Documentation Index
Fetch the complete documentation index at: https://wiki.krkn.tech/llms.txt
Use this file to discover all available pages before exploring further.
query
Query and export data from the R4t SQLite database. Supports table-based queries with column filtering, WHERE clauses, and export to multiple file formats.
Note: The CLI command is r4t query (not r4t query).
Usage
Flags
| Flag | Short | Type | Description |
|---|
--list | — | bool | List all available tables and their columns |
--table | -t | string | Table to query |
--columns | -c | string | Comma-delimited list of columns to display |
--query | -q | string | WHERE clause (e.g., "sam LIKE '%admin%'") |
--not-null | -n | string | Comma-delimited columns that must be non-null/non-empty |
--limit | -L | int | Max number of results (default: 100, use 0 for no limit) |
--raw | -r | string | Raw SQL query to execute |
--out | -o | string | Output file (extension controls format) |
--max-width | — | uint32 | Max column width in table output (default: 50) |
The output format is determined by the file extension given to --out:
| Extension | Format |
|---|
.json | JSON array |
.yaml | YAML |
.xml | XML |
.csv | CSV with header row |
.txt | Plain text table |
.grep | Grep-friendly key=value lines |
--out is not specified, results are printed as a table to stdout.
Examples
# List all tables and their columns
r4t query --list
# Query all credential records
r4t query --table credentials
# Show only specific columns
r4t query --table users --columns sam,dn,enabled,last_logon
# Filter with a WHERE clause
r4t query --table users --query "sam LIKE '%admin%'"
# Filter for non-null passwords
r4t query --table credentials --not-null password
# Combine filters
r4t query --table credentials --not-null password,hash --limit 20
# Export to JSON
r4t query --table adcs_vulnerabilities --out vulns.json
# Export credentials to CSV
r4t query --table credentials --columns sam,domain,password,hash --out creds.csv
# Raw SQL query
r4t query --raw "SELECT sam, dn FROM users WHERE enabled = 1 AND admin_count = 1"
# Raw SQL with export
r4t query --raw "SELECT * FROM adcs_vulnerabilities WHERE esc_type = 'ESC1'" --out esc1.csv
# No row limit
r4t query --table users --limit 0 --out all-users.csv
Available Tables
Run r4t query --list for the current schema. Key tables include:
| Table | Contents |
|---|
credentials | Stored credentials (passwords, hashes, certs) |
targets | Stored target hosts |
users | Enumerated AD users |
computers | Enumerated AD computers |
groups | Enumerated AD groups |
domains | Domain information |
domain_controllers | Enumerated DCs |
adcs_vulnerabilities | ADCS ESC findings |
certificate_authorities | Enumerated CAs |
certificate_templates | Certificate templates |
kerberoast_hashes | Kerberoastable TGS hashes |
asrep_hashes | AS-REP roastable hashes |
coercables | Coercible hosts |
sprays | Spray operation records |
smb_shares | Enumerated SMB shares |
dns_records | ADIDNS records |
gpos | Group Policy Objects |
trusts | Domain trust relationships |
