Skip to content
ADscan Docs
ADscan PRO

Getting Started with PRO

Log in to GitHub Container Registry, pull the ADscan PRO image, and run your first engagement in under 10 minutes.

Prerequisites

  • Linux x86_64 host
  • Docker Engine installed and running (docker version to verify)
  • Your GitHub account — we grant it read access to the PRO image. You log in as yourself.
  • A classic GitHub Personal Access Token with only the read:packages scope, which you create (see step 2)
  • The partner tag from your onboarding email
  • ADscan launcher installed: pip install adscan or pipx install adscan

Verify Docker is running

docker version

If you see Cannot connect to the Docker daemon, start it:

sudo systemctl start docker
# Add your user to the docker group to avoid sudo on every command:
sudo usermod -aG docker "$USER" && newgrp docker

Log in to GitHub Container Registry

The PRO image lives on GitHub Container Registry at ghcr.io/adscanpro/adscan-pro. We grant your GitHub account read access to it, so you log in as yourself.

First, create a classic Personal Access Token: GitHub → Settings → Developer settings → Personal access tokens → Tokens (classic) → Generate new token (classic). Tick only the read:packages scope, generate it, and copy it. Then log in:

docker login ghcr.io -u <YOUR_GITHUB_USERNAME>
# Paste the token when prompted for a password

You should see Login Succeeded. The token only needs read:packages; it can't push or touch anything else.

Keep the token out of your shell history

Logging in interactively (no -p flag) keeps the token off your command line. To script it, pipe the token from a file: cat token.txt | docker login ghcr.io -u <YOUR_GITHUB_USERNAME> --password-stdin.

Point the launcher to PRO and pull the image

Export the image variable so every adscan command uses PRO, then pull it:

export ADSCAN_DOCKER_IMAGE=ghcr.io/adscanpro/adscan-pro:latest
adscan update

adscan update runs docker pull under the hood. The first pull downloads the full image; on later releases it fetches only the layers that changed.

Persist the export across shells:

echo 'export ADSCAN_DOCKER_IMAGE=ghcr.io/adscanpro/adscan-pro:latest' >> ~/.zshrc
# or ~/.bashrc for bash

Alternative: per-command flag

You can also pass --image 'ghcr.io/adscanpro/adscan-pro:latest' to any launcher command instead of exporting the variable. Useful if you switch between LITE and PRO regularly. --image takes precedence if both are set.

Verify PRO is active

adscan --version

You should see the PRO image in the version line:

ℹ ADscan launcher: 9.0.1
ℹ Docker image: ghcr.io/adscanpro/adscan-pro:latest

If the image line shows the LITE image, the ADSCAN_DOCKER_IMAGE variable did not take. Re-export it and reload the shell.

Start PRO and enter your partner tag

adscan start
  ADscan  9.0.1  PRO
  Automate the AD kill chain.

On the first PRO launch, ADscan asks once for your partner tag (from the onboarding email). It validates the tag and stores it, so you are never prompted again:

?  Partner tag: ****************
   ✓ Partner tag validated.

From here the interactive REPL walks every phase (recon → kerberos → ACL → attack-path collection → exploitation) with full visibility. When done, deliver packages the four client PDFs.

One-time setup complete

From here, the recommended flow is adscan start — the interactive REPL walks every phase with full visibility and the ability to pause or adjust mid-scan. When done, deliver packages the four client PDFs.

For one-shot CI pipelines (experimental — narrower flag coverage), see Generate a Report for the adscan ci reference.

Updating PRO

On every new release, pull the updated image:

adscan update

This re-runs docker pull against ghcr.io/adscanpro/adscan-pro:latest and downloads only the layers that changed — not the whole image. Your stored partner tag carries over; no re-entry needed.

If your PAT has expired, create a new classic token with the read:packages scope and log in again first:

docker login ghcr.io -u <YOUR_GITHUB_USERNAME>
# Paste the new token when prompted for a password
adscan update
Find this useful?
Pass it to the next pentester running an AD engagement
Running 2+ AD engagements/year?
Get PRO free — beta access·Free in exchange for feedback
Automated PDF reports. Save ≥1 day per engagement.

ADscan — AD pentest automation for security consultants

Getting Started with PRO | ADscan