Credentials

R4t stores authentication credentials in its SQLite database. Multiple credential types are supported — passwords, NT hashes, Kerberos ccache files, PFX certificates, PEM certificate+key pairs, and AES keys. A single credential can be set as the active default for all commands.

The `creds` Command

r4t creds <subcommand> [flags]

Subcommands

`creds add`

Add a credential to the database.

# Password-based
r4t creds add --username jsmith --password 'P@ssword1' --domain corp.example.com

# NT hash (LM:NT or just NT)
r4t creds add --username jsmith --hash aad3b435b51404eeaad3b435b51404ee:e10adc3949ba59abbe56e057f20f883e --domain corp.example.com

# PFX certificate
r4t creds add --username jsmith --pfx /tmp/jsmith.pfx --pfx-password '' --domain corp.example.com

# PEM certificate + private key
r4t creds add --username jsmith --cert /tmp/jsmith.crt --key /tmp/jsmith.key --domain corp.example.com

# Kerberos ccache
r4t creds add --username jsmith --ccache /tmp/krb5cc_1000 --domain corp.example.com

# AES key
r4t creds add --username jsmith --aes <aes-key> --domain corp.example.com

# Machine account
r4t creds add --username DC01 --hostname DC01$ --hash <hash> --domain corp.example.com

# With notes
r4t creds add --username jsmith --password 'P@ssword1' --domain corp.example.com --notes "Found in GPP"

Flags for `creds add`

Flag	Description
`-u`, `--username`	Username or UPN
`-p`, `--password`	Cleartext password
`--hash`	NT hash (`LM:NT` or just `NT`)
`--pfx`	Path to PFX certificate file
`--pfx-password`	PFX passphrase
`--cert`	Path to PEM certificate
`--key`	Path to PEM private key
`--ccache`	Path to Kerberos ccache file
`--aes`	AES-128 or AES-256 key
`-d`, `--domain`	Domain the credential belongs to
`--hostname`	Machine account hostname (e.g., `DC01$`)
`--source`	How the credential was obtained
`--notes`	Operator notes

PFX files are copied into ~/.local/share/r4t/files/pfx/ and the stored path is updated to the local copy.

`creds list`

List all stored credentials.

r4t creds list

# Show full auth details (passwords, hashes)
r4t creds list --auth

Output includes: ID, username, domain, type (password/hash/cert/ccache/AES), source, and notes. Sensitive values (passwords, hashes) are redacted by default; use --auth to reveal them.

`creds set`

Set a credential as the active default. The active credential is stored in Badger (cfg:credentials) and used automatically by all commands.

r4t creds set 2

Takes the numeric ID from creds list.

`creds modify`

Modify an existing stored credential.

r4t creds modify 2 --username newname --domain newdomain.com --notes "Updated"

Flags for `creds modify`

Flag	Description
`-u`, `--username`	New username
`-d`, `--domain`	New domain
`--notes`	New notes

`creds remove`

Remove a credential from the database.

r4t creds remove 2

How Credentials Are Resolved

When a command needs to authenticate, R4t resolves credentials in this priority order:

Inline flags — --username, --password, --hash, --ccache, --pfx, --cert+--key, --aes, --anonymous
--credential-id flag — use a specific stored credential by ID
Active credential — the credential set via creds set (retrieved from Badger)
Anonymous — unauthenticated if no credential is available (where supported)

This means once you run r4t creds set 1, all subsequent commands authenticate with that credential automatically.

Credential Data Model

type Credential struct {
    ID          uint      // Auto-incremented primary key
    UserID      uint      // FK to users table (optional)
    Name        string    // Username or UPN
    Hostname    string    // Machine account hostname (e.g., DC01$)
    Password    string    // Cleartext password
    Hash        string    // NT hash
    PfxFile     string    // Path to stored PFX file
    PfxPassword string    // PFX passphrase
    CertFile    string    // Path to PEM certificate
    KeyFile     string    // Path to PEM private key
    CcacheFile  string    // Path to Kerberos ccache
    AesKey      string    // AES key
    Domain      string    // Associated domain
    TgtID       uint      // FK to TGTs table (optional)
    Source      string    // How obtained
    Notes       string    // Operator notes
    CreatedAt   time.Time
    UpdatedAt   time.Time
    DeletedAt   *time.Time // Soft delete
}

Supported Authentication Methods

Method	Required Fields	Use Case
Password	`name`, `password`, `domain`	Standard AD authentication
NT Hash	`name`, `hash`, `domain`	Pass-the-Hash (LDAP, SMB, etc.)
PFX Certificate	`name`, `pfx_file`, `pfx_password`, `domain`	PKINIT, Schannel
PEM Cert + Key	`name`, `cert_file`, `key_file`, `domain`	PKINIT, Schannel
Kerberos ccache	`name`, `ccache_file`, `domain`	Pass-the-Ticket
AES Key	`name`, `aes_key`, `domain`	Kerberos with AES key
Anonymous	—	Unauthenticated operations
Shadow (Key only)	`key_file`, `domain`	Shadow credential attacks

Using Credentials Inline

If you don’t want to store credentials, you can pass them inline on any command:

# Password
r4t ldap get users -u jsmith -p 'P@ssword1' -d corp.example.com

# Hash
r4t ldap get users -u jsmith --hash <ntlm-hash> -d corp.example.com

# ccache
r4t ldap get users --ccache /tmp/jsmith.ccache

# PFX
r4t adcs nt --pfx /tmp/jsmith.pfx

# AES key
r4t krb tgt --aes <aes-key> -u jsmith -d corp.example.com

# Anonymous
r4t ldap query --anonymous --filter "(objectClass=*)"

Kerberos Ticket Storage

Kerberos TGTs and TGSs obtained during a session can be stored in the database:

Table	Description
`tgts`	Ticket Granting Tickets
`tgss`	Ticket Granting Service tickets

These are linked to the credential record that was used to obtain them. Use r4t tickets to manage saved Kerberos tickets.

commands

Documentation Index

​Credentials

​The creds Command

​Subcommands

​creds add

​Flags for creds add

​creds list

​creds set

​creds modify

​Flags for creds modify

​creds remove

​How Credentials Are Resolved

​Credential Data Model

​Supported Authentication Methods

​Using Credentials Inline

​Kerberos Ticket Storage