- pass-the-hash:
  - needs: NTLM hash
  - accepted by: NetNTLM authentication
  - achieves: command execution, noninteractive shell, etc. (depends on the accepting service)
- pass-the-ticket:
  - needs: TGT
  - accepted by: Kerberos authentication
  - achieves: TGS, authenticate against services, crack service password by Kerberoasting the obtained TGS
- pass-the-key:
  - needs: NTLM hash-derived key (see `sekurlsa::ekeys` from Mimikatz) or just the NTLM hash (if the RC4 algorithm is accepted)
  - accepted by: Kerberos authentication
  - achieves: TGT, command execution
  - The pass-the-key attack is equivalent to overpass-the-hash if RC4 is accepted.
- overpass-the-hash:
  - needs: NTLM hash
  - accepted by: Kerberos authentication
  - achieves: TGT
  - Overpass-the-hash is a specific case of pass-the-key (where the NTLM hash alone is sufficient since RC4 is accepted).
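
The RC4 condition in the pass-the-key and overpass-the-hash entries is also the detection handle: a TGT or service ticket requested with etype 0x17 (RC4-HMAC) stands out where accounts normally use AES. The sketch below is an added example, not part of the original notes; the event records are constructed, their field names follow Windows Security events 4768 and 4769, and the function names and reason labels are illustrative.

```python
RC4_HMAC = 0x17             # Kerberos etype keyed directly by the NT hash
AES_ETYPES = {0x11, 0x12}   # AES128 / AES256
TGT_REQUEST, SERVICE_TICKET = 4768, 4769

# Constructed sample records; field names follow events 4768 and 4769.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.21", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "TargetUserName": "bob", "IpAddress": "10.0.0.22", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "TargetUserName": "bob", "IpAddress": "10.0.0.57", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "IpAddress": "10.0.0.21",
     "ServiceName": "svc-sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "svc-old", "IpAddress": "10.0.0.9", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "carol", "IpAddress": "10.0.0.30", "TicketEncryptionType": "0xFFFFFFFF"},
]

def parse_etype(value):
    """Return the etype as an int, or None for failed requests and malformed values."""
    try:
        etype = int(str(value), 16)
    except ValueError:
        return None
    return None if etype == 0xFFFFFFFF else etype  # 0xFFFFFFFF appears on audit failures

def find_rc4_requests(events):
    """Flag RC4 ticket requests; mark TGT requests from accounts that also use AES."""
    aes_users = {
        e.get("TargetUserName", "").lower()
        for e in events
        if e.get("EventID") == TGT_REQUEST
        and parse_etype(e.get("TicketEncryptionType")) in AES_ETYPES
    }
    findings = []
    for e in events:
        if e.get("EventID") not in (TGT_REQUEST, SERVICE_TICKET):
            continue
        if parse_etype(e.get("TicketEncryptionType")) != RC4_HMAC:
            continue
        user = e.get("TargetUserName", "").lower()
        if e["EventID"] == SERVICE_TICKET:
            reason = "rc4-service-ticket"
        else:
            reason = "rc4-tgt-downgrade" if user in aes_users else "rc4-tgt"
        findings.append((e["EventID"], user, e.get("IpAddress"), reason))
    return findings

if __name__ == "__main__":
    for finding in find_rc4_requests(SAMPLE_EVENTS):
        print(finding)
```

Accounts flagged `rc4-tgt` with no AES history are often legacy systems; disabling RC4 for them removes the condition under which the NTLM hash alone is sufficient.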