Getting Started with PRO
Log in to GitHub Container Registry, pull the ADscan PRO image, and run your first engagement in under 10 minutes.
Prerequisites
- Linux x86_64 host
- Docker Engine installed and running (
docker versionto verify) - Your GitHub account — we grant it read access to the PRO image. You log in as yourself.
- A classic GitHub Personal Access Token with only the
read:packagesscope, which you create (see step 2) - The partner tag from your onboarding email
- ADscan launcher installed:
pip install adscanorpipx install adscan
Verify Docker is running
docker versionIf you see Cannot connect to the Docker daemon, start it:
sudo systemctl start docker
# Add your user to the docker group to avoid sudo on every command:
sudo usermod -aG docker "$USER" && newgrp dockerLog in to GitHub Container Registry
The PRO image lives on GitHub Container Registry at ghcr.io/adscanpro/adscan-pro. We grant your GitHub account read access to it, so you log in as yourself.
First, create a classic Personal Access Token: GitHub → Settings → Developer settings → Personal access tokens → Tokens (classic) → Generate new token (classic). Tick only the read:packages scope, generate it, and copy it. Then log in:
docker login ghcr.io -u <YOUR_GITHUB_USERNAME>
# Paste the token when prompted for a passwordYou should see Login Succeeded. The token only needs read:packages; it can't push or touch anything else.
Keep the token out of your shell history
Logging in interactively (no -p flag) keeps the token off your command line. To script it, pipe the token from a file: cat token.txt | docker login ghcr.io -u <YOUR_GITHUB_USERNAME> --password-stdin.
Point the launcher to PRO and pull the image
Export the image variable so every adscan command uses PRO, then pull it:
export ADSCAN_DOCKER_IMAGE=ghcr.io/adscanpro/adscan-pro:latest
adscan updateadscan update runs docker pull under the hood. The first pull downloads the full image; on later releases it fetches only the layers that changed.
Persist the export across shells:
echo 'export ADSCAN_DOCKER_IMAGE=ghcr.io/adscanpro/adscan-pro:latest' >> ~/.zshrc
# or ~/.bashrc for bashAlternative: per-command flag
You can also pass --image 'ghcr.io/adscanpro/adscan-pro:latest' to any launcher command instead of exporting the variable. Useful if you switch between LITE and PRO regularly. --image takes precedence if both are set.
Verify PRO is active
adscan --versionYou should see the PRO image in the version line:
ℹ ADscan launcher: 9.0.1
ℹ Docker image: ghcr.io/adscanpro/adscan-pro:latestIf the image line shows the LITE image, the ADSCAN_DOCKER_IMAGE variable did not take. Re-export it and reload the shell.
Start PRO and enter your partner tag
adscan start ADscan 9.0.1 PRO
Automate the AD kill chain.On the first PRO launch, ADscan asks once for your partner tag (from the onboarding email). It validates the tag and stores it, so you are never prompted again:
? Partner tag: ****************
✓ Partner tag validated.From here the interactive REPL walks every phase (recon → kerberos → ACL → attack-path collection → exploitation) with full visibility. When done, deliver packages the four client PDFs.
One-time setup complete
From here, the recommended flow is adscan start — the interactive REPL walks every phase with full visibility and the ability to pause or adjust mid-scan. When done, deliver packages the four client PDFs.
For one-shot CI pipelines (experimental — narrower flag coverage), see Generate a Report for the adscan ci reference.
Updating PRO
On every new release, pull the updated image:
adscan updateThis re-runs docker pull against ghcr.io/adscanpro/adscan-pro:latest and downloads only the layers that changed — not the whole image. Your stored partner tag carries over; no re-entry needed.
If your PAT has expired, create a new classic token with the read:packages scope and log in again first:
docker login ghcr.io -u <YOUR_GITHUB_USERNAME>
# Paste the new token when prompted for a password
adscan update