ROADMAP.md

Roadmap

Limitations

Not all SharpHound features have been implemented. Some exist in rusthound-ce and not in SharpHound or BloodHound-Python. Please refer to the roadmap for more information.

Authentication

  • LDAP (389) ✅
  • LDAPS (636) ✅
  • BIND
  • NTLM 🔴
  • Kerberos
  • Prompt for password ✅

Outputs

  • users.json ✅
  • groups.json ✅
  • computers.json ✅
  • ous.json ✅
  • gpos.json ✅
  • containers.json ✅
  • domains.json ✅
  • aiacas.json ✅
  • rootcas.json ✅
  • enterprisecas.json ✅
  • certtemplates.json ✅
  • issuancepolicies.json ✅
  • ntauthstores.json ✅
  • all.zip ✅

Modules

  • Retrieve LAPS passwords automatically if your user can read them
  • Retrieve LAPSv2 passwords automatically if your user can read them 🔴
  • Resolve the FQDNs of discovered computers to IP addresses --fqdn-resolver
  • Kerberos attack module (ASREPROASTING and KERBEROASTING) --attack-kerberos 🔴
  • Retrieve data from trusted domains --follow-trust 🔴

List of attributes

  • BloodHound-CE version
    • All objects

      • Properties:isaclprotected ✅ (this value will replace IsACLProtected)
      • Aces:InheritanceHash 🔴
    • Domain

      • Properties:domain
      • Properties:name
      • Properties:distinguishedname
      • Properties:domainsid
      • Properties:highvalue
      • Properties:description
      • Properties:whencreated
      • Properties:expirepasswordsonsmartcardonlyaccounts
      • Properties:machineaccountquota
      • Properties:minpwdlength
      • Properties:pwdproperties
      • Properties:pwdhistorylength
      • Properties:lockoutthreshold
      • Properties:minpwdage
      • Properties:maxpwdage
      • Properties:lockoutduration
      • Properties:lockoutobservationwindow
      • Properties:functionallevel
      • Properties:dsheuristics 🔴
      • Properties:collected
      • GPOChanges:LocalAdmins 🔴 need RPC call src GPOLocalGroupProcessor.cs
      • GPOChanges:RemoteDesktopUsers 🔴 need RPC call
      • GPOChanges:DcomUsers 🔴 need RPC call
      • GPOChanges:PSRemoteUsers 🔴 need RPC call
      • GPOChanges:AffectedComputers
      • ChildObjects
      • Trusts:TargetDomainSid
      • Trusts:TargetDomainName
      • Trusts:IsTransitive
      • Trusts:SidFilteringEnabled
      • Trusts:TGTDelegationEnabled 🔴
      • Trusts:TrustAttributes
      • Trusts:TrustDirection
      • Trusts:TrustType
      • Links
      • Aces
      • ObjectIdentifier
      • IsDeleted
      • IsACLProtected
      • ContainedBy
    • Computer

      • Properties:domain
      • Properties:name
      • Properties:distinguishedname
      • Properties:domainsid
      • Properties:highvalue
      • Properties:samaccountname
      • Properties:haslaps
      • Properties:description
      • Properties:whencreated
      • Properties:enabled
      • Properties:unconstraineddelegation
      • Properties:trustedtoauth
      • Properties:lastlogon
      • Properties:lastlogontimestamp
      • Properties:pwdlastset
      • Properties:serviceprincipalnames
      • Properties:operatingsystem
      • Properties:sidhistory
      • PrimaryGroupSID
      • AllowedToDelegate
      • AllowedToAct
      • HasSIDHistory 🔴
      • DumpSMSAPassword 🔴
      • Sessions 🔴 need RPC call
      • PrivilegedSessions 🔴 need RPC call
      • RegistrySessions 🔴 need RPC call
      • LocalGroups 🔴
      • UserRights 🔴 need LSAOpenPolicy
      • DCRegistryData 🔴 need RPC call and GetRegistryKeyData src Helper.cs
      • Status
      • IsDC
      • UnconstrainedDelegation
      • DomainSID
      • Aces
      • ObjectIdentifier
      • IsDeleted
      • IsACLProtected
      • ContainedBy
    • User

      • Properties:domain
      • Properties:name
      • Properties:distinguishedname
      • Properties:domainsid
      • Properties:highvalue
      • Properties:samaccountname
      • Properties:description
      • Properties:whencreated
      • Properties:sensitive
      • Properties:dontreqpreauth
      • Properties:passwordnotreqd
      • Properties:unconstraineddelegation
      • Properties:pwdneverexpires
      • Properties:enabled
      • Properties:trustedtoauth
      • Properties:lastlogon
      • Properties:lastlogontimestamp
      • Properties:pwdlastset
      • Properties:serviceprincipalnames
      • Properties:hasspn
      • Properties:displayname
      • Properties:email
      • Properties:title
      • Properties:homedirectory
      • Properties:userpassword
      • Properties:unixpassword
      • Properties:unicodepassword
      • Properties:sfupassword 🔴
      • Properties:logonscript
      • Properties:useraccountcontrol 🔴
      • Properties:profilepath 🔴
      • Properties:admincount
      • Properties:supportedencryptiontypes
      • Properties:sidhistory 🔴
      • PrimaryGroupSID
      • AllowedToDelegate
      • HasSIDHistory 🔴
      • SPNTargets
      • DomainSID
      • Aces
      • ObjectIdentifier
      • IsDeleted
      • IsACLProtected
      • ContainedBy
    • Group

      • Properties:domain
      • Properties:name
      • Properties:distinguishedname
      • Properties:domainsid
      • Properties:highvalue
      • Properties:samaccountname
      • Properties:description
      • Properties:whencreated
      • Properties:admincount
      • Members
      • Aces
      • ObjectIdentifier
      • IsDeleted
      • IsACLProtected
      • ContainedBy
    • OU

      • Properties:domain
      • Properties:name
      • Properties:distinguishedname
      • Properties:domainsid
      • Properties:highvalue
      • Properties:samaccountname
      • Properties:description
      • Properties:whencreated
      • Properties:blocksinheritance
      • GPOChanges:LocalAdmins 🔴 need RPC call src GPOLocalGroupProcessor.cs
      • GPOChanges:RemoteDesktopUsers 🔴 need RPC call
      • GPOChanges:DcomUsers 🔴 need RPC call
      • GPOChanges:PSRemoteUsers 🔴 need RPC call
      • GPOChanges:AffectedComputers
      • Links
      • ChildObjects
      • Aces
      • ObjectIdentifier
      • IsDeleted
      • IsACLProtected
      • ContainedBy
    • Gpo

      • Properties:domain
      • Properties:name
      • Properties:distinguishedname
      • Properties:domainsid
      • Properties:highvalue
      • Properties:samaccountname
      • Properties:description
      • Properties:whencreated
      • Properties:gpcpath
      • Aces
      • ObjectIdentifier
      • IsDeleted
      • IsACLProtected
      • ContainedBy
    • Container

      • Properties:domain
      • Properties:name
      • Properties:distinguishedname
      • Properties:domainsid
      • Properties:highvalue
      • ChildObjects
      • Aces
      • ObjectIdentifier
      • IsDeleted
      • IsACLProtected
      • ContainedBy
    • IssuancePolicies SharpHound/src/Runtime/ObjectProcessors.cs#IssuancePolicy

      • Properties:domain
      • Properties:name
      • Properties:distinguishedname
      • Properties:domainsid
      • Properties:description
      • Properties:isaclprotected
      • Properties:whencreated
      • Properties:displayname
      • Properties:certtemplateoid
      • GroupLink 🔴
      • Aces
      • ObjectIdentifier
      • IsDeleted
      • IsACLProtected
      • ContainedBy 🔴
    • NtAuthStore

      • Properties:domain
      • Properties:name
      • Properties:distinguishedname
      • Properties:domainsid
      • Properties:description
      • Properties:whencreated
      • Properties:certthumbprints
      • Aces
      • ObjectIdentifier
      • IsDeleted
      • IsACLProtected
      • ContainedBy
    • AIACA

      • Properties:domain
      • Properties:name
      • Properties:distinguishedname
      • Properties:domainsid
      • Properties:description
      • Properties:whencreated
      • Properties:crosscertificatepair 🔴 What value should be added to the output? (x509 cert)
      • Properties:hascrosscertificatepair
      • Properties:certthumbprint
      • Properties:certname
      • Properties:certchain
      • Properties:hasbasicconstraints
      • Properties:basicconstraintpathlength
      • Aces
      • ObjectIdentifier
      • IsDeleted
      • IsACLProtected
      • ContainedBy
    • RootCA

      • Properties:domain
      • Properties:name
      • Properties:distinguishedname
      • Properties:domainsid
      • Properties:description
      • Properties:whencreated
      • Properties:certthumbprint
      • Properties:certname
      • Properties:certchain
      • Properties:hasbasicconstraints
      • Properties:basicconstraintpathlength
      • Aces
      • ObjectIdentifier
      • IsDeleted
      • IsACLProtected
      • ContainedBy
    • EnterpriseCA

      • Properties:domain
      • Properties:name
      • Properties:distinguishedname
      • Properties:domainsid
      • Properties:description
      • Properties:whencreated
      • Properties:flags 🔴
      • Properties:caname
      • Properties:dnshostname
      • Properties:certthumbprint
      • Properties:certname
      • Properties:certchain
      • Properties:hasbasicconstraints
      • Properties:basicconstraintpathlength
      • Properties:unresolvedpublishedtemplates 🔴
      • Properties:casecuritycollected
      • Properties:enrollmentagentrestrictionscollected 🔴 linked to RPC for CARegistryData:EnrollmentAgentRestrictions
      • Properties:isuserspecifiessanenabledcollected 🔴 linked to RPC for CARegistryData:IsUserSpecifiesSanEnabled
      • Properties:roleseparationenabledcollected 🔴
      • HostingComputer
      • CARegistryData:CASecurity ⚠️ (collected directly from DACL to validate)
      • CARegistryData:EnrollmentAgentRestrictions 🔴 src ObjectProcessors.cs
      • CARegistryData:IsUserSpecifiesSanEnabled 🔴 src ObjectProcessors.cs
      • CARegistryData:RoleSeparationEnabled 🔴
      • EnabledCertTemplates
      • Aces
      • ObjectIdentifier
      • IsDeleted
      • IsACLProtected
      • ContainedBy
    • CertTemplate

      • Properties:domain
      • Properties:name
      • Properties:distinguishedname
      • Properties:domainsid
      • Properties:description
      • Properties:whencreated
      • Properties:validityperiod
      • Properties:renewalperiod
      • Properties:schemaversion
      • Properties:displayname
      • Properties:oid
      • Properties:enrollmentflag
      • Properties:requiresmanagerapproval
      • Properties:nosecurityextension
      • Properties:certificatenameflag
      • Properties:enrolleesuppliessubject
      • Properties:subjectaltrequireupn
      • Properties:ekus
      • Properties:certificateapplicationpolicy
      • Properties:authorizedsignatures
      • Properties:applicationpolicies
      • Properties:issuancepolicies
      • Properties:effectiveekus
      • Properties:authenticationenabled
      • Aces
      • ObjectIdentifier
      • IsDeleted
      • IsACLProtected
      • ContainedBy