@Mercury0

Summary

Enhances ticketer.py to support sapphire ticket generation using an existing TGT from ccache, with automatic extraction of domain information from the ticket's PAC. This brings sapphire ticket generation in line with other Impacket tools' authentication patterns. Unlike golden tickets, sapphire tickets use legitimate PAC data from a real TGT (obtained via S4U2self+U2U) rather than offline generation.

Changes

  • New flags: Added -k and -no-pass flags to use existing Kerberos credentials from ccache (via KRB5CCNAME)
  • Auto-extraction: Automatically extracts domain name and domain SID from TGT PAC when krbtgt AES key is provided
  • AES-only support: Enables sapphire ticket generation with only the krbtgt AES key, eliminating the need for the NTLM hash in environments where RC4 is deprecated
  • Optional parameters: Made -domain and -domain-sid optional when these values can be derived from the TGT

Usage Example

Before:

ticketer.py -request -impersonate 'admin' \
  -domain 'corp.local' -domain-sid 'S-1-5-21-...' \
  -user 'lowpriv' -password 'Password123!' \
  -nthash <krbtgt_hash> -aesKey <krbtgt_aes> \
  -user-id '500' \
  'sapphire'

After (with ccache):

export KRB5CCNAME=$(pwd)/lowpriv.ccache
ticketer.py -request -impersonate 'admin' \
  -k -no-pass \
  -aesKey <krbtgt_aes> \
  -user-id '500' \
  'sapphire'

Domain, domain-sid, and username are automatically extracted from the TGT in the ccache.

Benefits

  1. Simplified workflow: Reduces required command-line arguments by leveraging existing credentials
  2. Consistency: Matches authentication patterns used in other Impacket tools (getST.py, secretsdump.py, etc.)
  3. Flexibility: Still supports traditional authentication methods while adding ccache support
  4. Better OPSEC: Can use existing tickets without re-authenticating with passwords

Testing

Tested with:

  • Sapphire ticket generation using ccache with AES256 encryption
  • Automatic domain/SID extraction from TGT PAC
  • Backward compatibility with existing command-line syntax

@Mercury0 Mercury0 requested a review from aconite33 October 31, 2025 21:29
@Mercury0 Mercury0 added the enhancement New feature or request label Oct 31, 2025

@aconite33 aconite33 left a comment

Approved.

@aconite33 aconite33 merged commit e3bbdba into master Nov 10, 2025
11 checks passed

Labels

enhancement New feature or request Examples

3 participants