Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/NH-RED-TEAM/RustHound

Active Directory data ingestor for BloodHound Legacy written in Rust. πŸ¦€
https://github.com/NH-RED-TEAM/RustHound

active-directory adcs bloodhound blueteam collector cross-compiled cross-platform network pentest pentesting redteam rust sharphound windows

Last synced: 4 days ago
JSON representation

Active Directory data ingestor for BloodHound Legacy written in Rust. πŸ¦€

Awesome Lists containing this project

README 

        
> :warning: *This version is only compatible with [BloodHound Legacy 4.x](https://github.com/BloodHoundAD/BloodHound)*



> [BloodHound Community Edition (CE)](https://github.com/SpecterOps/BloodHound) version will be publish in [v2](https://github.com/NH-RED-TEAM/RustHound/tree/v2) branch.












  Crates.io

  GitHub

  Twitter Follow

  Twitter Follow

  


  Linux supported

  Windows supported

  macOS supported



  





# Summary



- [Limitation](#limitations)

- [Description](#description)

- [How to compile it?](#how-to-compile-it)

  - [Using Makefile](#using-makefile)

  - [Using Dockerfile](#using-dockerfile)

  - [Using Cargo](#using-cargo)

  - [Linux x86_64 static version](#manually-for-linux-x86_64-static-version)

  - [Windows static version from Linux](#manually-for-windows-static-version-from-linux)

  - [macOS static version from Linux](#manually-for-macos-static-version-from-linux)

  - [Optimize the binary size](#optimize-the-binary-size)



- [How to build documentation?](#how-to-build-documentation)

- [Usage](#usage)

- [Demo](#demo)

  - [Simple usage](#simple-usage)

  - [Module FQDN resolver](#module-fqdn-resolver)

  - [Module ADCS collector](#module-adcs-collector)

- [Statistics](#rocket-statistics)

- [Roadmap](#-roadmap)

- [Links](#link-links)



# Limitations



Not all SharpHound features have been implemented. Some exist in RustHound and not in SharpHound or BloodHound-Python. Please refer to the [roadmap](#-roadmap) for more information.



# Description



RustHound is a **cross-platform** BloodHound collector tool written in Rust, making it compatible with Linux, Windows, and macOS.



No AV detection and **cross-compiled**.



RustHound generates users, groups, computers, OUs, GPOs, containers, and domain JSON files that can be analyzed with BloodHound.



> πŸ’‘ If you can use SharpHound, use it.

> Use RustHound as a backup solution if SharpHound is detected by AV or if it not compatible with your OS.



# How to compile it?



## Using Makefile



You can use the **make** command to install RustHound or to compile it for Linux or Windows.



```bash

make install

rusthound -h

```



More command in the **Makefile**:



```bash

Default:

usage: make install

usage: make uninstall

usage: make debug

usage: make release



Static:

usage: make windows

usage: make windows_x64

usage: make windows_x86

usage: make linux_aarch64

usage: make linux_x86_64

usage: make linux_musl

usage: make macos

usage: make arm_musl

usage: make armv7



Without cli argument:

usage: make windows_noargs



Dependencies:

usage: make install_windows_deps

usage: make install_linux_musl_deps

usage: make install_macos_deps

```



## Using Dockerfile



Use RustHound with Docker to make sure to have all dependencies.



```bash

docker build --rm -t rusthound .



# Then

docker run --rm -v ./:/usr/src/rusthound rusthound windows

docker run --rm -v ./:/usr/src/rusthound rusthound linux_musl

docker run --rm -v ./:/usr/src/rusthound rusthound macos

```



## Using Cargo



You will need to install Rust on your system.



[https://www.rust-lang.org/fr/tools/install](https://www.rust-lang.org/fr/tools/install)



RustHound supports Kerberos and GSSAPI. Therefore, it requires Clang and its development libraries, as well as the Kerberos development libraries. On Debian and Ubuntu, this means **clang-N**, **libclang-N-dev**, and **libkrb5-dev**.



For example:

```bash

# Debian/Ubuntu

sudo apt-get -y update && sudo apt-get -y install gcc clang libclang-dev libgssapi-krb5-2 libkrb5-dev libsasl2-modules-gssapi-mit musl-tools gcc-mingw-w64-x86-64

```



Here is how to compile the "release" and "debug" versions using the **cargo** command.



```bash

git clone https://github.com/OPENCYBER-FR/RustHound

cd RustHound

cargo build --release

# or debug version

cargo b

```



The result can be found in the target/release or target/debug folder.



Below you can find the compilation methodology for each of the OS from Linux.

If you need another compilation system, please consult the list in this link: [https://doc.rust-lang.org/nightly/rustc/platform-support.html](https://doc.rust-lang.org/nightly/rustc/platform-support.html)



## Manually for Linux x86_64 static version



```bash

# Install rustup and Cargo for Linux

curl https://sh.rustup.rs -sSf | sh



# Add Linux deps

rustup install stable-x86_64-unknown-linux-gnu

rustup target add x86_64-unknown-linux-gnu



# Static compilation for Linux

git clone https://github.com/OPENCYBER-FR/RustHound

cd RustHound

CFLAGS="-lrt";LDFLAGS="-lrt";RUSTFLAGS='-C target-feature=+crt-static';cargo build --release --target x86_64-unknown-linux-gnu

```



The result can be found in the target/x86_64-unknown-linux-gnu/release folder.



## Manually for Windows static version from Linux

```bash

# Install rustup and Cargo in Linux

curl https://sh.rustup.rs -sSf | sh



# Add Windows deps

rustup install stable-x86_64-pc-windows-gnu

rustup target add x86_64-pc-windows-gnu



# Static compilation for Windows

git clone https://github.com/OPENCYBER-FR/RustHound

cd RustHound

RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-pc-windows-gnu

```



The result can be found in the target/x86_64-pc-windows-gnu/release folder.



## Manually for macOS static version from Linux



Amazing documentation: [https://wapl.es/rust/2019/02/17/rust-cross-compile-linux-to-macos.html](https://wapl.es/rust/2019/02/17/rust-cross-compile-linux-to-macos.html)



```bash

# Install rustup and Cargo in Linux

curl https://sh.rustup.rs -sSf | sh



# Add macOS tool chain

sudo git clone https://github.com/tpoechtrager/osxcross /usr/local/bin/osxcross

sudo wget -P /usr/local/bin/osxcross/ -nc https://s3.dockerproject.org/darwin/v2/MacOSX10.10.sdk.tar.xz && sudo mv /usr/local/bin/osxcross/MacOSX10.10.sdk.tar.xz /usr/local/bin/osxcross/tarballs/

sudo UNATTENDED=yes OSX_VERSION_MIN=10.7 /usr/local/bin/osxcross/build.sh

sudo chmod 775 /usr/local/bin/osxcross/ -R

export PATH="/usr/local/bin/osxcross/target/bin:$PATH"



# Cargo needs to be told to use the correct linker for the x86_64-apple-darwin target, so add the following to your project’s .cargo/config file:

grep 'target.x86_64-apple-darwin' ~/.cargo/config || echo "[target.x86_64-apple-darwin]" >> ~/.cargo/config

grep 'linker = "x86_64-apple-darwin14-clang"' ~/.cargo/config || echo 'linker = "x86_64-apple-darwin14-clang"' >> ~/.cargo/config

grep 'ar = "x86_64-apple-darwin14-clang"' ~/.cargo/config || echo 'ar = "x86_64-apple-darwin14-clang"' >> ~/.cargo/config



# Static compilation for macOS

git clone https://github.com/OPENCYBER-FR/RustHound

cd RustHound

RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-apple-darwin --features nogssapi

```



The result can be found in the target/x86_64-apple-darwin/release folder.



## Optimize the binary size



> πŸ’‘ To obtain an optimized compilation of RustHound add the following compilation parameters at the end of the `Cargo.toml` file.



```bash

[profile.release]

opt-level = "z"

lto = true

strip = true

codegen-units = 1

panic = "abort"

```



The size of the binary will be considerably minimized.

Basic cargo compiler commands can be used.



```bash

make windows

```



More information [here](https://github.com/johnthagen/min-sized-rust)



# How to build the documentation?



```bash

git clone https://github.com/OPENCYBER-FR/RustHound

cd RustHound

cargo doc --open --no-deps

```



# Usage



```bash

Usage: rusthound [OPTIONS] --domain 



Options:

  -v...          Set the level of verbosity

  -h, --help     Print help information

  -V, --version  Print version information



REQUIRED VALUES:

  -d, --domain   Domain name like: DOMAIN.LOCAL



OPTIONAL VALUES:

  -u, --ldapusername   LDAP username, like: [email protected]

  -p, --ldappassword   LDAP password

  -f, --ldapfqdn           Domain Controler FQDN like: DC01.DOMAIN.LOCAL or just DC01

  -i, --ldapip               Domain Controller IP address like: 192.168.1.10

  -P, --ldapport           LDAP port [default: 389]

  -n, --name-server     Alternative IP address name server to use for DNS queries

  -o, --output               Output directory where you would like to save JSON files [default: ./]



OPTIONAL FLAGS:

      --ldaps           Force LDAPS using for request like: ldaps://DOMAIN.LOCAL/

      --dns-tcp         Use TCP instead of UDP for DNS queries

      --dc-only         Collects data only from the domain controller. Will not try to retrieve CA security/configuration or check for Web Enrollment

      --old-bloodhound  For ADCS only. Output result as BloodHound data for the original BloodHound version from @BloodHoundAD without PKI support

  -z, --zip             Compress the JSON files into a zip archive



OPTIONAL MODULES:

      --fqdn-resolver  Use fqdn-resolver module to get computers IP address

      --adcs           Use ADCS module to enumerate Certificate Templates, Certificate Authorities and other configurations.

                       (For the custom-built BloodHound version from @ly4k with PKI support)

```



# Demo



Examples are done on the [GOADv2](https://github.com/Orange-Cyberdefense/GOAD) implemented by [mayfly](https://twitter.com/M4yFly):



## Simple usage



```bash

# Linux with username:password

rusthound -d north.sevenkingdoms.local -u '[email protected]' -p '_L0ngCl@w_' -o /tmp/demo -z



# Linux with username:password and ldapip

rusthound -d north.sevenkingdoms.local -i 192.168.56.11 -u '[email protected]' -p '_L0ngCl@w_' -o /tmp/demo -z



# Linux with username:password and ldaps

rusthound -d north.sevenkingdoms.local --ldaps -u '[email protected]' -p '_L0ngCl@w_' -o /tmp/demo -z 

# Linux with username:password and ldaps and custom port

rusthound -d north.sevenkingdoms.local --ldaps -P 3636 -u '[email protected]' -p '_L0ngCl@w_' -o /tmp/demo -z 



# Tips to redirect and append both standard output and standard error to a file > /tmp/rh_output 2>&1

rusthound -d north.sevenkingdoms.local --ldaps -u '[email protected]' -p '_L0ngCl@w_' -o /tmp/demo --fqdn-resolver > /tmp/rh_output 2>&1



# Windows with GSSAPI session

rusthound.exe -d sevenkingdoms.local --ldapfqdn kingslanding

# Windows simple bind connection username:password (do not use single or double quotes with cmd.exe)

rusthound.exe -d sevenkingdoms.local -u [email protected] -p _L0ngCl@w_ -o output -z



# Kerberos authentication (Linux)

export KRB5CCNAME="/tmp/jeor.mormont.ccache"

rusthound -d sevenkingdoms.local -f kingslanding -k -z

# Kerberos authentication (Windows)

rusthound.exe -d sevenkingdoms.local -f kingslanding -k -z

```








## Module FQDN resolver



```bash

# Linux with username:password and FQDN resolver module

rusthound -d essos.local -u '[email protected]' -p 'BurnThemAll!' -o /tmp/demo --fqdn-resolver -z

# Linux with username:password and ldaps and FQDN resolver module and TCP DNS request and custom name server

rusthound -d essos.local --ldaps -u '[email protected]' -p 'BurnThemAll!' -o /tmp/demo --fqdn-resolver --tcp-dns --name-server 192.168.56.12 -z



# Windows with GSSAPI session and FQDN resolver module

rusthound.exe -d essos.local -f meereen -o output --fqdn-resolver -z

# Windows simple bind connection username:password and FQDN resolver module and TCP DNS request and custom name server (do not use single or double quotes with cmd.exe)

rusthound.exe -d essos.local -u [email protected] -p BurnThemAll! -o output -z --fqdn-resolver --tcp-dns --name-server 192.168.56.12 

```








## Module ADCS collector



Example using [@ly4k BloodHound version](https://github.com/ly4k/BloodHound).



```bash

# Linux with username:password and ADCS module for @ly4k BloodHound version

rusthound -d essos.local -u '[email protected]' -p 'BurnThemAll!' -o /tmp/adcs --adcs -z

# Linux with username:password and ADCS module and dconly flag (will don't check webenrollment)

rusthound -d essos.local -u '[email protected]' -p 'BurnThemAll!' -o /tmp/adcs --adcs --dc-only -z



# Linux with username:password and ADCS module using "--old-bloodhound" argument for official @BloodHoundAd version

rusthound -d essos.local -u '[email protected]' -p 'BurnThemAll!' -o /tmp/adcs --adcs --old-bloodhound -z



# Windows with GSSAPI session and ADCS module

rusthound.exe -d essos.local -f meereen -o output -z --adcs

# Windows with GSSAPI session and ADCS module and TCP DNS request and custom name server

rusthound.exe -d essos.local --ldapfqdn meereen -o output -z --adcs --tcp-dns --name-server 192.168.56.12

# Windows simple bind connection username:password (do not use single or double quotes with cmd.exe)

rusthound.exe -d essos.local -u [email protected] -p BurnThemAll! -o output -z --adcs --dc-only

```








You can find the custom queries used in the demo in the resource folder.



Use the following command to install it:



```bash

cp resources/customqueries.json ~/.config/bloodhound/customqueries.json

```



# :rocket: Statistics



In order to make statistics on a DC with more LDAP objects, run the [BadBlood](https://github.com/davidprowe/BadBlood) on the domain controller ESSOS.local from [GOAD](https://github.com/Orange-Cyberdefense/GOAD). The DC should now have around 3500 objects. Below is the average time it takes to run the following tools:



| Tool              | Environment         | Objects | Time     | Command      |

| -------------------------- | ----------------- | ---------- | -------  | -------  |

| SharpHound.exe        | Windows  | ~3500   | ~51.605s | Measure-Command { sharphound.exe -d essos.local --ldapusername 'khal.drogo' --ldappassword 'horse' --domaincontroller '192.168.56.12' -c All } |

| BloodHound.py | Linux     | ~3500   | ~9.657s  | time python3 bloodhound.py -u khal.drogo -p horse -d essos.local -ns 192.168.56.12 --zip -c all |

| RustHound.exe         | Windows  | ~3500   | **~5.315s**  | Measure-Command { rusthound.exe -d essos.local -u [email protected] -p horse -z } | 

| RustHound         | Linux     | ~3500   | **~3.166s**  | time rusthound -d essos.local -u [email protected] -p horse -z  |



#  πŸš₯ Roadmap



## Authentification

  - [x] LDAP (389)

  - [x] LDAPS (636)

  - [x] `BIND`

  - [ ] `NTLM`

  - [x] `Kerberos`

  - [x] Prompt for password



## Outputs

  - [x] users.json

  - [x] groups.json

  - [x] computers.json

  - [x] ous.json

  - [x] gpos.json

  - [x] containers.json

  - [x] domains.json

  - [x] cas.json

  - [x] templates.json

  - [x] args and function to zip JSON files **--zip**



## Modules



- [x] Retreive LAPS password if your user can read them **automatic**

- [x] Resolve FQDN computers found to IP address **--fqdn-resolver**

- [x] Retrieve certificates for ESC exploitation with [Certipy](https://github.com/ly4k/Certipy) **--adcs**

- [ ] Kerberos attack module (ASREPROASTING and KERBEROASTING) **--attack-kerberos**

- [ ] Retrieve datas from trusted domains **--follow-trust** (Currently working on it, got beta version of this module)



## BloodHound v4.2



- Parsing Features

  - Users & Computers

    - [ ] `HasSIDHistory`

  - Users

    - [ ] `Properties` : `sfupassword`



- **DCERPC (dependencies)**

  - Computers

    - [ ] `Sessions`

  - OUs & Domains

    - [ ] `LocalAdmins`

    - [ ] `RemoteDesktopUsers`

    - [ ] `DcomUsers`

    - [ ] `PSRemoteUsers`

  - CAs

    - [ ] `User Specified SAN`

    - [ ] `Request Disposition`



# :link: Links



- Blog post: [https://www.opencyber.com/rusthound-data-collector-for-bloodhound-written-in-rust/](https://www.opencyber.com/rusthound-data-collector-for-bloodhound-written-in-rust/)

- BloodHound.py: [https://github.com/fox-it/BloodHound.py](https://github.com/fox-it/BloodHound.py)

- SharpHound:  [https://github.com/BloodHoundAD/SharpHound](https://github.com/BloodHoundAD/SharpHound)

- BloodHound: [https://github.com/BloodHoundAD/BloodHound](https://github.com/BloodHoundAD/BloodHound)

- BloodHound docs: [https://bloodhound.readthedocs.io/en/latest/index.html](https://bloodhound.readthedocs.io/en/latest/index.html)

- GOAD: [https://github.com/Orange-Cyberdefense/GOAD](https://github.com/Orange-Cyberdefense/GOAD)

- ly4k BloodHound version: [https://github.com/ly4k/BloodHound](https://github.com/ly4k/BloodHound)

- Certipy: [https://github.com/ly4k/Certipy](https://github.com/ly4k/Certipy)