Running PingCastle

PingCastle is a command line program. It can be run with switches to perform a specific task, or without any command line arguments to interact with the end user.

Quick Launch

Uncompress the files in a new directory.

Double click on PingCastle.exe.
Press Enter twice.

If you want a quick status of your infrastructure, run the healthcheck (press Enter) and enter the asterisk (*) as the domain. All reachable domains will be scanned, the reachable mode will be activated and the consolidation report will be produced automatically.

If you need only the map, enter “carto” and press enter.

Running PingCastle in Interactive mode

This is the default mode. The documentation refers to it as the interactive mode and lists the command to enter to perform each specific task.

Running PingCastle in Command line mode

Here is a short description of the main tasks performed by the program.

Health check

  • run the health check:
    PingCastle --healthcheck --server mydomain.com
  • run the consolidation of the health check reports:
    PingCastle --hc-conso
  • export rule list:
    PingCastle --export-hc-rule

Overview:

  • Run the report on all reachable domains and build a cartography:
    PingCastle --healthcheck --server * --reachable --hc-conso
  • Build only a cartography, without scores:
    PingCastle --carto
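The two-step health check above (step 1 per domain, step 2 consolidation) is usually scheduled rather than typed by hand. The script below is an added example, not part of the PingCastle project; it assumes PingCastle.exe lives in C:\Tools\PingCastle, that reports are collected in C:\Reports\PingCastle (the switch list shows --xmls defaults to the current directory, so the script runs from there), and a constructed list of domains.

```powershell
# Added example: scheduled PingCastle health check + consolidation.
# Assumed install path and report directory (not from the PingCastle docs).
$PingCastle = 'C:\Tools\PingCastle\PingCastle.exe'
$ReportDir  = 'C:\Reports\PingCastle'
# Constructed sample list of domains to assess; a single '*' would scan all reachable domains instead.
$Domains    = @('corp.example.com', 'lab.example.com')
# Domains that must never be explored automatically (constructed sample value).
$Exceptions = 'partner.example.net'

if (-not (Test-Path $ReportDir)) { New-Item -ItemType Directory -Path $ReportDir | Out-Null }
# Assumption: reports are written to the current directory, so run from the report folder.
Push-Location $ReportDir
try {
    # Step 1: one health check per domain. --log keeps a log file next to the reports
    # for troubleshooting, --explore-exception keeps the scan inside the agreed scope.
    foreach ($domain in $Domains) {
        & $PingCastle --healthcheck --server $domain --level Normal --log `
            --explore-exception $Exceptions
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Health check of $domain exited with code $LASTEXITCODE"
        }
    }

    # Step 2: consolidate every XML report found in the report folder into one overview.
    & $PingCastle --hc-conso --xmls $ReportDir
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Consolidation exited with code $LASTEXITCODE"
    }
}
finally {
    Pop-Location
}
```

The XML reports describe the weak points of each domain, so keep $ReportDir on a restricted share or use the --encrypt switch described under "Full command line options" before sending them anywhere.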

Advanced mode:

  • run the export:
    PingCastle --advanced-export --server mydomain.com
  • build the reports:
    PingCastle --advanced-report --database thegeneratedsdffile.sdf

Other investigations:

  • Check for null sessions:
    PingCastle --nullsession --server servertotest
  • Scan the domains for local administrators:
    PingCastle --localadmins --server domainToExplore
  • Scan the presence of local shares:
    PingCastle --shares --server domainToExplore
  • The available switches can be listed with the "--help" switch:
    PingCastle --help

Full command line options

PingCastle version 2.4.1.1
End of support: 31/12/2018 00:00:00
Get Active Directory Security at 80% in 20% of the time
switch:
  --help              : display this message
  --interactive       : force the interactive mode
  --log               : generate a log file
  --log-console       : add log to the console

Common options when connecting to the AD
  --server <server>   : use this server (default: current domain controller)
                        the special value * or *.forest do the healthcheck for all domains
  --adws-port <port>  : use the port for ADWS (default: 9389)
  --user <user>       : use this user (default: integrated authentication)
  --password <pass>   : use this password (default: asked on a secure prompt)
  --protocol <proto>  : selection the protocol to use among LDAP or ADWS (fastest)
                      : ADWSThenLDAP (default), ADWSOnly, LDAPOnly, LDAPThenADWS

  --carto             : perform a quick cartography with domains surrounding

  --healthcheck       : perform the healthcheck (step1)
    --explore-trust   : on domains of a forest, after the healthcheck, do the hc on all trusted domains except domains of the forest and forest trusts
    --explore-forest-trust : on root domain of a forest, after the healthcheck, do the hc on all forest trusts discovered
    --explore-trust and --explore-forest-trust can be run together
    --explore-exception <domains> : comma separated values of domains that will not be explored automatically

    --encrypt         : use an RSA key stored in the .config file to crypt the content of the xml report
    --level <level>   : specify the amount of data found in the xml file
                      : level: Full, Normal, Light
    --no-enum-limit   : remove the max 100 users limitation in html report
    --reachable       : add reachable domains to the list of discovered domains
    --split-OU <level>: this is used to bypass the 30 minutes limit per ADWS request. Try 5 and increase 1 by 1.
    --sendXmlTo <emails>: send xml reports to a mailbox (comma separated email)
    --sendHtmlTo <emails>: send html reports to a mailbox
    --sendAllTo <emails>: send html reports to a mailbox
    --notifyMail <emails>: add email notification when the mail is received
    --smtplogin <user>: allow smtp credentials ...
    --smtppass <pass> : ... to be entered on the command line
    --smtptls         : enable TLS/SSL in SMTP if used on other port than 465 and 587
    --skip-null-session: do not test for null session
    --webdirectory <dir>: upload the xml report to a webdav server
    --webuser <user>  : optional user and password
    --webpassword <password>

  --generate-key      : generate and display a new RSA key for encryption

  --hc-conso          : consolidate multiple healthcheck xml reports (step2)
    --center-on <domain> : center the simplified graph on this domain
                         default is the domain with the most links
    --xmls <path>     : specify the path containing xml (default: current directory)
    --filter-date <date>: filter report generated after the date.

  --gen-hc-report <xml> : regenerate a html report based on a xml report
  --reload-report <xml> : regenerate a xml report based on a xml report
                          any healthcheck switches (send email, ..) can be reused
    --level <level>   : specify the amount of data found in the xml file
                      : level: Full, Normal, Light (default: Normal)
    --encrypt         : use an RSA key stored in the .config file to crypt the content of the xml report
                        the absence of this switch on an encrypted report will produce a decrypted report

  --advanced-live     : perform the compromise graph computation directly to the AD

  --advanced-export   : perform the export of the AD data (step1)
    --split-OU <level>: this is used to bypass the 30 minutes limit per ADWS request. Try 10 and increase 1 by 1.

  --advanced-report   : generate the default reports (step2)
    --max-depth       : maximum number of relation to explore (default:30)
    --max-nodes       : maximum number of node to include (default:1000)
    --auto-reports    : generate the default reports
    --node <node>     : create a report based on a object
                      : example: "cn=name" or "name"
    --nodes <file>    : create x report based on the nodes listed on a file
    --rev-direction   : reverse the direction when exploring nodes
  --database <file>   : specify the file to work on. Default: Ad-my.domain.com.sdf
  --save-memory       : use optimization to save memory space. Can be slower by a factor of 10
  --json-only         : do not produce node map in html but in json (for external import)

  --nullsession       : test for null session
    --nslimit <number>: Limit the number of users to enumerate (default: 5)

  --scanner <type>    : perform a scan on all computers of the domain (using --server)
           localadmin : export local admins accounts
           share      : export local shares 
           smb        : check for smb version supported
           startup    : export their startuptime

  --nulltrusts        : check if the trusts can be enumerated using null session

  --enuminbound <sid> : Enumerate accounts from inbound trust using its FQDN or sids
                        Example of SID: S-1-5-21-4005144719-3948538632-2546531719