PingCastle can be used to make quick security analysis like:
- Who can get the control of the CEO account or the domain ?
- Can an auditor enumerate all the users of the domain without an account ?
- How much local admins are there ?
- How much public shares are published on local computers ?
- Are there any unpatched computer ?
- Can an attacker collect all accounts of the bastion even from an unidirectional trust ?
The tool can be used to build compromise graph analysis (thanks to AD-control-paths from Geraud de Drouas and Lucas Bouillot, Emmanuel Gras), check null sessions, local admins or local share.
Compromise graphs are networks where user, groups, computer are connected. They explain how a user can take the control of another account. It can be used to answer the question: Who can get the control of the CEO account or the domain ?
SQL CE must be installed (download). This component is installed by default in most of the OS but may not be installed on servers.
The advanced mode is a two steps process:
- collect the data from the AD
- run an analysis to find links between a target and all AD objects.
PingCastle supports 2 modes:
- live mode where all the queries are made online (recommended)
Pro: quick Con: no archive and no reverse direction analysis
- dump mode where the data is stored in a SqlCE database
Pro: offline analysis, reverse direction analysis Con: more time required to export data
This process can be run quickly using the interactive mode or manually using the command line:
- Using the live mode
PingCastle --advanced-live--server mydomain.com
- Using the dump mode
- Run the export:
PingCastle --advanced-export --server mydomain.com
- Build the reports:
PingCastle --advanced-report --database thegeneratedsdffile.sdf
In the case of the interactive mode, the .html for the most common reports are generated automatically.
A graph is shown on the window.
Some explanation about the nodes:
- u: user
- g: group
- o: OU
- w: well known security principals
- -: other common type like domain, built-in, …
- ?: the program was not able to get more information. Typically SID not resolved or account from other domains
In this example, a path can be found using the SID History and the name of the account can be displayed.
A real life example:
Null sessions are an old Windows NT4 problem. It should have been disappears but is still present on 20-30% of the domains. When it is enabled, an auditor with no account on the domain can use this to enumerate all the account of the domain. Then this list can be used to generated wrong authentication attempts and lock the accounts. Or perform brute-force attacks.
You can use PingCastle to attempt to extract a list of user account using this functionality. Run the following command:
PingCastle --nullsession --server <servertotest>
The local administrator accounts can be used in an attack to recover passwords in memory with tools like mimikatz. You can enumerate most of them without any privilege with PingCastle with the following command:
PingCastle --scanner localadmin --server <domainToExplore>
Local shares can be opened to everyone and be storing confidential information like login and passwords or backups. PingCastle can do a quick scan without any privilege and locate open share using the following command:
PingCastle --scanner share --server <domainToExplore>
Any authenticated users can get the start time of a computer in the domain and even unauthenticated ones if SMB v2 is activated. PingCastle can do a quick scan without any privilege and gather the start time of all computers of the domain:
PingCastle --scanner startup --server <domainToExplore>
PingCastle can do a quick scan without any privilege to know which version is supported as server for each computer of a domain:
PingCastle --scanner smb --server <domainToExplore>
Exploit inbound trust to get the user list
A inbound trust ( an unidirectional trust) is understood as a diode. Nothing is supposed to be extracted. But this is not true. PingCastle can extract the list of users from an inbound trust via a MS-LSAT enumeration:
PingCastle --enuminbound <remote domain or sid> --server <domainToExplore>