Not all SharpHound features have been implemented. Some exist in RustHound and not in SharpHound or BloodHound-Python. Please refer to the roadmap for more information.
RustHound is a cross-platform BloodHound collector tool written in Rust, making it compatible with Linux, Windows, and macOS.
No AV detection and cross-compiled.
RustHound generates users, groups, computers, OUs, GPOs, containers, and domain JSON files that can be analyzed with BloodHound.
💡 If you can use SharpHound, use it. Use RustHound as a backup solution if SharpHound is detected by AV or if it is not compatible with your OS.
You can use the make command to install RustHound or to compile it for Linux or Windows.
```bash
make install
rusthound -h
```
More commands in the Makefile:
```bash
Default:
usage: make install
usage: make uninstall
usage: make debug
usage: make release

Static:
usage: make windows
usage: make linux_musl
usage: make macos

Dependencies:
usage: make install_windows_deps
usage: make install_linux_musl_deps
usage: make install_macos_deps
```
Use RustHound with Docker to make sure you have all dependencies.
```bash
docker build -t rusthound .
docker run rusthound -h
```
You will need to install Rust on your system.
https://www.rust-lang.org/fr/tools/install
RustHound supports Kerberos and GSSAPI. Therefore, it requires Clang and its development libraries, as well as the Kerberos development libraries. On Debian and Ubuntu, this means clang-N, libclang-N-dev, and libkrb5-dev.
For example:
```bash
sudo apt-get -y update && sudo apt-get -y install gcc libclang-dev clang libclang-dev libgssapi-krb5-2 libkrb5-dev libsasl2-modules-gssapi-mit musl-tools gcc-mingw-w64-x86-64
```
Here is how to compile the "release" and "debug" versions using the cargo command.
```bash
git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
cargo build --release
cargo b
```
The result can be found in the target/release or target/debug folder.
Below you can find the compilation methodology for each target OS, building from Linux. If you need another compilation target, please consult the list at this link: https://doc.rust-lang.org/nightly/rustc/platform-support.html
```bash
curl https://sh.rustup.rs -sSf | sh
rustup install stable-x86_64-unknown-linux-gnu
rustup target add x86_64-unknown-linux-gnu
git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
# The variable assignments must prefix the cargo command (not be separated by ';'),
# otherwise they stay shell-local and cargo never sees RUSTFLAGS.
CFLAGS="-lrt" LDFLAGS="-lrt" RUSTFLAGS='-C target-feature=+crt-static' cargo build --release --target x86_64-unknown-linux-gnu
```
The result can be found in the target/x86_64-unknown-linux-gnu/release folder.
```bash
curl https://sh.rustup.rs -sSf | sh
rustup install stable-x86_64-pc-windows-gnu
rustup target add x86_64-pc-windows-gnu
git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-pc-windows-gnu
```
The result can be found in the target/x86_64-pc-windows-gnu/release folder.
Amazing documentation: https://wapl.es/rust/2019/02/17/rust-cross-compile-linux-to-macos.html
```bash
curl https://sh.rustup.rs -sSf | sh
sudo git clone https://github.com/tpoechtrager/osxcross /usr/local/bin/osxcross
sudo wget -P /usr/local/bin/osxcross/ -nc https://s3.dockerproject.org/darwin/v2/MacOSX10.10.sdk.tar.xz && sudo mv /usr/local/bin/osxcross/MacOSX10.10.sdk.tar.xz /usr/local/bin/osxcross/tarballs/
sudo UNATTENDED=yes OSX_VERSION_MIN=10.7 /usr/local/bin/osxcross/build.sh
sudo chmod 775 /usr/local/bin/osxcross/ -R
export PATH="/usr/local/bin/osxcross/target/bin:$PATH"
grep 'target.x86_64-apple-darwin' ~/.cargo/config || echo "[target.x86_64-apple-darwin]" >> ~/.cargo/config
grep 'linker = "x86_64-apple-darwin14-clang"' ~/.cargo/config || echo 'linker = "x86_64-apple-darwin14-clang"' >> ~/.cargo/config
grep 'ar = "x86_64-apple-darwin14-clang"' ~/.cargo/config || echo 'ar = "x86_64-apple-darwin14-clang"' >> ~/.cargo/config
git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-apple-darwin
```
The result can be found in the target/x86_64-apple-darwin/release folder.
```bash
git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
cargo doc --open --no-deps
```
```bash
Usage: rusthound [OPTIONS] --domain

Options:
  -v...            Set the level of verbosity
  -h, --help       Print help information
  -V, --version    Print version information

REQUIRED VALUES:
  -d, --domain

OPTIONAL VALUES:
  -u, --ldapusername

OPTIONAL FLAGS:
      --ldaps            Force LDAPS using for request like: ldaps://DOMAIN.LOCAL/
      --dns-tcp          Use TCP instead of UDP for DNS queries
      --dc-only          Collects data only from the domain controller. Will not try to retrieve CA security/configuration or check for Web Enrollment
      --old-bloodhound   For ADCS only. Output result as BloodHound data for the original BloodHound version from @BloodHoundAD without PKI support
  -z, --zip              Compress the JSON files into a zip archive

OPTIONAL MODULES:
      --fqdn-resolver    Use fqdn-resolver module to get computers IP address
      --adcs             Use ADCS module to enumerate Certificate Templates, Certificate Authorities and other configurations. (For the custom-built BloodHound version from @ly4k with PKI support)
```
The examples below were run against the GOADv2 lab implemented by mayfly:
```bash
rusthound -d north.sevenkingdoms.local -u 'jeor.mormont@north.sevenkingdoms.local' -p 'L0ngCl@w' -o /tmp/demo -z
rusthound -d north.sevenkingdoms.local -i 192.168.56.11 -u 'jeor.mormont@north.sevenkingdoms.local' -p 'L0ngCl@w' -o /tmp/demo -z
rusthound -d north.sevenkingdoms.local --ldaps -u 'jeor.mormont@north.sevenkingdoms.local' -p 'L0ngCl@w' -o /tmp/demo -z
rusthound -d north.sevenkingdoms.local --ldaps -P 3636 -u 'jeor.mormont@north.sevenkingdoms.local' -p 'L0ngCl@w' -o /tmp/demo -z
rusthound -d north.sevenkingdoms.local --ldaps -u 'jeor.mormont@north.sevenkingdoms.local' -p 'L0ngCl@w' -o /tmp/demo --fqdn-resolver > /tmp/rh_output 2>&1
rusthound.exe -d sevenkingdoms.local --ldapfqdn kingslanding
rusthound.exe -d sevenkingdoms.local -u jeor.mormont@north.sevenkingdoms.local -p L0ngCl@w -o output -z
```
```bash
rusthound -d essos.local -u 'daenerys.targaryen@essos.local' -p 'BurnThemAll!' -o /tmp/demo --fqdn-resolver -z
rusthound -d essos.local --ldaps -u 'daenerys.targaryen@essos.local' -p 'BurnThemAll!' -o /tmp/demo --fqdn-resolver --tcp-dns --name-server 192.168.56.12 -z
rusthound.exe -d essos.local -f meereen -o output --fqdn-resolver -z
rusthound.exe -d essos.local -u daenerys.targaryen@essos.local -p BurnThemAll! -o output -z --fqdn-resolver --tcp-dns --name-server 192.168.56.12
```
Examples using the @ly4k BloodHound version (with PKI support):
```bash
rusthound -d essos.local -u 'daenerys.targaryen@essos.local' -p 'BurnThemAll!' -o /tmp/adcs --adcs -z
rusthound -d essos.local -u 'daenerys.targaryen@essos.local' -p 'BurnThemAll!' -o /tmp/adcs --adcs --dc-only -z
rusthound -d essos.local -u 'daenerys.targaryen@essos.local' -p 'BurnThemAll!' -o /tmp/adcs --adcs --old-bloodhound -z
rusthound.exe -d essos.local -f meereen -o output -z --adcs
rusthound.exe -d essos.local --ldapfqdn meereen -o output -z --adcs --tcp-dns --name-server 192.168.56.12
rusthound.exe -d essos.local -u daenerys.targaryen@essos.local -p BurnThemAll! -o output -z --adcs --dc-only
```
You can find the custom queries used in the demo in the resources folder.
Use the following command to install them:
```bash
cp resources/customqueries.json ~/.config/bloodhound/customqueries.json
```
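The cp command above overwrites any custom queries already in ~/.config/bloodhound/customqueries.json. The following added example (not part of the RustHound project) merges the demo queries into the existing file instead, keeping existing entries when a name collides; it assumes BloodHound's file layout of a top-level "queries" list whose entries carry a "name" and a "queryList", and the two sample documents are constructed.

```python
"""Merge a customqueries.json into BloodHound's existing one instead of
overwriting it. Assumes the layout {"queries": [{"name": ..., "queryList": [...]}]}."""
import json
from pathlib import Path


def merge_queries(existing: dict, incoming: dict) -> dict:
    """Return a new query set: each incoming query is appended unless a query
    with the same name already exists (the existing entry wins)."""
    merged = {"queries": list(existing.get("queries", []))}
    seen = {q.get("name") for q in merged["queries"]}
    for q in incoming.get("queries", []):
        if q.get("name") in seen:
            continue
        merged["queries"].append(q)
        seen.add(q.get("name"))
    return merged


def merge_files(src: Path, dst: Path) -> int:
    """Merge src into dst on disk (creating dst if absent); return the query count."""
    incoming = json.loads(src.read_text())
    existing = json.loads(dst.read_text()) if dst.exists() else {"queries": []}
    merged = merge_queries(existing, incoming)
    dst.parent.mkdir(parents=True, exist_ok=True)
    dst.write_text(json.dumps(merged, indent=2))
    return len(merged["queries"])


# Constructed sample data standing in for the user's file and the demo file.
EXISTING = {"queries": [
    {"name": "My own query", "category": "Custom",
     "queryList": [{"final": True, "query": "MATCH (u:User) RETURN u"}]}]}
INCOMING = {"queries": [
    {"name": "My own query",
     "queryList": [{"final": True, "query": "MATCH (n) RETURN n"}]},
    {"name": "Constructed demo query", "category": "Demo",
     "queryList": [{"final": True, "query": "MATCH (g:Group) RETURN g"}]}]}

if __name__ == "__main__":
    # Real usage: merge the repository file into the BloodHound config.
    n = merge_files(Path("resources/customqueries.json"),
                    Path.home() / ".config/bloodhound/customqueries.json")
    print(f"{n} custom queries now installed")
```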
To benchmark against a DC with more LDAP objects, run BadBlood on the ESSOS.local domain controller from GOAD. The DC should then have around 3500 objects. Below is the average time each of the following tools takes:
| Tool | Environment | Objects | Time | Command |
| -------------- | ----------- | ------- | -------- | ------- |
| SharpHound.exe | Windows | ~3500 | ~51.605s | Measure-Command { sharphound.exe -d essos.local --ldapusername 'khal.drogo' --ldappassword 'horse' --domaincontroller '192.168.56.12' -c All } |
| BloodHound.py | Linux | ~3500 | ~9.657s | time python3 bloodhound.py -u khal.drogo -p horse -d essos.local -ns 192.168.56.12 --zip -c all |
| RustHound.exe | Windows | ~3500 | ~5.315s | Measure-Command { rusthound.exe -d essos.local -u khal.drogo@essos.local -p horse -z } |
| RustHound | Linux | ~3500 | ~3.166s | time rusthound -d essos.local -u khal.drogo@essos.local -p horse -z |
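The object counts above come from the collector output. The following added example (not RustHound code) sanity-checks a collector zip such as the one produced with -z before it is imported: it reads each JSON member's "meta" block, compares the declared count with the number of "data" entries, and totals the consistent files. It assumes the BloodHound v4 JSON layout ({"data": [...], "meta": {"type", "count", "version", ...}}); the archive it builds is a constructed stand-in.

```python
"""Check a BloodHound collector zip for meta.count / data-length consistency."""
import io
import json
import zipfile


def check_member(raw: bytes) -> tuple[str, int, bool]:
    """Return (declared type, declared count, consistent?) for one JSON file."""
    doc = json.loads(raw)
    meta = doc.get("meta", {})
    declared = int(meta.get("count", -1))
    actual = len(doc.get("data", []))
    return str(meta.get("type", "?")), declared, declared == actual


def summarize_zip(blob: bytes) -> dict:
    """Map each JSON member name to its (type, count, ok) triple."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.endswith(".json"):
                report[name] = check_member(zf.read(name))
    return report


def total_objects(report: dict) -> int:
    """Sum the declared counts of the files that passed the consistency check."""
    return sum(count for _, count, ok in report.values() if ok)


def build_sample_zip() -> bytes:
    """Constructed stand-in for a 'rusthound -z' archive (two tiny files)."""
    users = {"data": [{"ObjectIdentifier": "S-1-5-21-1-1-1-1001"},
                      {"ObjectIdentifier": "S-1-5-21-1-1-1-1002"}],
             "meta": {"methods": 0, "type": "users", "count": 2, "version": 5}}
    # Deliberately inconsistent: meta claims 3 groups but only one is present.
    groups = {"data": [{"ObjectIdentifier": "S-1-5-21-1-1-1-512"}],
              "meta": {"methods": 0, "type": "groups", "count": 3, "version": 5}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("20240101_users.json", json.dumps(users))
        zf.writestr("20240101_groups.json", json.dumps(groups))
    return buf.getvalue()


if __name__ == "__main__":
    report = summarize_zip(build_sample_zip())
    for name, (kind, count, ok) in report.items():
        print(f"{name}: {kind} count={count} {'ok' if ok else 'MISMATCH'}")
    print("consistent objects:", total_objects(report))
```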
- BIND
- NTLM
- GSSAPI (for Windows ok, but not tested on Linux)

Parsing Features:
- HasSIDHistory
- Properties: sfupassword

DCERPC (dependencies):
- Sessions
- LocalAdmins
- RemoteDesktopUsers
- DcomUsers
- PSRemoteUsers

- User Specified SAN
- Request Disposition