Not all SharpHound features are implemented yet, but RustHound already has some that neither SharpHound nor BloodHound-Python offer. Please refer to the roadmap for more information.
RustHound is a cross-platform (Linux, Windows, macOS) BloodHound collector tool written in Rust.
It cross-compiles for all three, and at the time of writing its binaries are not flagged by anti-virus.
RustHound generates users, groups, computers, ous, gpos, containers and domains JSON files for analysis in the BloodHound application.
💡 If you can use SharpHound.exe, use it. RustHound is a backup solution for when SharpHound.exe is detected by AV or cannot be executed from the system you have access to.
USAGE:
rusthound [FLAGS] [OPTIONS] --domain <domain>
FLAGS:
--dns-tcp Use TCP instead of UDP for DNS queries
--fqdn-resolver [MODULE] Use the fqdn-resolver module to resolve the computers found to IP addresses
-h, --help Prints help information
--ldaps Use LDAPS for the connection, e.g. ldaps://G0H4N.LAB/
-v Sets the level of verbosity
-V, --version Prints version information
-z, --zip RustHound will compress the JSON files into a zip archive (doesn't work with Windows)
OPTIONS:
-d, --domain <domain> Domain name like: G0H4N.LAB
-f, --ldapfqdn <ldapfqdn> Domain Controller FQDN like: DC01.G0H4N.LAB
-i, --ldapip <ldapip> Domain Controller IP address
-p, --ldappassword <ldappassword> LDAP password to use
-P, --ldapport <ldapport> LDAP port, default is 389
-u, --ldapusername <ldapusername> LDAP username to use
-n, --name-server <name-server> Alternative IP address name server to use for queries
-o, --dirpath <path> Path where you would like to save json files
You can use the make command to install RustHound or to compile it for Linux or Windows.
make install
rusthound -h
More commands are available in the Makefile:
make help
usage: make install
usage: make uninstall
usage: make debug
usage: make release
usage: make windows
Use RustHound with Docker to be sure all build dependencies are present.
docker build -t rusthound .
docker run rusthound -h
You need to install Rust on your system (Windows/Linux/macOS).
https://www.rust-lang.org/fr/tools/install
RustHound supports Kerberos/GSSAPI, but this means it needs Clang and its development libraries as well as the Kerberos development libraries. On Debian/Ubuntu, that means clang-N, libclang-N-dev and libkrb5-dev.
For example (this installs the Kerberos/GSSAPI libraries; add clang and libclang-N-dev if the build asks for them):
#Debian/Ubuntu
apt-get -y install gcc libgssapi-krb5-2 libkrb5-dev libsasl2-modules-gssapi-mit
Here is how to compile the "release" and "debug" versions with the cargo command.
git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
cargo build --release
#or debug version
cargo b
The result can be found in "target/release" or in "target/debug" folder.
Below you can find the compilation methodology for each target OS, building from Linux. If you need another target, consult the list at this link: https://doc.rust-lang.org/nightly/rustc/platform-support.html
#Install rustup and cargo in Linux
curl https://sh.rustup.rs -sSf | sh
#Add Linux deps
rustup install stable-x86_64-unknown-linux-gnu
rustup target add x86_64-unknown-linux-gnu
#Static compilation for Linux
git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
CFLAGS="-lrt" LDFLAGS="-lrt" RUSTFLAGS='-C target-feature=+crt-static' cargo build --release --target x86_64-unknown-linux-gnu
The result can be found in "target/x86_64-unknown-linux-gnu/release" folder.
#Install rustup and cargo in Linux
curl https://sh.rustup.rs -sSf | sh
#Add Windows deps
rustup install stable-x86_64-pc-windows-gnu
rustup target add x86_64-pc-windows-gnu
#Static compilation for Windows
git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-pc-windows-gnu
The result can be found in "target/x86_64-pc-windows-gnu/release" folder.
git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
cargo doc --open --no-deps
The examples below are run against GOADv2 by mayfly:
# Linux with username:password
./rusthound -d north.sevenkingdoms.local -u '[email protected]' -p '_L0ngCl@w_' -o /tmp/demo/rusthound_north -z
# Linux with username:password and ldaps
./rusthound -d north.sevenkingdoms.local --ldaps -u '[email protected]' -p '_L0ngCl@w_' -o /tmp/demo/rusthound_north -z
# Linux with username:password and ldaps and custom port
./rusthound -d north.sevenkingdoms.local --ldaps -P 3636 -u '[email protected]' -p '_L0ngCl@w_' -o /tmp/demo/rusthound_north -z
# Linux with username:password and ldaps and fqdn resolver module
./rusthound -d north.sevenkingdoms.local --ldaps -u '[email protected]' -p '_L0ngCl@w_' -o /tmp/demo/rusthound_north --fqdn-resolver
# Linux with username:password and ldaps and fqdn resolver module and DNS over TCP and a custom name server
./rusthound -d north.sevenkingdoms.local --ldaps -u '[email protected]' -p '_L0ngCl@w_' -o /tmp/demo/rusthound_north --fqdn-resolver --dns-tcp --name-server 192.168.56.10 -z
# Tip: redirect both standard output and standard error to a file with > /tmp/rh_output 2>&1 (use >> instead of > to append)
./rusthound -d north.sevenkingdoms.local --ldaps -u '[email protected]' -p '_L0ngCl@w_' -o /tmp/demo/rusthound_north --fqdn-resolver > /tmp/rh_output 2>&1
# Windows with GSSAPI session
rusthound.exe -d sevenkingdoms.local --ldapfqdn kingslanding
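Once a run like the ones above has finished, it is worth checking the output directory before dragging it into BloodHound, and on Windows you still need to build the zip yourself because -z/--zip is documented as not working there. The script below is an added example, not RustHound's own code. It assumes the BloodHound v4 JSON envelope ({"data": [...], "meta": {"type": "<collection>", "count": N, ...}}) for the seven files RustHound writes; the make_sample_collection helper writes constructed, placeholder data so the script can be run without a domain.

```python
"""Sanity-check a RustHound output directory and zip it for BloodHound import.

Added example, not part of RustHound. Assumes each <collection>.json uses the
BloodHound v4 envelope {"data": [...], "meta": {"type": ..., "count": ...}}.
"""
import json
import os
import tempfile
import zipfile

# the seven files listed in the README
COLLECTIONS = ("users", "groups", "computers", "ous", "gpos", "containers", "domains")


def check_collection(dirpath):
    """Return {collection: problem}; an empty dict means every file looks importable."""
    problems = {}
    for name in COLLECTIONS:
        path = os.path.join(dirpath, name + ".json")
        if not os.path.isfile(path):
            problems[name] = "missing"
            continue
        try:
            with open(path, "rb") as fh:
                doc = json.load(fh)
        except ValueError as exc:
            problems[name] = "invalid JSON: %s" % exc
            continue
        data = doc.get("data") if isinstance(doc, dict) else None
        meta = doc.get("meta", {}) if isinstance(doc, dict) else {}
        if not isinstance(data, list):
            # older RustHound builds keyed the array by collection name ("users": [...])
            problems[name] = "no 'data' array"
        elif meta.get("type") != name:
            problems[name] = "meta.type %r != %r" % (meta.get("type"), name)
        elif meta.get("count") != len(data):
            # BloodHound trusts meta.count for its import progress; a mismatch hides objects
            problems[name] = "meta.count %r != %d objects" % (meta.get("count"), len(data))
        elif any("ObjectIdentifier" not in obj for obj in data):
            problems[name] = "object without ObjectIdentifier"
    return problems


def zip_collection(dirpath, archive):
    """Flat-zip every *.json in dirpath (BloodHound expects no subfolders); returns member names."""
    names = sorted(f for f in os.listdir(dirpath) if f.endswith(".json"))
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for f in names:
            zf.write(os.path.join(dirpath, f), arcname=f)
    return names


def make_sample_collection(bad_count=False, drop=None):
    """Write a constructed, minimal collection to a temp dir and return its path.

    Constructed placeholder data only: one object per file with a fake SID.
    bad_count makes users.json's meta.count disagree with its data array;
    drop names a collection whose file is omitted.
    """
    dirpath = tempfile.mkdtemp(prefix="rusthound_")
    for name in COLLECTIONS:
        if name == drop:
            continue
        data = [{"ObjectIdentifier": "S-1-5-21-1-2-3-1000",
                 "Properties": {"domain": "NORTH.SEVENKINGDOMS.LOCAL"}}]
        count = len(data) + (1 if bad_count and name == "users" else 0)
        doc = {"data": data, "meta": {"type": name, "count": count, "version": 5}}
        with open(os.path.join(dirpath, name + ".json"), "w") as fh:
            json.dump(doc, fh)
    return dirpath


if __name__ == "__main__":
    import sys
    # usage: python check_rusthound.py /tmp/demo/rusthound_north
    out = sys.argv[1] if len(sys.argv) > 1 else make_sample_collection()
    found = check_collection(out)
    for name, why in sorted(found.items()):
        print("%s.json: %s" % (name, why))
    if not found:
        print("zipped:", zip_collection(out, os.path.join(out, "bloodhound.zip")))
```

Run it with the -o directory as its only argument; with no argument it checks and zips the constructed sample. Nothing is zipped while any collection fails a check, so a truncated run (a missing containers.json, for example) does not silently become a half-empty graph.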
You can find the custom queries used in the demo in the resources folder.
Use the following command to install it:
cp resources/customqueries.json ~/.config/bloodhound/customqueries.json
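The cp above overwrites any customqueries.json you already have. The snippet below is an added example, not part of RustHound: it merges the project's file into the existing one, keeping every query you already had and adding only those whose name is new. It assumes BloodHound's custom query layout, {"queries": [{"name": ..., "queryList": [...]}, ...]}, and the sample queries in the test are constructed.

```python
"""Merge a customqueries.json into an existing BloodHound one instead of overwriting it.

Added example, not part of RustHound. Assumes the BloodHound layout
{"queries": [{"name": ..., "category": ..., "queryList": [...]}, ...]}.
"""
import json
import os


def merge_queries(existing, incoming):
    """Return {"queries": [...]}: all existing queries, then incoming ones with a new name."""
    merged = list(existing.get("queries", []))
    seen = {q.get("name") for q in merged}
    for q in incoming.get("queries", []):
        if q.get("name") not in seen:  # never replace a query the user already has
            merged.append(q)
            seen.add(q.get("name"))
    return {"queries": merged}


def install_queries(src_path, dst_path):
    """Merge src into dst on disk (dst may not exist yet); returns the number of queries written."""
    with open(src_path, "rb") as fh:
        incoming = json.load(fh)
    existing = {"queries": []}
    if os.path.isfile(dst_path):
        with open(dst_path, "rb") as fh:
            existing = json.load(fh)
    merged = merge_queries(existing, incoming)
    os.makedirs(os.path.dirname(dst_path) or ".", exist_ok=True)
    with open(dst_path, "w") as fh:
        json.dump(merged, fh, indent=2)
    return len(merged["queries"])


if __name__ == "__main__":
    # same target path as the README's cp command
    dst = os.path.expanduser("~/.config/bloodhound/customqueries.json")
    print(install_queries("resources/customqueries.json", dst), "queries in", dst)
```

Restart BloodHound after writing the file; it only reads customqueries.json on startup.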
- ldap (389)
- ldaps (636)
- BIND
- NTLM
- GSSAPI (works on Windows, not tested on Linux)
- users.json
- groups.json
- computers.json
- ous.json
- gpos.json
- containers.json
- domains.json
- Argument and function to zip the JSON files: --zip
- Retrieve LAPS passwords automatically if your user can read them
- Resolve the computer FQDNs found to IP addresses: --fqdn-resolver
- Retrieve certificates for ESC exploitation with Certipy: --enum-certificates
- Kerberos attack module (ASREPROASTING, KERBEROASTING): --attack-kerberos
- Retrieve data from trusted domains: --follow-trust (currently in progress, a beta version of this module exists)
Parsing Features
- Properties:sidhistory (not tested!)
- HasSIDHistory
- ChildOus
- Direct_Members
- GPlink
- haslaps
- AllowedToDelegate
- AllowedToAct
- Sessions
  - List users with RPC
- DcomUsers
- RemoteDesktopUsers
- LocalAdmins
- PSRemoteUsers
- ACL
  - Add ReadGMSAPassword support
  - Add
- All
  - Change json header like "users" to "data"
  - Properties:domainsid
  - Properties:whencreated
  - IsDeleted
  - IsACLProtected
- Users
  - Add default NT AUTHORITY:DOMAIN.LOCAL-S-1-5-20 user
  - Properties:unixpassword
  - Properties:unicodepassword
  - Properties:sfupassword
  - Properties:trustedtoauth
  - Properties:sidhistory (not tested!)
  - HasSIDHistory
  - Properties:samaccountname
  - Properties:logonscript
  - Add default
- Domains
  - Change ChildOus to ChildObjects
  - Add the ObjectIdentifier and ObjectType for all ChildObjects
  - Add the
  - Properties:highvalue
  - GPOChanges
    - LocalAdmins
    - RemoteDesktopUsers
    - DcomUsers
    - PSRemoteUsers
    - AffectedComputers
  - Trusts
    - TargetDomainSid
    - TargetDomainName
    - IsTransitive
    - SidFilteringEnabled
    - TrustDirection
    - TrustType
  - Change
- OUs
  - ChildObjects
  - GPOChanges
    - LocalAdmins
    - RemoteDesktopUsers
    - DcomUsers
    - PSRemoteUsers
    - AffectedComputers
- Containers
  - Make function to create containers.json
  - Values
    - ChildObjects
    - Add the ObjectIdentifier and ObjectType for all ChildObjects
    - Add the
    - ObjectIdentifier
    - IsDeleted
    - IsACLProtected
    - Aces
    - Properties:domain
    - Properties:domainsid
    - Properties:name
    - Properties:distinguishedname
- Computers
  - Properties:samaccountname
- Log level (info, debug, trace)
- Error management (in progress)
- add_childobjects_members() ChildObject function in checker/bh_41.rs:217
- replace_guid_gplink() gplinks function in checker/bh_41.rs:302
- Blog post: https://www.opencyber.com/rusthound-data-collector-for-bloodhound-written-in-rust/
- BloodHound.py: https://github.com/fox-it/BloodHound.py
- SharpHound: https://github.com/BloodHoundAD/SharpHound
- BloodHound: https://github.com/BloodHoundAD/BloodHound
- BloodHound docs: https://bloodhound.readthedocs.io/en/latest/index.html
- GOADv2: https://github.com/Orange-Cyberdefense/GOAD