[ticketer.py] Sapphire tickets

[ShutdownRepo]

Sapphire tickets are similar to Diamond tickets in the way the ticket is not forged, but instead based on a legitimate one obtained after a request. The difference lays in how the PAC is modified. The Diamond ticket approach modifies the legitimate PAC to add some privileged groups (or replace it with a fully-forged one). In the Sapphire ticket approach, the PAC of another powerful user is obtained through an S4U2self+u2u trick. This PAC then replaces the one featured in the legitimate ticket. The resulting ticket is an assembly of legitimate elements, and follows a standard ticket request, which makes it then most difficult silver/golden ticket variant to detect. (thehacker.recipes)

Adding an -impersonate flag and S4U2self+u2u capabilities to operate what I call "the sapphire ticket" technique

[ShutdownRepo]

@anadrianmanrique any news here?

[anadrianmanrique]

Hello @ShutdownRepo , so sorry for the late response. I'm currently testing your PR. So far it's working great. Here some comments:

• As -impersonate parameter makes ticketer.py to work in 'sapphire ticket mode', and given the fact that for this particular 'mode' some parameters are mandatory ( aesKey , nthash, user, others? ) and some others are not even taken into account ( groups, extra-sid, duration, others? ) a check for these preconditions should be made as soon as -impersonate gets detected ( maybe in the way that it's being done at L#1193 ).
• I've been thinking whether this code should be in a separate example (sapphire_ticketer.py ? ) but I'm not sure this is a good idea at all.

Anyway, thanks for this great work, and also for keeping an eye on the issues reported in the context of this PR

[ShutdownRepo]

Hey there 👋 no biggie

• This mode (-request + -impersonate) requires the following args: domain, user, password (for TGT request), nthash and aesKey, domain-sid, and optionally user-id. I don't remember exactly why nthash and aesKey are needed, it could work with only if I remember correctly, but for the rest it's implemented as it should afaik. I just tested it and it seems all required are arguments are required at some point, so I should we're good to go on that part, you tell me
• I'm not sure it'd be a good idea. Sapphire ticket joins the family of forged ticket (golden, silver, diamond) I think it makes sense to have this mode in ticketer.py directly. Also, a lot of the code is re-used and having a separate script would imply maintain two separate files that share a lot of code, which I don't think is efficient.