• pass-the-hash:
    • needs: NTLM hash
    • accepted by: NetNTLM authentication
    • achieves: command execution, noninteractive shell, etc (depends on the accepting service)
  • pass-the-ticket:
    • needs: TGT
    • accepted by: Kerberos authentication
    • achieves: TGS, authenticate against services, crack service password by Kerberoasting the obtained TGS
  • pass-the-key:
    • needs: NTLM hash-derived key (see sekurlsa::ekeys from Mimikatz) or just NTLM hash (if RC4 algorithm is accepted)
    • accepted by: Kerberos authentication
    • achieves: TGT, command execution
    • Pass-the-key attack is equivalent to overpass-the-hash if RC4 is accepted.
  • overpass-the-hash:
    • needs: NTLM hash
    • accepted by: Kerberos authentication
    • achieves: TGT
    • Overpass-the-hash is a specific case of pass-the-key (where NTLM hash alone is sufficient since RC4 is accepted)