Overpass-the-Hash
Overpass-the-Hash (OtH) lets an attacker turn a user's NTLM hash into a valid Kerberos TGT, enabling Kerberos-based lateral movement without sending NTLM authentication over the network. Tools such as Mimikatz make this possible by starting a new process (e.g., PowerShell) whose network credential is the injected hash; the first time that process touches a Kerberos service, the hash is used as the RC4 key to request a TGT. This lets the attacker avoid NTLM and use any Kerberos-aware tool. The OtH attack works as follows:
The attacker gains administrator access on a machine where the target user has logged in interactively (e.g., via RDP or RunAs).
The user's NTLM hash is cached in memory (LSASS) on that machine and the attacker extracts it with mimikatz.
The attacker uses the hash to start a new process (e.g., PowerShell) running under the target user's network identity; the Kerberos TGT is requested from that NTLM hash the first time the process contacts a Kerberos service.
With the TGT, the attacker can authenticate to and interact with Kerberos-based services (e.g., CIFS, RDP, PsExec).
The OtH attack:
Bypasses NTLM restrictions and avoids triggering certain detections.
Enables tools like native PsExec, WinRM, or RDP to be used.
Exploits the trust model of Kerberos by impersonating a user with a valid TGT.
Is stealthier than traditional PtH since it doesn't rely on direct NTLM auth over the network. It is not silent, though: spawning the process creates a logon of type 9 (NewCredentials) on the source host, and because the TGT is requested with the NTLM hash the AS-REQ uses RC4-HMAC, so the domain controller logs event 4768 with ticket encryption type 0x17, which stands out in domains where AES is the norm.
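The two artefacts mentioned above are worth checking from the defender's side. The following PowerShell is an added example, not part of the original page or of any tool it describes. It assumes an elevated shell with read access to the Security log; the 4624 query is meant to run on the source workstation and the 4768 query on a domain controller. The helper name ConvertFrom-EventData is our own.

```powershell
# Added example (not from the original page): hunt for the artefacts Overpass-the-Hash still leaves.
# Assumptions: elevated session; Security log readable; run the 4624 search on the source host and
# the 4768 search on a domain controller. ConvertFrom-EventData is a hypothetical helper defined here.

function ConvertFrom-EventData {
    # Flatten an event's EventData <Data Name="..."> entries into a hashtable keyed by Name.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $x = [xml]$Event.ToXml()
    $h = @{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
    foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return [pscustomobject]$h
}

# Artefact 1 (source host): sekurlsa::pth creates a NewCredentials logon (type 9) for the caller.
# The alternate account (jen) is not written into this event, so pivot on time, logon process and process name.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-EventData $_ } |
    Where-Object { $_.LogonType -eq '9' } |
    Select-Object TimeCreated, SubjectUserName, LogonProcessName, AuthenticationPackageName, ProcessName |
    Format-Table -AutoSize

# Artefact 2 (domain controller): a TGT requested with the NTLM hash uses RC4-HMAC, so a successful
# 4768 carries TicketEncryptionType 0x17. Review every hit in a domain that otherwise issues AES tickets.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768 } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-EventData $_ } |
    Where-Object { $_.TicketEncryptionType -eq '0x17' -and $_.Status -eq '0x0' } |
    Select-Object TimeCreated, TargetUserName, IpAddress, TicketEncryptionType |
    Format-Table -AutoSize
```

Correlating a type 9 logon on a workstation with an RC4 TGT request for a different account from that workstation's IP a few seconds later is the pattern to look for; either event alone also has benign causes (RunAs /netonly, legacy hosts).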
In our scenario, our target user (jen) has logged in interactively and we have local administrator access on the target machine.
When we list the cached tickets with klist right after spawning the process, we expect none to be shown, because no Kerberos-authenticated service has been accessed yet.
If we now use a Kerberos-authenticated service, such as CIFS, a TGT for krbtgt/CORP.COM and a TGS for cifs/files04 will be generated.
We have successfully converted the NTLM hash into a TGT and can now use any Kerberos-based authentication tool, such as PsExec. No hash or password is entered again; the Kerberos ticket is used silently.