Credential Management

Adding Credentials

#

Interactive CLI

#

1
2
3
4
5
6

tantoc2[my-op]> creds add
Credential type (plaintext/hash/ticket/ssh_key/token/api_key/certificate): plaintext
Username: admin
Secret: ********
Domain (optional): CORP
Notes (optional): Found in config file

Web UI

#

Credentials page > “Add Credential” > fill the form > Create.

Listing Credentials

#

CLI:

1

tantoc2[my-op]> creds list

Web UI: Credentials page shows a searchable table with type, username, domain, and source.

Searching

#

Filter by type, username, domain, source host, or source module:

1
2
3

tantoc2[my-op]> creds search --cred-type plaintext
tantoc2[my-op]> creds search --domain CORP
tantoc2[my-op]> creds search --username admin

Web UI: Use the filter fields above the credentials table.

Exporting

#

1
2
3

tantoc2[my-op]> creds export --format json
tantoc2[my-op]> creds export --format csv
tantoc2[my-op]> creds export --format hashcat

API:

1
2
3

GET /api/v1/credentials/export?format=json
GET /api/v1/credentials/export?format=csv
GET /api/v1/credentials/export?format=hashcat

Auto-Extraction

#

When server-side modules return credential data (e.g., hash dump results), credentials are automatically extracted and stored with full provenance:

• Source agent — which agent the credential came from
• Source module — which module extracted it
• Timestamp — when it was extracted

Module authors implement this in parse_result() by returning ExtractedCredential objects. See Building Tools Modules for details on credential extraction.

Credential Types

#

Integration with Tools

#

Credentials stored in the store can be consumed by tools modules via --cred-id. The manager decrypts the credential and passes it to the module automatically. See Tools.

At-Rest Encryption

#

All credential secrets are encrypted in the engagement database using the engagement’s master key (derived from the passphrase via PBKDF2). See Security Model.