Welcome back, aspiring cyberwarriors!
In offensive security, repetition is part of the job. Whether you’re working on a client engagement or in a lab environment, you usually start with the same set of checks. That means figuring out if SMB is exposed, confirming whether LDAP is reachable, and taking a close look at password policies to see how strong they really are. It also includes identifying stale or misconfigured privileged accounts, finding any roastable Kerberos accounts, and reviewing ADCS configurations for potential escalation paths. These are the checks that come up over and over again in real-world Active Directory assessments.
Because of that, experienced pentesters rarely do everything by hand. They write scripts, build workflows, or rely on tools that collapse repetitive work into something faster. Today we are looking at two tools that fit that mindset: ADScan and ADPulse. ADScan is built for active enumeration and attack-path work, while ADPulse is focused on read-only auditing and reporting. Together, they cover two important sides of the same Active Directory.
ADScan
We will begin with ADScan, a tool that shows how far automation in Active Directory pentesting has come. Instead of jumping between separate scripts, tools, and scattered notes, ADScan lets you work from a single interface and move from reconnaissance into exploitation without breaking your flow. It handles enumeration across the key protocols (DNS, LDAP, SMB, and Kerberos) and collects data that can be fed directly into BloodHound for deeper analysis. It then acts on what it finds by launching attacks such as Kerberoasting, AS-REP roasting, password spraying, or, once the privileges allow it, DCSync.
Another key strength is its flexibility in different access scenarios. In real engagements, you might start with no credentials at all, or you might be handed a low-privileged account. ADScan works well in both cases.
Setting Up
The installation process requires some patience, as ADScan relies on Docker to manage its environment and dependencies. Before starting, you need to ensure Docker is properly installed on your Kali Linux system.
kali > sudo apt install docker.io
kali > sudo apt install docker-compose
kali > sudo service docker start
kali > sudo systemctl enable docker
Once Docker is ready, you can proceed with installing ADScan itself.
kali > pipx install adscan
kali > adscan install
During this process, the tool will download several components, including services required for BloodHound integration. A stable internet connection is important here, as interruptions may cause the installation to fail.
After installation completes, you will receive credentials for the BloodHound interface. At this point, everything is ready, and you can start the tool.
kali > adscan start
Inside the interface, you can access a help menu that organizes commands into logical sections.

Each section has its own subcommands.

Exploitation
As mentioned earlier, ADScan supports both credentialed and non-credentialed assessments. For this example, we will focus on a scenario where credentials are available.
start_auth
After launching this mode, you provide the domain details along with your credentials.

From that point forward, ADScan begins running a series of automated checks. It pulls in BloodHound data, looks for Kerberoastable and AS-REP roastable accounts, evaluates your current privilege level, and inspects Active Directory Certificate Services for potential escalation paths.

When the checks finish, ADScan summarizes what it found. In our case, the tool revealed that our lowpriv user holds GenericAll over sensitive groups. In real environments, a right like this can be the leftover of a persistence technique such as AdminSDHolder abuse: an ACE added to the AdminSDHolder object is re-applied by the SDProp process to every protected group and account roughly every hour, so it survives cleanup of the groups themselves and is easy to overlook in routine administration with tools like RSAT, which surface group membership far more readily than individual ACEs.
Once enumeration wraps up, ADScan provides two different attack path engines. The first integrates with BloodHound, organizing findings into attack paths. These paths can include techniques like password spraying, Kerberos-based attacks, NTLM hash capture, and other steps that gradually lead to higher levels of access.

The second engine uses a local Python-based depth-first search approach that focuses more directly on permission abuse, especially through DACL misconfigurations. In our example, it showed that the user can directly modify membership in critical groups such as Domain Admins.
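To make the second engine concrete, here is a small depth-first path search of the same shape, written for this article as an illustration; it is not ADScan's engine and the edge list (principals such as lowpriv, Helpdesk, and svc_sql) is constructed to resemble a BloodHound edge export rather than taken from a real domain. The search only follows group membership and DACL rights that let the holder add a principal to the target group or rewrite its DACL or owner, and it ignores session edges such as CanRDP.

```python
"""
Minimal DACL attack-path search over a BloodHound-style edge list.
Added example for this article, not ADScan's code. SAMPLE_EDGES and every
principal name in it are constructed placeholders.
"""
from collections import defaultdict

# Rights the search may traverse. MemberOf is (transitive) group membership;
# the rest are DACL rights that let the holder add a member to the target
# group, or rewrite its DACL/owner to grant itself that right.
TRAVERSABLE = {"MemberOf", "GenericAll", "GenericWrite", "WriteDacl",
               "WriteOwner", "AddMember", "Owns"}

# (source, right, target) triples, constructed for the example
SAMPLE_EDGES = [
    ("lowpriv", "MemberOf", "Domain Users"),
    ("lowpriv", "GenericAll", "Helpdesk"),
    ("lowpriv", "CanRDP", "WS01"),                     # session right, not a DACL edge: ignored
    ("Domain Users", "GenericWrite", "Printer Admins"),
    ("Helpdesk", "AddMember", "Domain Admins"),
    ("svc_sql", "WriteDacl", "Domain Admins"),
    ("Domain Admins", "MemberOf", "Administrators"),
    ("Printer Admins", "MemberOf", "Domain Users"),     # cycle: the search must not loop on it
]


def build_graph(edges):
    """Adjacency list keyed by source principal, keeping only traversable rights."""
    graph = defaultdict(list)
    for src, right, dst in edges:
        if right in TRAVERSABLE:
            graph[src].append((right, dst))
    return graph


def find_paths(graph, start, target, max_depth=6):
    """Every simple path from start to target, as lists of (src, right, dst)."""
    paths = []

    def dfs(node, path, seen):
        if node == target:
            paths.append(list(path))
            return
        if len(path) >= max_depth:
            return
        for right, nxt in graph.get(node, ()):
            if nxt in seen:           # already on this path: skip to avoid cycles
                continue
            path.append((node, right, nxt))
            dfs(nxt, path, seen | {nxt})
            path.pop()

    dfs(start, [], {start})
    return paths


def shortest_path(graph, start, target):
    paths = find_paths(graph, start, target)
    return min(paths, key=len) if paths else None


def render(path):
    """Human-readable chain, e.g. 'a -[GenericAll]-> b -[AddMember]-> c'."""
    if not path:
        return "no path"
    out = path[0][0]
    for _, right, dst in path:
        out += f" -[{right}]-> {dst}"
    return out


if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    for principal in ("lowpriv", "svc_sql", "Domain Users"):
        print(f"{principal}: {render(shortest_path(g, principal, 'Domain Admins'))}")
```

On the constructed graph, lowpriv reaches Domain Admins in two hops (GenericAll over Helpdesk, which in turn holds AddMember on Domain Admins), svc_sql reaches it in one through WriteDacl, and Domain Users has no path even though the cycle through Printer Admins would trap a naive search. In practice the edge list comes from a BloodHound export, and the depth limit keeps the search bounded on large domains.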

ADScan may also check the domain controllers for known vulnerabilities. It is not unusual to find unpatched or end-of-life systems still in service, exposed to issues such as Zerologon (CVE-2020-1472) or NoPac (CVE-2021-42278 and CVE-2021-42287). Catching these early is valuable for both offensive and defensive teams.

ADScan does not replace understanding, but it significantly improves efficiency.
ADPulse
ADPulse takes a different angle. While ADScan is focused on active operations and exploitation, ADPulse is built as a read-only auditing tool that evaluates the overall security posture of an Active Directory environment. ADPulse connects to a domain controller over LDAP or LDAPS and runs a defined set of security checks. These checks look for common misconfigurations, weak policies, and potential attack paths. The results are presented in several formats.
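The checks such a read-only audit performs are mostly attribute inspection: which flags are set in userAccountControl, which accounts carry SPNs, when privileged accounts last logged on, and what the domain password policy says. The following script, added for this article and not ADPulse's code, implements a handful of them over records shaped like what an LDAP client such as ldap3 returns. The users, group names, SPNs, and policy values are constructed; in a real run they would come from an LDAP search over the domain naming context, and the only write anywhere is to the findings list.

```python
"""
Read-only AD posture checks over LDAP-style attribute records.
Added example for this article, not ADPulse's code. SAMPLE_USERS and
SAMPLE_POLICY are constructed; a real run would populate them from LDAP.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (Microsoft-documented values)
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
STALE_DAYS = 90
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
PWD_NEVER_EXPIRES = -0x8000000000000000   # maxPwdAge sentinel for "never"


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means 'never'."""
    return None if not ft else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # integer arithmetic: float microseconds would lose precision at this magnitude
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def is_privileged(user):
    return bool(PRIVILEGED_GROUPS & set(user.get("memberOf", [])))


def audit_users(users, now):
    """Return (severity, check, sAMAccountName, detail) findings for user objects."""
    findings = []
    for u in users:
        name, uac = u["sAMAccountName"], u["userAccountControl"]
        if uac & ACCOUNTDISABLE:
            continue  # disabled accounts cannot be roasted or sprayed
        priv = is_privileged(u)
        if u.get("servicePrincipalName"):   # SPN on a user account: Kerberoastable
            findings.append(("high" if priv else "medium", "kerberoastable", name,
                             ", ".join(u["servicePrincipalName"])))
        if uac & DONT_REQ_PREAUTH:
            findings.append(("high", "asrep_roastable", name, "DONT_REQ_PREAUTH set"))
        if uac & PASSWD_NOTREQD:
            findings.append(("high", "password_not_required", name, "PASSWD_NOTREQD set"))
        if priv and uac & DONT_EXPIRE_PASSWORD:
            findings.append(("medium", "privileged_password_never_expires", name,
                             "DONT_EXPIRE_PASSWORD set"))
        # lastLogonTimestamp is replicated with ~14-day granularity, which is fine for a 90-day cutoff
        last = filetime_to_datetime(u.get("lastLogonTimestamp", 0))
        if priv and (last is None or now - last > timedelta(days=STALE_DAYS)):
            findings.append(("medium", "stale_privileged_account", name,
                             f"last logon {last.date() if last else 'never'}"))
    return findings


def audit_password_policy(policy):
    """Checks on the domain head's password-policy attributes."""
    findings = []
    if policy["minPwdLength"] < 14:
        findings.append(("medium", "short_min_password_length", "domain",
                         f"minPwdLength={policy['minPwdLength']}"))
    if policy["lockoutThreshold"] == 0:
        findings.append(("high", "no_account_lockout", "domain",
                         "password spraying will never lock an account"))
    if policy["pwdHistoryLength"] < 24:
        findings.append(("low", "short_password_history", "domain",
                         f"pwdHistoryLength={policy['pwdHistoryLength']}"))
    if policy["maxPwdAge"] == PWD_NEVER_EXPIRES:
        findings.append(("medium", "passwords_never_expire", "domain", "maxPwdAge=never"))
    return findings


# Constructed sample data; NOW is fixed so the results are reproducible
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"sAMAccountName": "lowpriv", "userAccountControl": 0x200, "memberOf": ["Domain Users"],
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=2))},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x200 | DONT_EXPIRE_PASSWORD,
     "memberOf": ["Domain Admins"], "servicePrincipalName": ["MSSQLSvc/sql01.sekvoya.local:1433"],
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=1))},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x200 | DONT_REQ_PREAUTH,
     "memberOf": [], "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=5))},
    {"sAMAccountName": "old_admin", "userAccountControl": 0x200, "memberOf": ["Domain Admins"],
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "ghost_svc", "userAccountControl": 0x200 | ACCOUNTDISABLE,
     "servicePrincipalName": ["HTTP/old.sekvoya.local"], "lastLogonTimestamp": 0},
]
SAMPLE_POLICY = {"minPwdLength": 7, "lockoutThreshold": 0, "pwdHistoryLength": 3,
                 "maxPwdAge": PWD_NEVER_EXPIRES}


def run_audit(users=SAMPLE_USERS, policy=SAMPLE_POLICY, now=NOW):
    return audit_users(users, now) + audit_password_policy(policy)


if __name__ == "__main__":
    for severity, check, obj, detail in run_audit():
        print(f"[{severity:6}] {check:34} {obj:12} {detail}")
```

The sample turns up a privileged, Kerberoastable service account with a non-expiring password, an AS-REP roastable application account, a Domain Admin that has not logged on in over a year, and a password policy with no lockout threshold. The disabled account with an SPN is deliberately skipped, since it cannot be roasted or used for spraying.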
Setting Up
Compared to ADScan, setting up ADPulse is straightforward and does not require complex dependencies.
kali > git clone https://github.com/yourorg/adpulse.git
kali > cd adpulse
kali > python -m venv venv
kali > source venv/bin/activate
kali > pip install -r requirements.txt
Once the environment is ready, the tool can be executed with a simple command.
kali > python ADPulse.py --domain sekvoya.local --user lowpriv --password 'P@ssw0rd123!'
As it runs, ADPulse displays summaries directly in the terminal, giving you immediate insight into the environment. When the scan completes, it generates both JSON and HTML reports. The HTML version is particularly useful, as it presents findings in a clean, hierarchical structure with recommendations.


These reports are practical documents that can be shared with system administrators and decision-makers, helping them understand what needs to be fixed and why it matters.
Summary
Active Directory pentesting is a process that begins with discovery and often moves toward exploitation, but it does not always end with full domain compromise. In real engagements, success is not measured by whether you obtain Domain Admin privileges, but by how well you identify and communicate risks that could impact the organization. Sometimes the most critical findings involve exposed data, weak configurations, or small mistakes that could later be chained into larger attacks.
With ADScan you can move quickly through enumeration and exploitation. ADPulse, on the other hand, gives you a clear view of the environment, highlighting weaknesses and offering guidance for improvement.
If you’re interested in red teaming and want to build the skills required to be a pentester, we offer our Red Team Operator training program.
Source: HackersArise
Source Link: https://hackers-arise.com/offensive-security-speeding-up-active-directory-pentests-with-adscan-and-adpulse/