PingCastle
PingCastle is a security auditing tool designed to assess the security posture of Active Directory (AD) environments. It provides an automated and thorough audit of AD configurations, highlighting potential security risks and vulnerabilities. PingCastle generates detailed reports that help administrators and security professionals identify weaknesses and improve the overall security of their AD infrastructure.
Basic Commands
PingCastle.exe --healthcheck #Perform a health check on the Active Directory domain PingCastle.exe --healthcheck --server mydc.example.com #Perform a health check on a specific domain controller PingCastle.exe --healthcheck --server mydc.example.com --outputdir C:\Reports #Perform a health check and save the report to a directory PingCastle.exe --healthcheck --timeout 120 #Perform a health check with a specified timeout (in seconds)
Core Modes
PingCastle.exe --healthcheck --server domain.local #Perform security assessment of a single domain PingCastle.exe --healthcheck --server * #Scan all reachable domains in the forest PingCastle.exe --healthcheck --privileged #AD security assessment with privileged mode PingCastle.exe --hc-conso #Consolidate multiple XML reports into summary reports PingCastle.exe --carto #Quick trust mapping without full healthcheck scores PingCastle.exe --scanner <type> --server domain.local #Run specific scanner (see Scanners section) PingCastle.exe --graph --server domain.local #Compute compromise graph for a domain PingCastle.exe --regen-report report.xml #Regenerate HTML report from XML file PingCastle.exe --reload-report report.xml #Regenerate XML report from existing XML (useful for decryption) PingCastle.exe --rules #Generate HTML documentation of all PingCastle rules PingCastle.exe --generate-key #Generate new RSA key pair for report encryption PingCastle.exe --upload-all-reports --api-endpoint https://api.domain.local --api-key APIKEY123 #Upload all reports in current directory to API
Domain Health Check
PingCastle.exe --healthcheck --level Full #Full detailed report PingCastle.exe --healthcheck --server mydc.example.com #Target specific DC PingCastle.exe --healthcheck --privileged #Run with privileged checks PingCastle.exe --healthcheck --reachable #Scan all reachable domains
Scanners
PingCastle.exe --scanner aclcheck --server domain.local #Check authorization related to users/groups against AD ACLs (Everyone, Authenticated Users, Domain Users) PingCastle.exe --scanner antivirus --server domain.local #Identify computers without known antivirus installed PingCastle.exe --scanner computerversion --server domain.local #Detect obsolete/unsupported operating systems PingCastle.exe --scanner foreignusers --foreigndomain domain.local --server domain.local #Enumerate users in denied/foreign domains via trusts (MS-LSAT) PingCastle.exe --scanner kerberoschecksumhotfix --server domain.local #Check MS14-068 vulnerability via KB3011780 installation status PingCastle.exe --scanner laps_bitlocker --server domain.local #Verify if LAPS and/or BitLocker is enabled on domain computers PingCastle.exe --scanner localadmin --server domain.local #Enumerate local administrators on domain computers PingCastle.exe --scanner nullsession --server domain.local #Check if null sessions are enabled and provide access examples PingCastle.exe --scanner nullsession-trust --server domain.local #Attempt to dump domain trusts via null session PingCastle.exe --scanner oxidbindings --server domain.local #Enumerate IPs via OXID Resolver (DCOM) to identify admin networks (no auth required) PingCastle.exe --scanner remote --server domain.local #Detect installed remote desktop/remote access solutions PingCastle.exe --scanner share --server domain.local #Enumerate shares and identify publicly accessible ones PingCastle.exe --scanner smb --server domain.local #Check SMB versions and whether SMB signing is enforced PingCastle.exe --scanner smb3querynetwork --server domain.local #Enumerate IPs and interface speeds via SMB3 (auth required) PingCastle.exe --scanner smbhotfix --server domain.local #Check MS17-010 (EternalBlue/WannaCry) vulnerability status PingCastle.exe --scanner spooler --server domain.local #Check if print spooler service is remotely accessible (delegation abuse risk) PingCastle.exe --scanner startup --server domain.local #Retrieve last startup time to identify unpatched systems (legacy) PingCastle.exe --scanner zerologon --server domain.local #Test for ZeroLogon vulnerability (safe check, non-destructive)
Report Generation
PingCastle.exe --healthcheck --outputdir C:\Reports --format HTML #Generate the report in HTML format PingCastle.exe --healthcheck --outputdir C:\Reports --format XLS #Generate the report in Excel format PingCastle.exe --healthcheck --outputdir C:\Reports --format PDF #Generate the report in PDF format PingCastle.exe --healthcheck --log #Enable logging PingCastle.exe --healthcheck --log-console #Verbose console output
Workflows
PingCastle.exe --healthcheck --server domain.local #Single domain healthcheck PingCastle.exe --healthcheck --server * --reachable --hc-conso #Full forest assessment with automatic consolidation PingCastle.exe --healthcheck --server domain.local --encrypt --sendAllTo [email protected] #Encrypt reports and email to security team PingCastle.exe --healthcheck --server domain.local --privileged --level Full --datefile #Run with elevated checks, full detail, and date-based filename PingCastle.exe --healthcheck --server domain.local --explore-trust #Explore all trusted domains PingCastle.exe --healthcheck --server forest.root --explore-forest-trust #Explore forest trusts from root domain PingCastle.exe --healthcheck --server domain.local --explore-trust --explore-forest-trust --explore-exception bastion.local,dmz.local #Enumerate trusts with exclusions PingCastle.exe --healthcheck --server domain.local --api-endpoint https://enterprise.local --api-key APIKEY123 --encrypt --level Full #Automated enterprise scan with encrypted API upload PingCastle.exe --hc-conso --filter-date 2024-01-01 --center-on primary.local --xmls C:\Reports #Consolidate reports with date filtering and domain focus
PingCastle Interactive Mode
Launching Interactive Mode
PingCastle.exe #Start PingCastle in interactive mode exit #Exit the interactive mode
Interactive Scanner Options
aclcheck #Check authorization related to users or groups. Default to everyone, authenticated users and domain users antivirus #Check for computers without known antivirus installed. It is used to detect unprotected computers but may also report computers with unknown antivirus. computerversion #Get the version of a computer. Can be used to determine if obsolete operating systems are still present. foreignusers #Use trusts to enumerate users located in domain denied such as bastion or domains too far away. kerberoschecksumhotfix #Check MS14-068 vulnerability. Analyses KB3011780 installation status. laps_bitlocker #Check on the AD if LAPS and/or BitLocker has been enabled for all computers on the domain. localadmin #Enumerate the local administrators of a computer. nullsession #Check if null sessions are enabled and provide example(s). nullsession-trust #Dump the trusts of a domain via null session if possible oxidbindings #List all IP of the computer via the Oxid Resolver (part of DCOM). No authentication. Used to find other networks such as the one used for administration. remote #Check if a remote desktop solution is installed on the computer. share #List all shares published on a computer and determine if the share can be accessed by anyone smb #Scan a computer and determine the smb version available. Also if SMB signing is active. smb3querynetwork #List all IP of the computer and the interface speed using SMB3. Authentication required. Used to find other networks such as the one used for administration. smbhotfix #Check MS17-010 (EternalBlue/WannaCry) vulnerability status. Analyzes SMB1 support and installed security patches. spooler #Check if the spooler service is remotely active. The spooler can be abused to get computer tokens when unconstrained delegations are exploited. startup #Get the last startup date of a computer. Can be used to determine if latest patches have been applied. zerologon #Test for the ZeroLogon vulnerability. Important: the tester must be inside the domain. Trusts cannot be used. ##Scanner Options all #This is a domain. Scan all computers. one #This is a computer. Scan only this computer. workstation #Scan all computers except servers. server #Scan all servers. domaincontrollers #Scan all domain controllers. file #Import items from a file (one computer per line).
Health Check Commands
healthcheck #Perform a health check on the default domain Do you want to use privileged mode? #Yes or No option domain.local or 10.1.1.1 #Perform a health check on a specific domain controller (replace 'server' with the domain controller name)
Risk Level Assessment of EntraID
entraid #Assess the risk level of the EntraID Security. Produces a report which will give you an overview of your EntraID security. useprt #Use the Primary Refresh Token available on this computer to connect automatically without credential prompting. askcredential #Ask for credentials. The identity may be asked multiple times during the healthcheck.
Aggregate multiple reports into a single one
conso #Aggregate multiple reports into a single one. With many healthcheck reports, you can get a single report for a whole scope. Maps will be generated.
Build a map of all interconnected domains
carto #Build a map of all interconnected domains. It combines the healthcheck reports that would be run on all trusted domains and then the conso option. But lighter and and faster.
Export
export #Export users or computers. changes #Export all modifications that occurs in the domain in real time computers #Export all computers entraguest #Export all Entra ID users from an Entra ID guest account users #Export all users
Advanced Menu
advanced #Open the advanced menu. configure PingCastle without using command line switches. protocol #Change the protocol used to query the AD (LDAP, ADWS, ...) hcrules #Generate a report containing all rules applied by PingCastle generatekey #Generate RSA keys used to encrypt and decrypt reports noenumlimit #Remove the 100 items limitation in healthcheck reports decrypt #Decrypt a xml report regenerate #Regenerate the html report based on the xml report log #Enable logging (log is disabled) apilicense #Try get an agent license