RustHound

Summary

• Limitation
• Description
• Usage
• Demo
• How to compile it?
  • Linux x86_64 static version
  • Windows static version from Linux
• How to build documentation?
• Roadmap
• Links

Limitations

Not all SharpHound features are implemented yet. Please refer to the roadmap for more information.

Description

RustHound is a cross-platform BloodHound collector tool, written in Rust. (Linux,Windows,MacOS)

No anti-virus detection and cross-compiled.

RustHound generate users,groups,computers,ous,gpos,containers,domains json files to analyze it with BloodHound application.

💡 If you can use SharpHound.exe, use it. Rusthound is a backup solution if SharpHound.exe is detected by AV or if SharpHound.exe isn't executable from the system where you have access to.

Usage

```bash USAGE: rusthound [FLAGS] [OPTIONS] --domain

FLAGS: --dns-tcp Use TCP instead of UDP for DNS queries --fqdn-resolver [MODULE] Use fqdn-resolver module to get computers IP address -h, --help Prints help information --ldaps Prepare ldaps request. Like ldaps://G0H4N.LAB/ -v Sets the level of verbosity -V, --version Prints version information -z, --zip RustHound will compress the JSON files into a zip archive (doesn't work with Windows)

OPTIONS: -d, --domain Domain name like: G0H4N.LAB -f, --ldapfqdn Domain Controler FQDN like: DC01.G0H4N.LAB -i, --ldapip Domain Controller IP address -p, --ldappassword Ldap password to use -P, --ldapport Ldap port, default is 389 -u, --ldapusername Ldap username to use -n, --name-server Alternative IP address name server to use for queries -o, --dirpath Path where you would like to save json files ```

How to compile it?

You need to install rust in your system (Windows/Linux/MacOS).

https://www.rust-lang.org/fr/tools/install

RustHound support Kerberos/GSSAPI but this means that it needs Clang and its development libraries, as well as the Kerberos development libraries. On Debian/Ubuntu, that means clang-N, libclang-N-dev and libkrb5-dev.

For example: ```bash

Debian/Ubuntu

apt-get -y install gcc libgssapi-krb5-2 libkrb5-dev libsasl2-modules-gssapi-mit ```

Here is how to compile the "release" and "debug" versions from "cargo" command.

```bash git clone https://github.com/OPENCYBER-FR/RustHound cd RustHound cargo build --release

or debug version

cargo b ```

The result can be found in "target/release" or in "target/debug" folder.

Below you can find the compilation methodology for each of the OS from Linux. If you need another compilation system, please consult the list in this link : https://doc.rust-lang.org/nightly/rustc/platform-support.html

Linux x86_64 static version

```bash

Install rustup and cargo in Linux

curl https://sh.rustup.rs -sSf | sh

Add Linux deps

rustup install stable-x8664-unknown-linux-gnu rustup target add x8664-unknown-linux-gnu

Static compilation for Linux

git clone https://github.com/OPENCYBER-FR/RustHound cd RustHound CFLAGS="-lrt";LDFLAGS="-lrt";RUSTFLAGS='-C target-feature=+crt-static';cargo build --release --target x86_64-unknown-linux-gnu ```

The result can be found in "target/x86_64-unknown-linux-gnu/release" folder.

Windows static version from Linux

```bash

Install rustup and cargo in Linux

curl https://sh.rustup.rs -sSf | sh

Add Windows deps

rustup install stable-x8664-pc-windows-gnu rustup target add x8664-pc-windows-gnu

Static compilation for Windows

git clone https://github.com/OPENCYBER-FR/RustHound cd RustHound RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-pc-windows-gnu ```

The result can be found in "target/x86_64-pc-windows-gnu/release" folder.

How to build documentation?

bash git clone https://github.com/OPENCYBER-FR/RustHound cd RustHound cargo doc --open --no-deps

Demo

Example are done on the GOADv2 implemented by mayfly:

```bash

Linux with username:password

./rusthound -d north.sevenkingdoms.local -u 'jeor.mormont@north.sevenkingdoms.local' -p 'L0ngCl@w' -o /tmp/demo/rusthound_north -z

Linux with username:password and ldaps

./rusthound -d north.sevenkingdoms.local -ldaps -u 'jeor.mormont@north.sevenkingdoms.local' -p 'L0ngCl@w' -o /tmp/demo/rusthound_north -z

Linux with username:password and ldaps and custom port

./rusthound -d north.sevenkingdoms.local -ldaps -P 3636 -u 'jeor.mormont@north.sevenkingdoms.local' -p 'L0ngCl@w' -o /tmp/demo/rusthound_north -z

Linux with username:password and ldaps and fqdn resolver module

./rusthound -d north.sevenkingdoms.local -ldaps -u 'jeor.mormont@north.sevenkingdoms.local' -p 'L0ngCl@w' -o /tmp/demo/rusthound_north --fqdn-resolver

Linux with username:password and ldaps and fqdn resolver module and tcp dns request and custom name server

./rusthound -d north.sevenkingdoms.local -ldaps -u 'jeor.mormont@north.sevenkingdoms.local' -p 'L0ngCl@w' -o /tmp/demo/rusthound_north --fqdn-resolver --tcp-dns --name-server 192.168.56.10 -z

Tips to redirect and append both standard output and standard error to a file > /tmp/rh_output 2>&1

./rusthound -d north.sevenkingdoms.local -ldaps -u 'jeor.mormont@north.sevenkingdoms.local' -p 'L0ngCl@w' -o /tmp/demo/rusthoundnorth --fqdn-resolver > /tmp/rhoutput 2>&1

Windows with GSSAPI session

rusthound.exe -d sevenkingdoms.local --ldapfqdn kingslanding ```

You can find the custom queries used in the demo, in the resource folder.

Use the following command to install it:

bash cp resources/customqueries.json ~/.config/bloodhound/customqueries.json

🚥 Roadmap

Authentification

• [x] ldap (389)
• [x] ldaps (636)
• [x] BIND
• [ ] NTLM
• [x] GSSAPI for Windows ok but not tested for Linux

Outputs

• [x] users.json
• [x] groups.json
• [x] computers.json
• [x] ous.json
• [x] gpos.json
• [x] containers.json
• [x] domains.json
• [x] args and function to zip json files --zip

Modules

• [x] Retreive LAPS password if your user can read them automatic
• [x] Resolve FQDN computers found to IP address --fqdn-resolver
• [ ] Retrieve certificates for ESC exploitation with Certipy --enum-certificates
• [ ] Kerberos attack module (ASREPROASTING,KERBEROASTING) --attack-kerberos
• [ ] Retrieve datas from trusted domains --follow-trust (Currently working on it, got beta version of this module)

Bloodhound v4.2

• Parsing Features

  • [x] Properties:sidhistory not tested!
    • [ ] HasSIDHistory
  • [x] ChildOus
  • [x] Direct_Members
  • [x] GPlink
  • [x] haslaps
  • [ ] Sessions
  • [ ] List users with RPC
  • [ ] DcomUsers
  • [ ] RemoteDesktopUsers
  • [ ] LocalAdmins
  • [ ] PSRemoteUsers
  • [ ] AllowedToDelegate
  • [ ] AllowedToAct

• ACL

  • [x] Add ReadGMSAPassword support

• All

  • [x] Change json header like "users" to "data"
  • [x] Properties : domainsid
  • [x] Properties : whencreated
  • [ ] IsDeleted
  • [x] IsACLProtected
• Users
  • [x] Add default NT AUTHORITY : DOMAIN.LOCAL-S-1-5-20 user
  • [x] Properties : unixpassword
  • [x] Properties : unicodepassword
  • [ ] Properties : sfupassword
  • [x] Properties : trustedtoauth
  • [x] Properties:sidhistory not tested!
  • [ ] HasSIDHistory
  • [x] Properties : samaccountname
  • [x] Properties : logonscript
• Domains
  • [x] Change ChildOus to ChildObjects
  • [x] Add the ObjectIdentifier and ObjectType for all ChildObjects
  • [x] Properties : highvalue
  • [x] GPOChanges
  • [ ] LocalAdmins
  • [ ] RemoteDesktopUsers
  • [ ] DcomUsers
  • [ ] PSRemoteUsers
  • [x] AffectedComputers
  • [x] Trusts
  • [x] TargetDomainSid
  • [x] TargetDomainName
  • [x] IsTransitive
  • [x] SidFilteringEnabled
  • [x] TrustDirection
  • [x] TrustType
• OUs
  • [x] ChildObjects
  • [x] GPOChanges
  • [ ] LocalAdmins
  • [ ] RemoteDesktopUsers
  • [ ] DcomUsers
  • [ ] PSRemoteUsers
  • [x] AffectedComputers
• Containers
  • [x] Make function to create containers.json
  • Values
  • [x] ChildObjects
    • [x] Add the ObjectIdentifier and ObjectType for all ChildObjects
  • [x] ObjectIdentifier
  • [x] IsDeleted
  • [x] IsACLProtected
  • [x] Aces
  • [x] Properties : domain
  • [x] Properties : domainsid
  • [x] Properties : name
  • [x] Properties : distinguishedname
• Computers
  • [x] Properties : samaccountname

Optimization

• [x] Log level (info,debug,trace)
• [x] Error management (working on it)
• [ ] addchildobjectsmembers() ChildObject function in checker/bh_41.rs:217
• [ ] replaceguidgplink() gplinks function in checker/bh_41.rs:302

:link: Links

• Blog post: https://www.opencyber.com/rusthound-data-collector-for-bloodhound-written-in-rust/
• BloodHound.py: https://github.com/fox-it/BloodHound.py
• SharpHound: https://github.com/BloodHoundAD/SharpHound
• BloodHound: https://github.com/BloodHoundAD/BloodHound
• BloodHound docs: https://bloodhound.readthedocs.io/en/latest/index.html
• GOADv2: https://github.com/Orange-Cyberdefense/GOAD