ADscan

ADscan is a pentesting tool focused on automating collection, enumeration and common attack paths in Active Directory. It provides an interactive TUI with a wide range of commands to streamline internal audits and AD-focused pentests.

🔥 Why ADscan‑LITE?
Shrinks AD recon/exploitation from hours to minutes – auto‑roots several retired HTB machines.
100% CLI → perfect for CTFs, jump‑boxes and headless labs.
Seamless path to the coming PRO edition (target: late‑2025 / early‑2026).
👉 Request a 14‑day POV (free – no card): adscanpro.com

---

Announcement: ADscan was presented at the Hackén 2025 cybersecurity conference.

Table of Contents

• Key Features
• System Requirements
• Installation
• Running ADscan
• Basic Usage Example
• Interactive Demos
• Reporting Bugs
• Roadmap
• Acknowledgements

---

Key Features

Core engine (Lite & Pro foundation)

Capability
Interactive shell (autocomplete, history)
Colored, structured output (Rich)
Sequential unauth/auth scans (SMB · LDAP · RPC)
Workspaces & credential persistence
Kerberos enumeration & roasting (AS‑REP / Kerberoast) + cracking helpers
BloodHound collection helpers
(When available) credential dump / post‑ex primitives (SAM · LSA · DPAPI · DCSync)*

*Availability depends on license and safety prompts. Disruptive actions always require explicit confirmation.

What LITE gives you today 🔓

Feature
Auto‑pwn some HTB boxes
Semi‑automatic workflow prompts
Community support on Discord

What PRO adds (target: late‑2025 / early‑2026) 🔒

Feature
Trust‑relationships auto‑enumeration
ADCS ESC auto‑exploit
One‑click Word/PDF report (MITRE/CVSS templated)
Cloud‑accelerated NTLM/TGS/AS‑REP cracking orchestration
Broad CVE/misconfig checks (LAPS, WinRM/RDP/SMB access, DA sessions, etc.)

PRO activation will be delivered as a simple license command when the edition ships.
Want early access for your consultancy? 👉 Request a 14‑day POV: adscanpro.com

---

System Requirements

• OS: Linux (Debian/Ubuntu/Kali and other Debian‑based distros). Older versions supported.

• Privileges: Root access required for installation & full functionality (tooling installs, low‑level ops).

• Dependencies: Managed via adscan install (external tools + Python libs).

---

Installation

1. Install with pipx (recommended):

pipx install adscan

Or using pip:

pip install adscan

Verify the CLI is available:

adscan --version

Alternatively, download a pre‑built binary from the releases page.

2. Run the installer

adscan install

This will:

• Set up the Python virtual environment.

• Install required Python packages.

• Download & configure external tools and wordlists.

3. Verify installation

adscan check

Performs checks and reports the status of dependencies and tools.

⚡ Ready to hack your first domain?
Run adscan start and share your asciicast with #adscan on X/Twitter.

---

Running ADscan

1. Start the TUI

adscan start

2. Verbose mode (optional)

adscan start -v
# or
adscan start --verbose

3. Interactive prompt

(ADscan:your_workspace) >

4. Getting help

help                 # categories
help <command>       # command‑level help

---

Basic Usage Example

1. Create/select a workspace

(ADscan) > workspace create my_audit
(ADscan:my_audit) >
# or
(ADscan) > workspace select

2. Configure network interface

(ADscan:my_audit) > set iface eth0

3. Choose automation level

(ADscan:my_audit) > set auto False   # recommended for real audits
# set auto True   # faster for labs/CTFs

4. Run scans

• Unauthenticated

(ADscan:my_audit) > set hosts 192.168.1.0/24
(ADscan:my_audit) > start_unauth

• Authenticated

(ADscan:my_audit) > start_auth <domain> <pdc_ip> <username> <password_or_hash>

5. Enumeration & exploitation
   Follow interactive prompts. Disruptive actions always prompt for confirmation, even in auto=True.

---

Interactive Demos

⚙️ Semi-Automatic Mode (auto=False)

⚙️ Automatic Mode (auto=True)

Auto‑pwns Forest (HTB retired) in ~3 minutes with ADscan‑LITE.
Want trust‑enum, CVE, report and much more? 👉 Request a 14‑day POV: adscanpro.com

---

Highlight: Modes & Data Handling

• Automatic/Semi‑Automatic: auto=True accelerates enumeration; auto=False provides more control for production networks.

• Evidence & backups: Credentials and progress are stored per‑workspace (JSON), making it easy to resume.

• Service detection: IPs are grouped by detected services (SMB, WinRM, LDAP, etc.) for next steps.

• Safety: Potentially disruptive operations are gated and require explicit confirmation.

• Telemetry: Opt‑in by default for the LITE build; toggle off anytime with set telemetry off (no sensitive payloads; used to improve speed & stability).

---

Reporting Bugs

Open an issue in this repo or chat on Discord: https://discord.com/invite/fXBR3P8H74
Your feedback shapes the PRO roadmap.

---

Roadmap

Quarter	Milestone
Q3‑2025	More ACL exploitation & pre‑2k module · Kerberos unconstrained pathing
Q4‑2025	PRO release target – trust enum, ADCS ESC exploit, auto Word/PDF report
Q1‑2026	NTLM relay chain · SCCM module
Q2‑2026	PwnDoc report integration · Cloud‑accelerated cracking for AS‑REP/Kerberoast

Timelines are targets, not promises; feature scope may adjust based on POV feedback.

---

Acknowledgements

• NetExec — SMB/WinRM enumeration

• BloodHound & bloodhound.py — AD attack path collection & analysis

• Impacket — network protocol tooling

• Rich — CLI UX

• Prompt Toolkit — interactive shell

• Certipy — ADCS escalation enumeration

• And the broader community of researchers and maintainers powering the AD ecosystem.

---

© 2025 Yeray Martín Domínguez – Released under EULA.
ADscan 2.1.2‑lite · PRO edition target: late‑2025 / early‑2026.