nh-red-team / rusthound

Active Directory data collector for BloodHound written in Rust. 🦀

License: MIT License

active-directory bloodhound collector cross-platform pentesting rust network windows cross-compiled blueteam

rusthound's Introduction

⚠️ This version is only compatible with BloodHound Legacy 4.x

The BloodHound Community Edition (CE) version will be published in the v2 branch.


Limitations

Not all SharpHound features have been implemented. Some exist in RustHound and not in SharpHound or BloodHound-Python. Please refer to the roadmap for more information.

Description

RustHound is a cross-platform BloodHound collector tool written in Rust, making it compatible with Linux, Windows, and macOS.

No AV detection and cross-compiled.

RustHound generates users, groups, computers, OUs, GPOs, containers, and domain JSON files that can be analyzed with BloodHound.

💡 If you can use SharpHound, use it. Use RustHound as a backup solution if SharpHound is detected by AV or if it is not compatible with your OS.

How to compile it?

Using Makefile

You can use the make command to install RustHound or to compile it for Linux or Windows.

make install
rusthound -h

More commands in the Makefile:

Default:
usage: make install
usage: make uninstall
usage: make debug
usage: make release

Static:
usage: make windows
usage: make windows_x64
usage: make windows_x86
usage: make linux_aarch64
usage: make linux_x86_64
usage: make linux_musl
usage: make macos
usage: make arm_musl
usage: make armv7

Without cli argument:
usage: make windows_noargs

Dependencies:
usage: make install_windows_deps
usage: make install_linux_musl_deps
usage: make install_macos_deps

Using Dockerfile

Use RustHound with Docker to make sure to have all dependencies.

docker build --rm -t rusthound .

# Then
docker run --rm -v ./:/usr/src/rusthound rusthound windows
docker run --rm -v ./:/usr/src/rusthound rusthound linux_musl
docker run --rm -v ./:/usr/src/rusthound rusthound macos

Using Cargo

You will need to install Rust on your system.

https://www.rust-lang.org/fr/tools/install

RustHound supports Kerberos and GSSAPI. Therefore, it requires Clang and its development libraries, as well as the Kerberos development libraries. On Debian and Ubuntu, this means clang-N, libclang-N-dev, and libkrb5-dev.

For example:

# Debian/Ubuntu
sudo apt-get -y update && sudo apt-get -y install gcc clang libclang-dev libgssapi-krb5-2 libkrb5-dev libsasl2-modules-gssapi-mit musl-tools gcc-mingw-w64-x86-64

Here is how to compile the "release" and "debug" versions using the cargo command.

git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
cargo build --release
# or debug version
cargo b

The result can be found in the target/release or target/debug folder.

Below you can find the compilation methodology for each target OS, building from Linux. If you need another target, consult the list of supported platforms: https://doc.rust-lang.org/nightly/rustc/platform-support.html

Manually for Linux x86_64 static version

# Install rustup and Cargo for Linux
curl https://sh.rustup.rs -sSf | sh

# Add Linux deps
rustup install stable-x86_64-unknown-linux-gnu
rustup target add x86_64-unknown-linux-gnu

# Static compilation for Linux
git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
# The variables must be set in cargo's environment (space-separated, not ';'-separated statements)
CFLAGS="-lrt" LDFLAGS="-lrt" RUSTFLAGS='-C target-feature=+crt-static' cargo build --release --target x86_64-unknown-linux-gnu

The result can be found in the target/x86_64-unknown-linux-gnu/release folder.

Manually for Windows static version from Linux

# Install rustup and Cargo in Linux
curl https://sh.rustup.rs -sSf | sh

# Add Windows deps
rustup install stable-x86_64-pc-windows-gnu
rustup target add x86_64-pc-windows-gnu

# Static compilation for Windows
git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-pc-windows-gnu

The result can be found in the target/x86_64-pc-windows-gnu/release folder.

Manually for macOS static version from Linux

Amazing documentation: https://wapl.es/rust/2019/02/17/rust-cross-compile-linux-to-macos.html

# Install rustup and Cargo in Linux
curl https://sh.rustup.rs -sSf | sh

# Add macOS tool chain
sudo git clone https://github.com/tpoechtrager/osxcross /usr/local/bin/osxcross
sudo wget -P /usr/local/bin/osxcross/ -nc https://s3.dockerproject.org/darwin/v2/MacOSX10.10.sdk.tar.xz && sudo mv /usr/local/bin/osxcross/MacOSX10.10.sdk.tar.xz /usr/local/bin/osxcross/tarballs/
sudo UNATTENDED=yes OSX_VERSION_MIN=10.7 /usr/local/bin/osxcross/build.sh
sudo chmod 775 /usr/local/bin/osxcross/ -R
export PATH="/usr/local/bin/osxcross/target/bin:$PATH"

# Cargo needs to be told to use the correct linker for the x86_64-apple-darwin target; the lines below append it to the user-level ~/.cargo/config (a per-project .cargo/config works too):
grep 'target.x86_64-apple-darwin' ~/.cargo/config || echo "[target.x86_64-apple-darwin]" >> ~/.cargo/config
grep 'linker = "x86_64-apple-darwin14-clang"' ~/.cargo/config || echo 'linker = "x86_64-apple-darwin14-clang"' >> ~/.cargo/config
grep 'ar = "x86_64-apple-darwin14-clang"' ~/.cargo/config || echo 'ar = "x86_64-apple-darwin14-clang"' >> ~/.cargo/config

# Static compilation for macOS
git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target x86_64-apple-darwin --features nogssapi

The result can be found in the target/x86_64-apple-darwin/release folder.

Optimize the binary size

💡 To obtain an optimized compilation of RustHound add the following compilation parameters at the end of the Cargo.toml file.

[profile.release]
opt-level = "z"
lto = true
strip = true
codegen-units = 1
panic = "abort"

The binary size will be considerably reduced. The usual cargo or make build commands can then be used, for example:

make windows

More information here

How to build the documentation?

git clone https://github.com/OPENCYBER-FR/RustHound
cd RustHound
cargo doc --open --no-deps

Usage

Usage: rusthound [OPTIONS] --domain <domain>

Options:
  -v...          Set the level of verbosity
  -h, --help     Print help information
  -V, --version  Print version information

REQUIRED VALUES:
  -d, --domain <domain>  Domain name like: DOMAIN.LOCAL

OPTIONAL VALUES:
  -u, --ldapusername <ldapusername>  LDAP username, like: [email protected]
  -p, --ldappassword <ldappassword>  LDAP password
  -f, --ldapfqdn <ldapfqdn>          Domain Controler FQDN like: DC01.DOMAIN.LOCAL or just DC01
  -i, --ldapip <ldapip>              Domain Controller IP address like: 192.168.1.10
  -P, --ldapport <ldapport>          LDAP port [default: 389]
  -n, --name-server <name-server>    Alternative IP address name server to use for DNS queries
  -o, --output <output>              Output directory where you would like to save JSON files [default: ./]

OPTIONAL FLAGS:
      --ldaps           Force LDAPS using for request like: ldaps://DOMAIN.LOCAL/
      --dns-tcp         Use TCP instead of UDP for DNS queries
      --dc-only         Collects data only from the domain controller. Will not try to retrieve CA security/configuration or check for Web Enrollment
      --old-bloodhound  For ADCS only. Output result as BloodHound data for the original BloodHound version from @BloodHoundAD without PKI support
  -z, --zip             Compress the JSON files into a zip archive

OPTIONAL MODULES:
      --fqdn-resolver  Use fqdn-resolver module to get computers IP address
      --adcs           Use ADCS module to enumerate Certificate Templates, Certificate Authorities and other configurations.
                       (For the custom-built BloodHound version from @ly4k with PKI support)

Demo

Examples are done on the GOADv2 implemented by mayfly:

Simple usage

# Linux with username:password
rusthound -d north.sevenkingdoms.local -u '[email protected]' -p '_L0ngCl@w_' -o /tmp/demo -z

# Linux with username:password and ldapip
rusthound -d north.sevenkingdoms.local -i 192.168.56.11 -u '[email protected]' -p '_L0ngCl@w_' -o /tmp/demo -z

# Linux with username:password and ldaps
rusthound -d north.sevenkingdoms.local --ldaps -u '[email protected]' -p '_L0ngCl@w_' -o /tmp/demo -z 
# Linux with username:password and ldaps and custom port
rusthound -d north.sevenkingdoms.local --ldaps -P 3636 -u '[email protected]' -p '_L0ngCl@w_' -o /tmp/demo -z 

# Tips to redirect and append both standard output and standard error to a file > /tmp/rh_output 2>&1
rusthound -d north.sevenkingdoms.local --ldaps -u '[email protected]' -p '_L0ngCl@w_' -o /tmp/demo --fqdn-resolver > /tmp/rh_output 2>&1

# Windows with GSSAPI session
rusthound.exe -d sevenkingdoms.local --ldapfqdn kingslanding
# Windows simple bind connection username:password (do not use single or double quotes with cmd.exe)
rusthound.exe -d sevenkingdoms.local -u [email protected] -p _L0ngCl@w_ -o output -z

# Kerberos authentication (Linux)
export KRB5CCNAME="/tmp/jeor.mormont.ccache"
rusthound -d sevenkingdoms.local -f kingslanding -k -z
# Kerberos authentication (Windows)
rusthound.exe -d sevenkingdoms.local -f kingslanding -k -z

Module FQDN resolver

# Linux with username:password and FQDN resolver module
rusthound -d essos.local -u '[email protected]' -p 'BurnThemAll!' -o /tmp/demo --fqdn-resolver -z
# Linux with username:password and ldaps and FQDN resolver module and TCP DNS request and custom name server
rusthound -d essos.local --ldaps -u '[email protected]' -p 'BurnThemAll!' -o /tmp/demo --fqdn-resolver --dns-tcp --name-server 192.168.56.12 -z

# Windows with GSSAPI session and FQDN resolver module
rusthound.exe -d essos.local -f meereen -o output --fqdn-resolver -z
# Windows simple bind connection username:password and FQDN resolver module and TCP DNS request and custom name server (do not use single or double quotes with cmd.exe)
rusthound.exe -d essos.local -u [email protected] -p BurnThemAll! -o output -z --fqdn-resolver --dns-tcp --name-server 192.168.56.12

Module ADCS collector

Example using @ly4k BloodHound version.

# Linux with username:password and ADCS module for @ly4k BloodHound version
rusthound -d essos.local -u '[email protected]' -p 'BurnThemAll!' -o /tmp/adcs --adcs -z
# Linux with username:password and ADCS module and the --dc-only flag (will not check Web Enrollment)
rusthound -d essos.local -u '[email protected]' -p 'BurnThemAll!' -o /tmp/adcs --adcs --dc-only -z

# Linux with username:password and ADCS module using "--old-bloodhound" argument for official @BloodHoundAd version
rusthound -d essos.local -u '[email protected]' -p 'BurnThemAll!' -o /tmp/adcs --adcs --old-bloodhound -z

# Windows with GSSAPI session and ADCS module
rusthound.exe -d essos.local -f meereen -o output -z --adcs
# Windows with GSSAPI session and ADCS module and TCP DNS request and custom name server
rusthound.exe -d essos.local --ldapfqdn meereen -o output -z --adcs --dns-tcp --name-server 192.168.56.12
# Windows simple bind connection username:password (do not use single or double quotes with cmd.exe)
rusthound.exe -d essos.local -u [email protected] -p BurnThemAll! -o output -z --adcs --dc-only

You can find the custom queries used in the demo in the resource folder.

Use the following command to install it:

cp resources/customqueries.json ~/.config/bloodhound/customqueries.json

🚀 Statistics

To produce statistics on a DC with more LDAP objects, run BadBlood on the ESSOS.local domain controller from GOAD. The DC should then have around 3500 objects. Below is the average time it takes to run the following tools:

Tool           | Environment | Objects | Time     | Command
SharpHound.exe | Windows     | ~3500   | ~51.605s | Measure-Command { sharphound.exe -d essos.local --ldapusername 'khal.drogo' --ldappassword 'horse' --domaincontroller '192.168.56.12' -c All }
BloodHound.py  | Linux       | ~3500   | ~9.657s  | time python3 bloodhound.py -u khal.drogo -p horse -d essos.local -ns 192.168.56.12 --zip -c all
RustHound.exe  | Windows     | ~3500   | ~5.315s  | Measure-Command { rusthound.exe -d essos.local -u [email protected] -p horse -z }
RustHound      | Linux       | ~3500   | ~3.166s  | time rusthound -d essos.local -u [email protected] -p horse -z

🚥 Roadmap

Authentication

  • LDAP (389)
  • LDAPS (636)
  • BIND
  • NTLM
  • Kerberos
  • Prompt for password

Outputs

  • users.json
  • groups.json
  • computers.json
  • ous.json
  • gpos.json
  • containers.json
  • domains.json
  • cas.json
  • templates.json
  • Argument and function to zip the JSON files: --zip

Modules

  • Retrieve LAPS passwords automatically if your user can read them
  • Resolve FQDN computers found to IP address --fqdn-resolver
  • Retrieve certificates for ESC exploitation with Certipy --adcs
  • Kerberos attack module (ASREPROASTING and KERBEROASTING) --attack-kerberos
  • Retrieve data from trusted domains --follow-trust (currently in progress; a beta version of this module exists)

BloodHound v4.2

  • Parsing Features

    • Users & Computers
      • HasSIDHistory
    • Users
      • Properties : sfupassword
  • DCERPC (dependencies)

    • Computers
      • Sessions
    • OUs & Domains
      • LocalAdmins
      • RemoteDesktopUsers
      • DcomUsers
      • PSRemoteUsers
    • CAs
      • User Specified SAN
      • Request Disposition


rusthound's Issues

Autodetect current domain just as SharpHound does

With SharpHound, I just need to run the executable and it determines the domain of the current user automatically.
If RustHound did the same, I would need to think less and probably make fewer mistakes.
I haven't found a discussion about auto-detecting the domain, so I thought it is appropriate to ask for it here.

Spelling mistake

Hi.
I think there is a spelling mistake in SRC/JSON/parser/bh_41.rs lines 406 and 589
It's causing the following:


The misspelt word is "samaccoutname". You have missed out the 'n' between the 'u' and the 't'. It should read, "samaccountname".
I think I'm supposed to do a "pull request" but, I'm new to this GitHub stuff and have got a clue how. Apologies

Hanging When Retrieving LDAP Objects

Hi,
When running RustHound against a large domain, RustHound eventually hangs at "LDAP objects received: xxxxx". The TCP/389 connection is still open (observed via tcpdump) but it appears the DC stops sending data (for an unknown reason) and just sends ACKs. In the following code block, it appears RustHound just continues to wait indefinitely. Perhaps a timeout could be set and RustHound can resend the request if it hasn't received a response by the timeout?

// Wait and get next values
let pb = ProgressBar::new(1);
let mut count = 0;	
while let Some(entry) = search.next().await? {
	let entry = SearchEntry::construct(entry);
	//trace!("{:?}", &entry);
	// Manage progress bar
	count += 1;
	progress_bar(pb.to_owned(),"LDAP objects retreived".to_string(),count,"#".to_string());	
	// Push all result in rs vec()
	rs.push(entry);
}
pb.finish_and_clear();

Missing ACE

Some ACEs were missing on one of my labs.
The padding was not taken into consideration in the ACE data part,
and I found ACEs with a null SID like DOMAIN-S-0-0.

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/628ebb1d-c509-4ea0-a10f-77ef97ca4586

struct ACE {
    uint8   AceType;
    uint8   AceFlags;
    uint16  AceSize;
    char    Data[AceSize - 4];
};

I found my error which was about the size of the data retrieved by RustHound for an ACE.

I completely changed the code of secdesc.rs to fix the error and to use the new version of nom7, as Suricata does to parse network packet data.
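The issue above comes down to how the ACE list is walked. As an added example, not RustHound's own code (which parses security descriptors in secdesc.rs with nom7), the Rust below decodes ACE headers and trustee SIDs from a DACL body and contrasts the correct walker, which advances by the AceSize field, with a naive walker that advances by the number of bytes it decoded. The DACL bytes, the access masks and the 16-byte trailing padding are constructed for the demonstration; the padding is deliberately oversized so that the misread lands on zero bytes and surfaces as the null SID S-0-0 mentioned in the issue, while the second (deny) ACE goes missing.

```rust
// Added example (not RustHound's own code): decode a DACL's ACE list by honoring
// ACE_HEADER.AceSize, and contrast it with a walker that ignores that field.
// ACE_HEADER = AceType(u8) AceFlags(u8) AceSize(u16 LE); for ACCESS_ALLOWED and
// ACCESS_DENIED ACEs this is followed by Mask(u32 LE) and a SID (MS-DTYP 2.4.4).

#[derive(Debug, Clone, PartialEq)]
pub struct Ace {
    pub ace_type: u8,  // 0x00 ACCESS_ALLOWED_ACE_TYPE, 0x01 ACCESS_DENIED_ACE_TYPE
    pub ace_flags: u8, // e.g. 0x10 INHERITED_ACE
    pub mask: u32,     // ACCESS_MASK
    pub sid: String,   // trustee SID as "S-1-..."
}

fn u32_le(b: &[u8]) -> u32 {
    u32::from_le_bytes([b[0], b[1], b[2], b[3]])
}

/// Decode a binary SID: Revision, SubAuthorityCount, 48-bit big-endian
/// IdentifierAuthority, then SubAuthorityCount u32 LE values.
/// Returns the textual SID and the number of bytes it occupied.
pub fn parse_sid(b: &[u8]) -> Option<(String, usize)> {
    if b.len() < 8 {
        return None;
    }
    let count = b[1] as usize;
    let total = 8 + 4 * count;
    if b.len() < total {
        return None;
    }
    let authority = b[2..8].iter().fold(0u64, |acc, &x| (acc << 8) | x as u64);
    let mut s = format!("S-{}-{}", b[0], authority);
    for i in 0..count {
        let off = 8 + 4 * i;
        s.push_str(&format!("-{}", u32_le(&b[off..off + 4])));
    }
    Some((s, total))
}

/// Correct walker: AceSize is authoritative, so trailing padding is skipped.
pub fn parse_aces(buf: &[u8], ace_count: usize) -> Vec<Ace> {
    let mut out = Vec::new();
    let mut pos = 0;
    for _ in 0..ace_count {
        if buf.len() < pos + 8 {
            break;
        }
        let ace_size = u16::from_le_bytes([buf[pos + 2], buf[pos + 3]]) as usize;
        if ace_size < 8 || buf.len() < pos + ace_size {
            break; // malformed ACE: never read past its declared size
        }
        let sid = match parse_sid(&buf[pos + 8..pos + ace_size]) {
            Some((s, _)) => s,
            None => break,
        };
        out.push(Ace { ace_type: buf[pos], ace_flags: buf[pos + 1], mask: u32_le(&buf[pos + 4..pos + 8]), sid });
        pos += ace_size;
    }
    out
}

/// Buggy walker: advances by header + mask + SID length and ignores AceSize.
/// After a padded ACE the next "header" is read from inside the padding.
pub fn parse_aces_naive(buf: &[u8], ace_count: usize) -> Vec<Ace> {
    let mut out = Vec::new();
    let mut pos = 0;
    for _ in 0..ace_count {
        if buf.len() < pos + 8 {
            break;
        }
        let (sid, sid_len) = match parse_sid(&buf[pos + 8..]) {
            Some(v) => v,
            None => break,
        };
        out.push(Ace { ace_type: buf[pos], ace_flags: buf[pos + 1], mask: u32_le(&buf[pos + 4..pos + 8]), sid });
        pos += 8 + sid_len;
    }
    out
}

/// Constructed-data helper: binary form of S-1-5-<subauths...>.
pub fn sid_bytes(subauths: &[u32]) -> Vec<u8> {
    let mut v = vec![1u8, subauths.len() as u8, 0, 0, 0, 0, 0, 5];
    for s in subauths {
        v.extend_from_slice(&s.to_le_bytes());
    }
    v
}

/// Constructed-data helper: one ACE whose AceSize counts `padding` trailing zero bytes.
pub fn ace_bytes(ace_type: u8, flags: u8, mask: u32, sid: &[u8], padding: usize) -> Vec<u8> {
    let size = (8 + sid.len() + padding) as u16;
    let mut v = vec![ace_type, flags];
    v.extend_from_slice(&size.to_le_bytes());
    v.extend_from_slice(&mask.to_le_bytes());
    v.extend_from_slice(sid);
    v.extend(std::iter::repeat(0u8).take(padding));
    v
}

/// Constructed DACL body: an inherited allow ACE for BUILTIN\Administrators padded
/// with 16 zero bytes (oversized on purpose), then a deny ACE for Domain Users.
pub fn sample_acl() -> Vec<u8> {
    let mut acl = ace_bytes(0x00, 0x10, 0x000F_01FF, &sid_bytes(&[32, 544]), 16);
    let domain_users = sid_bytes(&[21, 1645522239, 1214440339, 682003330, 513]);
    acl.extend(ace_bytes(0x01, 0x00, 0x0002_0000, &domain_users, 0));
    acl
}

fn main() {
    let acl = sample_acl();
    println!("by AceSize:        {:?}", parse_aces(&acl, 2));
    println!("by decoded length: {:?}", parse_aces_naive(&acl, 2));
}
```

Running it shows the correct walker returning both ACEs, while the naive walker returns the Administrators ACE followed by a bogus entry with SID S-0-0 and never reaches the Domain Users deny ACE. The same pattern applies to the ACL header's AclSize and the security descriptor offsets: always trust the declared size field and bounds-check against it rather than inferring lengths from the decoded fields.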

Installation "Failed to Download Rustls v0.20.6"

In attempting to install RustHound, hit an error and stated that it "failed to download rustls v0.20.6"

error: failed to download `rustls v0.20.6`

Caused by:
  unable to get packages from source

Caused by:
  failed to parse manifest at `**/registry/src/github.com-1ecc6299db9ec823/rustls-0.20.6/Cargo.toml`

Caused by:
  feature `resolver` is required

  consider adding `cargo-features = ["resolver"]` to the manifest

Steps to reproduce

  1. Grab the latest from GitHub via git clone <>
  2. cd <>
  3. cargo build --release as discussed in URL

Current version(s):

  • Cargo 1.46.0

Please let me know if there is anything I can do to help with this error or if you need more information. Thank you!

[FeatureRequest] Dumps GPO content

GPOs contain a lot of information, like privileges, ACEs, password management, ...
It's important to parse at least the GptTmpl.inf present in multiple SMB folders under \\CORP.lo\SYSVOL\.
Here is an example of GptTmpl.inf; it indicates that domain users are allowed to RDP, and that GPO was on the root OU. I was not able to view the usual path in BloodHound.

[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 3
ResetLockoutCount = 60
LockoutDuration = -1
ForceLogoffWhenHourExpire = 1
NewAdministratorName = "xAdmin"
NewGuestName = "xGuest"
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
EnableGuestAccount = 0
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Keys]
"MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
[Service General Setting]
"WerSvc",2,""
"SCPolicySvc",4,""
"MpsSvc",2,""
"wlidsvc",4,""
"WinRM",2,""
"wuauserv",2,""
[File Security]
"%AllUsersProfile%\Microsoft\Crypto\RSA\MachineKeys",0,"D:PAR(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0X1200A9;;;S-1-5-20)"
[Group Membership]
S-1-5-32-544__Memberof = 
S-1-5-32-544__Members = *S-1-5-21-1645522239-1214440339-682003330-513
[Privilege Rights]
SeTcbPrivilege =
SeCreateTokenPrivilege =
SeDebugPrivilege = *S-1-5-32-544
SeTrustedCredManAccessPrivilege =
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,*S-1-5-21-1645522239-1214440339-682003330-513
SeBackupPrivilege = *S-1-5-32-544
SeSystemtimePrivilege = *S-1-5-32-544,*S-1-5-19
SeCreatePagefilePrivilege = *S-1-5-32-544
SeCreateGlobalPrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6
SeCreatePermanentPrivilege =
SeCreateSymbolicLinkPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseWorkingSetPrivilege = *S-1-5-19,*S-1-5-32-544
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544
SeLockMemoryPrivilege =
SeBatchLogonRight = *S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544
SeRelabelPrivilege =
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeManageVolumePrivilege = *S-1-5-32-544
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-32-544,*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeRestorePrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeDenyNetworkLogonRight = Enterprise Admins,Domain Admins,DenyNetworkAccess
SeDenyBatchLogonRight = *S-1-5-32-546,Enterprise Admins,Domain Admins
SeDenyServiceLogonRight = Enterprise Admins,Domain Admins
SeDenyInteractiveLogonRight = *S-1-5-32-546,Enterprise Admins,Domain Admins
SeDenyRemoteInteractiveLogonRight = *S-1-5-113,*S-1-5-32-546,Enterprise Admins,Domain Admins
SeEnableDelegationPrivilege =
SeChangeNotifyPrivilege = *S-1-5-32-544,*S-1-5-11,*S-1-5-19,*S-1-5-20
SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs=4,900
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,"0"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon=1,"0"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,4
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes=4,2147483640
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures=4,0
MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection=4,2
MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395200
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,537395200
MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\UseMachineId=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\SmbServerNameHardeningLevel=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Perflib,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,System\CurrentControlSet\Services\Eventlog,System\CurrentControlSet\Services\Sysmonlog
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7,
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,
MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\TcpMaxDataRetransmissions=4,3
MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting=4,2
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions=4,3
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery=4,0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime=4,300000
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect=4,0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting=4,2
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
MACHINE\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt=4,3
MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel=4,90
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7,
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod=1,"5"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0

All the parts are interesting, but this part is very, very interesting:

[Group Membership]
S-1-5-32-544__Memberof = 
S-1-5-32-544__Members = *S-1-5-21-1645522239-1214440339-682003330-513
[Privilege Rights]
...
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeRemoteInteractiveLogonRight=...
SeBackupPrivilege=...
SeBatchLogonRight=...
SeNetworkLogonRight=...
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1645522239-1214440339-682003330-513
SeDenyNetworkLogonRight = Enterprise Admins,Domain Admins,DenyNetworkAccess
SeDenyBatchLogonRight = *S-1-5-32-546,Enterprise Admins,Domain Admins
SeDenyServiceLogonRight = Enterprise Admins,Domain Admins
SeDenyInteractiveLogonRight = *S-1-5-32-546,Enterprise Admins,Domain Admins
SeDenyRemoteInteractiveLogonRight = *S-1-5-113,*S-1-5-32-546,Enterprise Admins,Domain Admins
...

This part means that where the GPO applies, all domain admins are not allowed to authenticate, but Domain Users (S-1-5-21-1645522239-1214440339-682003330-513) are local admins and are allowed to authenticate.

There is also a part based on a Group.xml file for a full GPO analysis.

RustHound and BloodHound.py don't implement GPO analysis; this would be a very valuable contribution.

Some documentation :
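As an added example, not part of the issue above and not RustHound's code, here is a minimal Rust parser for the [System Access], [Group Membership] and [Privilege Rights] sections of GptTmpl.inf, with a helper that subtracts the matching SeDeny* entries from a logon right so a reviewer can see who can actually log on where the GPO applies. The sample text is a constructed excerpt of the file quoted in the issue. Matching trustees by exact string is an assumption of this example: entries such as "Domain Admins" would have to be resolved to SIDs before they could cancel a SID entry in the allow list.

```rust
use std::collections::BTreeMap;

/// Parsed subset of a GptTmpl.inf (added example, not RustHound's code).
#[derive(Debug, Default)]
pub struct GptTmpl {
    /// [System Access] key -> value (quotes stripped), e.g. MinimumPasswordLength -> "14"
    pub system_access: BTreeMap<String, String>,
    /// [Group Membership] "<group SID>__Members" -> member trustees (Restricted Groups)
    pub group_members: BTreeMap<String, Vec<String>>,
    /// [Privilege Rights] right name -> trustees (leading '*' of SIDs removed)
    pub privilege_rights: BTreeMap<String, Vec<String>>,
}

/// Split a comma-separated trustee list; SIDs are written "*S-1-5-...", names appear plain.
fn trustees(value: &str) -> Vec<String> {
    value
        .split(',')
        .map(|t| t.trim().trim_start_matches('*').to_string())
        .filter(|t| !t.is_empty())
        .collect()
}

/// Minimal INI-style parser for the three sections a GPO reviewer cares about most.
pub fn parse_gpttmpl(text: &str) -> GptTmpl {
    let mut out = GptTmpl::default();
    let mut section = String::new();
    for raw in text.lines() {
        // Real files are usually UTF-16 with a BOM; strip a BOM if the caller decoded one.
        let line = raw.trim_start_matches('\u{feff}').trim();
        if line.is_empty() || line.starts_with(';') {
            continue;
        }
        if line.starts_with('[') && line.ends_with(']') {
            section = line[1..line.len() - 1].to_string();
            continue;
        }
        let (key, value) = match line.split_once('=') {
            Some((k, v)) => (k.trim(), v.trim()),
            None => continue,
        };
        match section.as_str() {
            "System Access" => {
                out.system_access.insert(key.to_string(), value.trim_matches('"').to_string());
            }
            "Group Membership" => {
                // "<SID>__Members" lists who is placed in the group; "__Memberof" is ignored here.
                if let Some(group) = key.strip_suffix("__Members") {
                    out.group_members.insert(group.to_string(), trustees(value));
                }
            }
            "Privilege Rights" => {
                out.privilege_rights.insert(key.to_string(), trustees(value));
            }
            _ => {}
        }
    }
    out
}

impl GptTmpl {
    /// Trustees granted `right` minus those listed in the matching SeDeny* right.
    /// Exact-string matching is an assumption of this example (see lead-in).
    pub fn effective_holders(&self, right: &str) -> Vec<String> {
        let deny_key = right.replacen("Se", "SeDeny", 1);
        let denied = self.privilege_rights.get(&deny_key).cloned().unwrap_or_default();
        self.privilege_rights
            .get(right)
            .cloned()
            .unwrap_or_default()
            .into_iter()
            .filter(|t| !denied.contains(t))
            .collect()
    }
}

/// Constructed excerpt of the GptTmpl.inf quoted in the issue.
pub const SAMPLE: &str = r#"[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
LockoutBadCount = 3
NewAdministratorName = "xAdmin"
[Group Membership]
S-1-5-32-544__Memberof =
S-1-5-32-544__Members = *S-1-5-21-1645522239-1214440339-682003330-513
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,*S-1-5-21-1645522239-1214440339-682003330-513
SeDenyRemoteInteractiveLogonRight = *S-1-5-113,*S-1-5-32-546,Enterprise Admins,Domain Admins
SeInteractiveLogonRight = *S-1-5-32-544
SeDenyInteractiveLogonRight = *S-1-5-32-546,Enterprise Admins,Domain Admins
"#;

fn main() {
    let t = parse_gpttmpl(SAMPLE);
    println!("local Administrators members: {:?}", t.group_members.get("S-1-5-32-544"));
    println!("RDP allowed: {:?}", t.effective_holders("SeRemoteInteractiveLogonRight"));
    println!("interactive logon allowed: {:?}", t.effective_holders("SeInteractiveLogonRight"));
}
```

On the sample this reports Domain Users (RID 513) as a member of BUILTIN\Administrators (S-1-5-32-544) and as a holder of SeRemoteInteractiveLogonRight, which is exactly the path the issue says is invisible in BloodHound today.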

[FeatureRequest] Option to dumps all ldap attributes from root ldap

From a pentest I found that an owned user was able to read a LAPS entry (the new one, msLAPS-Password) but not LAPS Legacy.
But RustHound, like BloodHound, doesn't dump all attributes and the associated ACEs, so this path was not visible; I was blind...

The targeted user also had unusual ACLs in non-standard LDAP paths linked to SCCM in CN=Services,CN=Configuration.

Feature:

  • Add an option to dump all attributes with ACE --dump-ldap-fields=all
  • Add a feature to dump only custom fields --dump-ldap-fields=default,msLAPS-Password,msLAPS-EncryptedPassword,msLAPS-EncryptedDSRMPassword
  • Add a feature to recursively dump all objects in an LDAP path --dump-ldap-path-recurssiv=CN=Services,CN=Configuration

Failed to authenticate - invalidCredentials

Hello,

I'm currently testing RustHound on the Resolute Box from Hack the Box and I ran into an error and I don't get why it's happening.

CME Result:

[Feb 12, 2023 - 17:35:10 (CET)] exegol-htb-resolute /workspace # cme smb $TARGET
SMB         10.129.217.23   445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)

BloodHound.py:

[Feb 12, 2023 - 17:50:09 (CET)] exegol-htb-resolute /workspace # bloodhound.py -d megabank.local -u 'ryan' -p 'password' -ns 10.129.217.23
INFO: Found AD domain: megabank.local
INFO: Connecting to LDAP server: Resolute.megabank.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Found 28 users
INFO: Connecting to LDAP server: Resolute.megabank.local
INFO: Found 54 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: MS02.megabank.local
INFO: Querying computer: Resolute.megabank.local
INFO: Done in 00M 03S

RustHound:

[Feb 12, 2023 - 17:50:36 (CET)] exegol-htb-resolute /workspace # rusthound -d megabank.local -u 'ryan' -p 'password' -n 10.129.217.23 -i 10.129.217.23
---------------------------------------------------
Initializing RustHound at 17:50:56 on 02/12/23
Powered by g0h4n from OpenCyber
---------------------------------------------------

[2023-02-12T16:50:56Z INFO  rusthound] Verbosity level: Info
[2023-02-12T16:50:56Z ERROR rusthound::ldap] Failed to authenticate to MEGABANK.LOCAL Active Directory. Reason: LDAP operation result: rc=49 (invalidCredentials), dn: "", text: "80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839"

What am I missing ?

Unique issue with too many LDAP objects - [BUG]

Hey there, love the idea of this tool!

I've run into an issue, which might not be common enough to warrant a true fix, but when running in a domain with hundreds of thousands of LDAP objects, the process ends up dying at around 410k objects retrieved on average.

[2022-12-29T16:21:17Z INFO  rusthound::ldap] Starting data collection...
LDAP objects retreived: 405944#
56821 killed     target/release/rusthound -d xxx.com -u 'xxxxx' -p  --adcs -

[2022-12-29T18:24:42Z INFO  rusthound::ldap] Starting data collection...
⢀ LDAP objects retreived: 56783#
.  LDAP objects retreived: 57480#
⠐ LDAP objects retreived: 429216#
Killed
$

Let me know if you'd like any other data points!

Aces missing from Users.json?? - version 2 (BloodhoundCE)

Hi,
It's probably me but ...,

When I use Rusthound from the v2-branch, there seem to be numerous 'missing' Aces in the users.json when I compare the results to those captured using Rusthound from the main-branch version.

For example, there is a user account that has “Write all properties” access that applies to “Descendant User objects” set on the domain object.

With data collected using the main-branch Rusthound, all users in that domain have an Ace that references the said user account as having “IsInherited: true”, “GenericWrite” (correct). Whereas data collected using the v2-branch Rusthound failed to record this on any user account.

Then, when I took a random user from data collected using the main-branch version, there were 68 Aces recorded. Data for the same user, collected at the same time using the v2-branch version only recorded 52.

Obviously the specific numbers are relative to the domain, but the fact that there was a large discrepancy worried me a little.
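The inheritance rule this report depends on, as an added example in Rust that is not RustHound's code: it walks an inheritable ACE from the domain head down a path of object classes and reports which descendants actually hold it. The ACE flag values and class GUIDs are the standard Active Directory constants; the sample ACE is constructed here to match the "Write all properties" on "Descendant User objects" case described above, and the GenericWrite mapping is simplified.

```rust
// Added example (not RustHound's code): how an inheritable ACE on the domain head flows down to
// descendants, and why "Write all properties" on "Descendant User objects" must appear on every user
// as an inherited GenericWrite. Flag values and class GUIDs are the documented Windows/AD constants.
pub const CONTAINER_INHERIT_ACE: u8 = 0x02;
pub const NO_PROPAGATE_INHERIT_ACE: u8 = 0x04;
pub const INHERIT_ONLY_ACE: u8 = 0x08;
pub const INHERITED_ACE: u8 = 0x10;
pub const ADS_RIGHT_DS_WRITE_PROP: u32 = 0x20;
pub const USER_CLASS: &str = "bf967aba-0de6-11d0-a285-00aa003049e2";
pub const OU_CLASS: &str = "bf967aa5-0de6-11d0-a285-00aa003049e2";
#[derive(Clone, Debug, PartialEq)]
pub struct Ace {
    pub flags: u8,
    pub mask: u32,
    pub object_type: Option<String>,           // property/right GUID; None = all properties
    pub inherited_object_type: Option<String>, // class the ACE is scoped to; None = any class
}
/// The copy of `ace` that a direct child of class `child_class` holds, or None if it stops here.
pub fn inherit_to_child(ace: &Ace, child_class: &str) -> Option<Ace> {
    // Every AD object is a container, so CONTAINER_INHERIT alone decides whether the ACE flows.
    if ace.flags & CONTAINER_INHERIT_ACE == 0 { return None; }
    let applies = ace.inherited_object_type.as_deref().map_or(true, |g| g.eq_ignore_ascii_case(child_class));
    let mut child = ace.clone();
    child.flags |= INHERITED_ACE; // BloodHound's "IsInherited: true"
    // INHERIT_ONLY on the parent says nothing about the child: decide it afresh for the child's class.
    if applies { child.flags &= !INHERIT_ONLY_ACE } else { child.flags |= INHERIT_ONLY_ACE }
    if ace.flags & NO_PROPAGATE_INHERIT_ACE != 0 {
        if !applies { return None; } // would be inherit-only with nowhere left to go
        child.flags &= !(CONTAINER_INHERIT_ACE | NO_PROPAGATE_INHERIT_ACE);
    }
    Some(child)
}
/// ACEs in effect on the object reached by walking `path_classes` down from the ACL `root`.
pub fn effective_aces(root: &[Ace], path_classes: &[&str]) -> Vec<Ace> {
    let mut current = root.to_vec();
    for class in path_classes {
        current = current.iter().filter_map(|a| inherit_to_child(a, class)).collect();
    }
    current.into_iter().filter(|a| a.flags & INHERIT_ONLY_ACE == 0).collect()
}
/// BloodHound reports WriteProperty with no property GUID as GenericWrite (simplified mapping).
pub fn is_generic_write(ace: &Ace) -> bool {
    ace.mask & ADS_RIGHT_DS_WRITE_PROP != 0 && ace.object_type.is_none()
}
/// Constructed sample: the reported domain-head ACE, "Descendant User objects" = CONTAINER_INHERIT | INHERIT_ONLY.
pub fn sample_domain_acl() -> Vec<Ace> {
    vec![Ace { flags: CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE, mask: ADS_RIGHT_DS_WRITE_PROP,
               object_type: None, inherited_object_type: Some(USER_CLASS.into()) }]
}
```

A collector that drops the inherit-only copy while passing through an OU, or forgets to clear INHERIT_ONLY when the class finally matches, produces exactly the symptom described: the ACE exists on the domain head but never surfaces on any user.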

Progress bar feature

Please add a progress bar as in SharpHound. That would be awesome. Today I tried to use rusthound on a domain and waited for a couple of minutes without any indication. So I checked Wireshark for LDAP requests; that is how I understood that something was happening.

lockfile

Could you provide the dependency lockfile so we could build it with cargo build --release --locked?

The lockfile is highly important so the build is reproducible.

Issues with time v0.3.30 and latest rustc

Issue

When running cargo build --release

   Compiling time v0.3.30
   Compiling num-bigint v0.4.4
   Compiling percent-encoding v2.3.1
   Compiling async-trait v0.1.74
error[E0282]: type annotations needed for `Box<_>`
  --> /root/.cargo/registry/src/index.crates.io-6f17d22bba15001f/time-0.3.30/src/format_description/parse/mod.rs:83:9
   |
83 |     let items = format_items
   |         ^^^^^
...
86 |     Ok(items.into())
   |              ---- type must be known at this point
   |
help: consider giving `items` an explicit type, where the placeholders `_` are specified
   |
83 |     let items: Box<_> = format_items
   |              ++++++++

   Compiling form_urlencoded v1.2.1
   Compiling idna v0.5.0
   Compiling rand_core v0.6.4
For more information about this error, try `rustc --explain E0282`.
error: could not compile `time` (lib) due to 1 previous error
warning: build failed, waiting for other jobs to finish...

Temporary fix

As seen in https://users.rust-lang.org/t/time-crate-compilation-error/111789/4

cargo update -p time

then

cargo build --release

Fix

Probably update the time package in Cargo.lock.
Below is the diff produced by the temp fix:

diff --git a/Cargo.lock b/Cargo.lock
index 52956e1..882ff2c 100644
--- a/Cargo.lock
+++ b/Cargo.lock
+++ b/Cargo.lock
@@ -984,6 +984,12 @@ dependencies = [
  "num-traits",
 ]

+[[package]]
+name = "num-conv"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9"
+
 [[package]]
 name = "num-integer"
 version = "0.1.45"
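Review bot: the new `num-conv` 0.1.0 entry in `@@ -984,6 +984,12 @@` arrives without a `dependencies = [...]` list of its own and nothing else in this hunk names it, so from the hunk alone a reviewer cannot see which package pulls it in; the `time` hunk below, where it would presumably appear, is cut short. Suggest pasting the complete `cargo update -p time` diff, or committing the regenerated Cargo.lock, so the new transitive dependency and its checksum can be checked against crates.io.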
@@ -1624,12 +1630,13 @@ dependencies = [

 [[package]]
 name = "time"
-version = "0.3.30"
+version = "0.3.36"
 source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "zip"
version = "0.6.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "760394e246e4c28189f19d488c058bf16f564016aefac5d32bb1f3b51d5e9261"
dependencies = [
 "byteorder",
 "crc32fast",
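Review bot: the `@@ -1624,12 +1630,13 @@` hunk is incomplete: the header announces 13 new lines, but only the `version` bump from 0.3.30 to 0.3.36 and the unchanged `source` line appear; the `checksum` line, which must change together with the version, and the `dependencies` list are missing, and the unprefixed `[[package]] name = "zip"` block that follows carries no diff markers and reads as a paste artifact rather than hunk content. Suggest replacing this fragment with the full diff, or simply opening a PR with the regenerated Cargo.lock, since the lockfile itself is the fix proposed under "Fix".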

System

stable-aarch64-unknown-linux-gnu
rustc 1.80.0 (051478957 2024-07-21)

[FeatureRequest] Dumps SMB ACL

During an audit, I discovered:

  • a GPO folder writable by "Domain Users" located at \\corp.lo\SYSVOL\corp.lo\Policies\{00D0CA88-64A5-4765-A9C5-7CA0D8C27265}\
  • a script in \\corp.lo\SYSVOL\corp.lo\scripts\xxxxx.vbs writable also by "Domain Users"

It would be a good idea to collect the ACLs of SMB shares. Especially those linked to domain controllers.

However, this idea implies the addition of new objects not referenced by Bloodhound. In my lab, I got around the problem by hand, creating GPOs like for certificates.

I have done this trick via smbclient.py (impacket) and an ugly insert directly into neo4j.

But ideally I imagine something like:

(:Computer {samaccountname: "MACHINE$"})-[:Contains]->(:GPO {type: "Share", name: "SYSVOL"})-[:Contains]->(:GPO {type: "folder", name: "xxxxx", objectid: "42-GUID"})-[:Contains]->(:GPO {type: "file", name: "toto.vbs", objectid: "42-42-42-42"})

(:Group {samaccountname: "Everyone"})-[:GenericWrite]->(:GPO {type: "folder", name: "xxxxx", objectid: "42-GUID"})

(:Group {samaccountname: "Everyone"})-[:GenericWrite]->(:GPO {type: "file", name: "toto.vbs", objectid: "42-GUID"})

[FeatureRequest] BloodHound-CE support

Hi NH-RED-TEAM,

I just wanted to open a feature request to support bloodhound-ce/5.0. Rusthound has been working great on Linux, but automating the collection means we need to use bloodhound-ce; right now there are some missing fields/details and it does not work well in -CE.

Out of memory

Is it possible to have the option to write file to disk? If the domain is too big it'll run out of memory and kill the process before it finishes.
