R4t — Active Directory Red Team Framework

R4t is a comprehensive Active Directory (AD) exploitation and reconnaissance framework written in Go. It is designed to run from within an already-accessed environment, giving red team operators a single, integrated tool for enumerating, assessing, and exploiting AD environments. R4t is not a command-and-control (C2) framework. It is an operator-side tool — you run it from your attacking machine or a foothold box to interact with a target AD forest.

What R4t Does

R4t covers the full lifecycle of an AD engagement:

| Phase | Capabilities |
| --- | --- |
| Reconnaissance | Users, groups, computers, OUs, GPOs, trusts, domain controllers, DNS, ADIDNS |
| Vulnerability Assessment | ADCS ESC1–ESC16, DCSync, LAPS exposure, Kerberoasting, AS-REP Roasting, shadow credentials, pre-Windows 2000 accounts, coercible hosts |
| Exploitation | Certificate requests, Kerberos ticket manipulation, NT hash extraction, GPP password dumping, authentication coercion |
| Persistence & Movement | Credential spraying, DACL modification, shadow credential injection, LAPS enumeration |
| Reporting | BloodHound collection, structured database of findings, tabular output, file output |

Command Overview

R4t is organized into top-level commands. Each command groups related operations:

| Command | Description |
| --- | --- |
| targets | Manage target hosts |
| creds | Manage stored credentials |
| set | Configure persistent settings |
| ldap | LDAP enumeration, modification, and vulnerability scanning |
| adcs | AD Certificate Services analysis and exploitation |
| smb | SMB signing checks and GPP extraction |
| spray | Password spraying across multiple protocols |
| coerce | Authentication coercion attacks |
| krb | Kerberos ticket operations |
| bloodhound | BloodHound data collection |
| dns | DNS enumeration and zone transfers |
| adidns | ADIDNS record manipulation |
| adws | Active Directory Web Services |
| rdp | RDP operations |
| ssh | SSH operations |
| winrm | WinRM operations |
| wmi | WMI queries |
| mssql | MSSQL enumeration and exploitation |
| rpc | RPC operations |
| nfs | NFS enumeration |
| ftp | FTP operations |
| tickets | Kerberos ticket management |
| parse | Parse certificate and key files |
| port | Port scanning and banner grabbing |
| arp | ARP host discovery |
| poison | Network poisoning |
| proxy | SOCKS5 proxy configuration |
| sccm | SCCM enumeration |
| visualize | BloodHound graph visualization |
| install | Install binary and shell aliases |
| logs | Log management |
| query | Database query and export |
| tftp | TFTP operations |
| exclude | Windows Defender exclusions |

Global Flags

All commands inherit these persistent flags from the root command:

Authentication

| Flag | Description |
| --- | --- |
| -u, --username | Username for authentication |
| -p, --password | Password |
| --hash | NT hash (LM:NT or just NT) |
| --aes | AES key for Kerberos |
| --ccache | Path to Kerberos ccache file |
| --pfx | PFX certificate file path |
| --cert | PEM certificate file path |
| --key | PEM private key file path |
| --anonymous | Use anonymous/unauthenticated access |
| --credential-id | Use a stored credential by ID |

Connection

| Flag | Description |
| --- | --- |
| -d, --domain | Active Directory domain name |
| --ns, --nameserver | DNS nameserver for resolution |
| --ldap-server | LDAP server address (overrides auto-discovery) |
| --ldaps | Use LDAPS (implicit TLS, port 636) |
| --start-tls | Use StartTLS upgrade on LDAP connection |
| --insecure | Skip TLS certificate verification |
| --timeout | Connection timeout in seconds |
| --jitter | Jitter delay between requests in seconds |
| --target-id | Use a stored target by ID |

Database

| Flag | Description |
| --- | --- |
| --migrate-db | Force database migration on startup |
| --purge-db | Drop and re-migrate all database tables (prompts for confirmation) |

Key Concepts

  • Targets — Hosts you are operating against. R4t stores them in a database and lets you set a default.
  • Credentials — Authentication material (passwords, hashes, certificates, ccache files). Stored securely and selected by ID or set as default.
  • Settings — Persistent configuration like domain, nameserver, proxy, and output options.
  • Database — A dual-store system (Badger KV + SQLite) that persists all findings, scan results, and configuration.

Further Reading