💥 Over Pass the Hash

🧠 What’s the Deal?

This essentially converts an NTLM hash into Kerberos tickets, allowing access to services that don’t accept raw NTLM authentication

Normal Pass-the-Hash (PtH) → You directly authenticate to a remote service (SMB, WMI, RDP) using an NTLM hash, without knowing the plaintext password.

Over-Pass-the-Hash (Pass-the-Key) → Instead of directly authenticating with the NTLM hash, you use the NTLM hash to request a Kerberos TGT (Ticket Granting Ticket) from the Key Distribution Center (KDC).

🎯 How it works ?

Attacker obtains the NTLM hash of a user.
Uses the hash to derive the user’s NTLM key.
Crafts a Kerberos AS-REQ to the domain controller (KDC), proving knowledge of the NTLM key.
The KDC issues a TGT for that user.
Attacker now has a Kerberos ticket that can be used for lateral movement via Kerberos-authenticated services (SMB, LDAP, MSSQL, HTTP, etc.).

🧰 Gear Up (Prereqs)

Don’t go in empty-handed. What do you need beforehand?

Access to target or vulnerable endpoint
Specific app version or config
Recon data (subdomain, login page, etc.)
Tools (e.g., Burp, nmap, ffuf, etc.)

🚀 Launch Sequence (How-To)

Here’s how the magic happens — step by step.

# Example flow:
Identify the injection point
Craft payload: ' OR '1'='1
Send request and observe results

🧠 What’s the Deal?​

🎯 How it works ?​

🧰 Gear Up (Prereqs)​

🚀 Launch Sequence (How-To)​

🧠 What’s the Deal?

🎯 How it works ?

🧰 Gear Up (Prereqs)

🚀 Launch Sequence (How-To)