Skip to content
ADscan Docs

🎯 Stop Wasting 30–60 Minutes Per Lab on DNS, Tooling & Copy/Paste

Auto-pwn HTB Active Directory labs in 2–5 minutes with ADscan LITE. Forest, Active & Cicada walkthroughs with baseline vs automated time comparisons.

The Problem Every AD Pentester Knows

You connect to a fresh HTB lab. The environment is ready. You know the attack path.

But before you can start the real work:

  • 15–20 minutes configuring DNS, NTP sync, VPN routes, and tooling
  • 10–15 minutes copy/pasting between BloodHound, nxc, certipy, and your notes
  • 5–10 minutes manually chaining credentials, re-typing queries, managing evidence

30–60 minutes of plumbing work before you even start exploiting the actual AD weaknesses.

ADscan LITE: From “Fresh Lab” to “Full Domain Compromise” in 2–5 Minutes

ADscan LITE orchestrates the boring parts so you can focus on learning real attack paths and building repeatable mental models.

Proven Speed on Real Labs

LabManual path (experienced)ADscan LITE auto-pwnTime saved
HTB Active~15–30 min~2 min13–28 min
HTB Forest~20–35 min~3 min17–32 min
HTB Cicada~25–40 min~5 min20–35 min

What you get

Same tools (BloodHound, nxc, certipy) — just orchestrated, logged, and tied to a workspace so you’re not copy/pasting credentials or losing track of evidence.

Getting Started with Labs

🎓 Individual pentesters (learning AD attacks)

Use these walkthroughs to learn the chain, then repeat it faster with a clean, logged workflow.

👉 Install ADscan LITE or view the GitHub repo

About These Walkthroughs

These walkthroughs demonstrate how ADscan can automatically compromise retired CTF machines and intentionally vulnerable labs. Each guide includes:

  • Complete attack chain breakdown
  • Automated ADscan approach vs manual techniques
  • Security lessons and detection opportunities
  • Template outputs for you to fill with real data

Hack The Box Labs

HTB Forest

AS-REP Roasting and Exchange Permissions abuse. Auto-pwn in ~3 minutes.

HTB Active

GPP password extraction and Kerberoasting. Auto-pwn in ~2 minutes.

HTB Cicada

SMB share spidering, password spraying, and DCSync-based credential dumping. Auto-pwn in ~5 minutes.

Labs Scope & Coverage

See which lab types ADscan automates end-to-end, and which scenarios stay intentionally out of scope.

Difficulty Levels

Easy

  • HTB Forest - Perfect introduction to automated AD pentesting
  • HTB Active - Classic GPP and Kerberoasting attacks
  • HTB Cicada - Guest HR share spidering, password spraying, and DCSync chaining

Medium

  • More labs coming soon

Attack Techniques Covered

Initial Access

  • AS-REP Roasting - Forest
  • GPP Password Extraction - Active
  • Guest SMB + HR Share Spidering - Cicada

Credential Access

  • Kerberoasting - Active
  • LDAP Attributes / Descriptions - Cicada
  • Password Spraying Chains - Cicada

Privilege Escalation

Using These Walkthroughs

For Learners

  1. Set up the lab environment (VPN to HTB network)
  2. Follow the walkthrough with ADscan in automatic mode
  3. Review the attack chain breakdown to understand what happened
  4. Try manual mode to make decisions at each step
  5. Study the manual equivalent commands to learn traditional techniques

For Practitioners

  • Use as reference for penetration testing techniques
  • Understand how ADscan automates complex attack chains
  • Learn detection opportunities for defensive security
  • Compare manual vs automated approach timings

For CTF Players

  • Speed run retired machines with ADscan
  • Verify your manual approach against automated paths
  • Practice for OSCP/CRTP style exams
  • Share your times in the ADscan community

Prerequisites

All labs require:

  • ADscan installed and configured
  • Active VPN connection to CTF network
  • Network interface configured (typically tun0)

See Installation Guide for setup instructions.

Contributing

Have you auto-pwned a machine with ADscan? Share your walkthrough:

  1. Join ADscan Discord
  2. Share your attack timeline and output
  3. Help expand the lab collection

All labs and machines featured are:

  • Retired from active CTF platforms
  • Intended for educational purposes
  • Authorized for testing by platform owners

Never use these techniques on systems without explicit authorization.

Next Steps

Getting Started

New to ADscan? Start here

Scanning Commands

Deep dive into ADscan capabilities

Best Practices

Tips for effective AD pentesting

Share with another pentester
Send an installation link to another pentester so they can try ADscan LITE.

Telemetry

What ADscan collects, how it's sanitized, and how to opt out.

🧪 HTB Active Directory Labs (Auto-Pwn Benchmarks)

Auto-pwn retired HTB AD machines in 2–5 minutes with ADscan LITE. Use these walkthroughs to learn real attack chains and compare manual vs automated timings.

On this page

The Problem Every AD Pentester KnowsADscan LITE: From “Fresh Lab” to “Full Domain Compromise” in 2–5 MinutesProven Speed on Real LabsGetting Started with Labs🎓 Individual pentesters (learning AD attacks)About These WalkthroughsHack The Box LabsDifficulty LevelsEasyMediumAttack Techniques CoveredInitial AccessCredential AccessPrivilege EscalationUsing These WalkthroughsFor LearnersFor PractitionersFor CTF PlayersPrerequisitesContributingLegal NoticeNext Steps
Find this useful?
Pass it to the next pentester running an AD engagement
Running 2+ AD engagements/year?
Get PRO free — beta access·Free in exchange for feedback
Automated PDF reports. Save ≥1 day per engagement.

ADscan — AD pentest automation for security consultants

🎯 Stop Wasting 30–60 Minutes Per Lab on DNS, Tooling & Copy/Paste | ADscan