Ping Castle v2.10 releases: assess quickly the Active Directory security level
Ping Castle
The risk level regarding Active Directory security has changed. Several vulnerabilities have been made popular with tools like mimikatz or sites likes adsecurity.org.
Ping Castle is a tool designed to assess quickly the Active Directory security level with a methodology based on risk assessment and a maturity framework. It does not aim at a perfect evaluation but rather as an efficiency compromise.
The tool will allow running the following functionality:
- healthcheck- report having the domain risk score. The tool will collect the most important information of the Active Directory and establish an overview. Based on a model and rules, it evaluates the score of the sub-processes of the Active Directory. Then it reports the risks.
- graph – Analyze admin groups and delegations
- conso – Aggregate multiple reports into a single one
- nullsession – Perform a specific security check
- carto – Build a map of all interconnected domains. This report produces a map of all Active Directory. This map is built based on existing health check reports or when none is available, via a special mode collecting the required information as fast as possible.
- Scanners – Perform specific security checks on workstations. checking workstations for local admin privileges, open shares, startup time.
Changelog v2.10
* change pre-win 2000 compabitility group to handle group rename
* added a setting to change the LDAP page size (to test when the AD corruption message is showing)
* update to bootstrap 4.6.0
* add the ability to see the rules for each level in the maturity report
* be more scoped when looking for sites GPO
* fix: replace “admins” string in code, because they were some strings unmatched (especially in P-Kerberoasting & P-ServiceDomainAdmin)
* fix S-PwdLastSet-45 S-PwdLastSet-90: the check was made against inactive computers instead of active ones
* added the rule A-DnsZoneTransfert which checks for DNS Zone Transfers
* added the rule A-LAPS-Joined-Computers which checks for manually joined computers – the owner of the computer objects see the LAPS password
* fix P-AdminNum for a better wording if it matches
* fix unixpassword LDAP search query for optimization (looks only on active user account)
* added the MS FAQ for Krbtgt reset in the A-Krbtgt rule links
* fix a non timeout issue when SSL connection are “suspensed” by a network device
* fix when using a custom identity, forward the impersonation token to all threads launched by the application
* added the rule A-CertTempAgent, A-CertTempAnyPurpose, A-CertTempAnyone, A-CertTempCustomSubject for certificate template abuse
* added Mitre Att&ck mapping & reports
* added the rule A-PreWin2000AuthenticatedUsers for information for the printnightmare problem
* added a detail by OS (Windows 10 edition / Windows 2008 R2)
* added the rule S-OS-W10 for Windows 10 non supported versions
* added details for DC certificate
* added DC certificates to A-CertROCA and A-WeakRSARootCert
* change the algorithm which finds the DnsAdmin group to be more flexible for translation and moves
* fix password authentication that was not working in some cases
* for honeypot accounts, change P-Kerberoasting to take it into account
* fix NetCease check to be case insensitive (thanks to @ralish)
* added an option for scanners to use a file as input instead of querying the AD
* added an export section to export users or computers (a scanner was already present and moved to this section)
* added the rule S-ADRegistrationSchema for schema class check à la CVE-2021-34470
* fixed P-AdminLogin that wasn’t effective (this check was active only during the first 35 days of the domain)
* defer DataTable initialization (css for table) to avoid any problem in table stop javascript
* fix a bug when msDS-GroupManagedServiceAccount and msDS-ManagedServiceAccount were not counted as group member
* fix a problem in P-ServiceDomainAdmin to look individually at each password change and to set them as exception if needed
* change the rule detail rendering to avoid issues with strange items
* added the option –datefile
Author: Vincent LE TOUX (vincent.letoux@gmail.com)
