Ping Castle

Tous sur l'analyse des vulnérabilités "réseau" de nos SIH, sonde IDS, scanner de vulnérabilités...
Répondre
Avatar du membre
charles
Administrateur du site
Messages : 4942
Enregistré le : 06 avr. 2015 09:02
Etablissement : GHT 15 - CH Saint-Flour
Fonction : RSSI
DPO / DPD : Oui
Site Internet de l'établissement : https://www.ch-stflour.fr
Site Internet personnel ou blog : https://www.forum-sih.fr
Contact :

Ping Castle

Message par charles » 18 août 2020 23:14

Après 3 versions beta consécutives, la version stable 2.9.0 de Ping Castle a été publiée le 06/08/2020. Deux règles de contrôles préconisés par le CERT-FR de l'ANSSI ici : viewtopic.php?f=84&t=1447&p=5971#p5971 qui n'étaient pas encore intégrées ont été ajoutées.

Pour plus de détails :
* when building the map, the program was taking the first part of the FQDN as a shortname. Now it uses the Netbios name if it is available
* change tooltip description for the trust section of the healthcheck report
* added the rule S-DC-2008 and S-OS-2008 to check for obsolete 2008 servers which are no longer supported
* Fix: A-AuditDC - GPO at the root level was ignored and OU specific too. Now the GPO is checked per DC.
* Fix: A-AuditDC - Reword the rule A-AuditDC for better understanding
* change A-Krbtgt to be triggered only after 1 year (previously 40 days)
* Fix: In some scanners, the comma was used instead of a tab
* Fix: Avoid a crash if the security descriptor of the msi files cannot be retrieved
* Fix: better switch in case of failure of ADWS to LDAP
* Added the rule A-CertROCA to check for recoverable public key (ROCA vulnerability) [ANSSI: vuln1_certificates_vuln]
* Added the rule A-CertWeakDSA to check for DSA key use in certificate used for digital signature [ANSSI: vuln1_certificates_vuln]
* Added the rule A-CertWeakRsaComponent to check for low RSA exponent
* Added the rule A-WeakRSARootCert2 to check for rsa module length between 1024 & 2048 (friend of A-WeakRSARootCert)
* Added the rule A-DsHeuristicsAllowAnonNSPI to check if the heuristics fAllowAnonNSPI is enabled
* Added the rule P-RODCAllowedGroup to check for the Allowed RODC Password Replication Group group
* Added the rule P-RODCDeniedGroup to check for the Denied RODC Password Replication Group group
* Added the rule A-NTFRSOnSysvol to check the usage of the old protocol NTFRS on SYSVOL replication
* Added the rules A-DnsZoneUpdate1 and A-DnsZoneUpdate2 about DNS unsecure updates
* Added the rule S-DC-Inactive to check for inactive DC
* Added the rule S-PwdLastSet-DC to check for regular password change on DC
* Added the rule T-SIDHistoryDangerous to check for SID lower than 1000 or well known in SIDHistory
* Added the rule S-PwdNeverExpires to check for accounts with never expiring passwords
* Added the rule S-DCRegistration to check if DC are well registered (aka detect fake DC)
* Added the rule P-DelegationDCt2a4d P-DelegationDCa2d2 and P-DelegationDCsourcedeleg for DC delegation analysis
* Added the rule A-PreWin2000Other to be the companion of A-PreWin2000Anonymous
* Added the rule P-ProtectedUsers to check if all privileged accounts are member of the protected users group
* Added the rule S-PwdLastSet-45 and S-PwdLastSet-90 for workstations without the automatic password change disabled
* Added the rule P-AdminPwdTooOld to check for admin passwords older than 3 years
* Added the rule S-NoPreAuthAdmin, which is a split of the rule S-NoPreAuth, to match admins
* Added the rule P-DNSAdmin to check for members of the DNS Admins group
* Added the rule P-RODCRevealOnDemand P-RODCNeverReveal and P-RODCAdminRevealed for RODC checks
* Added the rule P-RODCSYSVOLWrite to check for RODC write access to the SYSVOL volume
* Added the rule A-NoNetSessionHardening to check if the NetCease mitigation has been applied
* Added the rule A-UnixPwd to check for attributes known to contains password
* Added the rule T-AzureADSSO to check for password rotation with AzureAD SSO (AZUREADSSOACC)
* Added the rule S-OS-Win7 to check for Windows 7. PingCastle is looking for support purchased from MS.
* Change the rule reports to include ANSSI rules
* Change the threshold of S-Inactive from 15 to 25% to match user_accounts_dormant rule
* Change the category of P-ControlPathIndirectMany and P-ControlPathIndirectEveryone to the new Control Path category
* Change the rule P-AdminNum to add a new limit of 50 admins
* Change the cagory of the rule P-DelegationEveryone, P-PrivilegeEveryone, P-TrustedCredManAccessPrivilege, P-UnconstrainedDelegation, P-UnkownDelegation
* Change the rule A-MinPwdLen to check only GPO applied to something
* Change the way GPO are evaluated in rules: if the GPO is disabled or not applied, no anomaly is found
* Change the rule A-MembershipEveryone to not trigger an alert when Authenticated users is a member of BUILTIN\Users
* Adding features exclusive for our customers, such as maturity evaluation, and charts
* Added the scanner export_user for a quick user analysis
* Added pagination and search in healthcheck report
* For AdminSDHolder users check, added the date in the report (written as 'Event') when the attribute admincount has been set (via replication metadata)
* Auditor & Enterprise licensee can now brand the report by using Appsettings/BrandLogo for base64 logo and Appsettings/BrandCss & BrandJs for raw Css & Js to inject
* make visible the rule ID in the healthcheck report in the rule description
* Removed BSI reference as the document is not online anymore
* Added ms-mcs-admpwd read check in delegations
* Fix members of admin groups outside the AD were not visible in the report
Sources : https://raw.githubusercontent.com/vleto ... ngelog.txt
https://github.com/vletoux/pingcastle/r ... ag/2.9.0.0

michael
Messages : 190
Enregistré le : 12 févr. 2016 13:38
Etablissement : CHU Nimes
Fonction : RSSI
DPO / DPD : Non

Re: Ping Castle

Message par michael » 20 août 2020 16:31

On prend des points à chaque nouvelle version... je vais arrêter de les suivre :lol:

Avatar du membre
charles
Administrateur du site
Messages : 4942
Enregistré le : 06 avr. 2015 09:02
Etablissement : GHT 15 - CH Saint-Flour
Fonction : RSSI
DPO / DPD : Oui
Site Internet de l'établissement : https://www.ch-stflour.fr
Site Internet personnel ou blog : https://www.forum-sih.fr
Contact :

Re: Ping Castle

Message par charles » 23 sept. 2020 08:02

La V2.9.1 de Ping Casle est arrivée le 17/09/2020. Elle contient de nouvelles options pour les scanner, permettant de choisir s'ils doivent être exécutés uniquement sur les DC, serveurs, postes ou toutes les machines. On retrouve un scanner pour pour la vulnérabilité Zerologon (viewforum.php?f=325 / viewtopic.php?f=78&t=742&p=6267#p6267), ainsi que ma petite pierre à cet édifice, un scanner permettant de connaitre les solutions de prise de main à distance installées.


ping_castle_scanner_2_9_1.jpg


https://github.com/vletoux/pingcastle/r ... ag/2.9.1.0
Vous n’avez pas les permissions nécessaires pour voir les fichiers joints à ce message.

Gérard
Messages : 74
Enregistré le : 03 oct. 2016 11:00
Etablissement : LNA-Santé
Fonction : RSSI
DPO / DPD : Oui

Re: Ping Castle

Message par Gérard » 24 sept. 2020 08:50

Belle contribution Charles, je viens de m'empresser de la tester, très intéressant comme rapport.

Avatar du membre
charles
Administrateur du site
Messages : 4942
Enregistré le : 06 avr. 2015 09:02
Etablissement : GHT 15 - CH Saint-Flour
Fonction : RSSI
DPO / DPD : Oui
Site Internet de l'établissement : https://www.ch-stflour.fr
Site Internet personnel ou blog : https://www.forum-sih.fr
Contact :

Re: Ping Castle

Message par charles » 24 sept. 2020 09:59

Merci Gérard ;)
J'avais ça dans les tiroirs depuis un moment, j'ai enfin pris le temps de faire une pull request :)

Répondre

Retourner vers « Analyse des vulnérabilités »