Domain Enumeration with PingCastle
You’ve mapped the attack paths with BloodHound and read the kingdom’s laws with Plumhound. But what if you could get an instant, high-level “security score” for the entire domain? What if a tool could automatically check for dozens of common misconfigurations and vulnerabilities and present them in a clean, prioritized report?
Enter PingCastle. This tool isn’t a stealthy attacker’s scalpel; it’s a security auditor’s powerful scanner. It connects to the domain, performs a huge number of checks based on a built-in model of AD security maturity, and then generates a beautiful HTML report that tells you exactly where the bodies are buried.
Think of PingCastle as hiring an independent inspector to do a full health and safety audit of your castle. It will check for unlocked doors, weak points in the walls, and guards who are asleep on duty, then hand you a color-coded report showing what needs to be fixed first.
What Is It and Why Use It?
PingCastle is a standalone executable that runs a series of checks against an Active Directory domain to evaluate its security posture. It doesn’t visualize paths like BloodHound; instead, it scores the domain based on risk levels and provides concrete findings.
Why would a pentester use PingCastle?
- Blazing Fast Reconnaissance: In a few minutes, PingCastle can give you a list of the most critical vulnerabilities in the domain, saving you hours of manual enumeration.
- Prioritized Findings: It scores the risks it finds, allowing you to immediately focus on what’s most important. A “Privilege Escalation” finding is more critical than a minor informational one.
- Finds Things Others Miss: It checks for a wide range of issues, from stale accounts and dangerous trust relationships to outdated systems and specific privilege vulnerabilities that can be time-consuming to find manually.
- Minimal Footprint: It’s a single executable that you can run from any domain-joined machine. It performs its checks using standard LDAP queries, making it relatively low-noise.
Let’s Inspect the Castle: The Commands
Using PingCastle is incredibly simple. There’s no complex setup.
Step 1: Get the Tool
Download the PingCastle executable from its official website and place it on a domain-joined machine where you have a shell.
Step 2: Run the Health Check
Open a command prompt or PowerShell and run the default health check. This requires no special privileges.
.\PingCastle.exe --healthcheck
That’s it. PingCastle will automatically discover the current domain and begin its assessment. You’ll see it progressing through various checks.
When it’s done, it will generate an HTML report (and sometimes an XML file) in the same directory. This report is your deliverable.
Analyzing the Royal Decree: The Report
The HTML report generated by PingCastle is the crown jewel. It’s broken down into logical sections with clear scoring.
A sample of the risk-based scoring from a PingCastle report.
What to look for in the report:
- The Risk Score: The report starts with an overall score and a graph. This is great for an executive summary, showing at a glance how mature the domain’s security is.
- Stale Objects: PingCastle is excellent at finding “stale” user and computer accounts—accounts that haven’t been used in months. These are prime targets, as their passwords are never changed, and nobody will notice if they’re suddenly used for malicious activity.
- Privilege Vulnerabilities: This is the most important section for a pentester. PingCastle will flag things like:
  - Unconstrained Delegation: Points out computers that can be abused to steal powerful Kerberos tickets.
  - Anomalous Privileges: Identifies non-standard users who have dangerous rights like DCSync.
  - AdminSDHolder: Checks for inconsistencies in permissions on protected administrative accounts.
- Trust Relationships: It provides a map of all domain and forest trusts. In a large environment, you might discover a forgotten trust relationship to a less-secure development domain, which could be an easy path for privilege escalation.
- Anomalies and Outdated Systems: It will flag computers running old, unsupported operating systems (like Windows Server 2008) which are likely vulnerable to known exploits.
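The report sections above correspond to the XML file that the health check in Step 2 writes next to the HTML. As an added example that is not part of this page or of PingCastle itself, the PowerShell below reads that XML (or a constructed sample when no report is present) and prints the category scores plus the findings sorted by points, which is the order a defender would verify and remediate them in. The element names (HealthcheckData, GlobalScore, RiskRules, HealthcheckRiskRule, Points, Category, RiskId, Rationale) are assumed to match PingCastle's serialized report, and the sample rule IDs are constructed.

```powershell
# Added example, not from the page or the PingCastle project: turn the XML
# written by "--healthcheck" into a fix-first list. Element names below are
# assumed to match PingCastle's serialized report; the sample report and its
# rule IDs are constructed. Run ".\PingCastle.exe --healthcheck" first.
param(
    # Most recent ad_hc_<domain>.xml in the current directory, if any.
    [string]$ReportPath = (Get-ChildItem -Path . -Filter 'ad_hc_*.xml' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1 -ExpandProperty FullName)
)
$sampleXml = @'
<HealthcheckData>
  <DomainFQDN>corp.example.test</DomainFQDN>
  <GlobalScore>65</GlobalScore>
  <StaleObjectsScore>45</StaleObjectsScore>
  <PrivilegiedGroupScore>65</PrivilegiedGroupScore>
  <TrustScore>20</TrustScore>
  <AnomalyScore>30</AnomalyScore>
  <RiskRules>
    <HealthcheckRiskRule>
      <Points>50</Points><Category>PrivilegedAccounts</Category>
      <RiskId>SAMPLE-P-001</RiskId>
      <Rationale>Unconstrained delegation is enabled on 2 computers</Rationale>
    </HealthcheckRiskRule>
    <HealthcheckRiskRule>
      <Points>15</Points><Category>StaleObjects</Category>
      <RiskId>SAMPLE-S-001</RiskId>
      <Rationale>12 accounts have not logged on for more than 6 months</Rationale>
    </HealthcheckRiskRule>
  </RiskRules>
</HealthcheckData>
'@
if ($ReportPath -and (Test-Path -Path $ReportPath)) {
    [xml]$report = Get-Content -Path $ReportPath -Raw
} else {
    Write-Warning 'No PingCastle XML report found; using the constructed sample.'
    [xml]$report = $sampleXml
}
$hc = $report.HealthcheckData
# Scores run from 0 (best) to 100 (worst); the global score is the highest category score.
'Domain {0}: global score {1}/100 (stale {2}, privileged {3}, trust {4}, anomaly {5})' -f `
    $hc.DomainFQDN, $hc.GlobalScore, $hc.StaleObjectsScore, $hc.PrivilegiedGroupScore, $hc.TrustScore, $hc.AnomalyScore
# Highest-point findings first: this is the order to verify and remediate them in.
$hc.RiskRules.HealthcheckRiskRule |
    Sort-Object -Property { [int]$_.Points } -Descending |
    Select-Object @{ n = 'Points'; e = { [int]$_.Points } }, Category, RiskId, Rationale |
    Format-Table -AutoSize
```

Point `-ReportPath` at a specific report to triage one domain when several health checks have been run from the same directory.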
How It Fits into Your Attack Strategy
PingCastle is an initial reconnaissance and opportunity analysis tool. It’s one of the first things you should run after gaining a foothold.
- It Guides Your Attack: The report gives you an instant “to-do” list. If PingCastle flags a stale admin account, your next step is to try to crack its password. If it flags an Unconstrained Delegation server, your next step is to compromise that server.
- It Complements BloodHound: Run PingCastle first to get a quick overview and identify obvious vulnerabilities. Then, use BloodHound to visualize the complex attack paths related to the users and computers that PingCastle identified as high-risk.
- It’s Ammunition for Your Report: The clean graphs and prioritized findings from the PingCastle report can be used directly in your own final pentest report to provide clear, evidence-backed recommendations to the client.
While BloodHound helps you navigate the maze, PingCastle inspects the bricks of the maze itself, telling you which ones are loose before you even start walking.