Credential Types#
| Type | Description | Typical Secret Format |
|---|---|---|
plaintext | Password in cleartext | P@ssw0rd! |
hash | Password hash | aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117... (NT hash) |
ticket | Kerberos ticket | Base64-encoded .ccache or .kirbi content |
ssh_key | SSH private key | PEM-encoded private key |
token | Bearer or session token | eyJhbGc... |
api_key | API key | sk_live_... |
certificate | X.509 certificate | PEM or DER content |
Adding Credentials#
CLI (Recommended for Interactive Use)#
| |
Required fields: --type, --username, --secret
Optional fields: --domain, --notes
Tip: For SSH keys, pass the private key file contents as --secret. In bash:
| |
Web UI#
Credentials page > “Add Credential” > fill in the form > click “Create”.
The type dropdown is populated from the server, so it always reflects the supported types.
Listing Credentials#
| |
Output columns: ID (truncated), Type, Username, Domain, Source.
The source column shows which module extracted the credential (for auto-extracted credentials) or the operator username (for manually added ones).
Web UI: Credentials page — table with all credentials. Secrets are hidden by default. Click the eye icon to reveal (triggers a server request — the secret is decrypted and returned over TLS, never stored in the browser).
Searching and Filtering#
CLI#
| |
Multiple filters are applied with AND semantics.
Web UI#
The Credentials page has two filter controls:
- Text search: Searches across username, domain, source module, and notes
- Type dropdown: Filter by credential type
Both filters are applied simultaneously. A count indicator shows how many credentials match.
Exporting Credentials#
CLI#
| |
Output is printed to stdout. Redirect to a file:
| |
Or from outside the shell:
| |
Web UI#
Credentials page > export dropdown in the header. Select a format. The browser downloads the file directly.
Export Formats#
| Format | Contents | Use Case |
|---|---|---|
json | Full credential data including type, username, domain, source, notes | Archiving, cross-tool import |
csv | Spreadsheet-friendly tabular format | Reporting, quick review |
hashcat | username:hash lines (NT hashes only) | Pass the file directly to hashcat |
hash-type credentials. Plaintext and other types are excluded. Use json or csv to export everything.Auto-Extracted Credentials#
When a module returns credential data (e.g., a hash-dump module), the teamserver automatically parses the result and adds the credentials to the store with full provenance:
- Source agent — which agent the credential came from
- Source module — which module extracted it
- Timestamp — when it was extracted
These appear in creds list with the source set to the module name (e.g., hashdump) rather than an operator username.
Using Credentials with Tools#
Credentials stored in the store can be used directly by tools modules — no need to pass secrets on the command line.
Find the credential:
| |
Note the credential ID (first column in the output).
Set it in the tools shell:
| |
The teamserver decrypts the credential and passes it to the tool plugin automatically. The plaintext secret is never logged or exposed to the operator.
Web UI: In the Tools page, select a credential from the credential picker dropdown when configuring a tool operation.
Security Model#
All credential secrets are encrypted at rest using the engagement’s master key:
- The engagement passphrase (provided at creation) is processed through PBKDF2 to derive the master key
- Each credential’s secret is encrypted with AES-256-GCM using the master key
- The master key is never stored in the database — it is derived on demand from the passphrase
This means:
- Credential data at rest is unreadable without the engagement passphrase
- The passphrase is never stored — if you lose it, secrets cannot be recovered
- Even with full database access, an attacker cannot read credential secrets without the passphrase
When archiving: The archive file is encrypted with the same passphrase. Store archives and passphrases separately.
Credential Management by Role#
| Action | Admin | Operator | Spectator | Collector |
|---|---|---|---|---|
| View credential list (no secrets) | Yes | Yes | Yes | Yes |
| View credential secret | Yes | Yes | Yes | Yes |
| Add credential | Yes | Yes | No | No |
| Delete credential | Yes | Yes | No | No |
| Export credentials | Yes | Yes | No | No |
| Search / filter | Yes | Yes | Yes | Yes |
Spectators and collectors can view the credential list and reveal secrets. They cannot add, delete, or export credentials.
Quick Reference#
| Task | Command |
|---|---|
| List all credentials | creds list |
| Add a credential | creds add --type X --username X --secret X |
| Search by type | creds search --type hash |
| Search by username | creds search --username alice |
| Search by domain | creds search --domain CORP |
| Export JSON | creds export --format json |
| Export CSV | creds export --format csv |
| Export for Hashcat | creds export --format hashcat |
Common Mistakes#
Wrong type for SSH keys — Use --type ssh_key, not --type plaintext. The tools module uses the type to determine the authentication method.
Hashcat export is empty — Only hash-type credentials appear in hashcat format. Check your credentials have type hash and not plaintext.
Forgot the credential ID — Run creds search --username <name> to find it. IDs are UUIDs — tab completion in the tools shell will also suggest them after set cred .
Lost the engagement passphrase — Credential secrets cannot be recovered without it. Write it down somewhere secure at engagement creation.
Related Pages#
- Tools (Agentless Operations) — using credentials with SSH and other tools
- Engagement Workflow — where credential collection fits
- Security Model — cryptographic details