How does ADscan reduce AD pentest time from 5 days to 2?

ADscan automates enumeration (saves 1-2 days), provides semi-guided exploitation paths (saves 1-2 days), and generates MITRE-mapped reports automatically (saves 0.5-1 day). The operator confirms all actions while ADscan handles the grunt work.

What's the difference between ADscan and PingCastle/Purple Knight?

PingCastle and Purple Knight are excellent risk assessment tools for IT teams. ADscan goes further by executing semi-guided exploitation, building complete attack chains, and outputting pentester-ready MITRE-mapped evidence for consulting deliverables.

How is ADscan different from Pentera?

Pentera is a GUI-based automated platform designed for IT teams to run simulations. ADscan is a CLI tool built for pentesters who need granular control over attack vectors, reproducible evidence, and detailed technical reporting for client deliverables.

Does ADscan work in air-gapped environments?

Yes. ADscan supports offline licenses and includes an optional on-premises license server for completely air-gapped deployments. All tools and wordlists are bundled locally.

What operating systems does ADscan support?

Currently Linux (Kali, Ubuntu, Debian, Parrot). Docker and Windows support are in the near-term roadmap. Design Partners get early access to new platform releases.

Can ADscan integrate with existing pentest workflows?

Yes. ADscan exports to JSON for integration with other tools, generates Word reports using your templates, and works alongside BloodHound, NetExec, and other standard AD pentest tools.

How much does ADscan cost for consulting companies?

PRO seats start at €997/year. Enterprise team packs (5/10/25 seats) include volume discounts, SSO, and priority support. POV Pass available at €249 per 14-day engagement for project-based testing.

What's included in the 14-day POV?

Full ADscan PRO features, setup assistance, Word report generation, and a debrief session with your team lead. No credit card required. Run in your non-production lab environment.

What is the difference between a POV and the Design Partner program?

POV is a 14-day lab evaluation to validate fit. Design Partner is a 90-day collaboration with direct support, early features and limited discounted pricing in exchange for an anonymous/public case.

Command Reference

Quick reference for all ADscan commands. For detailed documentation, see individual command pages.

Workspace Commands

Command	Description	Syntax
`workspace create`	Create new workspace	`workspace create <name>`
`workspace list`	List all workspaces	`workspace list`
`workspace switch`	Switch to different workspace	`workspace switch <name>`
`workspace delete`	Delete workspace	`workspace delete <name>`
`workspace info`	Show workspace details	`workspace info`
`clear_all`	Clear all workspace data	`clear_all`

Configuration Commands

Command	Description	Syntax	Example
`set iface`	Set network interface	`set iface <interface>`	`set iface tun0`
`set hosts`	Set target IP range	`set hosts <cidr\|ip>`	`set hosts 10.10.10.0/24`
`set auto`	Set automation level	`set auto <True\|False>`	`set auto False`
`set verbose`	Set verbose mode	`set verbose <True\|False>`	`set verbose True`
`set telemetry`	Enable/disable telemetry	`set telemetry <on\|off>`	`set telemetry on`

Scanning Commands

Command	Description	Syntax
`start_unauth`	Start unauthenticated scan	`start_unauth`
`start_auth`	Start authenticated scan	`start_auth <domain> <dc_ip> <user> <pass\|hash>`

start_auth Syntax

# With password
start_auth <domain> <dc_ip> <username> <password>

# With NTLM hash
start_auth <domain> <dc_ip> <username> <ntlm_hash>

# Examples
start_auth corp.local 10.10.10.1 jdoe Password123
start_auth htb.local 10.10.10.161 svc-alfresco s3rvice
start_auth example.local 10.0.0.1 admin aad3b435b51404eeaad3b435b51404ee:hash

Credential Commands

Command	Description	Syntax
`creds show`	Display discovered credentials	`creds show`
`creds select`	Select credential for enumeration	`creds select <domain>`

System Command

Command	Description	Syntax
`system`	Execute local system command	`system <command>`

Local Execution

system runs commands on your local machine (where ADscan is running), NOT on the target domain.

Common system commands:

system whoami                    # Local user
system ip addr show             # Network interfaces
system ping <ip>                # Test connectivity
system ls ~/.adscan/workspaces/ # List workspaces
system df -h                    # Disk space
system docker ps                # BloodHound status

Help Commands

Command	Description	Syntax
`help`	List all commands	`help`
`help <command>`	Get help for specific command	`help start_auth`
`exit`	Exit ADscan	`exit`

CLI Flags

Launch ADscan with these flags:

adscan start                 # Start interactive TUI
adscan start -v              # Start with verbose mode
adscan start --verbose       # Same as -v
adscan start --debug         # Start with debug mode
adscan install               # Install dependencies
adscan check                 # Check installation status
adscan --version             # Show version
adscan --help                # Show help

Workflow Quick Start

Unauthenticated Scan

adscan start -v
workspace create <name>
set iface tun0
set hosts 10.10.10.0/24
set auto False
start_unauth

Authenticated Scan

adscan start -v
workspace create <name>
set iface tun0
set auto False
start_auth <domain> <dc_ip> <user> <pass>

Credential Management

creds show                   # View all credentials
creds select <domain>        # Select credential
# ADscan enumerates with selected credential

Using Discovered Credentials

# After discovering credentials in unauthenticated scan
start_unauth                 # Discovers credentials
creds show                   # View what was found
creds select <domain>        # Pick credential
start_auth ...               # Enumerate as that user

Configuration Cheat Sheet

For Production/Client Engagements

set auto False               # Semi-automatic mode
set verbose True             # Detailed output
set telemetry off            # Disable if required

For Labs/CTFs

set auto True                # Automatic mode
set verbose True             # See what's happening

Network Configuration

# Find your interface
system ip addr show

# Common interfaces
set iface eth0               # Ethernet
set iface tun0               # VPN (HTB, VulnHub)
set iface wlan0              # WiFi

Automation Modes

Mode	Description	Use Case	Prompts
`auto=False`	Semi-automatic	Production, client engagements	Before each risky operation
`auto=True`	Automatic	Labs, CTFs, testing	Minimal, fast

Production Safety

Always use auto=False in production environments. Automatic mode may execute disruptive operations without confirmation.

File Locations

Workspace Data

~/.adscan/workspaces/<workspace>/
├── credentials.json          # Discovered credentials
├── users.txt                 # Domain users
├── computers.txt             # Domain computers
├── bloodhound/               # BloodHound data
└── logs/                     # Scan logs

Logs

~/.adscan/logs/adscan.log     # Main log file

Configuration

~/.adscan/config.json         # User configuration
~/.adscan/tools/              # Installed tools

BloodHound Integration

ADscan automatically collects and uploads BloodHound data during authenticated scans.

# BloodHound CE runs on
http://localhost:8080

# Default credentials (set during adscan install)
# Username: admin
# Password: <set during installation>

# Data is auto-uploaded during scans
# Access BloodHound to view attack paths

Common Workflows

1. CTF Auto-Pwn

adscan start -v
workspace create htb_forest
set iface tun0
set auto True
set hosts 10.10.10.161
start_unauth
# ADscan automatically discovers, cracks, and escalates

2. Client Pentest (Conservative)

adscan start -v
workspace create client_jan2024
set iface eth0
set auto False
set hosts 192.168.1.0/24
start_unauth
# Review findings, then:
creds show
creds select corp.local
start_auth corp.local 192.168.1.10 user password

3. Credential Testing

workspace create cred_test
set iface eth0
set auto False
start_auth corp.local 10.0.0.1 testuser TestPass123
# Enumerate access and privileges

Tips and Tricks

Check VPN Before Scanning

system ping <target_ip>
system ip addr show | grep tun0

Monitor Scan Progress

# In another terminal
tail -f ~/.adscan/logs/adscan.log

View Workspace Files

system ls -la ~/.adscan/workspaces/<workspace>/

Backup Workspace

system tar -czf backup.tar.gz ~/.adscan/workspaces/<workspace>/

Check BloodHound Status

system docker ps | grep bloodhound
system docker logs bloodhound

Troubleshooting Quick Reference

Issue	Quick Fix
Docker not running	`system sudo systemctl start docker`
Interface not found	`system ip addr show` to find correct interface
Authentication failed	Verify credentials with `system nxc smb <ip> -u <user> -p <pass>`
BloodHound not accessible	`system docker restart bloodhound`
Out of disk space	Delete old workspaces or use `clear_all`

For detailed troubleshooting, see the Troubleshooting Guide.

Workspace Management - Detailed workspace documentation
Scanning Commands - In-depth scanning guide
Credential Management - Credential command details
Best Practices - Professional usage guidelines
Troubleshooting - Common issues and solutions

Command Reference

On this page