RustHound: cross-platform BloodHound collector tool, written in Rust

Active Directory data collector

RustHound

RustHound is a cross-platform BloodHound collector tool, written in Rust (Linux, Windows, macOS).

Not detected by anti-virus at the time of writing, and it cross-compiles for all three platforms.

RustHound generates the users, groups, computers, OUs, GPOs, containers and domains JSON files for analysis in the BloodHound application.

💡 If you can use SharpHound.exe, use it. RustHound is a fallback for when SharpHound.exe is detected by AV, or cannot be executed from the system you have access to.

🚀 Statistics

To benchmark the collectors against a DC with a larger number of LDAP objects, we ran the BadBlood project against the ESSOS.local domain controller from GOAD, which brought the DC to around 3500 objects. The average execution time of each collector was then measured, with the following results:

| Tool | Environment | Objects | Time | Command line |
| --- | --- | --- | --- | --- |
| SharpHound.exe | Windows | ~3500 | ~51.605s | Measure-Command { sharphound.exe -d essos.local --ldapusername 'khal.drogo' --ldappassword 'horse' --domaincontroller '192.168.56.12' -c All } |
| BloodHound.py | Linux | ~3500 | ~9.657s | time python3 bloodhound.py -u khal.drogo -p horse -d essos.local -ns 192.168.56.12 --zip -c all |
| RustHound.exe | Windows | ~3500 | ~5.315s | Measure-Command { rusthound.exe -d essos.local -u khal.drogo@essos.local -p horse -z } |
| RustHound | Linux | ~3500 | ~3.166s | time rusthound -d essos.local -u khal.drogo@essos.local -p horse -z |

Roadmap

Authentication

  •  ldap (389)
  •  ldaps (636)
  •  BIND
  •  NTLM
  •  GSSAPI (works on Windows; not yet tested on Linux)

Outputs

  •  users.json
  •  groups.json
  •  computers.json
  •  ous.json
  •  gpos.json
  •  containers.json
  •  domains.json
  •  --zip argument and function to bundle the JSON files into a zip archive

Modules

  •  Retrieve LAPS passwords if your user can read them (automatic)
  •  Resolve the FQDNs of discovered computers to IP addresses --fqdn-resolver
  •  Retrieve certificate templates for ESC exploitation with Certipy --enum-certificates
  •  Kerberos attack module (AS-REP roasting, Kerberoasting) --attack-kerberos
  •  Retrieve data from trusted domains --follow-trust (currently in progress; a beta version of this module exists)

Bloodhound v4.2

  • Parsing Features
    •  AllowedToDelegate
    •  AllowedToAct
    •  Properties: sidhistory (not tested!)
      •  HasSIDHistory
    •  Sessions
      •  List users with RPC
  • Users
    •  Properties: sfupassword
  • OUs & Domains
    •  GPOChanges
      •  LocalAdmins
      •  RemoteDesktopUsers
      •  DcomUsers
      •  PSRemoteUsers
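
The Kerberos attack module above and the parsing features in this list (AllowedToDelegate, HasSIDHistory, the userAccountControl-derived properties) all come down to reading a handful of LDAP attributes per user and turning bit flags into BloodHound properties. The following is an added example written for this page, not RustHound's own code: it derives those properties from a user's userAccountControl, servicePrincipalName, sIDHistory and msDS-AllowedToDelegateTo attributes, picks out AS-REP-roastable and Kerberoastable accounts, and emits the equivalent server-side LDAP filters. The flag values and the 1.2.840.113556.1.4.803 bitwise-AND matching rule are the real Active Directory ones; the sample entries in sample_users() are constructed (the names follow the GOAD lab, the attributes are invented here), and the struct and function names are this example's own.

```rust
// Added example, not RustHound's own code: how a BloodHound-style collector
// derives user properties and Kerberos-attack candidates from LDAP attributes.
// Flag values and attribute names are the real AD ones; sample data is constructed.

/// userAccountControl bit flags (AD schema values).
const ACCOUNTDISABLE: u32 = 0x0000_0002;
const PASSWD_NOTREQD: u32 = 0x0000_0020;
const NORMAL_ACCOUNT: u32 = 0x0000_0200;
const TRUSTED_FOR_DELEGATION: u32 = 0x0008_0000; // unconstrained delegation
const NOT_DELEGATED: u32 = 0x0010_0000; // "account is sensitive and cannot be delegated"
const DONT_REQ_PREAUTH: u32 = 0x0040_0000; // Kerberos pre-authentication not required
const TRUSTED_TO_AUTH_FOR_DELEGATION: u32 = 0x0100_0000; // constrained delegation, protocol transition
/// OID of the LDAP_MATCHING_RULE_BIT_AND extensible match used in server-side filters.
const BIT_AND: &str = "1.2.840.113556.1.4.803";

/// Subset of the LDAP attributes a collector reads for one user object.
#[derive(Debug, Clone)]
struct LdapUser {
    sam_account_name: String,
    user_account_control: u32,
    service_principal_name: Vec<String>, // servicePrincipalName
    sid_history: Vec<String>,            // sIDHistory, as SID strings
    allowed_to_delegate_to: Vec<String>, // msDS-AllowedToDelegateTo
}

/// BloodHound-style user properties derived from those attributes.
#[derive(Debug, PartialEq)]
struct UserProps {
    name: String,
    enabled: bool,
    passwordnotreqd: bool,
    dontreqpreauth: bool,
    unconstraineddelegation: bool,
    trustedtoauth: bool,
    sensitive: bool,
    hasspn: bool,
    sidhistory: Vec<String>,
    allowedtodelegate: Vec<String>,
}

fn has_flag(uac: u32, flag: u32) -> bool {
    uac & flag != 0
}

fn derive_props(u: &LdapUser) -> UserProps {
    let uac = u.user_account_control;
    UserProps {
        name: u.sam_account_name.to_uppercase(),
        enabled: !has_flag(uac, ACCOUNTDISABLE),
        passwordnotreqd: has_flag(uac, PASSWD_NOTREQD),
        dontreqpreauth: has_flag(uac, DONT_REQ_PREAUTH),
        unconstraineddelegation: has_flag(uac, TRUSTED_FOR_DELEGATION),
        trustedtoauth: has_flag(uac, TRUSTED_TO_AUTH_FOR_DELEGATION),
        sensitive: has_flag(uac, NOT_DELEGATED),
        hasspn: !u.service_principal_name.is_empty(),
        sidhistory: u.sid_history.clone(),
        allowedtodelegate: u.allowed_to_delegate_to.clone(),
    }
}

/// AS-REP roasting needs an enabled account that does not require pre-authentication.
fn is_asrep_roastable(p: &UserProps) -> bool {
    p.enabled && p.dontreqpreauth
}

/// Kerberoasting needs an enabled account with at least one SPN. krbtgt is skipped,
/// as collectors conventionally do, because its key is random and not crackable.
fn is_kerberoastable(p: &UserProps) -> bool {
    p.enabled && p.hasspn && p.name != "KRBTGT"
}

/// The same selections as LDAP filters, so the DC does the filtering itself.
fn asrep_filter() -> String {
    format!("(&(objectCategory=person)(objectClass=user)(userAccountControl:{}:={})(!(userAccountControl:{}:={})))",
        BIT_AND, DONT_REQ_PREAUTH, BIT_AND, ACCOUNTDISABLE)
}

fn kerberoast_filter() -> String {
    format!("(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt))(!(userAccountControl:{}:={})))",
        BIT_AND, ACCOUNTDISABLE)
}

fn mk(sam: &str, uac: u32, spn: &[&str], sidh: &[&str], deleg: &[&str]) -> LdapUser {
    LdapUser {
        sam_account_name: sam.to_string(),
        user_account_control: uac,
        service_principal_name: spn.iter().map(|s| s.to_string()).collect(),
        sid_history: sidh.iter().map(|s| s.to_string()).collect(),
        allowed_to_delegate_to: deleg.iter().map(|s| s.to_string()).collect(),
    }
}

/// Constructed sample entries (names follow the GOAD lab; attributes are invented here).
fn sample_users() -> Vec<LdapUser> {
    vec![
        mk("khal.drogo", NORMAL_ACCOUNT, &[], &[], &[]),
        mk("jorah.mormont", NORMAL_ACCOUNT | DONT_REQ_PREAUTH, &[], &[], &[]),
        mk("sql_svc", NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
            &["MSSQLSvc/braavos.essos.local:1433"], &[], &["CIFS/braavos.essos.local"]),
        mk("old.admin", NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQ_PREAUTH, &[],
            &["S-1-5-21-1111111111-2222222222-3333333333-500"], &[]),
        mk("krbtgt", NORMAL_ACCOUNT | ACCOUNTDISABLE, &["kadmin/changepw"], &[], &[]),
    ]
}

fn main() {
    let props: Vec<UserProps> = sample_users().iter().map(derive_props).collect();
    for p in &props {
        println!("{:<16} enabled={:<5} asrep={:<5} kerberoast={:<5} sidhistory={:?} delegate={:?}",
            p.name, p.enabled, is_asrep_roastable(p), is_kerberoastable(p),
            p.sidhistory, p.allowedtodelegate);
    }
    println!("AS-REP filter:     {}", asrep_filter());
    println!("Kerberoast filter: {}", kerberoast_filter());
}
```

Note that old.admin carries DONT_REQ_PREAUTH but is disabled, so it is reported with dontreqpreauth=true for the graph yet excluded from the roastable list; a collector that forgets the ACCOUNTDISABLE check will hand the attack module accounts the KDC will refuse.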

Optimization

  •  Log level (info,debug,trace)
  •  Error management
  •  add_childobjects_members() ChildObject function in checker/bh_41.rs
  •  replace_guid_gplink() gplinks function in checker/bh_41.rs
  •  add_domain_sid() gplinks function in checker/bh_41.rs

Install & Use

Copyright (c) 2022 OPENCYBER