ADScanPro/adscan

ADscan - Active Directory Pentesting CLI

Automate Active Directory pentesting. From DNS to Domain Admin.

ADscan is a free Active Directory pentesting CLI for pentesters, red teamers, and CTF players who need fast AD enumeration, BloodHound collection, Kerberoasting, AS-REP Roasting, ADCS checks, password spraying, credential dumping, attack-path execution, and evidence export from one Linux terminal.

Docs | Discord | Website


🎬 Demo

Auto-pwns HTB Forest in ~3 minutes


🚀 Quick Start

pipx install adscan
adscan install
adscan start

Full installation guide & docs at adscanpro.com/docs

⚡ Common Pentest Workflows

Use ADscan when you need to move quickly through internal Active Directory assessments:

  • CTF and lab auto-pwn: reproduce HTB Forest, Active, and Cicada attack chains from the docs.
  • Unauthenticated AD recon: discover domains, DNS, SMB exposure, null sessions, users, and roastable accounts.
  • Authenticated enumeration: collect LDAP, SMB, Kerberos, ADCS, BloodHound CE data, and credential exposure.
  • Privilege escalation: execute supported Kerberoasting, AS-REP Roasting, DCSync, GPP password, ADCS, and local credential workflows.
  • Evidence handling: keep workspaces isolated and export findings to TXT/JSON for reports.

🧭 Usage Examples

adscan start
start_unauth

More walkthroughs:

🧪 Developer Setup (uv)

For local development in this repository:

uv sync --extra dev
uv run adscan --help
uv run adscan version

Quality checks:

uv run ruff check adscan_core adscan_launcher adscan_internal
uv run pytest -m unit
uv run python -m build

✨ Features

LITE (Free, Source Available)

Everything a pentester could do manually, 10x faster:

  • ✅ Three operation modes (automatic/semi-auto/manual)
  • ✅ DNS, LDAP, SMB, Kerberos enumeration
  • ✅ AS-REP Roasting & Kerberoasting
  • ✅ Password spraying
  • ✅ BloodHound collection & analysis
  • ✅ Credential harvesting (SAM, LSA, DCSync)
  • ✅ ADCS detection & template enumeration
  • ✅ GPP passwords & CVE enumeration
  • ✅ Export to TXT/JSON
  • ✅ Workspace & evidence management

PRO

What nobody can do manually in reasonable time:

  • 🎯 Algorithmic attack graph generation
  • 🎯 Auto-exploitation chains (DNS to DA)
  • 🎯 ADCS ESC1-13 auto-exploitation
  • 🎯 MITRE-mapped Word/PDF reports
  • 🎯 Multi-domain trust spidering
  • 🎯 Advanced privilege escalation chains
  • 🎯 Priority enterprise support

Full comparison | Learn more


📋 Requirements

  • OS: Linux (Debian/Ubuntu/Kali)
  • Docker: Docker Engine + Compose
  • Privileges: docker group or sudo
  • Network: Internet (pull images) + target network

📜 License

Source available under the Business Source License 1.1.

  • Use freely for pentesting (personal or paid engagements)
  • Read, modify, and redistribute the source code
  • Cannot create a competing commercial product
  • Converts to Apache 2.0 on 2029-02-01

💬 Community

Discord | GitHub Issues

🤝 Contributing

Bug reports, lab reproductions, command-output samples, and focused pull requests are welcome. See CONTRIBUTING.md and open an issue with your OS, Docker version, ADscan version, command, and sanitized output.

Enterprise support: hello@adscanpro.com


(c) 2024-2026 Yeray Martin Dominguez | adscanpro.com