The credential manager.
The credential manager is a system for storing, sorting and retrieving all the credentials you come across in a pentest. The core is an SQLite database and an API providing the management functionality to the Neet components. User access to the credential store is via the accounts tool, which can be used to access all of the management functionality. For a quick start, the accounts usage information is shown below. A more comprehensive description of the credential manager will follow at some point when I have time to write it!
Accounts is a command-line interface to the Neet credential manager,
which is used by Neet to store and retrieve credentials found during
pentests.
You can use this command-line tool to manually manage credentials you
find or are given during a pentest, and to interact with those that Neet
finds. It allows you to add, search, modify and delete credentials, as
well as import and export them in various useful formats.
Examples of use cases are listed at the end of this help.
Usage: accounts [options]
Use with no arguments will assume the behaviour of the -l (--list)
option, listing all stored credentials in CSV format.
-f (--file): use the specified file instead of the default, which is
$HOME/.credentialManager. You can alternatively set the CREDSTORE
environment variable, which should contain the full absolute path
to the database file you wish to use.
-t (--type): specify the type of credential you are adding or listing.
Guidance on the use of this field is provided below. This field is
always stored and searched in lower case.
-d (--domain): specify the realm or domain of the credential you are
adding or listing. This can also be used to specify SIDs or other
authentication zones depending on the type of system. This is a
case-sensitive field.
-u (--user): specify the account name of the credential you are adding
or listing. If the username is supplied in user@domain or DOMAIN\USER
format, both the "user" and "domain" fields are populated correctly.
This also applies to specification of usernames and domains whilst
searching. This is a case-sensitive field.
-p (--pass): specify the password of the credential you are adding or
listing. This is a case-sensitive field.
-s (--system): specify the system name or IP address for the credential
you are adding or listing. This field is always stored and searched
in UPPER case.
-g (--tag): provide a tag for your credential. For example, WCE can have
"hist01", "current" and "used" for each credential. The pwdump
import makes use of tags to store this data and you can use it to select
data too. Tags are always stored and searched in lower case.
-r (--rid): specify the RID or numeric identifier of the credential you are
adding or listing. This is a case-sensitive field to facilitate storage
of database SIDs if you so wish.
-P (--privilege): provide a privilege indicator for your credential. For
example, you could mark certain accounts as "high" or "low",
"locked" or whatever you want. This field is always stored in lower
case.
-x (--delete): delete the credential with the specified ID
-m (--modify): modify the credential with the specified ID. You can
update the existing data for the credential by specifying any of the
-u -p -P -t -g -d -s -c or -r parameters, exactly as though you were
adding a new credential.
-l (--list): list stored credentials. You can optionally filter results
by specifying -t -d -u -p -s -g -r -c and/or -P to list credentials
matching those fields only. You can use the percent (%) symbol as a
wildcard character when matching particular fields. The output of -l can
be formatted using --output, below.
-o (--output): A string representing the fields that are required when
listing the credentials:
i = credential ID (internal reference only, but required for deleting)
t = credential type
r = RID or system numeric user ID
u = username
p = password
d = domain/realm
s = system name
c = comment
g = tag
P = privilege
The --output parameter is optional - without it, -l will list all the
available fields.
-i (--import): import a set of credentials from STDIN. This option requires
an argument which specifies the type of list being provided. The
following values can be supplied:
f[tupdscgrP] = This signifies a CSV format import, with the input file
having only the specified fields, in the order listed, as per the
--output option. Use this to import general password lists in CSV
format. If you don't have all parameters in the CSV file (perhaps
you just have a list of passwords), then you can specify other
parameters on the command line as though you were manually adding
a credential. These parameters will be applied to every credential
imported in this way. The delimiter is a comma, although you can
change this with the -D option.
pwdump = The input is in pwdump format.
native = The credentials are being provided by the output of this program
in export mode: "accounts -e" or "accounts --export".
It is important that no --output filters are applied to the export,
although the search filters can of course have been used to restrict
the number of fields which were exported.
This feature is useful for transferring credentials between credential
manager databases.
-D (--delimiter): specify the delimiter for the output (or import). The
default delimiter is a comma.
-e (--export): provide the output in machine-readable format, ready to be
imported to another credential manager file by accounts.
-L (--long): provide the output in a long format
-q (--quotes): quote each output field. Nice for preserving integrity, not
so nice for quick shell scripts.
-h (--help): print this help
Strings representing credential types (values for 't'):
gen: Generic username/password pair.
smb: Windows/Samba/RDP. This is the assumed type if no
other type is specified.
mssql: Microsoft SQL
mysql: MySQL
ora: Oracle Database
pgrs: PostgreSQL
vnc:
vncenc: Encrypted VNC passwords
ssh:
tnet: Telnet
snmp:
hsrp:
vrrp:
web: Web application
ntlm: Windows LM/NTLM Hashes (as dumped from the SAM)
mscache: MS Cache
mscache2: MS Cache2
md5: MD5 hash
md5s: Salted MD5 hash
sha1: SHA hash
sha1s: Salted SHA hash
sha256: SHA256 hash
sha256s: Salted SHA256 hash
des: DES Unix password
You are free to make up your own 'type' identifiers, but bear in mind that the
Neet modules can only make use of those of which they are aware, and that you may
need to remember them when searching through your credential store.
You don't have to add all possible fields when adding credentials. You MUST put in
either a password or username, but that is the only entry that is required to create
a new credential record.
Bear in mind that the more fields you add, the more selective you can be afterwards
when you're searching through hundreds or thousands of credentials. However, it is
possible to add further information to a credential later on, using the --modify
option.
EXAMPLES
========

0. View all credentials in the store, in shell-script-friendly CSV format
    accounts

1. Add a credential for a Windows domain. Note the use of quotes around shell metacharacters:
    accounts -t smb -u superman -p 'sup3rS3kr!t' -d root -s ukrootdomdc01 -c 'Domain Admin!'

2. Add some infrastructure passwords
    accounts -t hsrp -p bobbydazzler -s gateway03 -c "Found this using tcpdump"
    accounts -t snmp -p bobbydazzler -s ukrouter01 -c "Same as HSRP string!"

3. Add an Oracle database credential for the oratest SID
    accounts -t ora -u dbsnmp -p cirCus -d oratest -s DBSRV04 -c "Got a really good brute-forcer"

4. List all passwords regardless of which types of systems they were found on. This
   may include duplicate entries.
    accounts -l -o p

5. List all Windows domains, usernames and passwords in that order. Make the output
   exclamation-point delimited with quotes around the data values.
    accounts -l -t smb -o dup -q -D\!

6. List all data on SNMP strings
    accounts -l -t snmp

7. List all passwords on accounts with the username Administrator:
    accounts -l -u Administrator -o p

8. Find that pesky Windows entry with the "ihatepentesters" password and delete it
    accounts -x $(accounts -l -t smb -p ihatepentesters -o i)

9. Delete all NTLM credentials we have from system XAVIER
    for id in `accounts -l -t ntlm -o i -s XAVIER`; do accounts -x $id; done

10. You found a sticky note with "Password: ahoauuf23r" on it. Record it.
    accounts -p ahoauuf23r
   or better still:
    accounts -p ahoauuf23r -c "Post-it note on Andrew's desk"

11. List all accounts in the uberoot Windows domain, with just usernames and passwords,
    in that order.
    accounts -l -d uberoot -o up

12. List all accounts in the credential store. Print the output in spreadsheet-friendly
    CSV format.
    accounts -lq

13. List all website accounts. Make the output in URL- and POST-friendly format.
    accounts -L -t web -o up -D\&

14. Change the type of credential 52 to telnet.
    accounts -m 52 -t telnet

15. Change the password of credential 8 to Password04 and add a comment.
    accounts --modify 8 -p Password04 -c "Changed the password myself"

16. Import a pwdump file.
    cat pwdump.txt | accounts -i pwdump -c "From the XAVIER file server"
   or
    cat pwdump.txt | accounts -i pwdump -s XAVIER
   or
    cat pwdump.txt | accounts -i pwdump -c "From the XAVIER file server" -s XAVIER

17. Import a pwdump file for the GLOBAL domain
    cat pwdump.txt | accounts -i pwdump -d GLOBAL -s DC01

18. Import a simple CSV file of usernames and passwords for the corpdom domain.
    cat accounts.csv | accounts -i fup -d corpdom

19. Import a CSV file of usernames, passwords and SIDs for the Oracle database server
    cat accounts.csv | accounts -i fupd -t ora -s DBSRV012UK

20. Import credentials from a different credential store.
    accounts -e -f ~/work/.credentialStore | accounts -i all -f ~/myMergedCredentialStore

21. Import just Windows credentials from a different credential store.
    accounts -e -f ~/work/.credentialStore -t smb | accounts -i all -f ~/myMergedCredentialStore

22. Generate a file that can be passed to medusa's -C option:
    accounts -l -t type -o sup -D: > medusaImport.txt
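
The following Python sketch is an added example, not Neet's own code. It models the rules the help text documents for "-i f[tupdscgrP]" imports: field order taken from the spec string, command-line values applied to every row, user@domain and DOMAIN\USER splitting, the per-field case rules, and the requirement for a username or password. The function names, the sample rows and the choice to let a domain embedded in the username override a supplied one are assumptions.

```python
import csv
import io

# Field letters as listed under --output / --import in the help text.
FIELDS = {"t": "type", "u": "user", "p": "pass", "d": "domain", "s": "system",
          "c": "comment", "g": "tag", "r": "rid", "P": "privilege"}
LOWER = {"type", "tag", "privilege"}   # documented as stored in lower case
UPPER = {"system"}                     # documented as stored in UPPER case
# Constructed sample input (not real data): username,password rows.
SAMPLE = "alice@corp.example,Winter2024\nCORP\\bob,hunter2\ncarol,s3cret\n"


def parse_spec(spec):
    """Turn an import spec such as 'fup' into an ordered list of field names."""
    if not spec.startswith("f") or len(spec) < 2:
        raise ValueError("CSV import spec must be 'f' followed by field letters")
    letters = spec[1:]
    unknown = [ch for ch in letters if ch not in FIELDS]
    if unknown or len(set(letters)) != len(letters):
        raise ValueError(f"bad or repeated field letters in {spec!r}")
    return [FIELDS[ch] for ch in letters]


def normalise(record):
    """Apply the documented username splitting and case rules to one record."""
    rec = {k: v for k, v in record.items() if v}
    user = rec.get("user", "")
    if "\\" in user:                      # DOMAIN\USER (assumed to override -d)
        rec["domain"], rec["user"] = user.split("\\", 1)
    elif "@" in user:                     # user@domain (assumed to override -d)
        rec["user"], rec["domain"] = user.rsplit("@", 1)
    if not rec.get("user") and not rec.get("pass"):
        raise ValueError("a credential needs a username or a password")
    rec.setdefault("type", "smb")         # smb is the assumed type
    for key in rec:
        if key in LOWER:
            rec[key] = rec[key].lower()
        elif key in UPPER:
            rec[key] = rec[key].upper()
    return rec


def import_csv(text, spec, delimiter=",", **defaults):
    """Read CSV text per spec; defaults stand in for extra command-line options."""
    names = parse_spec(spec)
    rows = csv.reader(io.StringIO(text), delimiter=delimiter)
    return [normalise({**defaults, **dict(zip(names, row))}) for row in rows if row]
```

Calling import_csv(SAMPLE, "fup", system="dbsrv04") mirrors example 18 with a -s value added: every row receives the system name in upper case, and the first two rows gain a domain from the username itself.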