add rusthound-ce integration
Description
This PR introduces RustHound-CE integration into NetExec’s LDAP module as an alternative to BloodHound collection. When the --rusthound flag is used, NetExec will automatically invoke the rusthound-ce binary, passing mapped LDAP credentials, domain, DC target, and collection parameters from the active NetExec session.
If the user specifies a .zip path with --rh-output, JSON data from RustHound-CE is automatically packaged into a ZIP archive at the requested destination. This change mirrors the existing BloodHound ingestion workflow while adding support for RustHound-CE’s enhanced enumeration and PKI collection capabilities.
Fixes/Implements: Enhancement to enable RustHound-CE support in NetExec
Dependencies:
Requires RustHound-CE binary (cargo install rusthound-ce or download from https://github.com/C-Sto/RustHound-CE)
Type of change
Insert an "x" inside the brackets for relevant items (do not delete options)
- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] Deprecation of feature or functionality
- [x] This change requires a documentation update
- [ ] This requires a third party update (such as Impacket, Dploot, lsassy, etc)
Setup guide for the review
Environment used for validation:
Host OS: Linux Mint 22.1
RustHound-CE: v2.4.0
Target: Windows Server 2019 domain controller (tombwatcher.htb)
Command tested:
Screenshots (if appropriate):
Checklist:
Insert an "x" inside the brackets for completed and relevant items (do not delete options)
- [x] I have run Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
- [ ] I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
- [ ] New and existing e2e tests pass locally with my changes
- [ ] If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
- [x] I have performed a self-review of my own code
- [x] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)
Hi, thanks for the PR!
However, I don't see the advantage of executing RustHound through NetExec over just executing the binary. Also, calling subprocess.run is usually not something we want to do because it can create a lot of headaches.
I will close this for now.