📁 Workspace Management

Workspaces in ADscan allow you to organize and isolate scan data for different domains, networks, or projects. Each workspace maintains its own credentials, enumeration data, and logs.

Overview

Workspaces are stored in ~/.adscan/workspaces/ and contain:

• Discovered credentials
• Enumeration results (users, computers, groups)
• BloodHound collection data
• Scan logs and output
• Configuration settings

Commands

workspace create

Create a new workspace.

Syntax:

workspace create <name>

Example:

  (ADscan:client_audit_2024 ~/.adscan/workspaces/client_audit_2024) > workspace create client_audit_2024

  ✓ Workspace 'client_audit_2024' created

Naming Guidelines:

• Use descriptive names (domain name, client, date)
• No spaces (use underscores or hyphens)
• Keep names short and memorable

workspace select

Switch to an existing workspace.

Syntax:

workspace select [name]

Interactive Mode:

  (ADscan:default ~/.adscan/workspaces/default) > workspace select

  ? Select workspace:
  > client_audit_2024
    htb_forest
    lab_testing

Direct Selection:

  (ADscan:default ~/.adscan/workspaces/default) > workspace select htb_forest

  ✓ Switched to workspace 'htb_forest'

workspace list

List all available workspaces.

Syntax:

workspace list

Example Output:

  (ADscan:default ~/.adscan/workspaces/default) > workspace list

  Available Workspaces:
  ┌────────────────────┬─────────────────────┬───────────┐
  │ Name               │ Created             │ Size      │
  ├────────────────────┼─────────────────────┼───────────┤
  │ client_audit_2024  │ 2024-01-15 09:30    │ 45 MB     │
  │ htb_forest         │ 2024-01-10 14:22    │ 12 MB     │
  │ lab_testing        │ 2024-01-08 11:15    │ 8 MB      │
  └────────────────────┴─────────────────────┴───────────┘

workspace delete

Delete a workspace and all its data.

Syntax:

workspace delete <name>

Example:

  (ADscan:default ~/.adscan/workspaces/default) > workspace delete old_scan

  ⚠ This will permanently delete the workspace 'old_scan' and all its data
  ? Confirm deletion (y/n): y
  ✓ Workspace 'old_scan' deleted

Warning: This action is irreversible. All data in the workspace will be permanently deleted.

workspace info

Display information about the current workspace.

Syntax:

workspace info

Example Output:

  (ADscan:client_audit_2024 ~/.adscan/workspaces/client_audit_2024) > workspace info

  Workspace: client_audit_2024
  ───────────────────────────────────────────
  Path:        ~/.adscan/workspaces/client_audit_2024
  Created:     2024-01-15 09:30:45
  Size:        45 MB
  Domain:      corp.example.com
  Credentials: 12 accounts
  Users:       450 discovered
  Computers:   125 discovered
  BloodHound:  Data collected

clear_all

Clear all data from the current workspace.

Syntax:

clear_all

Example:

  (ADscan:client_audit_2024 ~/.adscan/workspaces/client_audit_2024) > clear_all

  ⚠ This will permanently delete all data in workspace 'client_audit_2024'
  ? Confirm deletion (y/n): y
  ✓ Workspace data cleared

Warning: This action removes all enumeration data, credentials, logs, and BloodHound collections from the workspace. The workspace directory structure remains but is empty.

Workspace Structure

Each workspace is a complete audit container. Inside a single workspace you can have:

• Multiple domains (e.g., domains/htb.local, domains/child.htb.local)
• Global service scans across all hosts
• Per‑domain service data, cracking artifacts, BloodHound collections, flags, and reports

Example (HTB Forest workspace):

~/.adscan/workspaces/htb_forest/
├── dacledit-20251204-075645.bak
├── dns
│   └── ips.txt
├── domains
│   └── htb.local
│       ├── admins.txt
│       ├── BH
│       │   └── htb.local_bloodhound-python.zip
│       ├── cracking
│       │   ├── cracked_asreproast.txt
│       │   └── hashes.asreproast
│       ├── dcs.txt
│       ├── dcsync
│       │   └── Administrator.txt
│       ├── dns
│       │   └── ips.txt
│       ├── enabled_computers_ips.txt
│       ├── enabled_computers.txt
│       ├── enabled_users.txt
│       ├── kerberos
│       │   └── tickets
│       │       ├── administrator.ccache
│       │       └── svc-alfresco.ccache
│       ├── ldap
│       │   ├── adcs.log
│       │   └── domain_admins.log
│       ├── nmap
│       │   └── imp_ports_scan
│       ├── privileged.txt
│       ├── smb
│       │   ├── flags.log
│       │   ├── ips.txt
│       │   ├── smb_null_general.log
│       │   ├── svc-alfresco_privs.log
│       │   ├── users_null.log
│       │   ├── verify_administrator.log
│       │   └── verify_svc-alfresco.log
│       ├── users.txt
│       └── variables.json
├── enabled_computers_ips.txt
├── enabled_computers.txt
├── flags
│   ├── root.txt
│   └── user.txt
├── ftp
├── http
├── https
├── kerberos
├── krb5.conf
├── ldap
├── mssql
├── rdp
├── report.json
├── smb
│   └── ips.txt
├── smb_scan.log
├── ssh
├── variables.json
├── vnc
└── winrm

How to read this structure:

• One workspace = one engagement container (audit or CTF)
  • You can have one or multiple domains under domains/.
• Top-level service folders (dns, smb, ftp, http, ldap, etc.):
  • These are the global rollups across all hosts where that service was enumerated.
  • Most services include an ips.txt containing all IPs where the port/service was found. If ips.txt is missing, it usually means no hosts exposed that service, but the folder may still exist because the module ran.
• domains/<domain>/ (for example domains/htb.local):
  • Per-domain view: users, computers, privileges, cracking artifacts, Kerberos tickets, LDAP/SMB logs, etc.
  • Per-domain service subfolders (smb/, ldap/, kerberos/, nmap/, dns/) group logs and artifacts for that domain only.
  • BH/ contains BloodHound export collections for that domain.
  • cracking/ contains hashes and cracked credentials (for example AS-REP).
  • dcsync/ and dcs.txt store DCSync results (for example in Forest, where multiple htb.local credentials are dumped).
• Global files:
  • report.json – structured engagement summary (used for reporting/CI).
  • flags/ – CTF flags (user.txt, root.txt) when applicable.
  • enabled_computers*.txt – global lists of live/enabled hosts.
  • variables.json – ADscan internal state/config for the workspace.

Best Practices

Naming Conventions

Choose meaningful workspace names:

# Good examples
workspace create acme_corp_jan2024
workspace create htb_forest
workspace create client_pentest_phase1

# Avoid
workspace create test
workspace create ws1
workspace create temp

Workspace Organization

• One workspace per domain - Keep domains isolated
• Use dates - Include date in name for time tracking
• Client names - Use client codes for confidentiality

Backup Strategy

Back up workspace directories manually using system tools:

# Manual backup using tar
tar -czf ~/backups/workspace_$(date +%Y%m%d).tar.gz ~/.adscan/workspaces/client_audit_2024/

# Or use rsync for incremental backups
rsync -av ~/.adscan/workspaces/client_audit_2024/ ~/backups/workspaces/

Cleanup

Delete old workspaces to save disk space:

# List old workspaces
workspace list

# Delete completed assessments
workspace delete htb_forest

Workspace Permissions

Workspace files are stored with restrictive permissions:

• Directory: 700 (rwx------)
• Credentials: 600 (rw-------)
• Logs: 644 (rw-r--r--)

This ensures sensitive data is protected from other users on the system.

Troubleshooting

"Workspace already exists"

(ADscan) > workspace create test
✗ Workspace 'test' already exists

Solution: Choose a different name or delete the existing workspace.

"Workspace not found"

(ADscan) > workspace select nonexistent
✗ Workspace 'nonexistent' not found

Solution: Check available workspaces with workspace list.

"Permission denied"

✗ Permission denied: ~/.adscan/workspaces/test

Solution: Ensure you have write permissions. If you previously ran ADscan with a legacy sudo alias, fix ownership:

sudo chown -R "$USER:$USER" ~/.adscan

Related Commands

• Scanning Commands - Start scans within workspaces

Next Steps

After creating a workspace, proceed to:

1. Configure scanning parameters
2. Run your first scan