Not all SharpHound features are implemented yet. Please refer to the roadmap for more information.
RustHound is a cross-platform BloodHound collector tool, written in Rust. (Linux,Windows,MacOS)
No anti-virus detection and cross-compiled.
RustHound generate users,groups,computers,ous,gpos,containers,domains json files to analyze it with BloodHound application.
💡 If you can use SharpHound.exe, use it. Rusthound is a backup solution if SharpHound.exe is detected by AV or if SharpHound.exe isn't executable from the system where you have access to.
USAGE:
rusthound [FLAGS] [OPTIONS] --domain <domain>
FLAGS:
--dns-tcp Use TCP instead of UDP for DNS queries
--fqdn-resolver [MODULE] Use fqdn-resolver module to get computers IP address
-h, --help Prints help information
--ldaps Prepare ldaps request. Like ldaps://G0H4N.LAB/
-v Sets the level of verbosity
-V, --version Prints version information
-z, --zip RustHound will compress the JSON files into a zip archive (doesn't work with Windows)
OPTIONS:
-d, --domain <domain> Domain name like: G0H4N.LAB
-f, --ldapfqdn <ldapfqdn> Domain Controler FQDN like: DC01.G0H4N.LAB
-i, --ldapip <ldapip> Domain Controller IP address
-p, --ldappassword <ldappassword> Ldap password to use
-P, --ldapport <ldapport> Ldap port, default is 389
-u, --ldapusername <ldapusername> Ldap username to use
-n, --name-server <name-server> Alternative IP address name server to use for queries
-o, --dirpath <path> Path where you would like to save json filesYou need to install rust in your system (Windows/Linux/MacOS).
https://www.rust-lang.org/fr/tools/install
RustHound support Kerberos/GSSAPI but this means that it needs Clang and its development libraries, as well as the Kerberos development libraries. On Debian/Ubuntu, that means clang-N, libclang-N-dev and libkrb5-dev.
For example:
#Debian/Ubuntu
apt-get -y install gcc libgssapi-krb5-2 libkrb5-dev libsasl2-modules-gssapi-mitHere is how to compile the "release" and "debug" versions from "cargo" command.
git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
cargo build --release
#or debug version
cargo bThe result can be found in "target/release" or in "target/debug" folder.
Below you can find the compilation methodology for each of the OS from Linux. If you need another compilation system, please consult the list in this link : https://doc.rust-lang.org/nightly/rustc/platform-support.html
#Install rustup and cargo in Linux
curl https://sh.rustup.rs -sSf | sh
#Add Linux deps
rustup install stable-x86_64-unknown-linux-gnu
rustup target add x86_64-unknown-linux-gnu
#Static compilation for Linux
git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
CFLAGS="-lrt";LDFLAGS="-lrt";RUSTFLAGS='-C target-feature=+crt-static';cargo build --release --target x86_64-unknown-linux-gnuThe result can be found in "target/x86_64-unknown-linux-gnu/release" folder.
#Install rustup and cargo in Linux
curl https://sh.rustup.rs -sSf | sh
#Add Windows deps
rustup install stable-x86_64-pc-windows-gnu
rustup target add x86_64-pc-windows-gnu
#Static compilation for Windows
git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-pc-windows-gnuThe result can be found in "target/x86_64-pc-windows-gnu/release" folder.
git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
cargo doc --open --no-depsExample are done on the GOADv2 implemented by mayfly:
# Linux with username:password
./rusthound -d north.sevenkingdoms.local -u 'jeor.mormont@north.sevenkingdoms.local' -p '_L0ngCl@w_' -o /tmp/demo/rusthound_north -z
# Linux with username:password and ldaps
./rusthound -d north.sevenkingdoms.local -ldaps -u 'jeor.mormont@north.sevenkingdoms.local' -p '_L0ngCl@w_' -o /tmp/demo/rusthound_north -z
# Linux with username:password and ldaps and custom port
./rusthound -d north.sevenkingdoms.local -ldaps -P 3636 -u 'jeor.mormont@north.sevenkingdoms.local' -p '_L0ngCl@w_' -o /tmp/demo/rusthound_north -z
# Linux with username:password and ldaps and fqdn resolver module
./rusthound -d north.sevenkingdoms.local -ldaps -u 'jeor.mormont@north.sevenkingdoms.local' -p '_L0ngCl@w_' -o /tmp/demo/rusthound_north --fqdn-resolver
# Linux with username:password and ldaps and fqdn resolver module and tcp dns request and custom name server
./rusthound -d north.sevenkingdoms.local -ldaps -u 'jeor.mormont@north.sevenkingdoms.local' -p '_L0ngCl@w_' -o /tmp/demo/rusthound_north --fqdn-resolver --tcp-dns --name-server 192.168.56.10 -z
# Tips to redirect and append both standard output and standard error to a file > /tmp/rh_output 2>&1
./rusthound -d north.sevenkingdoms.local -ldaps -u 'jeor.mormont@north.sevenkingdoms.local' -p '_L0ngCl@w_' -o /tmp/demo/rusthound_north --fqdn-resolver > /tmp/rh_output 2>&1
# Windows with GSSAPI session
rusthound.exe -d sevenkingdoms.local --ldapfqdn kingslanding
You can find the custom queries used in the demo, in the resource folder.
Use the following command to install it:
cp resources/customqueries.json ~/.config/bloodhound/customqueries.json- ldap (389)
- ldaps (636)
-
BIND -
NTLM -
GSSAPIfor Windows ok but not tested for Linux
- users.json
- groups.json
- computers.json
- ous.json
- gpos.json
- containers.json
- domains.json
- args and function to zip json files --zip
- Retreive LAPS password if your user can read them automatic
- Resolve FQDN computers found to IP address --fqdn-resolver
- Retrieve certificates for ESC exploitation with Certipy --enum-certificates
- Kerberos attack module (ASREPROASTING,KERBEROASTING) --attack-kerberos
- Retrieve datas from trusted domains --follow-trust (Currently working on it, got beta version of this module)
-
Parsing Features
-
Properties:sidhistorynot tested!-
HasSIDHistory
-
-
ChildOus -
Direct_Members -
GPlink -
haslaps -
AllowedToDelegate -
AllowedToAct -
Sessions- List users with RPC
-
DcomUsers -
RemoteDesktopUsers -
LocalAdmins -
PSRemoteUsers
-
-
ACL
- Add
ReadGMSAPasswordsupport
- Add
-
All
- Change json header like "users" to "data"
-
Properties:domainsid -
Properties:whencreated -
IsACLProtected -
IsDeleted
-
Users
- Add default
NT AUTHORITY:DOMAIN.LOCAL-S-1-5-20user -
Properties:unixpassword -
Properties:unicodepassword -
Properties:sfupassword -
Properties:trustedtoauth -
Properties:sidhistorynot tested!-
HasSIDHistory
-
-
Properties:samaccountname -
Properties:logonscript
- Add default
-
Domains
- Change
ChildOustoChildObjects- Add the
ObjectIdentifierandObjectTypefor allChildObjects
- Add the
-
Properties:highvalue -
GPOChanges-
LocalAdmins -
RemoteDesktopUsers -
DcomUsers -
PSRemoteUsers -
AffectedComputers
-
-
Trusts-
TargetDomainSid -
TargetDomainName -
IsTransitive -
SidFilteringEnabled -
TrustDirection -
TrustType
-
- Change
-
OUs
-
ChildObjects -
GPOChanges-
LocalAdmins -
RemoteDesktopUsers -
DcomUsers -
PSRemoteUsers -
AffectedComputers
-
-
-
Containers
- Make function to create containers.json
- Values
-
ChildObjects- Add the
ObjectIdentifierandObjectTypefor allChildObjects
- Add the
-
ObjectIdentifier -
IsDeleted -
IsACLProtected -
Aces -
Properties:domain -
Properties:domainsid -
Properties:name -
Properties:distinguishedname
-
-
Computers
-
Properties:samaccountname
-
- Log level (info,debug,trace)
- Error management (working on it)
- add_childobjects_members() ChildObject function in checker/bh_41.rs:217
- replace_guid_gplink() gplinks function in checker/bh_41.rs:302
- Blog post: https://www.opencyber.com/rusthound-data-collector-for-bloodhound-written-in-rust/
- BloodHound.py: https://github.com/fox-it/BloodHound.py
- SharpHound: https://github.com/BloodHoundAD/SharpHound
- BloodHound: https://github.com/BloodHoundAD/BloodHound
- BloodHound docs: https://bloodhound.readthedocs.io/en/latest/index.html
- GOADv2: https://github.com/Orange-Cyberdefense/GOAD