PingCastle : Active Directory Security Assessment Tool


What is PingCastle?

PingCastle is a lightweight Active Directory (AD) security audit tool designed to quickly identify vulnerabilities and misconfigurations in an AD environment. It provides a comprehensive security score and graph-based risk analysis, helping organizations assess their AD security posture and detect potential attack paths.

  • No installation required (Portable .exe file) for the free edition
  • Generates HTML security reports
  • Fast AD scanning (~5-15 min depending on the size of AD)
  • Helps detect weaknesses used in real-world attacks (e.g., Kerberoasting, delegation issues, unconstrained trusts, etc.)

PingCastle was recently acquired by Netwrix, and there are now three licensed editions:

  • PingCastle Standard (formerly Auditor – 1 domain included)
  • PingCastle Pro (up to 5 domains included)
  • PingCastle Enterprise (6 or more domains included)

PingCastle's maturity model is inspired by CMMI, a well-known methodology from Carnegie Mellon University.

PingCastle is a C# project, written by Vincent Le Toux (a security ninja), that can be built with Visual Studio 2012 through Visual Studio 2022.

Github repository :

https://github.com/netwrix/pingcastle


How Does the PingCastle Free Version Work?

PingCastle runs a non-intrusive audit of Active Directory by analyzing:

  • Domain Trusts & Delegation Risks (inter-forest and intra-forest trust relationships)
  • Old/Inactive Accounts (stale user and computer accounts)
  • Privileged Accounts & Admin Groups (detects weak permissions)
  • Kerberos & NTLM Authentication Issues (weak encryption, RC4 usage, etc.)
  • Domain Controller (DC) Security Checks (SMB, LDAP exposure, and security policies)

It assigns a global health score (0-100), where 0 = Perfect Security and 100 = High Risk.

HTML report sample :

https://www.pingcastle.com/PingCastleFiles/ad_hc_test.mysmartlogon.com.html


How to Use the PingCastle Free Version

Download PingCastle

  1. Go to the official PingCastle repository:
    https://www.pingcastle.com/
  2. Download the latest version (PingCastle.exe).
  3. Copy the file to a Windows system with Active Directory access (Domain-Joined PC or a Domain Controller).

Run the PingCastle Free Version for an AD Audit

Basic AD Security Report

Run this command in Command Prompt (cmd.exe) with Administrator privileges:

PingCastle.exe --healthcheck

Full AD forest scan with a consolidation report, no object enumeration limit, and logging enabled

Run this command in Command Prompt (cmd.exe) with Administrator privileges:

PingCastle.exe --healthcheck --hc-conso --no-enum-limit --server * --log

  • It will scan Active Directory and generate a full HTML report.
  • Output: PingCastleReport-YYYY-MM-DD.html

Trusts & Delegation Analysis

To analyze domain trusts and delegation risks:

PingCastle.exe --consoletopology

  • Output: A graph-based visualization of trust relationships between AD forests.

Check User Privileges & Admin Accounts

To list high-privilege accounts:

PingCastle.exe --nullsession

  • This identifies misconfigured accounts that allow unauthenticated access.

Audit Stale Users (Inactive Accounts)

Find users who haven’t logged in for 90+ days:

PingCastle.exe --carto

  • Helps detect orphaned admin accounts and old machine accounts.

Analyze the PingCastle Report

Open the HTML report (PingCastleReport-YYYY-MM-DD.html).

You will see:

  • Overall Security Score (0-100, lower is better)
  • Critical Issues & Risk Categories
  • Trust Relationship Graph
  • Actionable Recommendations

Watch For:

  • High number of stale admin accounts
  • Weak Kerberos encryption (RC4 usage)
  • Unconstrained delegation risks
  • Privileged accounts with weak passwords

Improve Security After PingCastle Scan

Fix Weak Kerberos Encryption

  • Disable RC4 and enforce AES-128/AES-256:

Set-ADUser -Identity <User> -Replace @{'msDS-SupportedEncryptionTypes'=24}

Remove Stale Admin Accounts

  • List inactive accounts:

Get-ADUser -Filter * -Properties LastLogonDate | Where-Object { $_.LastLogonDate -lt (Get-Date).AddDays(-90) }

  • Disable or delete unused accounts.

Secure Domain Trusts

  • Check trust relationships in AD Domains and Trusts (domain.msc).
  • Remove unnecessary trusts or enforce SID Filtering.
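As an added example (not from the original post or the PingCastle project), the following read-only PowerShell script enumerates two of the "Watch For" findings this section remediates: accounts that still allow RC4/DES Kerberos and stale accounts in privileged groups. It assumes the RSAT ActiveDirectory module and read access to the domain; the group list and the 90-day threshold are assumptions.

```powershell
# Added example, not PingCastle's own code. Read-only: it changes nothing in AD.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bit flags (documented Microsoft values)
$DES_CBC_CRC = 0x01; $DES_CBC_MD5 = 0x02; $RC4_HMAC = 0x04
$AES128 = 0x08;      $AES256 = 0x10
$LegacyMask = $DES_CBC_CRC -bor $DES_CBC_MD5 -bor $RC4_HMAC

function Get-KerberosEncryptionRisk {
    # Enabled users/computers whose encryption types are unset (0) or include RC4/DES.
    # An unset value leaves the DC to apply its default, which on many domains still allows RC4.
    $filter = '(&(|(objectClass=user)(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    Get-ADObject -LDAPFilter $filter -Properties 'msDS-SupportedEncryptionTypes' |
      ForEach-Object {
        $etypes = [int]$_.'msDS-SupportedEncryptionTypes'   # $null becomes 0
        if ($etypes -eq 0 -or ($etypes -band $LegacyMask) -ne 0) {
            [pscustomobject]@{
                Name     = $_.Name
                Class    = $_.ObjectClass
                EncTypes = $etypes
                Fix      = "Set to $($AES128 -bor $AES256) (AES128+AES256) once clients are confirmed AES-capable"
            }
        }
      }
}

function Get-StalePrivilegedAccount {
    # Enabled members (recursive) of high-privilege groups with no logon in $Days days.
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)
    # Assumed group list; Enterprise/Schema Admins only exist in the forest root domain.
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    $groups |
      ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
      Where-Object { $_.objectClass -eq 'user' } |
      Sort-Object -Property distinguishedName -Unique |
      ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate } |
      Where-Object { $_.Enabled -and ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) } |
      Select-Object Name, SamAccountName, LastLogonDate
}

Get-KerberosEncryptionRisk  | Format-Table -AutoSize
Get-StalePrivilegedAccount  | Format-Table -AutoSize
```

Review the two lists against the PingCastle report before applying the Set-ADUser change above, since switching an account to AES-only breaks clients that cannot negotiate AES.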

To Sum Up

  • PingCastle is a powerful tool to quickly assess AD security.
  • Generates easy-to-read reports with actionable fixes.
  • Helps identify Kerberos vulnerabilities, stale accounts, and trust misconfigurations.
