
Pass-the-Hash

Pass-the-Hash (PtH) is an attack technique that uses a stolen password hash (instead of the plaintext password) for authentication. In Windows environments, NTLM hashes can be used directly for authentication without knowing the actual password.

What is Pass-the-Hash?

Pass-the-Hash Definition

Pass-the-Hash (PtH) is an attack technique that exploits the NTLM authentication protocol in Windows. An attacker who has obtained a password hash (e.g., via Mimikatz) can use this hash directly for authentication without needing to know or crack the actual password.

How Does NTLM Authentication Work?

  1. User enters password
  2. System generates NTLM hash
  3. Hash is used for challenge-response
  4. Server verifies response

The key: The hash itself is the authentication secret.

Pass-the-Hash Attack

  1. Access: Attacker gains access to system (e.g., phishing)
  2. Hash extraction: Mimikatz, secretsdump from memory/SAM
  3. Pass-the-Hash: Using hash to authenticate to other systems
  4. Lateral movement: Access to SMB, WMI, RDP

PtH Tools

  • Mimikatz: sekurlsa::pth
  • Impacket: psexec.py, wmiexec.py
  • CrackMapExec: SMB lateral movement
  • Metasploit: PtH modules

Why Is PtH Possible?

  • NTLM design: Hash = authentication secret
  • Hash caching: Hashes stored in memory
  • Reusability: Same hash works everywhere
  • Backward compatibility: NTLM still widely used

Pass-the-Hash Detection

Indicators:

  • NTLM authentication from unusual sources
  • Lateral movement patterns
  • Type 3 logons (network) from interactive sessions
  • Anomalous SMB activity

Detection tools:

  • EDR with PtH detection
  • Windows event log analysis (4624, 4625)
  • Network traffic monitoring
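The first two indicators can be checked directly against event 4624 records. The sketch below is an added example, not part of the original page: it flags NTLM network logons (type 3) from sources outside a per-account baseline and counts how many hosts each account and source pair reached. The hostnames, accounts, addresses, baseline and threshold are constructed assumptions; the field names follow the Windows Security log.

```python
from collections import defaultdict

def ev(computer, user, logon_type, package, ip):
    """Build one constructed 4624 (successful logon) record."""
    return {"EventID": 4624, "Computer": computer, "TargetUserName": user,
            "LogonType": logon_type, "AuthenticationPackageName": package,
            "IpAddress": ip}

# Constructed sample events, not real log data.
EVENTS = [
    ev("FS01", "alice", 3, "Kerberos", "10.0.1.20"),   # Kerberos: out of scope
    ev("BK01", "svc_backup", 3, "NTLM", "10.0.5.5"),   # NTLM from known source
    ev("FS01", "WS12$", 3, "NTLM", "10.0.1.12"),       # machine account: skipped
    ev("WS77", "bob", 2, "Negotiate", "127.0.0.1"),    # interactive: out of scope
    ev("FS01", "admin_jan", 3, "NTLM", "10.0.1.77"),   # admin hash used from a
    ev("DB01", "admin_jan", 3, "NTLM", "10.0.1.77"),   # workstation instead of
    ev("DC01", "admin_jan", 3, "NTLM", "10.0.1.77"),   # the PAW, on three hosts
]

# Assumed baseline: sources each account normally logs on from (e.g. its PAW).
BASELINE = {"svc_backup": {"10.0.5.5"}, "admin_jan": {"10.0.9.10"}}

def find_suspicious_ntlm(events, baseline, fanout_threshold=3):
    """Return (unusual-source alerts, fan-out alerts) for NTLM type 3 logons."""
    unusual = []
    reached = defaultdict(set)          # (user, source) -> hosts logged on to
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") != 3:
            continue
        if e.get("AuthenticationPackageName") != "NTLM":
            continue
        user, src = e["TargetUserName"], e["IpAddress"]
        if user.endswith("$"):          # computer accounts are noisy; skip them
            continue
        reached[(user, src)].add(e["Computer"])
        if src not in baseline.get(user, set()):
            unusual.append((user, src, e["Computer"]))
    fanout = {k: sorted(v) for k, v in reached.items()
              if len(v) >= fanout_threshold}
    return unusual, fanout

if __name__ == "__main__":
    alerts, fanout = find_suspicious_ntlm(EVENTS, BASELINE)
    for user, src, host in alerts:
        print(f"NTLM logon for {user} on {host} from unusual source {src}")
    for (user, src), hosts in fanout.items():
        print(f"{user} from {src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```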

Pass-the-Hash Mitigation

Technical:

  • Credential Guard: Hash protection in VSM
  • Protected Users group: No NTLM caching
  • Disable NTLM: Where possible (Kerberos only)
  • LAPS: Unique local admin passwords
  • Tiering model: Admin account separation

Architectural:

  • Network segmentation
  • Privileged Access Workstations (PAW)
  • Just-in-Time administration

PtH vs Pass-the-Ticket

| Aspect | Pass-the-Hash | Pass-the-Ticket |
|---|---|---|
| Protocol | NTLM | Kerberos |
| Secret | NTLM hash | TGT/TGS ticket |
| Scope | Single domain | Can be cross-domain |
| Mitigation | Credential Guard | Time-limited tickets |

Pass-the-Hash is one of the fundamental lateral movement techniques in Windows environments, and defending against it requires a defense-in-depth approach.
