RedTeamPentesting has released keycred, a tool for managing KeyCredentialLinks in Active Directory (AD) environments. This command-line interface (CLI) tool and library implements the KeyCredentialLink format as specified in Microsoft's Active Directory Technical Specification (MS-ADTS). It is aimed at both penetration testers and system administrators, who can use keycred for security management of these credentials.
One of the distinctive features of the keycred tool lies in its comprehensive set of functionalities for manipulating the msDS-KeyCredentialLink LDAP attribute. With this tool at their disposal, users can register, list, and manage KeyCredentialLinks effectively. Keycred stands out due to several key features:
- Authentication Mechanisms: keycred supports various authentication methods, including Kerberos (via password, NT hash, AES key, CCache, and PKINIT), mTLS, NTLM (password or NT hash), and SimpleBind.
- UnPAC-the-Hash: This feature allows the retrieval of user NT hashes through PKINIT Kerberos authentication.
- Cross-Platform Compatibility: The tool is available as a single binary, which supports multiple operating systems seamlessly.
- Certificate Integration: Keycred enables the usage of certificates with otherName SAN extensions without needing to specify usernames or domains.
- Backup and Restore Capabilities: It simplifies the process of backing up and restoring KeyCredentialLinks, which is particularly beneficial when computer account attributes are altered.
- Strict Compliance: The tool generates KeyCredentialLinks compliant with validated write rules, ensuring secure modifications to msDS-KeyCredentialLink attributes.
The functionality of the keycred CLI extends to various commands. Users can add, list, remove, and back up KeyCredentialLinks as part of their security management strategies. This versatility allows penetration testers to simulate advanced attacks, including Shadow Credentials, whereby attackers can append alternate credentials such as certificates to target accounts, creating opportunities for account takeover if vulnerabilities exist.
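As an added, defender-side example (not code from keycred or from the original article): a small Python scanner that flags msDS-KeyCredentialLink additions in Windows Security event 5136 ("A directory service object was modified") records, treating a principal writing to its own object (the validated-write case used by device key enrollment) as lower priority than a write to another account's object. The event records are constructed for this example, and the comparison of the subject name against the object's CN assumes the CN equals the sAMAccountName, which holds for computer accounts but not always for users.

```python
import json

KEYCRED_ATTR = "msds-keycredentiallink"
VALUE_ADDED = "%%14674"  # OperationType in event 5136 for "Value Added"

# Constructed sample events in the newline-delimited JSON shape a SIEM
# forwarder might emit for Windows Security events; not real telemetry.
SAMPLE_EVENTS = """
{"EventID": 5136, "SubjectUserName": "WS01$", "ObjectDN": "CN=WS01,OU=Workstations,DC=corp,DC=local", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"}
{"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=corp,DC=local", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"}
{"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": "CN=jdoe,OU=Users,DC=corp,DC=local", "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"}
{"EventID": 4624, "SubjectUserName": "jdoe", "LogonType": 3}
{"EventID": 5136, "SubjectUserName": "svc-backup", "ObjectDN": "CN=FS02,OU=Servers,DC=corp,DC=local", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14675"}
"""


def first_rdn_value(dn):
    """Return the value of the leading RDN ("CN=WS01,..." -> "ws01")."""
    return dn.split(",", 1)[0].split("=", 1)[-1].strip().lower()


def classify(event):
    """Return a finding for a KeyCredentialLink value addition, else None."""
    if event.get("EventID") != 5136:
        return None
    if event.get("AttributeLDAPDisplayName", "").lower() != KEYCRED_ATTR:
        return None
    if event.get("OperationType") != VALUE_ADDED:
        return None  # deletions are worth logging, but the takeover step is an addition
    subject = event.get("SubjectUserName", "").rstrip("$").lower()
    target = first_rdn_value(event.get("ObjectDN", ""))
    # Self-write: matches the validated-write case (device key enrollment).
    # Write to another object: the Shadow Credentials pattern.
    # Assumption: the object's CN equals its sAMAccountName.
    severity = "info" if subject == target else "high"
    return {"severity": severity, "subject": event["SubjectUserName"],
            "target": event["ObjectDN"]}


def scan(raw_lines):
    """Parse newline-delimited JSON events and collect findings in order."""
    findings = []
    for line in raw_lines.strip().splitlines():
        finding = classify(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['subject']} added a KeyCredentialLink on {f['target']}")
```

Feeding real 5136 exports requires that "Audit Directory Service Changes" is enabled and that the object's SACL audits writes to the attribute; without that, no 5136 record is generated.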
Previous tools like pyWhisker have provided options for manipulating msDS-KeyCredentialLink, but keycred takes this role to the next level through its well-rounded feature set and commitment to compliance standards. This tool not only simplifies cross-platform use by providing everything needed as one executable but also enhances usability by integrating PFX file management directly, removing dependence on external utilities like OpenSSL or certutil.
This release is poised to be transformative for Active Directory penetration testing and administration. Both red teams and blue teams can benefit from this tool: red teams can employ it to identify vulnerabilities, and blue teams can use its insights for improved threat mitigation. With reliance on Active Directory for identity management rising, keycred is certain to support organizations' security strategies effectively.
Meanwhile, addressing another significant aspect of security, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a severe security flaw affecting the Craft content management system (CMS) to its Known Exploited Vulnerabilities (KEV) catalog. This addition came after evidence showed active exploitation of the vulnerability, tracked as CVE-2025-23209, which carries a CVSS score of 8.1. The flaw affects Craft CMS versions 4 and 5 and was patched by the project maintainers in late December 2024 in versions 4.13.8 and 5.5.8.
The vulnerability is characterized as a code injection flaw, which allows for remote code execution. This is particularly alarming considering the affected versions contain compromised user security keys. CISA has advised all users of Craft CMS to urgently apply the fixes, especially Federal Civilian Executive Branch (FCEB) agencies, which are required to implement necessary updates by March 13, 2025.
Craft CMS provided guidelines for those unable to upgrade to patched versions, recommending the rotation of security keys and ensuring their privacy to help mitigate the risks associated with the vulnerability. It remains unclear how these user security keys were initially compromised and under what circumstances, raising questions about the operational security measures users must adopt.
Both pieces of news highlight the pressing need for active security measures against vulnerabilities. While the keycred tool offers advanced management capabilities aimed at fortifying identity management systems, the vulnerability highlighted by CISA serves as a stark reminder of the risks inherent to widely used software solutions. Consequently, organizations must prioritize their security practices to protect against potential breaches and maintain system integrity.