PingCastle
PingCastle is a free, open-source Active Directory security assessment tool that automates health checks, vulnerability scanning, and compliance auditing. It generates detailed HTML reports with risk scoring, maturity levels, and actionable remediation guidance for AD hardening.
Installation
PingCastle runs on Windows with .NET Framework 4.5+. Download from the official site, extract the archive, and execute with administrator privileges.
```powershell
# Download from pingcastle.com, then extract the archive (Expand-Archive needs PowerShell 5+)
Expand-Archive -Path .\PingCastle_x.x.x.zip -DestinationPath .\PingCastle
# Navigate to directory
cd .\PingCastle
# Verify executable exists
Get-ChildItem .\PingCastle.exe
```
Requires administrator rights on the domain controller or a high-privilege service account with domain admin credentials for comprehensive scanning.
Quick Start
Generate a basic health check report in one command:
```powershell
# Basic health check (interactive mode)
.\PingCastle.exe --healthcheck
# Health check specific domain
.\PingCastle.exe --healthcheck --domain contoso.com
# Health check against specific server
.\PingCastle.exe --healthcheck --server 192.168.1.10
```
Output is an HTML file in the current directory with risk scores and findings summary.
Health Check Mode
Health check mode scans the entire AD environment and generates a comprehensive risk assessment report.
```powershell
# Standard health check
.\PingCastle.exe --healthcheck
# Specify target domain
.\PingCastle.exe --healthcheck --domain corp.example.com
# Target specific domain controller
.\PingCastle.exe --healthcheck --server DC01.corp.example.com
# Specify credentials (prompted if not provided)
.\PingCastle.exe --healthcheck --user adminaccount --password P@ssw0rd
# Output to custom filename
.\PingCastle.exe --healthcheck --healthcheckfile report_$(Get-Date -f 'yyyy-MM-dd').html
# Limit to specific OU
.\PingCastle.exe --healthcheck --filter "(&(objectClass=user)(ou=IT Staff))"
```
Health check mode analyzes:
- Stale user and computer accounts
- Privileged group membership anomalies
- Password policy configurations
- Domain trust relationships
- Kerberos settings
- Exchange integration risks
Scanner Modes
PingCastle includes specialized scanners targeting specific vulnerabilities and misconfigurations.
```powershell
# Local admin scanner (discovers local admins via enumeration)
.\PingCastle.exe --scanner localadmin
# Null session scanner (checks RPC null session access)
.\PingCastle.exe --scanner nullsession
# SMB scanner (checks for SMB vulnerabilities)
.\PingCastle.exe --scanner smb
# ACL check scanner (audits permission anomalies)
.\PingCastle.exe --scanner aclcheck
# Antivirus scanner (detects AV software across systems)
.\PingCastle.exe --scanner antivirus
# Foreign users scanner (finds users from other domains)
.\PingCastle.exe --scanner foreignusers
# Share scanner (enumerates accessible network shares)
.\PingCastle.exe --scanner share
# Spooler scanner (detects PrintNightmare exposure via the Print Spooler service)
.\PingCastle.exe --scanner spooler
# Startup time scanner (measures DC startup duration)
.\PingCastle.exe --scanner startuptime
# Zerologon scanner (checks CVE-2020-1472 vulnerability)
.\PingCastle.exe --scanner zerologon
# Run all scanners
.\PingCastle.exe --scanner all
```
| Scanner | Purpose | Risk Level |
|---|---|---|
| localadmin | Identify local admin accounts | Medium |
| nullsession | RPC null session enumeration | High |
| smb | SMB protocol vulnerabilities | Critical |
| aclcheck | Permission/delegation anomalies | High |
| antivirus | AV deployment verification | Low |
| foreignusers | Cross-domain user accounts | Medium |
| share | Network share enumeration | Medium |
| spooler | PrintNightmare vectors | Critical |
| startuptime | DC performance metrics | Low |
| zerologon | Netlogon crypto vulnerability | Critical |
Carto Mode
Carto mode maps Active Directory forest trusts and displays trust relationships in a visual graph format.
```powershell
# Generate trust map
.\PingCastle.exe --carto
# Carto with specific domain
.\PingCastle.exe --carto --domain contoso.com
# Carto with server target
.\PingCastle.exe --carto --server 192.168.1.10
# Output trust map to specific file
.\PingCastle.exe --carto --cartofile trust_map_$(Get-Date -f 'yyyy-MM-dd').html
```
Carto visualizes:
- Trust types (transitive, external, forest)
- Trust directions (inbound, outbound, bidirectional)
- Cross-domain relationships
- Trust path chains
- Risk scoring per trust relationship
Advanced Options
Fine-tune PingCastle behavior with command-line flags and filters.
```powershell
# Set risk level (1-4, higher = stricter)
.\PingCastle.exe --healthcheck --level 3
# Limit results (e.g., top 100 findings)
.\PingCastle.exe --healthcheck --limit 100
# Filter objects by LDAP query
.\PingCastle.exe --healthcheck --filter "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4294967295))"
# Disable enumeration limits (scan all objects)
.\PingCastle.exe --healthcheck --no-enum-limit
# Reachability check only (no deep scan)
.\PingCastle.exe --healthcheck --reachable
# Specify port for domain controller connection
.\PingCastle.exe --healthcheck --port 389
# Set timeout in seconds
.\PingCastle.exe --healthcheck --timeout 30
# Quiet mode (no console output)
.\PingCastle.exe --healthcheck --quiet
```
| Option | Effect |
|---|---|
| --level | Risk assessment strictness (1-4) |
| --limit | Cap number of findings |
| --filter | LDAP filter for targeted scanning |
| --no-enum-limit | Scan entire directory (slower) |
| --reachable | Connectivity test only |
| --port | Specify LDAP port (default 389) |
| --timeout | Connection timeout in seconds |
| --quiet | Suppress console output |
Report Analysis
PingCastle generates detailed HTML reports with risk metrics, rule descriptions, and remediation steps.
Risk Score Interpretation
The overall risk score ranges from 0-100:
- 0-25: Secure (green)
- 25-50: Caution (yellow)
- 50-75: Warning (orange)
- 75-100: Critical (red)
Maturity Levels
Each finding includes a maturity classification:
| Level | Meaning |
|---|---|
| 1 | Initial/Ad Hoc |
| 2 | Repeatable |
| 3 | Defined |
| 4 | Managed |
| 5 | Optimized |
Key Report Sections
Stale Objects — Users and computers inactive for 90+ days. High risk for credential reuse and lateral movement.
Privileged Accounts — Members of Domain Admins, Enterprise Admins, and Administrators groups. Excessive membership indicates privilege creep.
Trust Relationships — Bidirectional trusts, external trusts, and forest trusts. Transitive trusts increase attack surface.
Anomalies — Service accounts with administrative rights, disabled accounts still in privileged groups, kerberoastable accounts.
Password Policies — Domain password age, complexity, lockout policies. Report flags overly permissive settings.
Kerberos Settings — Constrained delegation, unconstrained delegation, protocol transition misconfigurations.
Exchange Integration — Dangerous ACLs from Exchange installation, orphaned accounts, excessive permissions.
Automation
Integrate PingCastle into scheduled assessments and CI/CD pipelines using task scheduler and PowerShell automation.
```powershell
# PowerShell wrapper with timestamp
$timestamp = Get-Date -Format 'yyyy-MM-dd_HHmmss'
$reportPath = "C:\PingCastle\Reports\healthcheck_$timestamp.html"
.\PingCastle.exe --healthcheck `
    --domain contoso.com `
    --healthcheckfile $reportPath `
    --quiet
Write-Host "Report generated: $reportPath"

# Batch scanning multiple domains
$domains = @("contoso.com", "subsidiary.com", "partner.com")
foreach ($domain in $domains) {
    $timestamp = Get-Date -Format 'yyyy-MM-dd_HHmmss'
    # ${domain} is required: "$domain_" would be parsed as a variable named domain_
    .\PingCastle.exe --healthcheck `
        --domain $domain `
        --healthcheckfile "reports\${domain}_$timestamp.html"
}

# Scheduled task (runs daily at 2 AM); WorkingDirectory controls where the report is written
$action = New-ScheduledTaskAction -Execute "C:\PingCastle\PingCastle.exe" `
    -Argument '--healthcheck --domain contoso.com --quiet' `
    -WorkingDirectory "C:\PingCastle"
$trigger = New-ScheduledTaskTrigger -Daily -At "02:00"
Register-ScheduledTask -Action $action -Trigger $trigger `
    -TaskName "PingCastle_DailyHealthCheck" -Description "Daily AD health assessment"
```
Export and Integration
Export PingCastle findings to XML and integrate with other security tools and dashboards.
```powershell
# Export to XML format
.\PingCastle.exe --healthcheck --xmls
# XML file with custom name
.\PingCastle.exe --healthcheck --xmlfile report_$(Get-Date -f 'yyyy-MM-dd').xml
# Generate both HTML and XML
.\PingCastle.exe --healthcheck --healthcheckfile report.html --xmlfile report.xml

# Parse XML output in PowerShell
[xml]$pingcastleReport = Get-Content 'report.xml'
$findings = $pingcastleReport.PingCastleReport.RiskRules.RiskRule
$findings | Where-Object { $_.Severity -eq 'Critical' } | ForEach-Object {
    Write-Host "CRITICAL: $($_.Title)"
}
```
XML export enables:
- Integration with SIEM platforms (Splunk, ELK, QRadar)
- Custom dashboard development
- Automated alerting and ticketing
- Compliance reporting aggregation
- Trend analysis across multiple scans
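As an added example (not PingCastle's or this page's own code), the following PowerShell diffs a baseline XML report against a newer one for the trend analysis and pipeline gating described above. The element names HealthcheckData, DomainFQDN, GlobalScore, RiskRules/HealthcheckRiskRule, RiskId, Category, Points and Rationale, and the two sample reports, are assumptions to verify against the XML your PingCastle version produces.

```powershell
# Added example, not PingCastle's own code. Assumed report layout (verify against
# your version): HealthcheckData/DomainFQDN, GlobalScore, RiskRules/HealthcheckRiskRule
# with RiskId, Category, Points and Rationale.
function Get-PingCastleSummary {
    param([xml]$Report)
    $root = $Report.HealthcheckData
    [pscustomobject]@{
        Domain      = $root.DomainFQDN
        GlobalScore = [int]$root.GlobalScore
        Rules       = @($root.RiskRules.HealthcheckRiskRule | ForEach-Object {
            [pscustomobject]@{ RiskId = $_.RiskId; Category = $_.Category
                               Points = [int]$_.Points; Rationale = $_.Rationale }
        })
    }
}

# Compare a baseline report with a newer one: score delta, new and resolved rules.
function Compare-PingCastleReports {
    param([xml]$Baseline, [xml]$Current)
    $old = Get-PingCastleSummary $Baseline
    $new = Get-PingCastleSummary $Current
    [pscustomobject]@{
        Domain       = $new.Domain
        CurrentScore = $new.GlobalScore
        ScoreDelta   = $new.GlobalScore - $old.GlobalScore
        NewRules     = @($new.Rules | Where-Object { $_.RiskId -notin @($old.Rules.RiskId) })
        FixedRules   = @($old.Rules | Where-Object { $_.RiskId -notin @($new.Rules.RiskId) })
    }
}

# Constructed sample reports (not real PingCastle output) so the example runs offline.
[xml]$baseline = @'
<HealthcheckData><DomainFQDN>contoso.com</DomainFQDN><GlobalScore>65</GlobalScore><RiskRules>
<HealthcheckRiskRule><RiskId>S-Inactive</RiskId><Category>StaleObjects</Category><Points>20</Points><Rationale>Inactive accounts</Rationale></HealthcheckRiskRule>
<HealthcheckRiskRule><RiskId>A-Kerberoast</RiskId><Category>Anomalies</Category><Points>15</Points><Rationale>Kerberoastable admins</Rationale></HealthcheckRiskRule>
</RiskRules></HealthcheckData>
'@
[xml]$current = @'
<HealthcheckData><DomainFQDN>contoso.com</DomainFQDN><GlobalScore>55</GlobalScore><RiskRules>
<HealthcheckRiskRule><RiskId>S-Inactive</RiskId><Category>StaleObjects</Category><Points>20</Points><Rationale>Inactive accounts</Rationale></HealthcheckRiskRule>
<HealthcheckRiskRule><RiskId>T-SIDFiltering</RiskId><Category>Trusts</Category><Points>10</Points><Rationale>Trust without SID filtering</Rationale></HealthcheckRiskRule>
</RiskRules></HealthcheckData>
'@

$diff = Compare-PingCastleReports -Baseline $baseline -Current $current
"$($diff.Domain): score $($diff.CurrentScore) (delta $($diff.ScoreDelta))"
$diff.NewRules   | ForEach-Object { "NEW   $($_.RiskId) [$($_.Category)] $($_.Points) pts: $($_.Rationale)" }
$diff.FixedRules | ForEach-Object { "FIXED $($_.RiskId) [$($_.Category)]" }
# Pipeline gate: a new rule or a score above the threshold should fail the job, not just warn
if ($diff.CurrentScore -gt 50 -or $diff.NewRules.Count -gt 0) { Write-Warning 'Gate failed: new rule or score above 50' }
```

With the sample reports, the script reports a score delta of -10, one new rule (T-SIDFiltering) and one fixed rule (A-Kerberoast), and the gate fails because a new rule appeared even though the score improved.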
Rule Categories
PingCastle organizes findings into logical categories that map to AD security domains.
Stale Objects — User/computer accounts with no recent activity. Risk: forgotten credentials, compromise of orphaned accounts.
Privileged Accounts — Excessive administrative group membership. Risk: privilege escalation, lateral movement paths.
Trust & Delegation — Risky delegation configurations and external trusts. Risk: cross-forest compromise, protocol transition abuse.
Account & Kerberos — Weak password policies, kerberoastable accounts, unconstrained delegation. Risk: credential attacks, ticket forging.
Network & Services — Exchange permissions, null sessions, share misconfigurations. Risk: data exfiltration, privilege escalation.
Password Policies — Weak complexity, short history, long maximum age. Risk: brute force, credential reuse.
Security Baselines — Deviation from Microsoft and CIS benchmarks. Risk: configuration drift, unpatched vulnerabilities.
Each rule includes:
- Finding: What was detected
- Evidence: Specific objects affected
- Rationale: Why it’s risky
- Remediation: Step-by-step fix
- Reference: MITRE ATT&CK mapping, CVE numbers
Troubleshooting
Common Issues and Solutions
Access Denied Errors
- Ensure account has domain admin or equivalent rights
- Validate credentials with `whoami /all`
- Check firewall rules on domain controllers (LDAP 389, RPC 135)
Timeout on Large Forests
- Increase timeout: `--timeout 60`
- Disable enumeration limits: `--no-enum-limit`
- Target specific DCs instead of forest
No Findings Returned
- Verify connectivity to domain controller
- Check LDAP filter syntax if using `--filter`
- Run without filters to establish baseline
Out of Memory / Killed Process
- Reduce scope with `--limit` or `--filter`
- Target reachability only: `--reachable`
- Split forest into OUs and scan separately
Report Won’t Open
- Verify HTML file created (check file size > 10KB)
- Disable browser security policies temporarily
- Try opening with different browser
Best Practices
- Schedule Weekly: Run health checks weekly to track trend changes and catch new misconfigurations.
- Archive Reports: Keep historical reports for compliance audits and trend analysis.
- Baseline First: Generate baseline report in known-good state, then compare future scans against it.
- Review Anomalies: Investigate finding context before dismissing; PingCastle flags valid security deviations.
- Prioritize Critical: Address red/critical findings before yellow warnings.
- Document Exceptions: Maintain exception register for findings that are accepted business risks.
- Remediate Incrementally: Fix issues in order of impact to minimize disruption.
- Validate Fixes: Re-run scanners after remediation to verify improvements.
- Limit Privilege: Run with minimum required permissions; avoid domain admin for routine scans if possible.
- Secure Reports: Store reports in restricted access location; they contain sensitive AD structure information.
Related Tools
BloodHound — Graph-based AD attack path analysis. Complements PingCastle by visualizing privilege escalation chains.
Purple Knight — Competitor tool with similar health checking. Offers cloud-based dashboards and multi-forest management.
ADRecon — Comprehensive AD enumeration framework. Generates detailed reports on users, groups, computers, trusts.
Impacket — Python toolkit for network protocol testing including Kerberos attacks and LDAP queries.
Responder — LLMNR/NBNS poisoning for credential harvesting. Tests network segmentation and responder controls.
Get-ADUser / Get-ADComputer — Native PowerShell AD cmdlets for custom queries and scripting.
LAPS — Microsoft Local Administrator Password Solution. Recommended control to mitigate local admin abuse findings.