RustHound
Summary
Limitations
Not all SharpHound features have been implemented. Some exist in RustHound and not in SharpHound or BloodHound-Python. Please refer to the roadmap for more information.
Description
RustHound is a cross-platform BloodHound collector tool written in Rust, making it compatible with Linux, Windows, and macOS.
No AV detection and cross-compiled.
RustHound generates users, groups, computers, OUs, GPOs, containers, and domain JSON files that can be analyzed with BloodHound.
💡 If you can use SharpHound, use it. Use RustHound as a backup solution if SharpHound is detected by AV or if it is not compatible with your OS.
How to compile it?
Using Makefile
You can use the make command to install RustHound or to compile it for Linux or Windows. More commands are listed in the Makefile.
Using Dockerfile
Use RustHound with Docker to make sure all dependencies are available.
Using Cargo
You will need to install Rust on your system.
https://www.rust-lang.org/fr/tools/install
RustHound supports Kerberos and GSSAPI. Therefore, it requires Clang and its development libraries, as well as the Kerberos development libraries. On Debian and Ubuntu, this means clang-N, libclang-N-dev, and libkrb5-dev.
For example, on Debian/Ubuntu:
Here is how to compile the "release" and "debug" versions using the cargo command.
The result can be found in the target/release or target/debug folder.
Below you can find the compilation procedure for each target OS, building from Linux. If you need another compilation target, consult the list at https://doc.rust-lang.org/nightly/rustc/platform-support.html
Manually for Linux x86_64 static version
# Install rustup and Cargo for Linux
# Add Linux deps
# Static compilation for Linux
CFLAGS="-lrt";LDFLAGS="-lrt";RUSTFLAGS='-C target-feature=+crt-static';
The result can be found in the target/x86_64-unknown-linux-gnu/release folder.
Manually for Windows static version from Linux
# Install rustup and Cargo in Linux
# Add Windows deps
# Static compilation for Windows
RUSTFLAGS="-C target-feature=+crt-static"
The result can be found in the target/x86_64-pc-windows-gnu/release folder.
Manually for macOS static version from Linux
Amazing documentation: https://wapl.es/rust/2019/02/17/rust-cross-compile-linux-to-macos.html
# Install rustup and Cargo in Linux
# Add macOS tool chain
# Cargo needs to be told to use the correct linker for the x86_64-apple-darwin target, so add the following to your project’s .cargo/config file:
# Static compilation for macOS
RUSTFLAGS="-C target-feature=+crt-static"
The result can be found in the target/x86_64-apple-darwin/release folder.
Optimize the binary size
💡 To obtain an optimized compilation of RustHound, add the following compilation parameters at the end of the Cargo.toml file.
The binary size is considerably reduced, and the usual cargo build commands can still be used.
More information here
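The release profile below is an added example of the size-optimizing settings this section refers to; it uses standard Cargo profile options and is not a snippet taken from the RustHound repository. Append it to Cargo.toml:

```toml
# Added example: standard Cargo release-profile settings for a smaller binary
# (not copied from the RustHound repository). Append to the end of Cargo.toml.
[profile.release]
opt-level = "z"     # optimize for size instead of speed
lto = true          # link-time optimization across all crates, removes dead code
codegen-units = 1   # single codegen unit: slower build, better optimization
panic = "abort"     # no unwinding tables; a panic terminates the process without backtrace
strip = true        # strip symbols and debug info from the final binary (Cargo 1.59+)
```

A plain `cargo build --release` picks up these settings; keep the debug profile untouched so `cargo build` still produces a binary with symbols and backtraces for troubleshooting.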
How to build the documentation?
Usage
Demo
The examples below were run against GOADv2, implemented by mayfly:
Simple usage
# Linux with username:password
# Linux with username:password and ldapip
# Linux with username:password and ldaps
# Linux with username:password and ldaps and custom port
# Tip: to redirect and append both standard output and standard error to a file, add > /tmp/rh_output 2>&1
# Windows with GSSAPI session
# Windows simple bind connection username:password (do not use single or double quotes with cmd.exe)
# Kerberos authentication (Linux)
# Kerberos authentication (Windows)
Module FQDN resolver
# Linux with username:password and FQDN resolver module
# Linux with username:password and ldaps and FQDN resolver module and TCP DNS request and custom name server
# Windows with GSSAPI session and FQDN resolver module
# Windows simple bind connection username:password and FQDN resolver module and TCP DNS request and custom name server (do not use single or double quotes with cmd.exe)
Module ADCS collector
Example using @ly4k BloodHound version.
# Linux with username:password and ADCS module for @ly4k BloodHound version
# Linux with username:password and ADCS module and dconly flag (does not check web enrollment)
# Linux with username:password and ADCS module using "--old-bloodhound" argument for official @BloodHoundAd version
# Windows with GSSAPI session and ADCS module
# Windows with GSSAPI session and ADCS module and TCP DNS request and custom name server
# Windows simple bind connection username:password (do not use single or double quotes with cmd.exe)
You can find the custom queries used in the demo in the resource folder.
Use the following command to install it:
🚀 Statistics
To benchmark against a DC with more LDAP objects, run BadBlood on the domain controller ESSOS.local from GOAD; the DC should then have around 3500 objects. Below is the average time it takes to run each tool:
Tool | Environment | Objects | Time | Command |
---|---|---|---|---|
SharpHound.exe | Windows | ~3500 | ~51.605s | Measure-Command { sharphound.exe -d essos.local --ldapusername 'khal.drogo' --ldappassword 'horse' --domaincontroller '192.168.56.12' -c All } |
BloodHound.py | Linux | ~3500 | ~9.657s | time python3 bloodhound.py -u khal.drogo -p horse -d essos.local -ns 192.168.56.12 --zip -c all |
RustHound.exe | Windows | ~3500 | ~5.315s | Measure-Command { rusthound.exe -d essos.local -u khal.drogo@essos.local -p horse -z } |
RustHound | Linux | ~3500 | ~3.166s | time rusthound -d essos.local -u khal.drogo@essos.local -p horse -z |
🚥 Roadmap
Authentication
- LDAP (389)
- LDAPS (636)
- BIND
- NTLM
- Kerberos
- Prompt for password
Outputs
- users.json
- groups.json
- computers.json
- ous.json
- gpos.json
- containers.json
- domains.json
- cas.json
- templates.json
- args and function to zip JSON files --zip
Modules
- Retrieve LAPS passwords automatically if your user can read them
- Resolve the FQDN of computers found to IP addresses --fqdn-resolver
- Retrieve certificates for ESC exploitation with Certipy --adcs
- Kerberos attack module (ASREPROASTING and KERBEROASTING) --attack-kerberos
- Retrieve data from trusted domains --follow-trust (currently working on it; a beta version of this module exists)
BloodHound v4.2
- Parsing Features
  - Users & Computers
    - HasSIDHistory
  - Users
    - Properties: sfupassword
  - Users & Computers
    - DCERPC (dependencies)
  - Computers
    - Sessions
  - OUs & Domains
    - LocalAdmins
    - RemoteDesktopUsers
    - DcomUsers
    - PSRemoteUsers
  - CAs
    - User Specified SAN
    - Request Disposition
  - Computers
🔗 Links
- Blog post: https://www.opencyber.com/rusthound-data-collector-for-bloodhound-written-in-rust/
- BloodHound.py: https://github.com/fox-it/BloodHound.py
- SharpHound: https://github.com/BloodHoundAD/SharpHound
- BloodHound: https://github.com/BloodHoundAD/BloodHound
- BloodHound docs: https://bloodhound.readthedocs.io/en/latest/index.html
- GOAD: https://github.com/Orange-Cyberdefense/GOAD
- ly4k BloodHound version: https://github.com/ly4k/BloodHound
- Certipy: https://github.com/ly4k/Certipy