Pass the Hash Brief
What It Is
Pass the Hash uses a stolen NT hash to authenticate via NTLM without knowing the plaintext password. NTLM's challenge-response computation is keyed by the NT hash, never by the password itself, so a response built from a stolen hash is indistinguishable from one built by a client that knows the password. No cracking required — the hash works immediately.
Preconditions
An NT hash (from LSASS memory, SAM database, or NTDS.dit) and a target system that accepts NTLM authentication (the default in most AD environments). The attacker needs admin access on a compromised host to extract hashes.
Attacker Gain
Authenticated access to every system where the compromised account's credentials are accepted via NTLM. Amplified by local admin password reuse: one hash from one host can unlock dozens or hundreds of machines with the same password.
Key Concepts
- Hash is the credential — NTLM uses the NT hash, not the password, for challenge-response computation
- Hash sources — LSASS (recently authenticated users), SAM (local accounts), NTDS.dit (all domain accounts)
- Password reuse amplifier — same local admin password across hosts = one hash unlocks all of them
- Overpass the Hash — uses the hash to request a Kerberos TGT; may evade NTLM-specific monitoring
- Not a bug — exploits a design property of NTLM, not a patchable vulnerability
Stakeholder Explanation
An attacker who compromises one computer extracts a password fingerprint from memory. If the same admin password is used across machines, that fingerprint unlocks every one of them without knowing the actual password. The fix is unique passwords per host (LAPS), restricting the legacy protocol, and protecting credential memory.
Report Phrasing
Finding: Lateral Movement via Pass the Hash Using Reused Local Administrator Credentials. The operator extracted the local administrator NT hash from [source host]. The hash was valid on [N] of [N] hosts tested, indicating password reuse. [Specific escalation path]. Severity: Critical. Recommendation: Deploy LAPS for unique local admin passwords. Enable Credential Guard. Restrict NTLM via Group Policy.
Common Pitfalls
- Calling it 'using a stolen password' — the point is that the hash alone suffices; no cracking or password knowledge needed
- Not connecting PtH to NTLM's challenge-response mechanism — the 'why' is missing without this
- Not mentioning password reuse as the primary amplifier — one hash on one host is useful; the same hash on 50 is critical
- Confusing Pass the Hash (NTLM hashes) with Pass the Ticket (Kerberos tickets)