rusthound 1.0.1

Active Directory data collector for Bloodhound written in rust.
Documentation

RustHound

Summary

Limitations

Not all SharpHound features are implemented yet. Please refer to the roadmap for more information.

Description

RustHound is a cross-platform BloodHound collector tool, written in Rust. (Linux,Windows,MacOS)

No anti-virus detection and cross-compiled.

RustHound generate users,groups,computers,ous,gpos,containers,domains json files to analyze it with BloodHound application.

💡 If you can use SharpHound.exe, use it. Rusthound is a backup solution if SharpHound.exe is detected by AV or if SharpHound.exe isn't executable from the system where you have access to.

Usage

USAGE:
    rusthound [FLAGS] [OPTIONS] --domain <domain>

FLAGS:
        --dns-tcp          Use TCP instead of UDP for DNS queries
        --fqdn-resolver    [MODULE] Use fqdn-resolver module to get computers IP address
    -h, --help             Prints help information
        --ldaps            Prepare ldaps request. Like ldaps://G0H4N.LAB/
    -v                     Sets the level of verbosity
    -V, --version          Prints version information
    -z, --zip              RustHound will compress the JSON files into a zip archive (doesn't work with Windows)

OPTIONS:
    -d, --domain <domain>                Domain name like: G0H4N.LAB
    -f, --ldapfqdn <ldapfqdn>            Domain Controler FQDN like: DC01.G0H4N.LAB
    -i, --ldapip <ldapip>                Domain Controller IP address
    -p, --ldappassword <ldappassword>    Ldap password to use
    -P, --ldapport <ldapport>            Ldap port, default is 389
    -u, --ldapusername <ldapusername>    Ldap username to use
    -n, --name-server <name-server>      Alternative IP address name server to use for queries
    -o, --dirpath <path>                 Path where you would like to save json files

How to compile it?

You need to install rust in your system (Windows/Linux/MacOS).

https://www.rust-lang.org/fr/tools/install

RustHound support Kerberos/GSSAPI but this means that it needs Clang and its development libraries, as well as the Kerberos development libraries. On Debian/Ubuntu, that means clang-N, libclang-N-dev and libkrb5-dev.

For example:

#Debian/Ubuntu
apt-get -y install gcc libgssapi-krb5-2 libkrb5-dev libsasl2-modules-gssapi-mit

Here is how to compile the "release" and "debug" versions from "cargo" command.

git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
cargo build --release
#or debug version
cargo b

The result can be found in "target/release" or in "target/debug" folder.

Below you can find the compilation methodology for each of the OS from Linux. If you need another compilation system, please consult the list in this link : https://doc.rust-lang.org/nightly/rustc/platform-support.html

Linux x86_64 static version

#Install rustup and cargo in Linux
curl https://sh.rustup.rs -sSf | sh

#Add Linux deps
rustup install stable-x86_64-unknown-linux-gnu
rustup target add x86_64-unknown-linux-gnu

#Static compilation for Linux
git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
CFLAGS="-lrt";LDFLAGS="-lrt";RUSTFLAGS='-C target-feature=+crt-static';cargo build --release --target x86_64-unknown-linux-gnu

The result can be found in "target/x86_64-unknown-linux-gnu/release" folder.

Windows static version from Linux

#Install rustup and cargo in Linux
curl https://sh.rustup.rs -sSf | sh

#Add Windows deps
rustup install stable-x86_64-pc-windows-gnu
rustup target add x86_64-pc-windows-gnu

#Static compilation for Windows
git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-pc-windows-gnu

The result can be found in "target/x86_64-pc-windows-gnu/release" folder.

How to build documentation?

git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
cargo doc --open --no-deps

Demo

Example are done on the GOADv2 implemented by mayfly:

# Linux with username:password
./rusthound -d north.sevenkingdoms.local -u 'jeor.mormont@north.sevenkingdoms.local' -p '_L0ngCl@w_' -o /tmp/demo/rusthound_north -z

# Linux with username:password and ldaps
./rusthound -d north.sevenkingdoms.local -ldaps -u 'jeor.mormont@north.sevenkingdoms.local' -p '_L0ngCl@w_' -o /tmp/demo/rusthound_north -z 
# Linux with username:password and ldaps and custom port
./rusthound -d north.sevenkingdoms.local -ldaps -P 3636 -u 'jeor.mormont@north.sevenkingdoms.local' -p '_L0ngCl@w_' -o /tmp/demo/rusthound_north -z 

# Linux with username:password and ldaps and fqdn resolver module
./rusthound -d north.sevenkingdoms.local -ldaps -u 'jeor.mormont@north.sevenkingdoms.local' -p '_L0ngCl@w_' -o /tmp/demo/rusthound_north --fqdn-resolver 
# Linux with username:password and ldaps and fqdn resolver module and tcp dns request and custom name server
./rusthound -d north.sevenkingdoms.local -ldaps -u 'jeor.mormont@north.sevenkingdoms.local' -p '_L0ngCl@w_' -o /tmp/demo/rusthound_north --fqdn-resolver --tcp-dns --name-server 192.168.56.10 -z

# Tips to redirect and append both standard output and standard error to a file > /tmp/rh_output 2>&1
./rusthound -d north.sevenkingdoms.local -ldaps -u 'jeor.mormont@north.sevenkingdoms.local' -p '_L0ngCl@w_' -o /tmp/demo/rusthound_north --fqdn-resolver > /tmp/rh_output 2>&1


# Windows with GSSAPI session
rusthound.exe -d sevenkingdoms.local --ldapfqdn kingslanding

You can find the custom queries used in the demo, in the resource folder.

Use the following command to install it:

cp resources/customqueries.json ~/.config/bloodhound/customqueries.json

🚥 Roadmap

Authentification

  • ldap (389)
  • ldaps (636)
  • BIND
  • NTLM
  • GSSAPI for Windows ok but not tested for Linux

Outputs

  • users.json
  • groups.json
  • computers.json
  • ous.json
  • gpos.json
  • containers.json
  • domains.json
  • args and function to zip json files --zip

Modules

  • Retreive LAPS password if your user can read them automatic
  • Resolve FQDN computers found to IP address --fqdn-resolver
  • Retrieve certificates for ESC exploitation with Certipy --enum-certificates
  • Kerberos attack module (ASREPROASTING,KERBEROASTING) --attack-kerberos
  • Retrieve datas from trusted domains --follow-trust (Currently working on it, got beta version of this module)

Bloodhound v4.2

  • Parsing Features

    • Properties:sidhistory not tested!
      • HasSIDHistory
    • ChildOus
    • Direct_Members
    • GPlink
    • haslaps
    • AllowedToDelegate
    • AllowedToAct
    • Sessions
      • List users with RPC
      • DcomUsers
      • RemoteDesktopUsers
      • LocalAdmins
      • PSRemoteUsers

  • ACL

    • Add ReadGMSAPassword support

  • All

    • Change json header like "users" to "data"
    • Properties : domainsid
    • Properties : whencreated
    • IsACLProtected
    • IsDeleted

  • Users

    • Add default NT AUTHORITY : DOMAIN.LOCAL-S-1-5-20 user
    • Properties : unixpassword
    • Properties : unicodepassword
    • Properties : sfupassword
    • Properties : trustedtoauth
    • Properties:sidhistory not tested!
      • HasSIDHistory
    • Properties : samaccountname
    • Properties : logonscript

  • Domains

    • Change ChildOus to ChildObjects
      • Add the ObjectIdentifier and ObjectType for all ChildObjects
    • Properties : highvalue
    • GPOChanges
      • LocalAdmins
      • RemoteDesktopUsers
      • DcomUsers
      • PSRemoteUsers
      • AffectedComputers
    • Trusts
      • TargetDomainSid
      • TargetDomainName
      • IsTransitive
      • SidFilteringEnabled
      • TrustDirection
      • TrustType

  • OUs

    • ChildObjects
    • GPOChanges
      • LocalAdmins
      • RemoteDesktopUsers
      • DcomUsers
      • PSRemoteUsers
      • AffectedComputers

  • Containers

    • Make function to create containers.json
    • Values
      • ChildObjects
        • Add the ObjectIdentifier and ObjectType for all ChildObjects
      • ObjectIdentifier
      • IsDeleted
      • IsACLProtected
      • Aces
      • Properties : domain
      • Properties : domainsid
      • Properties : name
      • Properties : distinguishedname

  • Computers

    • Properties : samaccountname

Optimization

  • Log level (info,debug,trace)
  • Error management (working on it)
  • add_childobjects_members() ChildObject function in checker/bh_41.rs:217
  • replace_guid_gplink() gplinks function in checker/bh_41.rs:302

:link: Links