Overpass-the-Hash is a credential misuse technique that bridges Pass-the-Hash and Pass-the-Ticket attacks. It allows attackers to leverage an NTLM hash to request a Kerberos Ticket-Granting Ticket (TGT) from the Key Distribution Center (KDC) in an Active Directory environment, effectively converting NTLM credentials into Kerberos credentials without needing the plaintext password.
Credential Source:
NTLM hashes obtained from compromised systems (e.g., via memory dumping or tools like Mimikatz).
Authentication Mechanism:
Uses the NTLM hash to request a Kerberos TGT from the KDC; this works because the NT hash is also the key Kerberos uses for the RC4-HMAC encryption type, so the KDC accepts it for pre-authentication in Windows environments.
Result:
Once a TGT is obtained, the attacker can request Service Tickets (STs) to access network resources without the need for the actual password.
Objective:
Gain access to a target system and extract NTLM hashes.
Example Tool:
Mimikatz
Example Command:
mimikatz # sekurlsa::logonpasswords
Output Example:
Username : admin
NTLM : 5d41402abc4b2a76b9719d911017c592
Process:
Inject the extracted NTLM hash into the Kerberos authentication process to request a TGT.
Tool and Example Command:
Mimikatz
mimikatz # sekurlsa::pth /user:admin /domain:example.com /ntlm:5d41402abc4b2a76b9719d911017c592
Verification:
Check for the injected ticket using:
mimikatz # kerberos::list
Utilization:
With the valid TGT, the attacker can now obtain Service Tickets and access domain resources (e.g., network shares, databases) to move laterally or escalate privileges.
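Because the NT hash is fed to Kerberos as an RC4 key, the resulting TGT request is logged by the domain controller as a 4768 event with an RC4 (0x17) encryption type. The detection logic below is an added example and not part of the original text or of any tool it mentions; the key=value log layout and the sample events are constructed for the example, and the allow-list of accounts that legitimately still use RC4 is an assumption a real deployment would replace with its own baseline.

```python
import re

# Kerberos encryption-type code as it appears in the 4768 TicketEncryptionType field.
RC4_HMAC = 0x17

# Constructed sample events in an assumed key=value layout (not real log output).
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=alice TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.21",
    "EventID=4768 TargetUserName=admin TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.21",
    "EventID=4768 TargetUserName=svc_backup TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.5",
    "EventID=4768 TargetUserName=bob TicketEncryptionType=0x17 Status=0x18 IpAddress=10.0.0.33",
    "EventID=4769 TargetUserName=alice TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.21",
]

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value line into a dict; numeric fields become ints (hex accepted)."""
    ev = dict(FIELD.findall(line))
    for key in ("EventID", "TicketEncryptionType", "Status"):
        if key in ev:
            ev[key] = int(ev[key], 0)
    return ev


def find_rc4_tgt_requests(lines, baseline_rc4_accounts=frozenset()):
    """Return (account, client IP) for every successful TGT request (4768, Status 0x0)
    that was issued with RC4-HMAC, skipping accounts known to need RC4 legitimately.
    In a domain whose accounts normally negotiate AES, each hit is a candidate
    Overpass-the-Hash event worth correlating with the source host."""
    hits = []
    for ev in map(parse_event, lines):
        if ev.get("EventID") != 4768 or ev.get("Status") != 0:
            continue  # 4769 is a service-ticket request; failed requests are a different signal
        if ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        if ev["TargetUserName"] in baseline_rc4_accounts:
            continue
        hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits


if __name__ == "__main__":
    # svc_backup is assumed to be a known legacy account that still uses RC4.
    for user, ip in find_rc4_tgt_requests(SAMPLE_4768, baseline_rc4_accounts={"svc_backup"}):
        print(f"RC4 TGT issued for {user} from {ip}: review for Overpass-the-Hash")
```

Several distinct accounts receiving RC4 TGTs from one client address in a short window is a stronger indicator than a single hit, so in practice the output is grouped by IpAddress before alerting.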