Database

R4t uses a dual-storage system: a Badger KV store for fast configuration and session state, and a SQLite relational database for persistent findings, credentials, and enumeration results.

Storage Locations

| Store | Default Path |
|---|---|
| SQLite | ~/.local/share/r4t/db/r4t.sqlite |
| Badger | ~/.local/share/r4t/db/ (directory) |

Local DB mode: Run r4t set --local-db true to create r4t.sqlite in the current working directory instead. Useful for per-engagement database isolation.
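
Because the credentials table described on this page holds cleartext passwords and NT hashes, the mode bits on every r4t.sqlite created in local DB mode are worth checking. The following is an added example, not part of R4t: it walks a directory of per-engagement working directories and reports database files readable by group or other. The `client-a`/`client-b` tree is constructed sample input.

```python
import os
import stat
import tempfile

DB_NAME = "r4t.sqlite"  # file name from the Storage Locations table


def find_exposed_dbs(root):
    """Walk root and return [(path, octal mode)] for every r4t.sqlite whose
    mode grants any access to group or other."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        if DB_NAME in files:
            path = os.path.join(dirpath, DB_NAME)
            # lstat: judge the entry itself, do not follow symlinks
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                exposed.append((path, oct(mode)))
    return sorted(exposed)


def make_sample_tree():
    """Constructed engagement tree: one DB locked down, one world-readable."""
    root = tempfile.mkdtemp(prefix="engagements-")
    for name, mode in (("client-a", 0o600), ("client-b", 0o644)):
        os.mkdir(os.path.join(root, name))
        db = os.path.join(root, name, DB_NAME)
        open(db, "wb").close()
        os.chmod(db, mode)
    return root


if __name__ == "__main__":
    # Replace make_sample_tree() with the directory holding your engagements.
    for path, mode in find_exposed_dbs(make_sample_tree()):
        print(f"{mode} {path}: tighten to 0600")
```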

Badger KV Store

Badger is an embedded key-value store used for fast access to global configuration and the current session state.

Characteristics

  • Encrypted with AES-256 using a hardware-derived ID as the key
  • ZSTD compression enabled
  • Daily encryption key rotation
  • Keeps only 1 version of each key (no history)
  • 10 GB index cache, 512 MB memtable size

Keys Stored in Badger

| Key Constant | Purpose |
|---|---|
| cfg:domain | Default AD domain |
| cfg:nameserver | DNS nameserver |
| cfg:debug | Debug mode flag |
| cfg:interface | Network interface for operations |
| cfg:tee | Enable output tee to file |
| cfg:color_scheme | Terminal color scheme name |
| cfg:local_db | Whether SQLite is in local or global path |
| cfg:credentials | Active credential (JSON-serialized) |
| cfg:target | Active target (JSON-serialized) |
| cfg:proxy | SOCKS5 proxy configuration |
| cfg:first_run | First-run initialization flag |

These values are read at startup and populated into the global App struct. Changes made via r4t set are immediately persisted to Badger.

SQLite Database

SQLite is the primary long-term store for all findings, targets, credentials, and enumeration data. It is accessed via GORM with a pure-Go SQLite driver.

Schema Management

  • AutoMigrate runs on every startup — safe and additive only (never drops columns or tables)
  • Composite unique indexes are created with IF NOT EXISTS to avoid duplicate enforcement errors
  • --migrate-db forces an explicit migration pass
  • --purge-db drops all tables and remigrates from scratch (requires interactive confirmation — destructive)

Tables

The schema contains 60+ tables organized by functional area.

Domain & Forest

| Table | Description |
|---|---|
| domains | AD domain records (name, SID, FQDN, functional level) |
| pass_policies | Domain and fine-grained password policies |
| domain_controllers | Enumerated domain controllers |
| trusts | Inter-domain and inter-forest trust relationships |

AD Objects

| Table | Description |
|---|---|
| users | User accounts |
| computers | Computer accounts |
| groups | Security and distribution groups |
| service_accounts | Service account tracking |
| ou_s | Organizational Units |
| delegations | Kerberos delegation configurations |

Credentials & Sessions

| Table | Description |
|---|---|
| credentials | Stored authentication credentials (multi-type) |
| users | Linked user records |
| tgts | Kerberos Ticket Granting Tickets |
| tgss | Kerberos Ticket Granting Service tickets |
| logons | Logon event records |
| asrep_hashes | AS-REP roastable hashes |
| kerberoast_hashes | Kerberoastable service account hashes |

Vulnerabilities

| Table | Description |
|---|---|
| pre2ks | Pre-Windows 2000 compatible access accounts |
| nopacs | Accounts with no PAC (NOPAC vulnerability) |
| zero_logons | ZeroLogon-vulnerable domain controllers |
| shadow_credentials | Shadow credential injection results |
| dc_syncs | Accounts with DCSync-capable permissions |
| print_nightmares | PrintNightmare-vulnerable hosts |
| smb_ghosts | SMBGhost-vulnerable hosts |
| eternal_blues | EternalBlue-vulnerable hosts |
| coercables | Hosts vulnerable to authentication coercion |

ADCS (Active Directory Certificate Services)

| Table | Description |
|---|---|
| certificate_authorities | Enumerated CAs |
| certificate_templates | Certificate templates with all attributes |
| adcs_vulnerabilities | Detected ESC vulnerabilities (ESC1–ESC16) |

Group Policy

| Table | Description |
|---|---|
| gpos | Group Policy Objects |
| gp_link_entries | GPO links to containers |
| dacl_modifications | DACL modifications performed |

Networking & Protocols

| Table | Description |
|---|---|
| dns_records | ADIDNS records |
| smb_servers | SMB service metadata per host |
| smb_shares | Enumerated SMB shares |
| rpc_permissions | RPC endpoint access rights |
| rpc_sessions | RPC session tracking |

Operations

| Table | Description |
|---|---|
| targets | Stored target hosts |
| sprays | Password spray operation records |

Payload System (future)

| Table | Description |
|---|---|
| templates | Payload templates |
| payloads | Generated payloads |
| builds | Build records |
| artifacts | Build artifacts |
| transformations | Payload transformations |
| capabilities | Capability definitions |

Credential Model (Full Schema)

The credentials table stores all supported authentication types in a single unified model:

| Column | Type | Description |
|---|---|---|
| id | uint | Primary key |
| user_id | uint | FK to users table |
| name | string | Username or UPN |
| hostname | string | Machine account hostname (e.g., DC$) |
| password | string | Cleartext password |
| hash | string | NT hash |
| pfx_file | string | Path to stored PFX file |
| pfx_password | string | PFX passphrase |
| cert_file | string | Path to PEM certificate |
| key_file | string | Path to PEM private key |
| ccache_file | string | Path to Kerberos ccache |
| aes_key | string | AES-128 or AES-256 key |
| domain | string | Associated domain |
| tgt_id | uint | FK to tgts |
| source | string | How the credential was obtained |
| notes | string | Operator notes |

Target Model (Full Schema)

| Column | Type | Description |
|---|---|---|
| id | uint | Primary key |
| ip | string | IPv4 address |
| dns_hostname | string | DNS hostname |
| notes | string | Operator notes |

Direct Database Queries

The dbquery command lets you run raw SQL against the SQLite database:

```
r4t dbquery "SELECT id, name, password, hash FROM credentials"
r4t dbquery "SELECT ip, dns_hostname FROM targets"
r4t dbquery "SELECT * FROM adcs_vulnerabilities WHERE esc_type = 'ESC1'"
r4t dbquery "SELECT name, member_of FROM users WHERE enabled = 1 ORDER BY name"
```

Results are printed as a table to stdout.
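
The first query above prints cleartext passwords and NT hashes to stdout. As an added example (not part of R4t or its documentation), this sketch inventories which secret columns each credentials row populates without ever selecting the values, which suits reports and pre-archive reviews. The in-memory table, its SQLite column types and the sample rows are constructed from the Credential Model schema on this page.

```python
import sqlite3

# Secret-bearing columns of the credentials table, per the schema above.
SECRET_COLUMNS = ("password", "hash", "pfx_file", "pfx_password",
                  "cert_file", "key_file", "ccache_file", "aes_key")


def build_sample_db():
    """Constructed in-memory stand-in for r4t.sqlite (column types assumed)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE credentials (id INTEGER PRIMARY KEY, user_id INTEGER, "
        "name TEXT, hostname TEXT, password TEXT, hash TEXT, pfx_file TEXT, "
        "pfx_password TEXT, cert_file TEXT, key_file TEXT, ccache_file TEXT, "
        "aes_key TEXT, domain TEXT, tgt_id INTEGER, source TEXT, notes TEXT)")
    rows = [  # constructed sample rows, not real data
        ("alice", "corp.example", "ExamplePass1!", "", "", "spray"),
        ("svc_sql", "corp.example", "", "0" * 32, "", "kerberoast"),
        ("carol", "corp.example", None, "", "/tmp/carol.ccache", "manual"),
    ]
    con.executemany(
        "INSERT INTO credentials "
        "(name, domain, password, hash, ccache_file, source) "
        "VALUES (?, ?, ?, ?, ?, ?)", rows)
    return con


def secret_inventory(con):
    """Return (id, name, domain, source, [populated secret columns]) per row.
    Only presence flags are selected; NULL and '' both count as empty."""
    flags = ", ".join(
        f"({c} IS NOT NULL AND {c} <> '') AS has_{c}" for c in SECRET_COLUMNS)
    cur = con.execute(
        f"SELECT id, name, domain, source, {flags} "
        "FROM credentials ORDER BY id")
    report = []
    for row in cur:
        present = [c for c, flag in zip(SECRET_COLUMNS, row[4:]) if flag]
        report.append((row[0], row[1], row[2], row[3], present))
    return report


if __name__ == "__main__":
    for entry in secret_inventory(build_sample_db()):
        print(entry)
```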