
[ticketer.py] Sapphire tickets #1411

Merged
merged 8 commits into from
Oct 4, 2023

Conversation

ShutdownRepo
Contributor

Sapphire tickets are similar to Diamond tickets in the way the ticket is not forged, but instead based on a legitimate one obtained after a request. The difference lies in how the PAC is modified. The Diamond ticket approach modifies the legitimate PAC to add some privileged groups (or replaces it with a fully-forged one). In the Sapphire ticket approach, the PAC of another powerful user is obtained through an S4U2self+U2U trick. This PAC then replaces the one featured in the legitimate ticket. The resulting ticket is an assembly of legitimate elements, and follows a standard ticket request, which makes it the most difficult silver/golden ticket variant to detect. (thehacker.recipes)

Adding an -impersonate flag and S4U2self+u2u capabilities to operate what I call "the sapphire ticket" technique

@gabrielg5 gabrielg5 added the in review This issue or pull request is being analyzed label Jan 26, 2023
@anadrianmanrique anadrianmanrique self-assigned this Jun 22, 2023
@ShutdownRepo
Contributor Author

@anadrianmanrique any news here?

@anadrianmanrique
Contributor

Hello @ShutdownRepo, so sorry for the late response. I'm currently testing your PR. So far it's working great. Here are some comments:

  • As the -impersonate parameter makes ticketer.py work in 'sapphire ticket mode', and given the fact that for this particular 'mode' some parameters are mandatory (aesKey, nthash, user, others?) and some others are not even taken into account (groups, extra-sid, duration, others?), a check for these preconditions should be made as soon as -impersonate gets detected (maybe in the way that it's being done at L#1193).
  • I've been thinking whether this code should be in a separate example (sapphire_ticketer.py?) but I'm not sure this is a good idea at all.

Anyway, thanks for this great work, and also for keeping an eye on the issues reported in the context of this PR

@anadrianmanrique anadrianmanrique added medium Medium priority item and removed in review This issue or pull request is being analyzed labels Sep 14, 2023
@ShutdownRepo
Contributor Author

Hey there 👋 no biggie

  • This mode (-request + -impersonate) requires the following args: domain, user, password (for the TGT request), nthash and aesKey, domain-sid, and optionally user-id. I don't remember exactly why nthash and aesKey are needed, it could work with only if I remember correctly, but for the rest it's implemented as it should afaik. I just tested it and it seems all required arguments are required at some point, so I'd say we're good to go on that part, you tell me.
  • I'm not sure it'd be a good idea. Sapphire ticket joins the family of forged tickets (golden, silver, diamond), so I think it makes sense to have this mode in ticketer.py directly. Also, a lot of the code is re-used and having a separate script would imply maintaining two separate files that share a lot of code, which I don't think is efficient.
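The precondition check the reviewer asks for above (mandatory arguments in sapphire mode, and arguments that are silently ignored in it) can be expressed as a small validation step before any ticket work begins. This is an added example, not impacket's code: the option names are modelled on the ones mentioned in this thread, the parser is a hypothetical stand-in for ticketer.py's, and the check only inspects arguments, it does no Kerberos operation.

```python
import argparse

# Hypothetical option set, modelled on the arguments discussed in this PR thread.
# Required when -impersonate is given (sapphire mode): the legitimate TGT request
# needs domain/user/password, the PAC swap needs the krbtgt keys and domain SID.
SAPPHIRE_REQUIRED = ("domain", "user", "password", "nthash", "aesKey", "domain_sid")
# Taken from the impersonated user's PAC instead, so user-supplied values are ignored.
SAPPHIRE_IGNORED = ("groups", "extra_sid", "duration")


def build_parser():
    """Stand-in parser for the options this check looks at (not ticketer.py's real one)."""
    p = argparse.ArgumentParser(description="sapphire-mode precondition check (example)")
    p.add_argument("-request", action="store_true", help="request a legitimate TGT first")
    p.add_argument("-impersonate", help="user whose PAC replaces the legitimate one")
    for opt in ("-domain", "-user", "-password", "-nthash", "-aesKey", "-domain-sid",
                "-groups", "-extra-sid", "-duration", "-user-id"):
        p.add_argument(opt)
    return p


def check_sapphire_preconditions(args):
    """Return (errors, warnings) for the parsed arguments.

    errors:   conditions that should abort before any request is made
    warnings: arguments accepted by the parser but ignored in sapphire mode
    """
    if args.impersonate is None:          # not sapphire mode, nothing to check
        return [], []
    errors = []
    if not args.request:
        errors.append("-impersonate requires -request: sapphire mode builds on a legitimate ticket")
    for dest in SAPPHIRE_REQUIRED:
        if getattr(args, dest) is None:
            errors.append("-impersonate requires -%s" % dest.replace("_", "-"))
    warnings = ["-%s is ignored in sapphire mode (PAC comes from the impersonated user)"
                % dest.replace("_", "-")
                for dest in SAPPHIRE_IGNORED if getattr(args, dest) is not None]
    return errors, warnings


if __name__ == "__main__":
    # Constructed command line: valid sapphire invocation plus one ignored argument.
    demo = build_parser().parse_args(["-request", "-impersonate", "dc-admin", "-domain", "corp.example",
                                      "-user", "alice", "-password", "pw", "-nthash", "00" * 16,
                                      "-aesKey", "11" * 32, "-domain-sid", "S-1-5-21-1-2-3",
                                      "-groups", "512"])
    for line in sum(check_sapphire_preconditions(demo), []):
        print(line)
```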
