ADscan - Active Directory Pentesting Tool for Linux

May 20, 2026 · View on GitHub

ADscan - Active Directory Pentesting Tool for Linux

Free active directory pentesting tool for Linux. Replace your AD pentest toolchain with one CLI.

ADscan is a free Linux CLI for pentesters, red teamers, and security consultants. It covers 41 Active Directory attack techniques in a single workflow: enumeration, Kerberoasting, AS-REP roasting, ADCS/ESC exploitation, DCSync, credential harvesting, and native attack-path analysis. No Windows required.

Docs | Discord | Website

Demo
Quick Start
ADscan vs Alternatives
Kerberoasting, ADCS and AD Attack Coverage
Common Pentest Workflows
Usage Examples
Want the Full Client Report?
Requirements
FAQ
Developer Setup
Contributing
License

Demo

Auto-pwns HTB Forest in ~3 minutes

Quick Start

pipx install adscan
adscan install
adscan start

Full installation guide at adscanpro.com/docs

Once inside the shell, start an unauthenticated recon:

(ADscan) > start_unauth

This discovers domain controllers, SMB exposure, null sessions, and roastable accounts without credentials. From there, run start_auth with a domain user to enumerate LDAP, collect BloodHound data, and build the attack graph.

ADscan vs Alternatives

Most AD pentesters use 5-8 separate tools. ADscan replaces the chain:

	ADscan	NetExec/CrackMapExec	Certipy	Impacket	BloodHound CE
Platform	Linux	Linux/Win	Linux	Linux	Linux/Win
AD enumeration	Full	Partial	No	Partial	No
Kerberoasting	Yes	Yes	No	Yes	No
ADCS ESC1-16	Yes (auto)	No	Yes (manual)	No	No
Attack paths	Native graph	No	No	No	Yes
DCSync	Yes	Yes	No	Yes	No
Single workflow	Yes	No	No	No	No
Compliance reports	PRO tier	No	No	No	No

ADscan is not a replacement for every tool in every scenario. It is the fastest path from credentials to a documented attack chain in a single terminal session.

Kerberoasting, ADCS and AD Attack Coverage

ADscan covers 41 Active Directory attack techniques across the kill chain:

LITE (Free, Source Available)

Everything a pentester could do manually, without the toolchain:

Three operation modes (automatic/semi-auto/manual)
DNS, LDAP, SMB, Kerberos enumeration
AS-REP Roasting and Kerberoasting
Password spraying
Native graph collection and attack-path analysis
Credential harvesting (SAM, LSA, DCSync)
ADCS detection and template enumeration
GPP passwords and CVE enumeration
Export to TXT/JSON
Workspace and evidence management

PRO

What takes days manually, automated:

Algorithmic attack graph generation
Auto-exploitation chains (unauthenticated to Domain Admin)
ADCS ESC1-16 auto-exploitation
MITRE-mapped Word/PDF reports
Multi-domain trust spidering
Advanced privilege escalation chains
Priority enterprise support

Full comparison | Get PRO beta free

Common Pentest Workflows

CTF and lab auto-pwn: reproduce HTB Forest, Active, and Cicada attack chains from the docs.
Unauthenticated AD recon: discover domains, DNS, SMB exposure, null sessions, users, and roastable accounts.
Authenticated enumeration: collect LDAP, SMB, Kerberos, ADCS, attack-graph data, and credential exposure.
Privilege escalation: execute Kerberoasting, AS-REP Roasting, DCSync, GPP password, ADCS, and local credential workflows.
Evidence handling: keep workspaces isolated and export findings to TXT/JSON for reports.

Usage Examples

Unauthenticated recon:

adscan start
# Inside the ADscan shell:
start_unauth

Discovers domain controllers, DNS, SMB null sessions, and roastable accounts without credentials.

Authenticated scan with BloodHound collection:

# Inside the ADscan shell (after start_auth):
start_auth

Collects LDAP data, builds the attack graph, and identifies Kerberoasting targets, ADCS misconfigurations, and privilege escalation paths.

More walkthroughs:

Want the Full Client Report?

ADscan LITE gives you enumeration, attack paths, and findings in the terminal. ADscan PRO generates four PDF deliverables in 90 seconds:

Executive Assessment Report — risk narrative, attack chains, posture score for the CISO and board
MITRE Remediation Checklist — ATT&CK-mapped action items filtered to your actual findings
AD Hardening Playbook — 30-day remediation roadmap with effort and ownership
Coverage Matrix — MITRE x ENS Alto / NIS2 / ISO 27001, audit-ready

Beta access is free for security consultants. adscanpro.com/pro

Requirements


OS	Linux (Debian/Ubuntu/Kali)
Docker	Docker Engine + Compose
Privileges	`docker` group or `sudo`
Network	Internet (pull images) + target network

FAQ

Does ADscan work without a Windows machine? Yes. ADscan runs entirely on Linux inside Docker. No Windows VM, no RDP, no agent installation required. It connects to your target AD environment over the network using standard protocols (LDAP, SMB, Kerberos).

Is ADscan safe to run in production Active Directory environments? ADscan LITE is read-only by default for enumeration. Exploitation steps (Kerberoasting, credential dumping, DCSync) require explicit operator confirmation. Run it in a test window with your client's written authorization. See the security policy for responsible use guidelines.

How is ADscan different from BloodHound? BloodHound is a graph analysis tool that requires separate data collection (SharpHound or AzureHound). ADscan collects data, builds the attack graph, and executes the attack chain from one terminal. LITE includes native graph collection compatible with BloodHound CE. PRO adds algorithmic attack path auto-exploitation.

Developer Setup

uv sync --extra dev
uv run adscan --help
uv run adscan version

Quality checks:

uv run ruff check adscan_core adscan_launcher adscan_internal
uv run pytest -m unit

Contributing

Bug reports, lab reproductions, command-output samples, and focused pull requests are welcome. See CONTRIBUTING.md for the PR workflow and required checks.

Enterprise support: hello@adscanpro.com

License

Source available under the Business Source License 1.1.

Use freely for pentesting (personal or paid engagements)
Read, modify, and redistribute the source code
Cannot create a competing commercial product
Converts to Apache 2.0 on 2029-02-01