
PingCastle - Get Active Directory Security at 80% in 20% of the time

Results 64 pingcastle issues

hi Vincent, would be useful to write to the reports the used - user - host - DC - command line params - maybe the whole output to the cmd.exe...

hi Vincent, would be nice if problems with gathering gpo data would reflect in the report, e.g. during execution this error is shown: [10:38:28] Gathering gpo data Exception while generating...

Hi, on a Linux CentOS7 AD member, I have forbidden `weak_crypto` algorithms:

```bash
$ grep -B1 allow_weak_crypto /etc/krb5.conf
[libdefaults]
allow_weak_crypto = false
```

On the DC, I have seen...

Hello, As I've scratched my head on this one ;) For info: Pingcastle was reporting a misleading number of DCs in my environment, with 1 "ghost DC" This was...

Scans for the KDC armoring settings do not include the WOW6432Node path for the policy templates and therefore sometimes do not recognize the correctly configured GPOs:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters

Issue encountered...

Upon looking at the flags available, it doesn't seem capable of specifying an alternate output path.

Hi, Is it possible to run Ping Castle over an AD Explorer snapshot? If yes, how? Or maybe over other non-prod snapshot? maybe over bloodhound data... Thanks in advance,

When Multiple HoneyPot Exclusions are added with DistinguishedName....: Pingcastle.exe fails with: Starting the task: Perform analysis for DOMAIN [16:44:55] An exception occured when doing the task: Perform analysis for DOMAIN...

If I understand correctly, the ListTrustedToAuthenticateForDelegation (and NumberTrustedToAuthenticateForDelegation) is taken from [HealthCheckAnalyser.cs#L772](https://github.com/vletoux/pingcastle/blob/933316dab78685caaf4e2cee3dd541511035e73a/Healthcheck/HealthcheckAnalyzer.cs#L772):

```
if ((x.UserAccountControl & 0x80000) != 0)
{
    data.AddDetail("TrustedToAuthenticateForDelegation", GetAccountDetail(x));
}
```

In our report, we have: 2 CN=some-DC1,OU=Domain...

PingCastle does not report when computers are allowed to enroll for vulnerable certificate templates, so a direct critical path to DA remains undetected. e.g.: 1) Flag: EnrolleSuppliesSubject 2) EKU: Client...