Skip to content

Add ccache support and domain info extraction logic for sapphire tickets #5

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 10, 2025
Merged

Add ccache support and domain info extraction logic for sapphire tickets #5

merged 1 commit into from
Nov 10, 2025

Conversation

@Mercury0
Copy link

@Mercury0 Mercury0 commented Oct 31, 2025

Summary

Enhances ticketer.py to support sapphire ticket generation using an existing TGT from ccache, with automatic extraction of domain information from the ticket's PAC. This brings sapphire ticket generation in line with other Impacket tools' authentication patterns. Unlike golden tickets, sapphire tickets use legitimate PAC data from a real TGT (obtained via S4U2self+U2U) rather than offline generation.

Changes

  • New flags: Added -k and -no-pass flags to use existing Kerberos credentials from ccache (via KRB5CCNAME)
  • Auto-extraction: Automatically extracts domain name and domain SID from TGT PAC when krbtgt AES key is provided
  • AES-only support: Enables sapphire ticket generation with only the krbtgt AES key, eliminating the need for the NTLM hash in environments where RC4 is deprecated
  • Optional parameters: Made -domain and -domain-sid optional when these values can be derived from the TGT

Usage Example

Before:

ticketer.py -request -impersonate 'admin' \
  -domain 'corp.local' -domain-sid 'S-1-5-21-...' \
  -user 'lowpriv' -password 'Password123!' \
  -nthash <krbtgt_hash> -aesKey <krbtgt_aes> \
  -user-id '500' \
  'sapphire'
image

After (with ccache):

export KRB5CCNAME=$(pwd)/lowpriv.ccache
ticketer.py -request -impersonate 'admin' \
  -k -no-pass \
  -aesKey <krbtgt_aes> \
  -user-id '500' \
  'sapphire'
image

Domain, domain-sid, and username are automatically extracted from the TGT in the ccache.

Benefits

  1. Simplified workflow: Reduces required command-line arguments by leveraging existing credentials
  2. Consistency: Matches authentication patterns used in other Impacket tools (getST.py, secretsdump.py, etc.)
  3. Flexibility: Still supports traditional authentication methods while adding ccache support
  4. Better OPSEC: Can use existing tickets without re-authenticating with passwords

Testing

Tested with:

  • Sapphire ticket generation using ccache with AES256 encryption
  • Automatic domain/SID extraction from TGT PAC
  • Backward compatibility with existing command-line syntax

@Mercury0 Mercury0 requested a review from aconite33 October 31, 2025 21:29
@Mercury0 Mercury0 added the enhancement New feature or request label Oct 31, 2025
aconite33
aconite33 approved these changes Nov 10, 2025
View reviewed changes
Copy link

@aconite33 aconite33 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved.

@aconite33 aconite33 merged commit e3bbdba into master Nov 10, 2025
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aconite33 aconite33 aconite33 approved these changes

Assignees

No one assigned

Labels

enhancement New feature or request Examples

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Mercury0 @aconite33