New Active Directory Pentesting Tool: KeyCredentialLink Management

The RedTeamPentesting company has introduced a new tool called keycred for managing and auditing KeyCredentialLink in Active Directory (AD) environments. This tool plays a crucial role in security testing of AD systems and identifying vulnerabilities. With keycred, system administrators and penetration testers can manage the msDS-KeyCredentialLink attribute, add and remove certificates, and perform other operations.

Key Features of keycred:

Authentication Methods:

• Kerberos (password, NT hash, AES key, CCache, PKINIT).
• mTLS (mutual TLS authentication).
• NTLM (via password or NT hash).
• SimpleBind authentication.

UnPAC-the-Hash:

• Allows extracting a user’s NT hash via PKINIT Kerberos authentication.

Cross-Platform Compatibility:

• Available as a single binary file, making it usable across multiple operating systems.

Certificate Management:

• Supports certificates with otherName SAN extensions, enabling authentication without specifying a username or domain.

Backup and Recovery:

• Backup and restore KeyCredentialLinks, which is useful when modifying computer account attributes.

Strict Compliance with Standards:

• keycred generates KeyCredentialLink in accordance with security standards for safely modifying the msDS-KeyCredentialLink attribute.

Supported Commands in keycred:

• Add – Generates certificates/keys and registers them in LDAP.
• List – Displays KeyCredentialLink for a specified or all users.
• Remove/Clear – Deletes one or all KeyCredentialLink entries of a user.
• Backup/Restore – Backs up existing KeyCredentialLink and restores them when needed.
• Authentication Tools – Extracts NT hashes via PKINIT (auth) or clears KeyCredentialLink after credential retrieval (burn).

Additional Tool: pfxtool

The keycred project includes a supporting tool called pfxtool, which allows users to:

• Create, split, encrypt, decrypt, and verify PFX files.
• This significantly simplifies certificate management.

How keycred Can Be Used for Attack Simulation

With keycred, penetration testers can identify AD vulnerabilities by simulating the following attack scenarios:

Shadow Credentials

• Attackers can add alternative credentials (certificates) to a target account.
• If the system is misconfigured, this could allow an attacker to take control of the account.

Privilege Escalation & Lateral Movement

• By adding KeyCredentialLink, attackers can escalate privileges within the domain and gain access to other systems.

Advantages of keycred

🔹 Comprehensive functionality – Compared to similar tools (e.g., pyWhisker), keycred offers broader capabilities.
🔹 Standard compliance – The tool strictly adheres to Microsoft’s Active Directory technical specifications.
🔹 Cross-platform compatibility – Provided as a single binary, making it easy to use across different operating systems.
🔹 Flexible certificate management – Allows direct certificate management without relying on external tools (such as OpenSSL).

Use Cases of keycred

✅ Penetration Testing – Identifying vulnerabilities in AD and simulating attacks.
✅ Incident Response – Detecting unauthorized modifications in the msDS-KeyCredentialLink attribute.
✅ System Administration – Securely managing KeyCredentialLink while complying with AD security standards.

Security Recommendations

🛡️ Regular System Audits – Periodically check the KeyCredentialLink attribute for suspicious modifications.
🔑 Strengthening Authentication – Use multi-factor authentication (MFA) and strong passwords.
📜 Certificate Management – Regularly update and securely store certificates.
🎓 Staff Training – Conduct cybersecurity awareness training for system administrators.
🚨 Eliminate Vulnerabilities – Immediately fix any weaknesses detected in KeyCredentialLink management.

keycred is a powerful tool for security auditing and management in Active Directory environments. Its extensive functionality and strict compliance with standards make it highly valuable for penetration testers and system administrators.

However, such tools require responsible use, as they could be exploited by malicious actors.

To protect critical systems like Active Directory, organizations should:
✅ Implement security auditing tools.
✅ Conduct regular security assessments.
✅ Educate employees about cybersecurity risks.

Only through such proactive measures can organizations effectively safeguard their infrastructure against cyber threats.