Pass-the-Hash

What is Pass-the-Hash?

Pass-the-Hash is a lateral movement technique where attackers use stolen NTLM password hashes to authenticate to systems without knowing the actual password.

What is a Pass-the-Hash attack?

Pass-the-Hash (PtH) is a credential theft technique where attackers capture NTLM password hashes from compromised systems and use them directly for authentication without needing to crack the plaintext password. Windows NTLM authentication accepts the hash itself as proof of identity, enabling lateral movement across the network.

How do attackers obtain password hashes?

Attackers extract NTLM hashes from LSASS process memory using tools like Mimikatz, from the local SAM database, through NTLM relay attacks, from cached credentials on compromised systems, or by copying locked credential stores via Volume Shadow Copies. Any system where a privileged user has authenticated may still hold that user's credential hash in memory.

How does Pass-the-Hash enable lateral movement?

Once an attacker has an NTLM hash, they can authenticate to any system that accepts NTLM authentication with that account's privileges. Using tools like Mimikatz, PsExec, or CrackMapExec, they move laterally across the network, accessing file shares, remote desktops, and administrative interfaces without ever knowing the user's actual password.

What is the difference between Pass-the-Hash and Pass-the-Ticket?

Pass-the-Hash uses stolen NTLM hashes for authentication. Pass-the-Ticket uses stolen Kerberos tickets (TGT or TGS) for authentication. PtH targets the NTLM protocol, while PtT targets Kerberos. Both achieve lateral movement by reusing credential material, but against different authentication protocols.

How do you defend against Pass-the-Hash?

Defenses include disabling NTLM where possible in favor of Kerberos, enabling Credential Guard on Windows 10 and later, placing privileged accounts in the Protected Users group, randomizing local administrator passwords with LAPS, restricting privileged account logons to authorized systems, and implementing network segmentation.

What is Windows Credential Guard?

Windows Credential Guard uses virtualization-based security to isolate the secrets LSASS holds in a hardware-backed container that even kernel-level malware cannot read. This prevents tools like Mimikatz from extracting NTLM hashes and Kerberos tickets from memory on protected systems, significantly mitigating Pass-the-Hash attacks.

How do you detect Pass-the-Hash attacks?

Detection involves monitoring for NTLM authentication events where the source host does not match expected logon patterns, alerting on lateral movement using administrative credentials, analyzing authentication logs for pass-the-hash tool signatures, implementing honeypot accounts to detect credential reuse, and using EDR tools that monitor LSASS access.
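The following added example (not from the original page) shows how the first, third and fourth of these checks look when run over Windows Security Event 4624 records: an NTLM network logon from a host the account never uses, the documented logon-type-9/seclogo footprint left when a hash is injected into a new logon session, and any use of a decoy account. The event records, baseline and account names are constructed for the example.

```python
"""Score Windows 4624 logon events for Pass-the-Hash indicators.
Added example; the events, baseline and accounts below are constructed, not real logs."""

# Constructed baseline: the source hosts each account normally logs on from.
BASELINE = {"alice": {"WS-ALICE"}, "svc_backup": {"BACKUP01"}}
HONEYPOT_ACCOUNTS = {"adm_legacy"}  # decoy account that no one should ever use

# Constructed Event ID 4624 records (field names follow the Windows Security log).
SAMPLE_EVENTS = [
    {"TargetUserName": "alice", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "WorkstationName": "WS-ALICE", "IpAddress": "10.0.1.10", "LogonProcessName": "NtLmSsp"},
    {"TargetUserName": "alice", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "WorkstationName": "WS-BOB", "IpAddress": "10.0.1.55", "LogonProcessName": "NtLmSsp"},
    {"TargetUserName": "svc_backup", "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "WorkstationName": "-", "IpAddress": "10.0.2.20", "LogonProcessName": "Kerberos"},
    {"TargetUserName": "bob", "LogonType": 9, "AuthenticationPackageName": "Negotiate",
     "WorkstationName": "WS-BOB", "IpAddress": "::1", "LogonProcessName": "seclogo"},
    {"TargetUserName": "adm_legacy", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "WorkstationName": "WS-BOB", "IpAddress": "10.0.1.55", "LogonProcessName": "NtLmSsp"},
]

def classify(event, baseline=BASELINE, honeypots=HONEYPOT_ACCOUNTS):
    """Return the names of every indicator that fires for one 4624 event."""
    user = event["TargetUserName"].lower()
    hits = []
    # Decoy account: any logon at all means its credential material was replayed.
    if user in honeypots:
        hits.append("honeypot_account_used")
    # Logon type 9 (NewCredentials) through 'seclogo' with Negotiate is the footprint
    # left on the source host when a hash is injected into a fresh logon session.
    # Legitimate 'runas /netonly' looks the same, so correlate with the other signals.
    if (event["LogonType"] == 9 and event["LogonProcessName"].lower() == "seclogo"
            and event["AuthenticationPackageName"] == "Negotiate"):
        hits.append("pth_tool_signature")
    # Network NTLM logon from a host this account has never used; Kerberos logons are exempt.
    if (event["LogonType"] == 3 and event["AuthenticationPackageName"] == "NTLM"
            and user in baseline
            and event["WorkstationName"].upper() not in baseline[user]):
        hits.append("ntlm_from_unexpected_host")
    return hits

def scan(events=SAMPLE_EVENTS):
    """Map (user, source host) -> indicators for every event that fired at least one."""
    return {(e["TargetUserName"], e["WorkstationName"]): classify(e)
            for e in events if classify(e)}
```

In production the baseline would be learned from weeks of 4624 data rather than hard-coded, and the source-host check should fall back to IpAddress when WorkstationName is empty.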

What role does Pass-the-Hash play in penetration testing?

Pass-the-Hash is a core lateral movement technique in penetration testing and red team operations. After compromising an initial system, testers harvest credential hashes and attempt lateral movement to demonstrate the blast radius of a single compromise, validate network segmentation, and test credential hygiene across the environment.
