find roastable accounts, extract TGS tickets, crack offline with hashcat, and what ADscan automates.
AS-REP Roasting Active Directory: Operator Guide (2026)
Find accounts with Kerberos pre-auth disabled, extract hashes without credentials, crack offline. No special privileges needed.
ADCS ESC1 Exploitation: From Low-Priv User to Domain Admin
How misconfigured certificate templates let any domain user request a DA certificate. Step-by-step with Certipy.
ADCS ESC8: NTLM Relay to Active Directory Certificate Services
Relay NTLM to the AD CS enrollment endpoint, obtain a DC certificate, and compromise the domain. No template permissions needed.
AD Attack Paths: Map and Exploit with BloodHound (2026)
Use BloodHound CE to map AD relationships, find the shortest path to Domain Admin, and execute with operator control.
DCSync Attack: How It Works, How to Execute, and How to Detect It
DCSync mimics DC replication to dump all AD password hashes — no LSASS, no code on the DC. Find rights, execute, detect.
DORA and Active Directory: Security Obligations for Financial Entities
What DORA requires from EU financial entities about Active Directory security. Concrete controls, required evidence, and how to audit before the supervisor asks.
How to Make the Business Case for an AD Security Audit (Without Technical Jargon)
The 4 arguments that work with a CFO to approve an AD security audit budget. No technical jargon. Includes a 5-minute conversation script.
tool
ADscan LITE — free, open source
Everything in these guides, automated. From unauthenticated recon to DA in one workflow.