Creates a Kerberos golden/silver tickets based on user options.
Install Impacket.
ticketer.py [-h] [-spn SPN] [-request] -domain DOMAIN -domain-sid DOMAIN_SID [-aesKey hex key] [-nthash NTHASH] [-keytab KEYTAB] [-groups GROUPS] [-user-id USER_ID] [-extra-sid EXTRA_SID] [-extra-pac] [-old-pac]
[-duration DURATION] [-ts] [-debug] [-user USER] [-password PASSWORD] [-hashes LMHASH:NTHASH] [-dc-ip ip address] [-impersonate IMPERSONATE]
target
Impacket v0.12.0.dev1+20240718.115833.4e0e3174 - Copyright 2023 Fortra
positional arguments:
target username for the newly created ticket
options:
-h, --help show this help message and exit
-spn SPN SPN (service/server) of the target service the silver ticket will be generated for. if omitted, golden ticket will be created
-request Requests ticket to domain and clones it changing only the supplied information. It requires specifying -user
-domain DOMAIN the fully qualified domain name (e.g. contoso.com)
-domain-sid DOMAIN_SID
Domain SID of the target domain the ticker will be generated for
-aesKey hex key AES key used for signing the ticket (128 or 256 bits)
-nthash NTHASH NT hash used for signing the ticket
-keytab KEYTAB Read keys for SPN from keytab file (silver ticket only)
-groups GROUPS comma separated list of groups user will belong to (default = 513, 512, 520, 518, 519)
-user-id USER_ID user id for the user the ticket will be created for (default = 500)
-extra-sid EXTRA_SID Comma separated list of ExtraSids to be included inside the ticket's PAC
-extra-pac Populate your ticket with extra PAC (UPN_DNS)
-old-pac Use the old PAC structure to create your ticket (exclude PAC_ATTRIBUTES_INFO and PAC_REQUESTOR
-duration DURATION Amount of hours till the ticket expires (default = 24*365*10)
-ts Adds timestamp to every logging output
-debug Turn DEBUG output ON
-impersonate IMPERSONATE
Sapphire ticket. target username that will be impersonated (through S4U2Self+U2U) for querying the ST and extracting the PAC, which will be included in the new ticket
authentication:
-user USER domain/username to be used if -request is chosen (it can be different from domain/username
-password PASSWORD password for domain/username
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-dc-ip ip address IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter
Examples:
./ticketer.py -nthash <krbtgt/service nthash> -domain-sid <your domain SID> -domain <your domain FQDN> baduser
will create and save a golden ticket for user 'baduser' that will be all encrypted/signed used RC4.
If you specify -aesKey instead of -ntHash everything will be encrypted using AES128 or AES256
(depending on the key specified). No traffic is generated against the KDC. Ticket will be saved as
baduser.ccache.
./ticketer.py -nthash <krbtgt/service nthash> -aesKey <krbtgt/service AES> -domain-sid <your domain SID> -domain <your domain FQDN> -request -user <a valid domain user> -password <valid domain user's password> baduser
will first authenticate against the KDC (using -user/-password) and get a TGT that will be used
as template for customization. Whatever encryption algorithms used on that ticket will be honored,
hence you might need to specify both -nthash and -aesKey data. Ticket will be generated for 'baduser'
and saved as baduser.ccache