RustHound data collector for BloodHound written in Rust

Author: Quentin TEXIER (g0h4n)

What is RustHound?

It is a tool to collect data from an Active Directory (LDAP). This tool is based on the “mother” product called SharpHound.
SharpHound is the official data collector developed in C# for the BloodHound. BloodHound allows graphing and correlating the information collected from the Active Directory.

BloodHound uses graph theory to trace Active Directory (AD) misconfigurations. It is helpful to an attacker to exploit an AD in many ways. BloodHound is mainly used to identify AD misconfigurations and can be used by both a redteam and a blueteam.

There are two known collectors (SharpHound and BloodHound-python), today we propose RustHound. As indicated by its name, it is written in Rust. This development language offers RustHound its pros such as the fact that it is cross-platform (Windows, Unix, macOS) and cross-compiled.

Why RustHound?

OPENCYBER’s pentest team has decided to develop a new data collector as the BloodHound tool for the following reasons:

  1. We have seen many real cases of “internal” penetration testing in which we have simulated the compromise of a Linux server from a client’s DMZ. From the compromised Linux server, we were unable to recover an outgoing connection and therefore unable to have a proxy socks or port forwarding access. In this type of scenario, the official tool “SharpHound.exe” cannot be used, as it is designed and developed for a Windows environment. An alternative is available, and called “BloodHound-python”. However, as it is based on the impacket library, it requires a lot of python packages installation to work properly. In our case, the use of “BloodHound-python” was impossible without python3 installed on the compromised servers and without the possibility of installing the necessary dependencies to it. Thus, RustHound finds its use by relying on the work of “SharpHound.exe” and “BloodHound-python”.

  2. We have also had some problems running “SharpHound.exe” during RedTeams sessions. After compromise of a Windows 10 workstation, we were unable to use “SharpHound.exe”. This is because it is automatically considered dangerous by all anti-virus software on the market. Its signature is known, as well as its behaviour. A SOC will easily be able to detect the use of the “SharpHound.exe” tool on an IS (Information System).

  3. Because one of my colleague loves Rust a lot and proposed me to develop it using this language!

The solutions

  1. This tool uses the Rust programming language, which allows it to be compiled for any platform – Linux, Windows, macOS – into a single binary. RustHound is therefore cross-platform and cross-compiled.

  2. RustHound also allows it to be undetected by anti-virus software, today Rusthound is not known by AV and can therefore be dropped and executed without raising any alarms. One of the advantages of RustHound project is that it has been designed not to have the same behaviour as “SharpHound.exe” on the network. By analysing the behaviour of “SharpHound.exe”, it was possible to modify the number of requests sent. Today, RustHound sends a single request adapted to the amount of data to be retrieved from the Active Directory. RustHound will then automatically split the query into X other queries to retrieve the entire contents of the Active Directory.

  3. I have accepted the challenge of learning to develop in Rust. Many thanks to him for helping me and for reviewing my code several times.

What are the pros of RustHound?

  1. Cross-platform (Windows, Unix, macOS) ;
  2. Cross-compiled (only one binary to drop in the target) ;
  3. Not detected “for now” ;
  4. Scalable ;
  5. Open-source.

What are the cons of RustHound?

  1. Not all SharpHound features are implemented yet. Please refer to the roadmap for more information.
  2. NTLM hash authentication is not yet supported by RustHound.
  3. Let me know what did I forget, to discuss about it.

Available modules in RustHound

  1. LAPS (Local Administrator Password Solution) password collector. This module extracts the local Administrator passwords by workstation in case of the user has the necessary rights to read them.
  2. FQDN Resolver. This module will automatically performs DNS resolution on collected computer objects to display their IP address. –fqdn-resolver

Module ideas

  1. Kerberos attacks (kerberoasting and asreproasting). –attack-kerberos

This module will be designed to automate the “kerberoasting” and “asreproasting” attacks. Let’s take, as an example, the asreproasting attack. When a user collected by RustHound has the argument “Do not require Kerberos Preauthentication”, Rusthound will automatically make the authentication request “KRB_AS_REQ” to the kerberos server in order to retrieve the response “KRB_AS_REP” which contains the encrypted “TGT”. This will be displayed in order to crack the hash offline.

2. Retrieve certificates for ESC exploitation with Certipy. –enum-certificates

This module will be designed to retrieve all the informations necessary for the exploitation (‘AD CS’ templates).

3. Retrieve datas from trusted domains –follow-trust

This module will be designed to retrieve all data from trusted domains. (I’m currently working on it and I got a ready beta version of this module)

How to build RustHound documentation?

You need to install Rust in your system (Windows/Linux/macOS).

https://www.rust-lang.org/fr/tools/install

#Run the following commands
git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
cargo doc --open --no-deps

The last command will open your web browser with the documentation.

How to build the RustHound binary?

You need to install Rust in your system (Windows/Linux/macOS).

https://www.rust-lang.org/fr/tools/install

RustHound support Kerberos/GSSAPI but this means that it needs Clang and its development libraries, as well as the Kerberos development libraries. On Debian/Ubuntu, that means clang-Nlibclang-N-dev and libkrb5-dev. You need to install the following dependancies.

#Debian/Ubuntu
apt-get -y install gcc libgssapi-krb5-2 libkrb5-dev libsasl2-modules-gssapi-mit

Here is how to compile the “release” and “debug” versions from “cargo”.

#Run the following commands
git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
cargo build --release
#or debug version
cargo b

The result can be found in “target/release” or in “target/debug” folder .

The cross compilation methodology under Linux is described below. If you need another compilation system, please consult the list at : https://doc.rust-lang.org/nightly/rustc/platform-support.html

More examples are available on the github repository: https://github.com/OPENCYBER-FR/RustHound#how-to-compile-it

Example of usage

1. RustHound help ;

2. Using the “FQDN” modules and generating the .zip file containing all the json files necessary for BloodHound.

3. Using RustHound without module and without zip argument.

4. Using RustHound from Windows without password or username and to get LAPS passwords.

Feel free to use it and make your own opinion. There are still features to be improved and tested, the project is under development. Any contribution is welcome.

RustHound: https://github.com/OPENCYBER-FR/RustHound
BloodHound: https://github.com/BloodHoundAD/BloodHound
SharpHound: https://github.com/BloodHoundAD/SharpHound
BloodHound-python: https://github.com/fox-it/BloodHound.py
GOAD: https://github.com/Orange-Cyberdefense/GOAD