EtherReaper maintains a single unified credentials table. Credentials are automatically added by Responder monitoring, Kerberoast/AS-REP roast scans, and the domain info import pipeline. The credential store is the source for the Saved Credentials dropdowns in all authenticated scan modals.

GET /api/credentials

Returns all credentials from the database, ordered by discovery time (newest first).
curl http://localhost:8000/api/credentials

Response

status (string): "success" on success.
credentials (array): Array of credential objects.
Example response:
{
  "status": "success",
  "credentials": [
    {
      "id": 1,
      "username": "administrator",
      "password": "Password1!",
      "hash": null,
      "domain": "corp.local",
      "source": "netexec(SMB)",
      "hostname": "DC01",
      "ip": "10.10.10.1",
      "discovered_at": "2024-01-15T14:32:07"
    }
  ]
}

POST /api/credentials/add

Adds a single credential entry directly to the database. At least one of password or hash is required.
curl -X POST http://localhost:8000/api/credentials/add \
  -H "Content-Type: application/json" \
  -d '{
    "username": "svc_sql",
    "password": "Summer2024!",
    "domain": "corp.local",
    "source": "manual"
  }'

Request Body

username (string, required): Account username. Cannot be empty.
password (string): Cleartext password. Required if hash is not provided.
hash (string): Password hash. Required if password is not provided.
domain (string): Active Directory domain.
source (string): Source label. Defaults to "manual".
hostname (string): Hostname of the source machine.
ip (string): IP address of the source machine.

Response

{ "status": "success" }

DELETE /api/credentials/

Deletes a single credential by its database ID.
curl -X DELETE http://localhost:8000/api/credentials/42

Path Parameter

cred_id (integer, required): Integer ID of the credential to delete.

Response

{ "status": "success" }

POST /api/credentials/bulk-delete

Deletes multiple credentials by their IDs in a single operation.
curl -X POST http://localhost:8000/api/credentials/bulk-delete \
  -H "Content-Type: application/json" \
  -d '{"ids": [1, 2, 3, 7, 12]}'

Request Body

ids (array, required): Array of integer credential IDs to delete.

Response

status (string): "success" on success.
deleted (integer): Number of records actually deleted.

POST /api/credentials/import/netexec

Scans all NetExec workspaces (~/.nxc/workspaces/) and imports any credentials NetExec has stored there into the EtherReaper credential database. Deduplicates against existing entries. This is the primary way to pull in credentials discovered during any NetExec session.
curl -X POST http://localhost:8000/api/credentials/import/netexec
No request body required.

Response

status (string): "success" on success.
imported (integer): Number of new credential records added.
message (string): Human-readable summary.

POST /api/credentials/import-lsa-secrets

Parses raw LSA secrets dump output (e.g. from secretsdump.py or netexec --lsa) and imports extracted credentials. Handles the common DOMAIN\user:NTLM_HASH and _SC_* service account formats.
curl -X POST http://localhost:8000/api/credentials/import-lsa-secrets \
  -H "Content-Type: application/json" \
  -d '{"text": "[*] Dumping LSA Secrets\nDOMAIN\\svc_sql:$DCC2$10240#...#hash"}'

Request Body

text (string, required): Raw LSA secrets dump output as a string.

Response

status (string): "success" on success.
imported (integer): Number of credentials imported.

POST /api/credentials/import/file

Imports credentials from an uploaded text file. Supports two formats:
  • Secretsdump format: DOMAIN\user:RID:lmhash:nthash:::
  • Simple format: username:password or DOMAIN\user:password or user@domain:password
curl -X POST http://localhost:8000/api/credentials/import/file \
  -F "file=@/path/to/creds.txt"

Request

multipart/form-data file upload.
file (file, required): Text file containing credentials, one per line.

Response

status (string): "success" on success.
imported (integer): Number of credential records imported.
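
The two line formats listed for this endpoint, as an added Python example that is not EtherReaper's import code: it classifies each line and maps it to the fields of the /api/credentials/add request body, so a file can be checked for unrecognised lines before upload. Keeping the secretsdump pair as "lmhash:nthash" in hash, the "file" source label, and the sample lines are assumptions.

```python
import re

# Secretsdump format from the page: DOMAIN\user:RID:lmhash:nthash:::
SECRETSDUMP = re.compile(r"^(?P<account>[^:]+):\d+:"
                         r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")

# Constructed sample input (empty-password LM/NT constants, made-up accounts).
SAMPLE = "\n".join([
    r"CORP\jdoe:1104:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "svc_web:Example-Pass1", r"CORP\backup:P@ss:word",
    "alice@corp.local:Example-Pass2", "not-a-credential",
])

def split_account(account):
    """Split DOMAIN\\user or user@domain into (domain, username)."""
    if "\\" in account:
        return tuple(account.split("\\", 1))
    if "@" in account:
        user, domain = account.rsplit("@", 1)
        return domain, user
    return None, account

def parse_line(line, source="file"):  # "file" is an assumed source label
    """Return a dict shaped like the /api/credentials/add body, or None."""
    line = line.strip()
    m = SECRETSDUMP.match(line)
    if m:
        account, password = m["account"], None
        cred_hash = f"{m['lm']}:{m['nt']}"  # assumption: keep the LM:NT pair
    else:
        # Simple format: split on the first colon so passwords may contain ':'
        account, _, password = line.partition(":")
        cred_hash = None
    domain, user = split_account(account)
    if not user or not (password or cred_hash):
        return None  # page: username required, plus a password or a hash
    return {"username": user, "password": password, "hash": cred_hash,
            "domain": domain, "source": source}

def parse_file_text(text):
    """Return (records, line numbers that match neither documented format)."""
    records, rejected = [], []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec:
            records.append(rec)
        elif line.strip():
            rejected.append(n)
    return records, rejected
```

The secretsdump pattern is tried first because such a line would otherwise also parse as a simple username:password pair.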

GET /api/credentials/responder

Returns only credentials captured by the Responder monitoring process (source "responder"). Ordered by discovery time, newest first.
curl http://localhost:8000/api/credentials/responder

Response

status (string): "success" on success.
credentials (array): Array of credential objects (same schema as /api/credentials), all with source: "responder".

GET /api/credentials/kerberoast

Returns credentials with source = "kerberoast" — the Kerberos TGS hashes captured during Kerberoasting. These are in Hashcat/John format and ready for offline cracking.
curl http://localhost:8000/api/credentials/kerberoast

Response

status (string): "success" on success.
hashes (array): Array of credential objects where hash contains the Kerberos TGS hash.

GET /api/credentials/asreproast

Returns credentials with source = "asreproast" — AS-REP hashes captured from accounts with Kerberos pre-authentication disabled. Ready for offline cracking with Hashcat mode 18200.
curl http://localhost:8000/api/credentials/asreproast

Response

status (string): "success" on success.
hashes (array): Array of credential objects where hash contains the AS-REP hash.