Generate and Manage KeyCredentialLinks
keycred is CLI tool and library that implements the KeyCredentialLink
structures according to section
2.2.20
of the Active Directory Technical Specification (MS-ADTS). It also supports
several deviations from the specification that are encountered in practice.
The project also contains a tool to manipulate the msDS-KeyCredentialLink LDAP
attribute in order to register KeyCredentialLinks in Active Directory
environments.
- Supported authentication mechanism: Kerberos (password, NT hash, AES key, CCache, PKINIT), mTLS, NTLM (password or NT hash), SimpleBind (password).
- UnPAC-the-Hash: Retrieve the user's NT hash via PKINIT Kerberos authentication.
- Cross-platform compatible single binary
- Certificate otherName SAN extensions allows certificates to be used by
certipy authwithout specifying username and domain. - Backup and restore functionality, that is useful when a new KeyCredentialLink should be registered for a computer account where another KeyCredentialLink is already present.
- Both the library and the tool can generate KeyCredentialLinks that are
strictly compliant with the rules for validated writes
(https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/f70afbcc-780e-4d91-850c-cfadce5bb15c)
that should be enforced when computer accounts modify their own
msDS-KeyCredentialLinkattribute.
The keycred CLI tool can be used to create and manage KeyCredentialLinks, and
certificate/key pairs:
$ ./keycred --help
Create and manage KeyCredentialLinks
Usage:
keycred [command]
Available Commands:
add Create certificate/key and register it in LDAP
add-raw Register a raw DN-Binary string in LDAP
list List KeyCredentialLinks of a single user or all users
remove Remove a single KeyCredentialLink of a user
clear Remove all KeyCredentialLinks of a user
auth Authenticate and retrieve the NT hash using PKINIT (requires --pfx)
burn Authenticate to obtain hash/ticket and clear KeyCredentialLink (requires --pfx)
backup Backup all KeyCredentialLinks of a user
restore Restore the KeyCredentialLinks from a backup file
register Register the key from an existing PFX file
parse Parse a KeyCredentialLink in DN-Binary form
help Help about any command
completion Generate the autocompletion script for the specified shell
Flags:
--aes-key string Kerberos AES key
--ccache string Kerberos CCache file name (defaults to $KRB5CCNAME, currently unset)
--dc string Domain controller
--debug Enable debug output
-h, --help help for keycred
-k, --kerberos Use Kerberos authentication
-H, --nt-hash string NT hash
-p, --password string Password
--pfx string Client certificate and private key in PFX format
--pfx-password string Password for PFX file
--scheme string Scheme (ldap or ldaps) (default "ldaps")
--simple-bind Authenticate with simple bind
--start-tls Negotiate StartTLS before authenticating on regular LDAP connection
-t, --target string Target user (default is the authenticating user)
--timeout duration LDAP connection timeout (default 5s)
-u, --user user@domain Username (user@domain, 'domain\user', 'domain/user' or 'user')
--verify Verify LDAP TLS certificate
Use "keycred [command] --help" for more information about a command.
Additionally, this repository also includes pfxtool, which can be used to work
with PFX files:
$ ./pfxtool --help
Convert certificates and keys from and to PFX files
Usage:
pfxtool [command]
Available Commands:
join Create a PFX file by joining a PEM encoded key and cert
split Split a PFX file into PEM encoded key and cert
decrypt Remove the password from a PFX file
encrypt Encrypt the PFX file with a password
inspect Inspect the contents of a PFX
create Create a certificate/key pair and save it as a PFX file
help Help about any command
completion Generate the autocompletion script for the specified shell
Flags:
-f, --force Overwrite existing output files
-h, --help help for pfxtool
-p, --password string PFX password
The keycred tool can be built as follows:
go build ./cmd/keycredThe PFX handling tool pfxtool can be built as follows:
go build ./cmd/pfxtool