
🧭 Command Reference

Workflows and command shortcuts for scanning, credentials, and workspace-based evidence.

ADscan is a workflow tool: scan → discover attack steps → review attack paths → execute with operator control. This page gives you the shortest path to the commands that matter.

Workspace Commands

Command           Description                    Syntax
workspace create  Create new workspace           workspace create <name>
workspace list    List all workspaces            workspace list
workspace switch  Switch to different workspace  workspace switch <name>
workspace delete  Delete workspace               workspace delete <name>
workspace info    Show workspace details         workspace info
clear_all         Clear all workspace data       clear_all

Configuration Commands

Command        Description               Syntax                  Example
set iface      Set network interface     set iface <interface>   set iface tun0
set hosts      Set target IP range       set hosts <cidr|ip>     set hosts 10.10.10.0/24
set auto       Set automation level      set auto <True|False>   set auto False
set telemetry  Enable/disable telemetry  set telemetry <on|off>  set telemetry on

Scanning Commands

Command       Description                 Syntax
start_unauth  Start unauthenticated scan  start_unauth [domain|dc_ip] [dc_ip]
start_auth    Start authenticated scan    start_auth or start_auth <domain> <dc_ip> <user> <pass|hash>

Attack Graph Commands

Command       Description                    Syntax
attack_paths  List and inspect attack paths  attack_paths <domain> [user|owned] [index] [--max N] [--depth N] [--all]
attack_steps  List discovered attack steps   attack_steps <domain> [user] [--max N]

Credential Commands

Command       Description                        Syntax
creds show    Display discovered credentials     creds show
creds select  Select credential for enumeration  creds select <domain>

System Command

Command  Description                   Syntax
system   Execute local system command  system <command>

AI Assistant Commands

Command                Description                          Syntax
ask setup              Configure AI backend/provider        ask setup
ask status             Show AI backend status               ask status
ask doctor             Validate AI runtime prerequisites    ask doctor
ask login codex        Sign in to Codex (ChatGPT Plus/Pro)  ask login codex
ask auth-status codex  Validate Codex authentication        ask auth-status codex
ask logout codex       Sign out from Codex                  ask logout codex
ask "<prompt>"         Run one AI prompt                    ask "summarize findings"
ask                    Interactive AI mode                  ask

Docker Mode Note

By default, ADscan runs inside a Docker container. That means the system command executes inside the ADscan container (with host networking), not directly on your host OS.

If you need to run host commands (for example docker ps), use a separate terminal on the host.

Common system commands:

system whoami                   # Container user
system ip addr show             # Network interfaces
system ping <ip>                # Test connectivity
system df -h                    # Disk space

Help Commands

Command         Description                    Syntax
help            List all commands              help
help <command>  Get help for specific command  help start_auth
exit            Exit ADscan                    exit

CLI Flags

Launch ADscan with these flags:

adscan start                 # Start interactive CLI
adscan start -v              # Start with verbose mode
adscan start --verbose       # Same as -v
adscan install               # Pull the ADscan runtime image
adscan check                 # Verify Docker/images are available
adscan install --legacy      # Legacy host-based installer (not recommended)
adscan check --legacy --fix  # Legacy automatic repairs (best-effort)
adscan start --legacy        # Run legacy host-based ADscan
adscan --version             # Show version
adscan --help                # Show help

Workflow Quick Start

Unauthenticated Scan

# Start ADscan
adscan start
  (ADscan:quickstart ~/.adscan/workspaces/quickstart) > workspace create quickstart_lab
  (ADscan:quickstart ~/.adscan/workspaces/quickstart) > set iface tun0
  (ADscan:quickstart ~/.adscan/workspaces/quickstart) > set hosts 10.10.10.0/24
  (ADscan:quickstart ~/.adscan/workspaces/quickstart) > set auto False
  (ADscan:quickstart ~/.adscan/workspaces/quickstart) > start_unauth

Authenticated Scan

# Start ADscan
adscan start
  (ADscan:quickstart ~/.adscan/workspaces/quickstart) > workspace create quickstart_auth
  (ADscan:quickstart ~/.adscan/workspaces/quickstart) > set iface tun0
  (ADscan:quickstart ~/.adscan/workspaces/quickstart) > set auto False
  (ADscan:quickstart ~/.adscan/workspaces/quickstart) > start_auth
  (ADscan:quickstart ~/.adscan/workspaces/quickstart) > attack_paths corp.local owned

start_auth will prompt you for credentials and the target context (domain/DC). If you already know everything, you can also run start_auth <domain> <dc_ip> <user> <pass|hash>.

Credential Management

  (ADscan:quickstart ~/.adscan/workspaces/quickstart) > creds show
  (ADscan:quickstart ~/.adscan/workspaces/quickstart) > creds select corp.local

Using Discovered Credentials

  (ADscan:quickstart ~/.adscan/workspaces/quickstart) > start_unauth # Discover credentials
  (ADscan:quickstart ~/.adscan/workspaces/quickstart) > creds show # View what was found
  (ADscan:quickstart ~/.adscan/workspaces/quickstart) > creds select corp.local # Pick credential
  (ADscan:quickstart ~/.adscan/workspaces/quickstart) > start_auth # Guided authenticated scan (recommended)
  (ADscan:quickstart ~/.adscan/workspaces/quickstart) > attack_paths corp.local owned # Review paths from owned users

Configuration Cheat Sheet

For Production/Client Engagements

set auto False               # Semi-automatic mode
set verbose True             # Detailed output
set telemetry off            # Disable if required

For Labs/CTFs

set auto True                # Automatic mode (safe actions auto-run)
set verbose True             # See what's happening

Network Configuration

# Find your interface
system ip addr show

# Common interfaces
set iface eth0               # Ethernet
set iface tun0               # VPN (HTB, VulnHub)
set iface wlan0              # WiFi

Automation Modes

Mode        Description             Use Case                        Prompts
auto=False  Semi-automatic          Production, client engagements  Before each risky operation
auto=True   Automatic (safe-first)  Labs, CTFs, testing             Minimal, still confirms high-impact actions

Production Safety

Use auto=False as the default in production environments. auto=True is optimized for labs and testing: it runs low-risk steps automatically but still asks for confirmation before noisy, disruptive, or out-of-scope operations.

File Locations

Workspace Data

~/.adscan/workspaces/<workspace>/
├── variables.json            # Structured workspace state (domains, creds, services, config)
├── report.json               # JSON report of discovered vulnerabilities and findings
├── domains/<domain>/attack_graph.json  # BloodHound-compatible attack-path export
├── users.txt                 # Domain users (all domains)
├── computers.txt             # Domain computers (all domains)
└── logs/                     # Scan logs

Logs

~/.adscan/logs/adscan.log     # Main log file

Configuration

~/.adscan/config.json         # User configuration
~/.adscan/tools/              # Legacy-installed tools (legacy mode only)

Attack-Path Analysis

ADscan's native graph collector runs as part of every authenticated scan and writes a BloodHound-compatible export per domain. Three ways to consume it:

# Inspect paths directly from the ADscan CLI
attack_paths <domain> owned
attack_paths <domain> owned --tier0-only
attack_paths <domain> owned --lowpriv

# Or load the JSON into your own BloodHound CE instance
# Path: ~/.adscan/workspaces/<ws>/domains/<domain>/attack_graph.json

No bundled BloodHound CE since v9.0.0

Earlier ADscan releases bundled a managed BloodHound CE container stack. Starting with v9.0.0, ADscan ships a native graph collector that produces the same BloodHound-compatible JSON without requiring a Docker Compose stack or a separate web UI.

If you want the BloodHound graph UI experience, run your own BloodHound CE instance and upload the JSON via its Upload Data action. The ADscan runtime does not need to talk to your BloodHound instance — the export is the only handoff.

Common Workflows

1. CTF Auto-Pwn

adscan start
workspace create htb_forest
set iface tun0
set auto True
set hosts 10.10.10.161
start_unauth
# ADscan automatically discovers, cracks, and escalates

2. Client Pentest (Conservative)

adscan start
workspace create client_jan2024
set iface eth0
set auto False
set hosts 192.168.1.0/24
start_unauth
# Review findings, then:
creds show
creds select corp.local
start_auth corp.local 192.168.1.10 user password

3. Credential Testing

workspace create cred_test
set iface eth0
set auto False
start_auth corp.local 10.0.0.1 testuser TestPass123
# Enumerate access and privileges

Tips and Tricks

Check VPN Before Scanning

system ping <target_ip>
system ip addr show | grep tun0

Monitor Scan Progress

# In another terminal
tail -f ~/.adscan/logs/adscan.log

View Workspace Files

# On the host (separate terminal)
ls -la ~/.adscan/workspaces/<workspace>/

Backup Workspace

# On the host (separate terminal)
tar -czf backup.tar.gz ~/.adscan/workspaces/<workspace>/
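
Since variables.json stores discovered credentials, a workspace archive deserves the same handling as the workspace itself. The script below is an added example, not part of the ADscan documentation or project code: it archives one workspace with owner-only permissions and records a SHA-256 digest for later verification. ADSCAN_HOME, backup_workspace and verify_backup are names assumed for this example; only the ~/.adscan/workspaces/<workspace>/ layout comes from this page.

```shell
#!/usr/bin/env bash
# Added example. ADSCAN_HOME, backup_workspace and verify_backup are names
# chosen here; only the ~/.adscan/workspaces/<workspace>/ layout is from the page.
ADSCAN_HOME="${ADSCAN_HOME:-$HOME/.adscan}"

backup_workspace() {
    # usage: backup_workspace <workspace> <dest-dir>; prints the archive path
    local ws="$1" dest="$2" src stamp archive
    [ -n "$ws" ] && [ -n "$dest" ] || { echo "usage: backup_workspace <workspace> <dest-dir>" >&2; return 2; }
    # Reject names that would step outside workspaces/.
    case "$ws" in */*|.|..) echo "invalid workspace name: $ws" >&2; return 2 ;; esac
    src="$ADSCAN_HOME/workspaces/$ws"
    [ -d "$src" ] || { echo "no such workspace: $src" >&2; return 1; }

    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    archive="$dest/adscan_${ws}_${stamp}.tar.gz"
    (
        # variables.json holds credentials: create everything owner-only.
        umask 077
        mkdir -p "$dest" || exit 1
        # -C stores paths relative to workspaces/ instead of absolute paths.
        tar -czf "$archive" -C "$ADSCAN_HOME/workspaces" "$ws" || exit 1
        # Record a SHA-256 digest beside the archive for later verification.
        cd "$dest" && sha256sum "${archive##*/}" > "${archive##*/}.sha256"
    ) || return 1
    printf '%s\n' "$archive"
}

verify_backup() {
    # usage: verify_backup <archive>; succeeds only if the digest matches
    # and the archive can still be listed
    local archive="$1"
    ( cd "$(dirname "$archive")" && sha256sum -c "${archive##*/}.sha256" >/dev/null ) || return 1
    tar -tzf "$archive" >/dev/null
}
```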

Inspect Attack-Path Export

# On the host (separate terminal)
ls -la ~/.adscan/workspaces/<workspace>/domains/<domain>/attack_graph.json
# Then load that file into your own BloodHound CE instance if you want the graph UI

Troubleshooting Quick Reference

Issue                                 Quick Fix
Docker not running                    sudo systemctl start docker
Interface not found                   system ip addr show to find correct interface
Authentication failed                 Verify credentials with nxc smb <ip> -u <user> -p <pass>
Attack-path graph missing for domain  Re-run start_auth with a credential that has LDAP read access
Out of disk space                     Delete old workspaces or use clear_all

For detailed troubleshooting, see the Troubleshooting Guide.
