Use PingCastle to perform the Active Directory domain discovery. Draw a map without setup nor privileges.
Operations to perform
Option 1: do the healthcheck on several domains (recommended)
If you want to get a quick status of your infrastructure, run the program with the “healthcheck” mode (just press enter) and enter as domain the asterisk (*). All reachable domains will be scanned, the reachable mode will be activated and the consolidation report will be made automatically. This takes from a few minutes to one hour.
Then open the cartography reports (see below).
Option 2: perform a quick domain exploration (fastest but not scalable)
If you need only a quick map (< 5 minutes of execution), enter “carto” when using the interactive mode or run the program with the switch –carto.
The program discovers all the reachable domains, does a light scan and produce the same map than in the health check consolidation mode. The SID Filtering status is accurate but the individual scores are not available. Scans are performed in parallel. Cartography reports cannot be combined when run on more than one point of view. If you need to combine data from multiple AD, you should run the healthchecking reports and consolidate their reports.
When the cartography has been performed, many files are generated. Two kinds of map exists. The full domain map is a cartography where each trust is represented. It is good when there is no much domains or trusts. The simple domain map is a simplified cartography. Each domain is present but not all trusts. This simplified map is computed to have a synthetic view when the number of trusts become too important.
Full domain map
The full domain map is represented by the files xxx_full_node_map.html. Each map is a dynamic map. Each node can be moved.
These files embeds the Ovali Tool made by the ANSSI
Copyright (c) 2016, ANSSI All rights reserved.
These file MUST be opened by Firefox or Chrome. Internet Explorer doesn’t work.
Example of graph produced by the tool
The colored circles are the domain on which the reports have been run. The color depends on the score. The purple bordered circles are the domains on which the script has not been run but that they program found using trust link.
When the mouse is on a circle, the full name of the domain appears:
If the mouse is hold on a trust, the detail is shown at the bottom right of the Windows:
Simple domain map
The simple domain map is represented by the files xxx_simple_node_map.html. It is a static map (domains cannot be rearranged). This file can be opened in Internet Explorer, Chrome or Firefox and some details can be obtained when the mouse is on a domain. Specifically if it has been generated with the BU/Entity information (advanced consolidation), the BU and Entity can be shown.
A domain is present only one time in the graph and connected with only one trust. The domain which has the most trust is automatically selected to be at the center of the graph. The domain at the center can be specified manually.
Methodology used to build the maps
PingCastle is using the data included in the report from the most reliable source to the less reliable source.
- The most reliable source is domain where the report has been generated.
- Then the tool is using direct trust data.
- Then the tool is using forest trust information. This information is located in the msDS-TrustForestTrustInfo attribute of a forest trust and in the partition element of the configuration binding context.
- The tool is using the information provided by the domain locator service when examining trusts. This information can add the Netbios name or the forest name of a trusted domain.
- If the “reachable” option has been set when producing a report, the tool is using domain SID found (in foreign security principals or sid history) to query the domain locator service and guess forest trusts.