Releases: ADScanPro/adscan

ADscan 3.2.2 — Patch release

04 Jan 22:51
9cd534e

This release ships a handful of reliability and correctness fixes focused on real-world lab workflows and privilege discovery.

Fixed

  • Fixed a dcsync issue when using --all (previously it could fail or behave incorrectly in some cases).
  • Fixed a bug where some admin principals were not being included in privileged.txt.
  • Fixed a bug affecting admin detection and writing to privileged.txt (edge cases in list generation).

Improved

  • check: now detects system.txt flags commonly present in TryHackMe-style CTF/lab environments.
  • Faster transcription file lookup (more efficient search).

Notes

  • Docker-first workflow remains the recommended path; legacy host install is still available via --legacy.
  • As always: authorized testing only.

If you hit any issues, please open an issue with:
OS + Docker version (if applicable) + ADscan version + the exact error/log snippet.

ADscan 3.2.1 — Docker-first release (migrate-docker)

04 Jan 19:31
10dd39a

🚀 Major change: Docker is now the default runtime

ADscan now installs and runs inside a Docker container by default to dramatically improve installation reliability across user environments. This reduces dependency issues caused by distro differences, Python tooling, apt repos, PATH contamination, and permissions.

  • adscan install now pulls the ADscan Docker image and prepares the BloodHound CE compose stack.
  • adscan start now launches ADscan inside the container with host workspaces mounted.
  • adscan check validates Docker prerequisites and container readiness (and avoids legacy host dependency checks unless explicitly requested).

🧰 Legacy mode still available (explicit)

For users who still want the previous “install everything on the host” flow:

  • Use --legacy (where supported) to run the legacy installer/check path.

🩸 BloodHound CE integration

  • Docker-mode includes automatic handling for the BloodHound CE stack (compose-based), ensuring required images/configs are present and containers can be started when needed.

🔧 Reliability improvements

  • Robust DNS discovery using dig (with compatibility fallbacks like disabling EDNS/cookies where needed).
  • Better handling of transient network/DNS failures during tool installation/pulls with retries and clearer diagnostics.
  • Improved handling of permission issues introduced by prior root-based installs (workspaces, tool state directories).

🐳 Container runtime enhancements

  • Workspace and log directories are bind-mounted from the host so data persists across runs.
  • Container entrypoint handles UID/GID mapping to reduce root-owned files on the host.
  • Added Docker runtime detection helpers to prevent Docker-in-Docker pitfalls and keep behavior consistent.

📦 Publishing & versioning

  • Release workflow now tags Docker images with the same version as the PyPI release (e.g. adscan/adscan:3.2.1) and updates latest to match.

⚠ Notes / Known behavior changes

  • Some host-level operations (e.g., system time sync and privileged actions) are now mediated through container/host helper logic depending on environment and permissions.
  • Older Kali/edge environments may still require manual Docker setup; see updated docs.

✅ Upgrade path

  • Existing users: run adscan install to pull the latest image and update the BloodHound CE stack.
  • For legacy installations, migrate by switching to Docker mode (recommended) or continue using --legacy.

ADscan v1.3.4

23 Dec 13:16
5f7dd67

Highlights

  • No more root-required workflow: ADscan now runs without root by default and only prompts for sudo when needed.

  • BloodHound-CE reliability boost: Better detection, startup, and conflict handling—especially around port 8080 and “installed but not running” scenarios.

  • Stronger DNS + network resilience: Improved DNS resolution (including UDP→TCP fallback) and smoother installs in restricted or slow networks.


Fixes

  • Fixed a bug that caused prompt questions to be shown twice during scans.

  • Fixed an LDAPConnection bug.

  • Fixed a BloodHound-CE bug when it was installed but not running.

  • Fixed a dhcpd error on the first run after install.

  • Fixed RDP timeout exception and now runs the RDP check in the background.

  • Fixed BloodHound-CE container not running when port 8080 is already used by another service.

  • Fixed bug where ADscan didn’t check pyenv Python version if pyenv was already installed.

  • Fixed a bug where BloodHound YAML files were searched for in an incorrect location.

  • Fixed manspider log permission errors.

  • Fixed NetExec workspace conflicts.


Improvements

  • Added a port 8080 check during BloodHound-CE install/launch that prompts the user to free the port when it is taken.

  • Fixed official Docker installation flow.

  • Added DNS resolution fallback to TCP when UDP fails.

  • More robust PDC selection, including edge cases where the PDC internal IP appears.

  • Tuned NetExec execution: fewer threads + improved timeout handling for more stable runs.

  • ADscan now exits when apt update fails (instead of only warning), preventing broken dependency states.

  • If batch package installation fails, ADscan now falls back to slower one-by-one installs.

  • Added a first-start tutorial and a reference to the documentation page.

  • Switched to Unbound for more robust DNS resolution management.

  • Domain discovery now retries properly (up to three attempts).

  • Fixed pyenv shims permission error.

  • Installation made more robust and efficient for slow/restricted networks.

  • Added --fix parameter to the check command to automatically fix detected issues.

  • Moved the version upgrade check to the beginning of the check command.

  • Reordered authenticated enumeration to achieve “quick wins” earlier.


Notes / Potentially Breaking Behavior

  • apt update errors now stop the process instead of continuing. This is intentional to avoid half-installed dependencies.

ADscan 3.1.0

13 Dec 08:18
58e3fff

ADscan v3.1.0

This release focuses on finding more credentials automatically, improving the password spraying workflow, and increasing overall reliability (install, Docker, enumeration, and session handling).

Highlights

  • Automatic credential extraction from common “real-world” sources (SMB descriptions and PowerShell transcripts).
  • Smarter password spraying: when ADscan finds a valid password, it can help you search for more users reusing it.
  • Better stability in real environments: improvements across Docker, kerberoasting, RDP launching, and noisy enumeration paths.
  • More robust installation: tooling upgrades, stronger checks, and dependency fixes.

Added

  • Automatic password extraction from SMB descriptions (including null session scenarios).
  • Password extraction from PSTranscripts via WinRM.
  • Prompt/flow to re-run password spraying using discovered passwords to identify additional users.
  • Handler-based shell improvements.
  • Support for custom agents.

Changed / Improved

  • bloodhound-cli moved into an isolated environment for better consistency.
  • Enumeration: skips some low-value ACLs to reduce noise.
  • SMB share spidering + description extraction: timeouts disabled to avoid timeout-related errors (may run longer on large environments).
  • Telemetry: logging consolidated into sessions, added countries, and fixed a time synchronization issue.
  • Various UX and lab updates.

Fixed

  • Bug: null session context was not added correctly to auth context.
  • Bug: password spraying failed when the Kerberos folder was missing.
  • RID cycling: expanded the set of enumerated IDs.
  • Kerberoasting: fixed issues with preauth sessions due to async behavior.
  • BloodHound: fixed user search for users belonging to an OU.
  • False positive: unconstrained delegation on DC.
  • Bug: creating a new workspace (client/prod).
  • RDP session auto launcher issues.
  • Docker: containers not initialized when the Docker service wasn’t up; crawling failure when libmagic was missing.
  • Dependencies: fixed bloodyad minikerberos dependency error; improved robustness of installed-tools checks.

Installation / upgrade notes

  • Recommended: rerun the install/upgrade flow to pick up:
    • tool version upgrades,
    • pinned-commit installs where applicable,
    • dependency fixes (including bloodyad/minikerberos).
  • Note: with SMB spidering/description extraction timeouts disabled, runs may take longer on very large scopes—limit targets if needed.

ADscan v3.0.2 — krbtgt fix & polished UI for lab guides ✨

04 Dec 14:20
5d5d8d3

TL;DR

  • 🧬 Fixed a bug where the krbtgt hash was not being extracted from DCSync results.

  • 🎨 More UX/UI improvements to make console output easier to read and follow in lab guides and demos.

After upgrading, it’s still a good idea to refresh and check your setup:

pipx upgrade adscan
adscan install
adscan check

🛠 Fixes

  • Fixed an issue where DCSync runs would succeed but the krbtgt hash was not properly extracted and surfaced in the output.

    • This mainly affected attack chains and reporting where krbtgt is expected as a key outcome.

🎨 UX / UI improvements

  • Further TUI layout and styling tweaks to make:

    • important findings stand out more clearly in the console,

    • multi-step attack chains easier to follow in real time,

    • screenshots and guides (e.g. HTB lab docs) more readable and consistent.

These changes are especially targeted at improving the experience when following the new HTB lab guides under https://www.adscanpro.com/docs/labs.


📣 Feedback

If you notice any odd behavior around DCSync, krbtgt extraction, or the new UI:

  • Open an issue with:

    • ADscan version

    • Distro/version

    • A redacted snippet of the relevant console output

This is a small but important patch on top of 3.0.1 to make both attack chains and lab walkthroughs more reliable and easier to understand.

ADscan v3.0.1

01 Dec 11:29
e3e5b0b

TL;DR

  • 🕒 Much tougher time handling: PDC retries, RPC fallback, NTP edge cases fixed.

  • 🌐 More reliable DNS & domain management: dhcpcd, dnsmasq and /etc/hosts issues fixed and cleaned up.

  • 🧠 BloodHound-first group enumeration with LDAP as a fallback.

  • ⚙️ New CI command to run ADscan in CI pipelines.

  • 🔐 Spraying & rusthound-ce hardened: LDAPS timeout fallback, isolated venv, spraying bug fixes.

  • 🧷 Better automation: auto password extraction during spidering/search, extra retries for flaky flag retrieval.

  • 🎨 General UX/UI improvements and redesign of the TUI.

After upgrading to 3.0.1, run:

pipx upgrade adscan && adscan install && adscan check


🔄 Important behavior changes

BloodHound-first group enumeration

Group enumeration now uses BloodHound as the primary source, with LDAP used as a fallback when BH is unavailable or fails.
This improves consistency of group data and lines up better with BH-centric workflows.

New CI command

A dedicated CI command has been added to integrate ADscan into CI pipelines (CI/CD, nightly lab checks, etc.).
Check adscan --help for the new CI entrypoint and available flags.

Spraying toolkit in an isolated venv

The password spraying toolkit has been moved into its own isolated virtualenv, reducing dependency conflicts and side effects on the system Python.


🧭 Reliability & stability improvements

Time sync hardening

  • Added 3 attempts to synchronize the clock with the PDC, making Kerberos and other time-sensitive operations more reliable.

  • Added a clock synchronization fallback via RPC when the primary method fails.

  • Fixed a bug that occurred when NTP was closed/unavailable so time sync now degrades gracefully instead of breaking flows.

DNS & network robustness

  • Fixed a bug where dhcpcd could remove /etc/resolv.conf during dnsmasq setup.

  • Introduced a new method to remove stale entries from both the dnsmasq configuration and /etc/hosts, improving reliability when domains/IPs change between runs.

  • Fixed a bug where DNS would not resolve correctly if start_auth or start_unauth had not been executed yet.

BloodHound / rusthound-ce integration

  • Fixed an LDAPS timeout issue in rusthound-ce and ensured a proper fallback without LDAPS when secure LDAP is not reachable.

Spraying & flags

  • Fixed a password spraying bug introduced with the newer bloodhound-cli version.

  • Ensured the spraying toolkit runs in an isolated venv (see above) to avoid dependency clashes.

  • Fixed cases where flags were sometimes not retrieved by adding 3 retries on the relevant operations.

System integration

  • Fixed a system command bus error that could sporadically break shell/system calls.

🤖 UX / automation improvements

Automatic password extraction

  • Added automatic password extraction during spidering and when searching descriptions.
    When ADscan finds content that looks like credentials, it now attempts to extract and surface them more reliably.

DNS / domain management polish

  • The new stale-entry removal for dnsmasq and /etc/hosts keeps your environment closer to a “known good” state across multiple runs and domain changes.

General UX/UI redesign

  • General TUI/UX improvements and layout tweaks to make output more readable and navigation smoother (more structured output, better grouping, clearer prompts).

🛠️ Additional fixes & checks

  • Added specific Python tool version checks to avoid subtle incompatibility issues.

  • Fixed the check summary so it now accurately reflects the real state of the environment.


📦 Upgrade notes

After installing 3.0.1, refresh the toolchain and verify everything is healthy:

pipx upgrade adscan && adscan install && adscan check

If you already run ADscan in CI/CD, review the new CI command via adscan --help and adjust your pipeline scripts accordingly.


📣 Feedback

If you hit issues or regressions:

  • Open a GitHub issue with:

    • ADscan version

    • Distro/version

    • Redacted logs (no domains/hostnames/creds)

This release is heavily focused on reliability (time, DNS, BH integration) and operator experience, so any edge cases you report help harden ADscan for everyone. 🙏

ADscan v2.2.1

15 Nov 12:16
15d6ead

TL;DR

  • Idempotent installs: fixes when pyenv or BloodHound CE were already present.

  • No more CLI collisions: resolves bloodhound-cli name clash with SpecterOps’ tool and ensures the custom bloodhound-cli is upgraded correctly.

  • Security & hygiene: automated BH CE password change during adscan install + isolated venvs for all external tools.

  • After upgrade, run: adscan install.


🛠 Fixes

  • pyenv: fixed installer error when pyenv was already installed. 🔺

  • BloodHound CE: fixed installer error when BH CE was already installed. 🔺

  • CLI collision: fixed bloodhound-cli name conflict with SpecterOps’ binary vs. ADscan’s custom script. 🔺

  • Custom CLI updates: fixed custom bloodhound-cli not upgrading during adscan install. 🔺

⬆️ Improvements

  • Automated BH CE password rotation in adscan install (no manual prompts). ⏫

  • Per-tool isolated virtualenvs for all external tools (cleaner deps, fewer conflicts). 🔼


⚠️ Action after upgrading

Run the toolchain refresh to apply venv isolation & BH CE changes:

pipx upgrade adscan
adscan install
adscan check


🧭 Notes

  • If you previously had SpecterOps’ bloodhound-cli on PATH, adscan install now resolves the collision and ensures ADscan’s custom bloodhound-cli is reachable and upgraded.

  • Isolated venvs may change where dependencies live; use adscan check to verify environment health.


📣 Feedback / Issues

If something breaks or you spot a regression, open an issue with a redacted log plus your distro and ADscan version.

ADscan v2.2.0

11 Nov 20:59
15d6ead

TL;DR

  • Switched to BloodHound Community Edition (BHCE).

  • Fixed start flags and stability issues (ACLs, domain resolution, Kali 2025.1).

  • Action required after upgrade: run adscan install.


🚀 Highlights

  • BloodHound Community Edition replaces legacy edition for collection/graph workflows. Expect better compatibility and a cleaner path forward.

⚠️ Required action (post-upgrade)

After upgrading to 2.2.0, refresh the toolchain:

pipx upgrade adscan && adscan install && adscan check

The switch to BHCE changes dependencies/paths. Running adscan install is mandatory.


✨ Improvements

  • Switched from BloodHound Legacy to BloodHound Community Edition in the install and execution flow.

🐛 Fixes

  • Auth flag gating: fixed a bug preventing scans from starting when auth=false.

  • ACL enumeration: fixed an issue where ACLs weren’t enumerated if Neo4j was down.

  • Domain resolution: multiple fixes improving multi-domain resolution reliability.

  • Kali 2025.1 install: resolved installer issue on Kali 2025.1.


🧪 How to verify after upgrading

  1. adscan install (fetch BHCE + deps)

  2. Run a quick lab profile (CTF) or a dry run (audit) and confirm techniques execute as expected.


🧭 Known notes

  • If you previously pinned legacy BloodHound paths or custom configs, re-run adscan install and re-check your environment with adscan check.

📣 Feedback / Issues

If something breaks or you spot a regression, please open an issue with a redacted log and your distro/version details. Thanks for helping us make the LITE flow faster and more reliable.

ADscan LITE v2.1.2 - Patch (bugfix & reliability)

19 Aug 14:03
382ce02

In two lines: more stable, better SMB/Kerberos, more reliable automatic NTLM cracking, smoother DX.

Highlights

  • SMB improvements for large ranges and share spidering.
  • Kerberos: real-time user enumeration with user-controlled cancel.
  • WinRM admin access with hashes (PTH) fixed.
  • ✅ More reliable automatic NTLM hash cracking.

Changelog

Fixed

  • WinRM admin access using hash instead of password. 🔺
  • Automatic NTLM cracking reliability issues. 🔺
  • SMB shares spidering: fixes for password output collection. 🔺
  • Automatically add adscan binary to PATH when not installed via PyPI.

Changed

  • Kerberos user enumeration timeout → now real-time capture with user-controlled cancel. 🔺
  • Removed timeout in start_unauth SMB scan for large host ranges (prevents “timeout error”). 🔺

📦 ADscan v2.1.1 — Bug-bash & Kerberos polish

18 Jul 19:30
54629bf

Release date: 18 Jul 2025

Heads-up: Pure maintenance drop—no breaking changes.
Upgrade: pipx upgrade adscan or pip install -U adscan.


✨ Highlights

Category      Change
Bug fix       Password-spraying now handles any special character in usernames & passwords.
Bug fix       Domain look-ups are forced to lower-case → “Domain not found” is gone.
Bug fix       SMB share spidering no longer fails on XML regex mismatch; passwords are captured.
Bug fix       dump_registries no longer crashes on empty hives.
Bug fix       Fixed “open smb” error on share enumeration.
Improvement   Added Kerberos authentication support to flag collection and group-membership checks.
Improvement   New custom wordlist for kerberos enum-users (higher hit-rate on real names).

🔍 Full changelog

fix: spraying failed on special-char creds
fix: domain lookup => force lower()
fix: open smb error on share enum
fix: regex miss in XML spidering
fix: dump_registries crash on empty hive
add: kerberos auth for flag & membership checks
add: kerb custom user wordlist

⬆️ How to upgrade

# with pipx (recommended)
pipx upgrade adscan

# or inside your venv
pip install -U adscan

After upgrading, run adscan install once to refresh external tools.


Huge thanks to the early testers—especially @K0B4KS—for battle-testing Lite in the wild.
Keep the bug reports coming; they shape PRO.

— Yeray