Skip to content

PingCastle

Active Directory security assessment and risk scoring

C#GitHubWebsite

Overview

PingCastle is a free auditing tool designed to evaluate the security level of an Active Directory infrastructure quickly. It identifies security weaknesses, maps out trusts, and generates highly detailed, readable HTML reports, making it a favorite for both internal blue teams and offensive red teams conducting security audits.

Key Features

  • Out-of-the-box maturity scoring for domains.
  • Comprehensive assessments covering Privileged Accounts, Trusts, Anomalies, and Stale Objects.
  • Highlights common misconfigurations (e.g., Kerberoastable admin accounts, LAPS misconfigurations, unconstrained delegation).
  • Quick scanning speed (evaluating an entire AD environment securely in minutes).

Typical Workflow

PingCastle relies on standard LDAP and Microsoft API endpoints and typically requires only a basic, unprivileged domain user account to run.

You execute the binary on a domain-joined machine. It reaches out to the domain controller, parses the schemas, and generates an interactive HTML and XML report right in the terminal directory.

Usage Examples

Basic Health Check

Run the interactive menu and automatically perform the standard health check:

BASH 
PingCastle.exe
> Select option '1' (Healthcheck)

Or run it directly from the command line without the interactive prompt:

BASH 
# Perform a health check of the current domain
PingCastle.exe --healthcheck

# Specify an explicit domain and credentials (if running from an unjoined machine but with routing access)
PingCastle.exe --server target.local --user alice --password Password123 --healthcheck

Trust Assessment

Map out and evaluate all intra-forest and extra-forest trusts.

BASH 
PingCastle.exe --scanner trust

Advanced Scanners

PingCastle contains many granular scanners for specific enumeration tasks:

BASH 
# Find all local administrators across the domain using GPO enumeration
PingCastle.exe --scanner localadmin

# Check for shares across domain machines
PingCastle.exe --scanner share

# Retrieve all Antivirus status information globally (if readable)
PingCastle.exe --scanner antivirus

Output Analysis

After execution, PingCastle outputs a file typically named ad_hc_target.local.html. You can open this HTML file in any browser. It will categorize risks into:

  1. Stale Objects (Old computers/users)
  2. Privileged Groups (Who is in Domain Admins?)
  3. Trusts (Insecure relationships)
  4. Anomalies (Spn mapped to Admin accounts, null passwords, etc.)
Back to Network Pentesting