Skip to content
ADscan Docs

⚡ execute & doctor

Run a single ADscan command non-interactively, and run a fast pre-engagement health check.

Two commands make ADscan scriptable from the shell, without opening the interactive workbench:

  • adscan execute <verb> — run one REPL command non-interactively (smoke tests, demos, scripting).
  • adscan doctor — a fast GREEN/RED health check that confirms the environment works before a scan.

Both run fully non-interactively: every prompt resolves to a safe default, so they are safe in CI, pipelines, and unattended runs.

adscan doctor

A one-shot smoke test. It runs the key validations and prints a single per-check pass/fail panel so you can confirm "everything works" before (or at the start of) an engagement.

# Unauthenticated reachability check
adscan doctor -d corp.local --dc-ip 10.0.0.1

# Add credentials to also validate authentication and the posture probe
adscan doctor -d corp.local --dc-ip 10.0.0.1 -u alice -p 'Password1'

What it checks:

CheckWhat it confirms
Runtime preflightTools, system packages, and DNS configuration are in place.
DNS resolutionThe domain resolves and its domain controllers are located.
DC connectivityThe DC answers on the AD ports (53 / 88 / 389 / 445).
AuthenticationThe supplied credential binds against the DC (skipped without -u/-p).
Posture probeThe DC is reachable and its hardening posture is recorded.

The exit code is 0 only when every applicable check passed, so doctor is usable as a gate in scripts. Checks that do not apply (for example, authentication with no credentials) are reported as SKIP and never fail the run.

By default doctor uses an ephemeral workspace that is removed on exit. It never writes to a named workspace unless you pass one.

adscan execute

Run a single REPL command from the shell. execute establishes the minimum session context the command needs — workspace, domain, credentials, DNS, and posture — then invokes the command and exits.

# List the commands available to execute
adscan execute --list

# Resolve DNS / locate the DCs for a domain
adscan execute check_dns -d corp.local --dc-ip 10.0.0.1

# Kerberoast (authenticates, then auto-cracks)
adscan execute kerberoast -d corp.local --dc-ip 10.0.0.1 -u alice -p 'Password1'

# AS-REP roast
adscan execute asreproast -d corp.local --dc-ip 10.0.0.1 -u alice -p 'Password1'

# Inspect the hardening posture (passthrough after `--`)
adscan execute posture -d corp.local --dc-ip 10.0.0.1 -- show

Session flags

execute accepts the standard session flags and forwards everything after the verb (or after --) verbatim to the command:

FlagPurpose
-d, --domainTarget domain.
--dc-ipPDC / DC IP for the target domain.
-u, --usernameAuth username (for commands that authenticate).
-p, --passwordAuth password or hash.
-w, --workspaceNamed workspace to persist into. Omit for an ephemeral temp workspace.
-i, --interfaceNetwork interface (for myip auto-config).
--keep-workspaceKeep an auto-created ephemeral workspace on exit.

The command after execute parses its own arguments the same way it does inside the interactive shell. The session flags (-d, --dc-ip, …) set the context; the command itself reads the domain from that context. To pass arguments straight to the command, place them after --.

Workspaces: ephemeral by default

  • No --workspace → an ephemeral temp workspace is created and removed on exit (use --keep-workspace to retain it). This is the default for quick smoke tests, so a trivial check never pollutes a real workspace.
  • --workspace <name> → results persist in that named workspace and are available to the rest of ADscan and the platform. Use this when you want to keep the loot (for example, execute kerberoast --workspace engagement-1).

Available verbs and prerequisites

adscan execute --list prints the current set with auto-generated help. The starting set:

VerbNeedsWhat it does
check_dnsdomainResolve a domain's DNS / locate its domain controllers.
posturedomainInspect, probe, or clear the hardening posture for a domain.
enum_trustsdomain, credsEnumerate domain trusts (parent/child, external, forest).
kerberoastdomain, credsRequest SPN service tickets and auto-crack the hashes.
asreproastdomain, credsRoast accounts with Kerberos pre-auth disabled.
smb_sharesdomain, credsEnumerate SMB shares and effective access.
search_adcsdomain, credsEnumerate ADCS templates and ESC findings.

Not every REPL command is available to execute. Session-only commands (such as exit or set) and commands that need a prior full scan are intentionally excluded. A command that needs data from a prior scan fails with a clear message pointing you at adscan ci rather than crashing — run the full scan into a named workspace first, then re-run execute against that same --workspace.

kerberoast and asreproast request RC4 (etype 23) tickets, which are faster to crack but raise Defender for Identity alerts ("Kerberoasting / AS-REP Roasting attack suspected"). Coordinate with the client's security team or document the expected engagement noise.

Find this useful?
Pass it to the next pentester running an AD engagement
Running 2+ AD engagements/year?
Get PRO free — beta access·Free in exchange for feedback
Automated PDF reports. Save ≥1 day per engagement.

ADscan — AD pentest automation for security consultants

⚡ execute & doctor | ADscan