🎯 Labs Scope & Coverage
Understand what types of CTF labs ADscan automates end-to-end, and which scenarios remain intentionally out of scope.
ADscan Is an AD Automation Specialist
ADscan focuses on realistic Active Directory attack paths: once you have network access and a meaningful AD surface, it automates enumeration, privilege escalation, and credential dumping.
It is not designed to solve every puzzle in a CTF from zero (web exploitation, reversing, stego, image puzzles, etc.).
Rule of thumb: If a step is something you’d do on a real client’s internal AD (enumerate, pivot, escalate, dump creds), ADscan automates it. If it’s a one-off CTF puzzle, that part is intentionally left to you.
Officially Supported Labs (CI-verified)
These labs are part of our continuous integration (CI): every release of ADscan LITE is tested against them to ensure full domain compromise still works as documented.
HTB Forest
Full AS-REP → BloodHound → WriteDacl → DCSync chain. Domain Admin + 9 credential dump verified every release.
HTB Active
GPP password extraction, Kerberoasting, Domain Admin, flags and DCSync in ~1.5 minutes (automatic mode).
HTB Cicada
Guest HR share spidering, multi-stage password spraying, Backup Operators → DA, flags and full DCSync.
What “supported” means
For these labs, ADscan LITE is expected to:
- Discover the domain and AD attack surface
- Gain initial access using AD-specific weaknesses
- Escalate to Domain Admin automatically
- Capture user and root flags
- Perform a complete DCSync to dump domain credentials
Scenarios ADscan Does Not Aim to Solve
Some CTF labs are built around non-AD puzzles that do not reflect typical internal AD engagements. ADscan does not try to automate those parts.
Examples of out-of-scope patterns:
- Labs where the initial foothold requires:
  - Exploiting a web app and scraping usernames or passwords from HTML/JS
  - Analyzing an image, video, or other media to extract hidden credentials
  - Reversing a custom binary to recover a password or key
  - Extracting secrets from a printer, IoT device, or non-AD service only
- Labs where the key step is a one-off CTF trick that does not generalize to real-world AD assessments.
In those labs, ADscan is still useful once you already have AD credentials or a domain foothold, but it will not perform the web/reversing/puzzle part for you.
Design philosophy
ADscan is built for internal AD security assessments and real-world pentests, not for solving every single CTF trick.
The goal is to automate the AD side of the engagement (enumeration, escalation, credential harvesting, reporting) once you have access to the domain.
Using ADscan in Hybrid Labs
Many labs combine external puzzles with a later AD component. A practical workflow is:
- Solve the non-AD part manually
  - Web exploitation, image analysis, binary reversing, printer/FTP puzzles, etc.
  - Use those steps to obtain network access and initial AD credentials.
- Switch to ADscan for the AD phase
  - Create a workspace (workspace create <lab_name>) and configure iface/hosts.
  - Use start_unauth/start_auth and credential commands to let ADscan:
    - Enumerate users, groups, computers, ACLs, and services
    - Identify attack paths (AS-REP, Kerberoast, Backup Operators, WriteDacl…)
    - Automate escalation, DCSync, and flag retrieval where applicable.
- Use ADscan outputs in your writeup/report
  - Workspace data (variables.json, report.json), credential tables, and flags
  - BloodHound-compatible attack_graph.json export per workspace (load into your own BH CE instance for graph visualisation if needed).
Rule of thumb
If a step is something you could reasonably do on a real client’s internal AD (enumerate, pivot, escalate, dump creds), ADscan tries to automate it.
If a step is a one-off CTF puzzle (decode a QR in an image to find a password, reverse a game binary, brute-force a printer menu), that part is intentionally left to you.
How to Read Lab Guides with Scope in Mind
When you see an HTB lab marked as “Auto-Pwn Walkthrough” in these docs:
- The walkthrough focuses on the AD/infra side of the lab.
- Any non-AD foothold requirements are assumed to be solved manually beforehand (if present).
- Once AD is in play, the guide shows how ADscan automates the rest.
For labs that are mostly web/reversing/image puzzles with only a tiny AD component, ADscan LITE is not a great fit as a primary tool. Use it to accelerate the AD part, not to replace the CTF-specific steps.