I have to translate this sentence: 'Suspected overpass-the-hash attack (Kerberos)' and I found this article about overpass-the-hash: https://blog.stealthbits.com/how-to-detect-overpass-the-hash-attacks/ There I found this sentence: 'Not only did we just pass-the-hash, we overpassed it!'. So I understand 'pass the hash' as to 'transfer the hash', right? But what does 'over' add? Excessive amount, a jump to another place?
The "over" in overpass-the-hash refers to taking the pass-the-hash technique one step further to acquire a valid Kerberos ticket.
Typically, with pass-the-hash you use an NT hash from a compromised user account to authenticate directly to remote services as that user, either by injecting it into the memory of the current Windows user session or by providing the hash directly to client applications which accept it (e.g. CrackMapExec).
With overpass-the-hash you can leverage that NT hash twice over to now request a full Kerberos TGT or service ticket from the KDC on behalf of that compromised user. This technique also opens up the pass-the-ticket attack vector, where now that forged but valid (before expiration) TGT/ST can be exported and re-injected for future use and bypass communication with the KDC. Because they are closely linked, overpass-the-hash and pass-the-ticket are often used interchangeably.
I agree that many of the top search result blog posts do not clearly explain the unique mechanism of OPTH. For a more direct explanation, check out the "Abusing Kerberos" whitepaper by the Mimikatz developers. Also check out the detection exercise linked in the blog you referenced.
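The answer above describes the mechanism: an NT (RC4) hash is used to ask the KDC for a TGT, so the request shows up on the domain controller as a Kerberos TGT request (Security event 4768) encrypted with RC4-HMAC (ticket encryption type 0x17), even for accounts that normally use AES. The following is an added detection example, not code from the question, the answer, or the linked blog post. It reads constructed 4768 events flattened to JSON lines, learns each account's usual encryption type as a baseline, and flags RC4 TGT requests, rating a request higher when the same account was previously seen using AES. The field names (`TargetUserName`, `IpAddress`, `TicketEncryptionType`, `PreAuthType`) match the event's EventData; the host names, IPs, and accounts are invented.

```python
import json
from collections import defaultdict

# Constructed sample of Windows Security event 4768 (Kerberos TGT requested),
# flattened to one JSON object per line. Field names follow the event's
# EventData; every value here is invented for the example.
SAMPLE_EVENTS = """
{"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.15", "TicketEncryptionType": "0x12", "PreAuthType": "2"}
{"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.15", "TicketEncryptionType": "0x12", "PreAuthType": "2"}
{"EventID": 4768, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.40", "TicketEncryptionType": "0x12", "PreAuthType": "2"}
{"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.99", "TicketEncryptionType": "0x17", "PreAuthType": "2"}
{"EventID": 4768, "TargetUserName": "legacy_app$", "IpAddress": "10.0.0.7", "TicketEncryptionType": "0x17", "PreAuthType": "2"}
{"EventID": 4769, "TargetUserName": "alice", "IpAddress": "10.0.0.99", "TicketEncryptionType": "0x17"}
"""

# Kerberos encryption type values as logged in TicketEncryptionType.
RC4_HMAC = "0x17"                  # RC4-HMAC: what an NT-hash-based TGT request produces
AES_TYPES = {"0x11", "0x12"}       # AES128-CTS-HMAC-SHA1-96 / AES256-CTS-HMAC-SHA1-96


def parse_events(text):
    """Yield one event dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def detect_rc4_tgt_requests(events, legacy_allowlist=frozenset()):
    """Flag 4768 events whose TGT was requested with RC4-HMAC.

    Accounts in legacy_allowlist (known RC4-only systems) are skipped.
    A finding is rated 'high' when the account has already been observed
    requesting TGTs with AES, i.e. the request is an encryption downgrade
    for that account rather than its normal behaviour.
    """
    baseline = defaultdict(set)    # account -> encryption types seen so far
    findings = []
    for ev in events:
        if ev.get("EventID") != 4768:      # only TGT requests are of interest here
            continue
        user = ev["TargetUserName"]
        etype = ev["TicketEncryptionType"]
        if etype == RC4_HMAC and user not in legacy_allowlist:
            downgrade = bool(baseline[user] & AES_TYPES)
            findings.append({
                "user": user,
                "source": ev.get("IpAddress", "?"),
                "severity": "high" if downgrade else "medium",
                "reason": ("RC4 TGT request for an account previously using AES"
                           if downgrade else "RC4 TGT request"),
            })
        baseline[user].add(etype)
    return findings


if __name__ == "__main__":
    for f in detect_rc4_tgt_requests(parse_events(SAMPLE_EVENTS),
                                     legacy_allowlist={"legacy_app$"}):
        print(f"[{f['severity']}] {f['user']} from {f['source']}: {f['reason']}")
```

Two caveats a practitioner will want: the baseline is only meaningful once the domain actually issues AES tickets, and an attacker who holds the account's AES key rather than its NT hash can request the TGT with AES, so this check catches the NT-hash variant the answer describes, not every overpass-the-hash variant.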