
PingCastle is a security auditing tool designed to assess the security posture of Active Directory (AD) environments. It provides an automated and thorough audit of AD configurations, highlighting potential security risks and vulnerabilities. PingCastle generates detailed reports that help administrators and security professionals identify weaknesses and improve the overall security of their AD infrastructure.
Basic Commands
PingCastle.exe --healthcheck #Perform a health check on the Active Directory domain
PingCastle.exe --healthcheck --server mydc.example.com #Perform a health check on a specific domain controller
PingCastle.exe --healthcheck --server mydc.example.com --outputdir C:\Reports #Perform a health check and save the report to a directory
PingCastle.exe --healthcheck --timeout 120 #Perform a health check with a specified timeout (in seconds)
Report Generation
PingCastle.exe --healthcheck --outputdir C:\Reports --format HTML #Generate the report in HTML format
PingCastle.exe --healthcheck --outputdir C:\Reports --format XLS #Generate the report in Excel format
PingCastle.exe --healthcheck --outputdir C:\Reports --format PDF #Generate the report in PDF format
Advanced Commands
PingCastle.exe --risklevel #Assess the risk level of the Active Directory environment
PingCastle.exe --risklevel --outputdir C:\Reports #Assess the risk level and save the report
PingCastle.exe --consoledomainreport #Generate a domain-wide console report
PingCastle.exe --consoledomainreport --outputdir C:\Reports #Generate a domain-wide console report and save it
PingCastle.exe --listgpo #List all Group Policy Objects
PingCastle.exe --listgpo --outputdir C:\Reports #List all GPOs and save the report
PingCastle.exe --explore #Explore the domain interactively
PingCastle.exe --explore --server mydc.example.com #Explore a specific domain controller interactively
Specific Tests
PingCastle.exe --checkms14-068 #Check for vulnerability MS14-068
PingCastle.exe --checkms14-068 --outputdir C:\Reports #Check for MS14-068 and save the report
PingCastle.exe --checksysvol #Check SYSVOL permissions
PingCastle.exe --checksysvol --outputdir C:\Reports #Check SYSVOL permissions and save the report
PingCastle.exe --checkdns #Check DNS configurations and vulnerabilities
PingCastle.exe --checkdns --outputdir C:\Reports #Check DNS configurations and save the report
Common Commands
Perform a Basic Health Check and Save the Report
PingCastle.exe --healthcheck --outputdir C:\Reports
Perform a Health Check on a Specific Domain Controller
PingCastle.exe --healthcheck --server mydc.example.com --outputdir C:\Reports
Generate a Domain-Wide Risk Level Report
PingCastle.exe --risklevel --outputdir C:\Reports
List All Group Policy Objects and Save the Report
PingCastle.exe --listgpo --outputdir C:\Reports
Check for MS14-068 Vulnerability and Save the Report
PingCastle.exe --checkms14-068 --outputdir C:\Reports
Check DNS Configurations and Save the Report
PingCastle.exe --checkdns --outputdir C:\Reports
PingCastle Interactive Mode
Launching Interactive Mode
PingCastle.exe --explore #Start PingCastle in interactive mode
Basic Navigation Commands
? or help #Display help information for commands
q or quit #Exit the interactive mode
exit #Exit the interactive mode
Interactive Scanner Options
nullsessions #Check for null session vulnerabilities
nullsessions /outputdir C:\Reports #Check for null session vulnerabilities and save the report
smbsigning #Check for SMB signing requirements
smbsigning /outputdir C:\Reports #Check for SMB signing requirements and save the report
ldapsigning #Check for LDAP signing requirements
ldapsigning /outputdir C:\Reports #Check for LDAP signing requirements and save the report
ldapschannelbinding #Check for LDAPS channel binding requirements
ldapschannelbinding /outputdir C:\Reports #Check for LDAPS channel binding requirements and save the report
checkadmincount #Check for users with adminCount=1 attribute
checkadmincount /outputdir C:\Reports #Check for users with adminCount=1 attribute and save the report
printspooler #Check if the Print Spooler service is enabled
printspooler /outputdir C:\Reports #Check Print Spooler service and save the report
zerologon #Check for the Zerologon vulnerability
zerologon /outputdir C:\Reports #Check for Zerologon vulnerability and save the report
passwordnotrequired #Check for accounts with the "Password Not Required" flag
passwordnotrequired /outputdir C:\Reports #Check for accounts with the "Password Not Required" flag and save the report
delegation #Check for accounts with delegation rights
delegation /outputdir C:\Reports #Check for accounts with delegation rights and save the report
Health Check Commands
healthcheck #Perform a health check on the default domain
healthcheck server #Perform a health check on a specific domain controller (replace 'server' with the domain controller name)
healthcheck server /outputdir C:\Reports #Perform a health check and save the report to a specified directory
Risk Level Assessment
risklevel #Assess the risk level of the default domain
risklevel server #Assess the risk level of a specific domain controller (replace 'server' with the domain controller name)
risklevel server /outputdir C:\Reports #Assess the risk level and save the report to a specified directory
Group Policy Object (GPO) Commands
listgpo #List all Group Policy Objects (GPOs)
listgpo /outputdir C:\Reports #List all GPOs and save the report to a specified directory
Specific Checks and Reports
checkms14-068 #Check for vulnerability MS14-068
checkms14-068 /outputdir C:\Reports #Check for MS14-068 and save the report to a specified directory
checksysvol #Check SYSVOL permissions
checksysvol /outputdir C:\Reports #Check SYSVOL permissions and save the report to a specified directory
checkdns #Check DNS configurations and vulnerabilities
checkdns /outputdir C:\Reports #Check DNS configurations and save the report to a specified directory
Data Exploration Commands
explore #Start interactive exploration
explore server #Explore a specific domain controller interactively (replace 'server' with the domain controller name)
Report Generation Commands
healthcheck /outputdir C:\Reports #Perform a health check and generate a report in the specified directory
risklevel /outputdir C:\Reports #Generate a risk level report and save it in the specified directory
listgpo /outputdir C:\Reports #Generate a GPO list report and save it in the specified directory