RustHound

Summary

Limitation
Description
How to compile it?
How to build documentation?
Usage
Demo
Statistics
Roadmap
Links

Limitations

Not all SharpHound features are implemented yet but some are existing in RustHound and do not in SharpHound or BloodHound-Python. Please refer to the roadmap for more information.

Description

RustHound is a cross-platform BloodHound collector tool, written in Rust. (Linux,Windows,MacOS)

No anti-virus detection and cross-compiled.

RustHound generate users,groups,computers,ous,gpos,containers,domains json files to analyze it with BloodHound application.

💡 If you can use SharpHound.exe, use it. Rusthound is a backup solution if SharpHound.exe is detected by AV or if SharpHound.exe isn't executable from the system where you have access to.

How to compile it?

Using Makefile

You can use make command to install Rusthound or to compile it for Linux or Windows.

bash make install rusthount -h

More command in the Makefile:

bash make help usage: make install usage: make uninstall usage: make debug usage: make release usage: make windows usage: make linux_musl

Using Dockerfile

Use RustHound with docker to make sure to have all dependencies.

bash docker build -t rusthound . docker run rusthound -h

Using Cargo

You need to install rust on your system (Windows/Linux/MacOS).

https://www.rust-lang.org/fr/tools/install

RustHound support Kerberos/GSSAPI but this means that it needs Clang and its development libraries, as well as the Kerberos development libraries. On Debian/Ubuntu, that means clang-N, libclang-N-dev and libkrb5-dev.

For example: ```bash

Debian/Ubuntu

apt-get -y install gcc libgssapi-krb5-2 libkrb5-dev libsasl2-modules-gssapi-mit ```

Here is how to compile the "release" and "debug" versions from "cargo" command.

```bash git clone https://github.com/OPENCYBER-FR/RustHound cd RustHound cargo build --release

or debug version

cargo b ```

The result can be found in "target/release" or in "target/debug" folder.

Below you can find the compilation methodology for each of the OS from Linux. If you need another compilation system, please consult the list in this link : https://doc.rust-lang.org/nightly/rustc/platform-support.html

Manually for Linux x86_64 static version

```bash

Install rustup and cargo in Linux

curl https://sh.rustup.rs -sSf | sh

Add Linux deps

rustup install stable-x8664-unknown-linux-gnu rustup target add x8664-unknown-linux-gnu

Static compilation for Linux

git clone https://github.com/OPENCYBER-FR/RustHound cd RustHound CFLAGS="-lrt";LDFLAGS="-lrt";RUSTFLAGS='-C target-feature=+crt-static';cargo build --release --target x86_64-unknown-linux-gnu ```

The result can be found in "target/x86_64-unknown-linux-gnu/release" folder.

Manually for Windows static version from Linux

```bash

Install rustup and cargo in Linux

curl https://sh.rustup.rs -sSf | sh

Add Windows deps

rustup install stable-x8664-pc-windows-gnu rustup target add x8664-pc-windows-gnu

Static compilation for Windows

git clone https://github.com/OPENCYBER-FR/RustHound cd RustHound RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-pc-windows-gnu ```

The result can be found in "target/x86_64-pc-windows-gnu/release" folder.

How to build the documentation?

bash git clone https://github.com/OPENCYBER-FR/RustHound cd RustHound cargo doc --open --no-deps

Usage

```bash USAGE: rusthound [FLAGS] [OPTIONS] --domain

FLAGS: --adcs [MODULE] Use ADCS module to enumerate Certificate Templates, Certificate Authorities and other configurations. (For the custom-built BloodHound version from @ly4k with PKI support) --dc-only Collects data only from the domain controller. Will not try to retrieve CA security/configuration or check for Web Enrollment. --dns-tcp Use TCP instead of UDP for DNS queries --fqdn-resolver [MODULE] Use fqdn-resolver module to get computers IP address -h, --help Prints help information --ldaps Prepare ldaps request. Like ldaps://G0H4N.LAB/ --old-bloodhound For ADCS only. Output result as BloodHound data for the original BloodHound version from @BloodHoundAD without PKI support. -v Sets the level of verbosity -V, --version Prints version information -z, --zip RustHound will compress the JSON files into a zip archive

OPTIONS: -d, --domain Domain name like: G0H4N.LAB -f, --ldapfqdn Domain Controler FQDN like: DC01.G0H4N.LAB -i, --ldapip Domain Controller IP address -p, --ldappassword Ldap password to use -P, --ldapport Ldap port, default is 389 -u, --ldapusername Ldap username to use -n, --name-server Alternative IP address name server to use for queries -o, --dirpath Path where you would like to save json files ```

Demo

Examples are done on the GOADv2 implemented by mayfly:

Simple usage

```bash

Linux with username:password

rusthound -d north.sevenkingdoms.local -u 'jeor.mormont@north.sevenkingdoms.local' -p 'L0ngCl@w' -o /tmp/demo -z

Linux with username:password and ldapip

rusthound -d north.sevenkingdoms.local -i 192.168.56.11 -u 'jeor.mormont@north.sevenkingdoms.local' -p 'L0ngCl@w' -o /tmp/demo -z

Linux with username:password and ldaps

rusthound -d north.sevenkingdoms.local --ldaps -u 'jeor.mormont@north.sevenkingdoms.local' -p 'L0ngCl@w' -o /tmp/demo -z

Linux with username:password and ldaps and custom port

rusthound -d north.sevenkingdoms.local --ldaps -P 3636 -u 'jeor.mormont@north.sevenkingdoms.local' -p 'L0ngCl@w' -o /tmp/demo -z

Tips to redirect and append both standard output and standard error to a file > /tmp/rh_output 2>&1

rusthound -d north.sevenkingdoms.local --ldaps -u 'jeor.mormont@north.sevenkingdoms.local' -p 'L0ngCl@w' -o /tmp/demo --fqdn-resolver > /tmp/rh_output 2>&1

Windows with GSSAPI session

rusthound.exe -d sevenkingdoms.local --ldapfqdn kingslanding

Windows simple bind connection username:password (don't use simple quote or double quote with cmd.exe)

rusthound.exe -d sevenkingdoms.local -u jeor.mormont@north.sevenkingdoms.local -p L0ngCl@w -o output -z ```

Module FQDN resolver

```bash

Linux with username:password and FQDN resolver module

rusthound -d essos.local -u 'daenerys.targaryen@essos.local' -p 'BurnThemAll!' -o /tmp/demo --fqdn-resolver -z

Linux with username:password and ldaps and FQDN resolver module and TCP DNS request and custom name server

rusthound -d essos.local --ldaps -u 'daenerys.targaryen@essos.local' -p 'BurnThemAll!' -o /tmp/demo --fqdn-resolver --tcp-dns --name-server 192.168.56.12 -z

Windows with GSSAPI session and FQDN resolver module

rusthound.exe -d essos.local -f meereen -o output --fqdn-resolver -z

Windows simple bind connection username:password and FQDN resolver module and TCP DNS request and custom name server (don't use simple quote or double quote with cmd.exe)

rusthound.exe -d essos.local -u daenerys.targaryen@essos.local -p BurnThemAll! -o output -z --fqdn-resolver --tcp-dns --name-server 192.168.56.12 ```

Module ADCS collector

Example is done with the @ly4k BloodHound version.

```bash

Linux with username:password and ADCS module for @ly4k BloodHound version

rusthound -d essos.local -u 'daenerys.targaryen@essos.local' -p 'BurnThemAll!' -o /tmp/adcs --adcs -z

Linux with username:password and ADCS module and dconly flag (will don't check webenrollment)

rusthound -d essos.local -u 'daenerys.targaryen@essos.local' -p 'BurnThemAll!' -o /tmp/adcs --adcs --dc-only -z

Linux with username:password and ADCS module using "--old-bloodhound" argument for official @BloodHoundAd version

rusthound -d essos.local -u 'daenerys.targaryen@essos.local' -p 'BurnThemAll!' -o /tmp/adcs --adcs --old-bloodhound -z

Windows with GSSAPI session and ADCS module

rusthound.exe -d essos.local -f meereen -o output -z --adcs

Windows with GSSAPI session and ADCS module and TCP DNS request and custom name server

rusthound.exe -d essos.local --ldapfqdn meereen -o output -z --adcs --tcp-dns --name-server 192.168.56.12

Windows simple bind connection username:password (don't use simple quote or double quote with cmd.exe)

rusthound.exe -d essos.local -u daenerys.targaryen@essos.local -p BurnThemAll! -o output -z --adcs --dc-only ```

You can find the custom queries used in the demo, in the resource folder.

Use the following command to install it:

bash cp resources/customqueries.json ~/.config/bloodhound/customqueries.json

:rocket: Statistics

In order to make statistics on a DC with more LDAP objects, we run the BadBlood project on the domain controller ESSOS.local from GOAD. The DC has now around 3500 objects. An execution average time has been done and here are the output:

| Tool | Environment | Objects | Time | Command line | | -------------------------- | ----------------- | ---------- | ------- | ------- | | SharpHound.exe | Windows | ~3500 | ~51.605s | Measure-Command { sharphound.exe -d essos.local --ldapusername 'khal.drogo' --ldappassword 'horse' --domaincontroller '192.168.56.12' -c All } | | BloodHound.py | Linux | ~3500 | ~9.657s | time python3 bloodhound.py -u khal.drogo -p horse -d essos.local -ns 192.168.56.12 --zip -c all | | RustHound.exe | Windows | ~3500 | ~5.315s | Measure-Command { rusthound.exe -d essos.local -u khal.drogo@essos.local -p horse -z } | | RustHound | Linux | ~3500 | ~3.166s | time rusthound -d essos.local -u khal.drogo@essos.local -p horse -z |

🚥 Roadmap

Authentification

[x] ldap (389)
[x] ldaps (636)
[x] BIND
[ ] NTLM
[x] GSSAPI for Windows ok but not tested for Linux

Outputs

[x] users.json
[x] groups.json
[x] computers.json
[x] ous.json
[x] gpos.json
[x] containers.json
[x] domains.json
[x] cas.json
[x] templates.json
[x] args and function to zip json files --zip

Modules

[x] Retreive LAPS password if your user can read them automatic
[x] Resolve FQDN computers found to IP address --fqdn-resolver
[x] Retrieve certificates for ESC exploitation with Certipy --adcs
[ ] Kerberos attack module (ASREPROASTING,KERBEROASTING) --attack-kerberos
[ ] Retrieve datas from trusted domains --follow-trust (Currently working on it, got beta version of this module)

Bloodhound v4.2

Parsing Features
- Users & Computers
- [ ] HasSIDHistory
- Users
- [ ] Properties : sfupassword
DCERPC (dependencies)
- Computers
- [ ] Sessions
- OUs & Domains
- [ ] LocalAdmins
- [ ] RemoteDesktopUsers
- [ ] DcomUsers
- [ ] PSRemoteUsers
- CAs
- [ ] User Specified SAN
- [ ] Request Disposition

:link: Links

Blog post: https://www.opencyber.com/rusthound-data-collector-for-bloodhound-written-in-rust/
BloodHound.py: https://github.com/fox-it/BloodHound.py
SharpHound: https://github.com/BloodHoundAD/SharpHound
BloodHound: https://github.com/BloodHoundAD/BloodHound
BloodHound docs: https://bloodhound.readthedocs.io/en/latest/index.html
GOAD: https://github.com/Orange-Cyberdefense/GOAD
ly4k BloodHound version: https://github.com/ly4k/BloodHound
Certipy: https://github.com/ly4k/Certipy