⚡ execute & doctor
Run a single ADscan command non-interactively, and run a fast pre-engagement health check.
Two commands make ADscan scriptable from the shell, without opening the interactive workbench:
adscan execute <verb>— run one REPL command non-interactively (smoke tests, demos, scripting).adscan doctor— a fast GREEN/RED health check that confirms the environment works before a scan.
Both run fully non-interactively: every prompt resolves to a safe default, so they are safe in CI, pipelines, and unattended runs.
adscan doctor
A one-shot smoke test. It runs the key validations and prints a single per-check pass/fail panel so you can confirm "everything works" before (or at the start of) an engagement.
# Unauthenticated reachability check
adscan doctor -d corp.local --dc-ip 10.0.0.1
# Add credentials to also validate authentication and the posture probe
adscan doctor -d corp.local --dc-ip 10.0.0.1 -u alice -p 'Password1'What it checks:
| Check | What it confirms |
|---|---|
| Runtime preflight | Tools, system packages, and DNS configuration are in place. |
| DNS resolution | The domain resolves and its domain controllers are located. |
| DC connectivity | The DC answers on the AD ports (53 / 88 / 389 / 445). |
| Authentication | The supplied credential binds against the DC (skipped without -u/-p). |
| Posture probe | The DC is reachable and its hardening posture is recorded. |
The exit code is 0 only when every applicable check passed, so doctor is usable as a gate in scripts. Checks that do not apply (for example, authentication with no credentials) are reported as SKIP and never fail the run.
By default doctor uses an ephemeral workspace that is removed on exit. It never writes to a named workspace unless you pass one.
adscan execute
Run a single REPL command from the shell. execute establishes the minimum session context the command needs — workspace, domain, credentials, DNS, and posture — then invokes the command and exits.
# List the commands available to execute
adscan execute --list
# Resolve DNS / locate the DCs for a domain
adscan execute check_dns -d corp.local --dc-ip 10.0.0.1
# Kerberoast (authenticates, then auto-cracks)
adscan execute kerberoast -d corp.local --dc-ip 10.0.0.1 -u alice -p 'Password1'
# AS-REP roast
adscan execute asreproast -d corp.local --dc-ip 10.0.0.1 -u alice -p 'Password1'
# Inspect the hardening posture (passthrough after `--`)
adscan execute posture -d corp.local --dc-ip 10.0.0.1 -- showSession flags
execute accepts the standard session flags and forwards everything after the verb (or after --) verbatim to the command:
| Flag | Purpose |
|---|---|
-d, --domain | Target domain. |
--dc-ip | PDC / DC IP for the target domain. |
-u, --username | Auth username (for commands that authenticate). |
-p, --password | Auth password or hash. |
-w, --workspace | Named workspace to persist into. Omit for an ephemeral temp workspace. |
-i, --interface | Network interface (for myip auto-config). |
--keep-workspace | Keep an auto-created ephemeral workspace on exit. |
The command after execute parses its own arguments the same way it does inside the interactive shell. The session flags (-d, --dc-ip, …) set the context; the command itself reads the domain from that context. To pass arguments straight to the command, place them after --.
Workspaces: ephemeral by default
- No
--workspace→ an ephemeral temp workspace is created and removed on exit (use--keep-workspaceto retain it). This is the default for quick smoke tests, so a trivial check never pollutes a real workspace. --workspace <name>→ results persist in that named workspace and are available to the rest of ADscan and the platform. Use this when you want to keep the loot (for example,execute kerberoast --workspace engagement-1).
Available verbs and prerequisites
adscan execute --list prints the current set with auto-generated help. The starting set:
| Verb | Needs | What it does |
|---|---|---|
check_dns | domain | Resolve a domain's DNS / locate its domain controllers. |
posture | domain | Inspect, probe, or clear the hardening posture for a domain. |
enum_trusts | domain, creds | Enumerate domain trusts (parent/child, external, forest). |
kerberoast | domain, creds | Request SPN service tickets and auto-crack the hashes. |
asreproast | domain, creds | Roast accounts with Kerberos pre-auth disabled. |
smb_shares | domain, creds | Enumerate SMB shares and effective access. |
search_adcs | domain, creds | Enumerate ADCS templates and ESC findings. |
Not every REPL command is available to execute. Session-only commands (such as exit or set) and commands that need a prior full scan are intentionally excluded. A command that needs data from a prior scan fails with a clear message pointing you at adscan ci rather than crashing — run the full scan into a named workspace first, then re-run execute against that same --workspace.
kerberoast and asreproast request RC4 (etype 23) tickets, which are faster to crack but raise Defender for Identity alerts ("Kerberoasting / AS-REP Roasting attack suspected"). Coordinate with the client's security team or document the expected engagement noise.