{"id":26119270,"url":"https://github.com/redteampentesting/keycred","last_synced_at":"2025-04-10T03:49:53.623Z","repository":{"id":278403212,"uuid":"935411392","full_name":"RedTeamPentesting/keycred","owner":"RedTeamPentesting","description":"Generate and Manage KeyCredentialLinks","archived":false,"fork":false,"pushed_at":"2025-03-17T14:58:44.000Z","size":60,"stargazers_count":147,"open_issues_count":0,"forks_count":13,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-04-03T02:09:09.495Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/RedTeamPentesting.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-02-19T12:00:16.000Z","updated_at":"2025-04-02T20:43:22.000Z","dependencies_parsed_at":null,"dependency_job_id":"b686397a-4ff1-4c7d-9358-07dd22efa3f4","html_url":"https://github.com/RedTeamPentesting/keycred","commit_stats":null,"previous_names":["redteampentesting/keycred"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RedTeamPentesting%2Fkeycred","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RedTeamPentesting%2Fkeycred/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RedTeamPentesting%2Fkeycred/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RedTeamPentesting%2Fkeycred/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/RedTe
amPentesting","download_url":"https://codeload.github.com/RedTeamPentesting/keycred/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248154998,"owners_count":21056542,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-03-10T12:25:51.572Z","updated_at":"2025-04-10T03:49:53.590Z","avatar_url":"https://github.com/RedTeamPentesting.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003ch1 align=\"center\"\u003e\u003cb\u003ekeycred\u003c/b\u003e\u003c/h1\u003e\n  \u003cp align=\"center\"\u003e\u003ci\u003eGenerate and Manage KeyCredentialLinks\u003c/i\u003e\u003c/p\u003e\n  \u003cp align=\"center\"\u003e\n    \u003ca href=\"https://github.com/RedTeamPentesting/keycred/releases/latest\"\u003e\u003cimg alt=\"Release\" src=\"https://img.shields.io/github/release/RedTeamPentesting/keycred.svg?style=for-the-badge\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://pkg.go.dev/github.com/RedTeamPentesting/keycred\"\u003e\u003cimg alt=\"Go Doc\" src=\"https://img.shields.io/badge/godoc-reference-blue.svg?style=for-the-badge\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/RedTeamPentesting/keycred/actions?workflow=Check\"\u003e\u003cimg alt=\"GitHub Action: Check\" src=\"https://img.shields.io/github/actions/workflow/status/RedTeamPentesting/keycred/check.yml?branch=main\u0026style=for-the-badge\"\u003e\u003c/a\u003e\n    \u003ca href=\"/LICENSE\"\u003e\u003cimg alt=\"Software License\" 
src=\"https://img.shields.io/badge/license-MIT-brightgreen.svg?style=for-the-badge\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://goreportcard.com/report/github.com/RedTeamPentesting/keycred\"\u003e\u003cimg alt=\"Go Report Card\" src=\"https://goreportcard.com/badge/github.com/RedTeamPentesting/keycred?style=for-the-badge\"\u003e\u003c/a\u003e\n  \u003c/p\u003e\n\u003c/p\u003e\n\n---\n\n`keycred` is a CLI tool and library that implements the KeyCredentialLink\nstructures according to [section\n2.2.20](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/de61eb56-b75f-4743-b8af-e9be154b47af)\nof the Active Directory Technical Specification (MS-ADTS). It also supports\nseveral deviations from the specification that are encountered in practice.\n\nThe project also contains a tool to manipulate the `msDS-KeyCredentialLink` LDAP\nattribute in order to register KeyCredentialLinks in Active Directory\nenvironments.\n\n## Features\n\n* Supported authentication mechanisms: Kerberos (password, NT hash, AES key,\n  CCache, PKINIT), mTLS, NTLM (password or NT hash), SimpleBind (password).\n* UnPAC-the-Hash: Retrieve the user's NT hash via PKINIT Kerberos\n  authentication.\n* Cross-platform compatible single binary.\n* Certificate otherName SAN extensions allow certificates to be used by\n  `certipy auth` without specifying username and domain.\n* Backup and restore functionality, which is useful when a new KeyCredentialLink\n  should be registered for a computer account where another KeyCredentialLink is\n  already present.\n* Both the library and the tool can generate KeyCredentialLinks that are\n  strictly compliant with the rules for validated writes\n  (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/f70afbcc-780e-4d91-850c-cfadce5bb15c)\n  that **should** be enforced when computer accounts modify their own\n  `msDS-KeyCredentialLink` attribute.\n\n## Usage\n\nThe `keycred` CLI tool can be used to create and manage 
KeyCredentialLinks, and\ncertificate/key pairs:\n\n```\n$ ./keycred --help\nCreate and manage KeyCredentialLinks\n\nUsage:\n  keycred [command]\n\nAvailable Commands:\n  add         Create certificate/key and register it in LDAP\n  add-raw     Register a raw DN-Binary string in LDAP\n  list        List KeyCredentialLinks of a single user or all users\n  remove      Remove a single KeyCredentialLink of a user\n  clear       Remove all KeyCredentialLinks of a user\n  auth        Authenticate and retrieve the NT hash using PKINIT (requires --pfx)\n  burn        Authenticate to obtain hash/ticket and clear KeyCredentialLink (requires --pfx)\n  backup      Backup all KeyCredentialLinks of a user\n  restore     Restore the KeyCredentialLinks from a backup file\n  register    Register the key from an existing PFX file\n  parse       Parse a KeyCredentialLink in DN-Binary form\n  help        Help about any command\n  completion  Generate the autocompletion script for the specified shell\n\nFlags:\n      --aes-key string        Kerberos AES key\n      --ccache string         Kerberos CCache file name (defaults to $KRB5CCNAME, currently unset)\n      --dc string             Domain controller\n      --debug                 Enable debug output\n  -h, --help                  help for keycred\n  -k, --kerberos              Use Kerberos authentication\n  -H, --nt-hash string        NT hash\n  -p, --password string       Password\n      --pfx string            Client certificate and private key in PFX format\n      --pfx-password string   Password for PFX file\n      --scheme string         Scheme (ldap or ldaps) (default \"ldaps\")\n      --simple-bind           Authenticate with simple bind\n      --start-tls             Negotiate StartTLS before authenticating on regular LDAP connection\n  -t, --target string         Target user (default is the authenticating user)\n      --timeout duration      LDAP connection timeout (default 5s)\n  -u, --user user@domain      Username 
(user@domain, 'domain\\user', 'domain/user' or 'user')\n      --verify                Verify LDAP TLS certificate\n\nUse \"keycred [command] --help\" for more information about a command.\n```\n\nAdditionally, this repository also includes `pfxtool`, which can be used to work\nwith PFX files:\n\n```\n$ ./pfxtool --help\nConvert certificates and keys from and to PFX files\n\nUsage:\n  pfxtool [command]\n\nAvailable Commands:\n  join        Create a PFX file by joining a PEM encoded key and cert\n  split       Split a PFX file into PEM encoded key and cert\n  decrypt     Remove the password from a PFX file\n  encrypt     Encrypt the PFX file with a password\n  inspect     Inspect the contents of a PFX\n  create      Create a certificate/key pair and save it as a PFX file\n  help        Help about any command\n  completion  Generate the autocompletion script for the specified shell\n\nFlags:\n  -f, --force             Overwrite existing output files\n  -h, --help              help for pfxtool\n  -p, --password string   PFX password\n```\n\n## Building\n\nThe `keycred` tool can be built as follows:\n\n```sh\ngo build ./cmd/keycred\n```\n\nThe PFX handling tool `pfxtool` can be built as follows:\n\n```sh\ngo build ./cmd/pfxtool\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredteampentesting%2Fkeycred","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fredteampentesting%2Fkeycred","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredteampentesting%2Fkeycred/lists"}