Pass the Hash is a lateral movement technique that uses a stolen NTLM password hash to authenticate as a user without knowing the plaintext password. This lesson explains why the attack works, what material is needed, where it fits in post-compromise movement, and how to explain the significance of NTLM hash reuse clearly in interviews, reports, and stakeholder conversations.
Pass the Hash is one of the most fundamental lateral movement techniques in Active Directory environments because it exploits a core property of NTLM authentication: the hash is the credential.
Understanding Pass the Hash is essential because it connects credential extraction, authentication protocols, and lateral movement into a single coherent concept that interviewers expect you to explain clearly. It also illustrates why NTLM remains a persistent security concern — the attack does not exploit a bug or misconfiguration, but a fundamental design property of the protocol.
Pass the Hash requires two things: an NT hash of a user's password and a target system that accepts NTLM authentication. The hash is typically obtained from LSASS memory on a compromised host (using tools like Mimikatz), from the SAM database on a local machine, or from the NTDS.dit database on a domain controller.
The attacker needs administrative access on the compromised host to extract hashes from memory or local databases. The target system must accept NTLM authentication, which is the default in most AD environments because NTLM is enabled as a fallback alongside Kerberos. The technique works across the network — the attacker authenticates to remote services (SMB, WinRM, RPC) using the hash instead of a password.
Reference: MITRE ATT&CK, Pass the Hash. The official technique entry, including procedure examples, detection guidance, and mitigations.
NTLM authentication uses a challenge-response mechanism where the client proves knowledge of the password by computing a response using the NT hash. The server sends a challenge, the client computes a response from the challenge and the NT hash, and the domain controller verifies the response by performing the same computation with the stored hash. At no point does the protocol require the plaintext password — the NT hash alone is sufficient to compute valid responses to any challenge.
This means that an attacker who obtains the hash can authenticate to any NTLM-accepting service exactly as if they knew the password. The protocol cannot distinguish between a legitimate user computing the response from their password and an attacker computing it from a stolen hash, because both operations produce identical results.
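The computation described above, as an added worked example (not code from the original lesson): a pure-Python MD4 derives the NT hash, an NTLMv2 response is built from it, and a verifier that holds only the stored hash accepts it. The user name, domain, password, challenge and client blob are constructed sample values.

```python
import hashlib, hmac, struct

MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: (((x & MASK) << n) | ((x & MASK) >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):                       # three rounds of 16 steps
            j, r = i % 16, i // 16
            if r == 0:   f, k, s, t = F, j, (3, 7, 11, 19)[j % 4], 0
            elif r == 1: f, k, s, t = G, (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:        f, k, s, t = H, int(f"{j:04b}"[::-1], 2), (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            a, b, c, d = d, rotl(a + f(b, c, d) + X[k] + t, s), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)): the value LSASS, the SAM and NTDS.dit hold."""
    return md4(password.encode("utf-16-le"))

def ntlmv2_response(nt: bytes, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2 (MS-NLMP): HMAC-MD5(HMAC-MD5(NT, upper(user)||domain), challenge||blob) || blob."""
    key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, challenge + blob, hashlib.md5).digest() + blob   # only the NT hash is secret

def server_verify(stored_nt: bytes, user: str, domain: str, challenge: bytes, response: bytes) -> bool:
    """The verifier repeats the client computation from the stored NT hash and compares."""
    expected = ntlmv2_response(stored_nt, user, domain, challenge, response[16:])
    return hmac.compare_digest(expected, response)

# Constructed sample values (not from the page): 8-byte server challenge, minimal NTLMv2 client blob.
CHALLENGE = bytes.fromhex("0123456789abcdef")
BLOB = bytes.fromhex("0101000000000000") + bytes(8) + bytes.fromhex("a1b2c3d4e5f60708") + bytes(4)

def demo(password: str = "Winter2024!", stolen_nt: bytes = b"") -> tuple:
    """Client that knows the password vs. client holding only the NT hash, same challenge."""
    stored = nt_hash(password)                          # what the account database stores
    legit = ntlmv2_response(nt_hash(password), "alice", "CORP", CHALLENGE, BLOB)
    hash_only = ntlmv2_response(stolen_nt or stored, "alice", "CORP", CHALLENGE, BLOB)
    return legit == hash_only, server_verify(stored, "alice", "CORP", CHALLENGE, hash_only)
```

The password is consumed once, by nt_hash; everything the verifier checks is derived from the hash alone, which is exactly why protecting LSASS, the SAM and NTDS.dit matters more than password length here.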
Pass the Hash gives the attacker authenticated access to every system and service where the compromised account's credentials are accepted via NTLM. If the hash belongs to a local administrator account, the attacker gains administrative access to systems where that account has privileges — and because many organizations reuse local administrator passwords across hosts, a single hash can unlock access to dozens or hundreds of machines.
If the hash belongs to a domain user, the attacker gains that user's network access. If the hash belongs to a Domain Admin, the attacker effectively has full domain-level access to any system accepting NTLM authentication. The technique does not require cracking the password and produces immediate, authenticated access.
Pass the Hash sits in the lateral movement phase, after the attacker has compromised at least one host and extracted credential material. The typical chain is: initial compromise → local privilege escalation → hash extraction from LSASS or SAM → Pass the Hash to adjacent systems.
Each newly accessed system provides additional hashes from its memory, which enables further movement. This creates a cascading effect where one compromised host leads to several more, each contributing additional credentials. Pass the Hash is often the primary mechanism by which an attacker moves from a single compromised workstation to servers, and eventually to domain controllers.
Pass the Hash works because NTLM authentication verifies identity using only the NT hash — the plaintext password is never needed to compute a valid response to the server's challenge. An attacker extracts hashes from LSASS memory or the SAM database on a compromised host, then uses those hashes to authenticate to other systems over SMB, WinRM, or other NTLM-accepting services. The protocol cannot tell the difference between a legitimate user and an attacker with a stolen hash because the authentication computation is identical.
The impact is amplified when local administrator passwords are reused across hosts, because one hash grants access to every system with the same password. The attack does not require any cracking — the hash works immediately. This is why NTLM remains a persistent security concern: the design property that enables Pass the Hash is fundamental to how the protocol works, not a bug that can be patched.
Pass the Hash is a technique where an attacker uses a stolen password fingerprint, rather than the actual password, to log into other systems on the network.
The risk is that once an attacker compromises a single computer and extracts these fingerprints from memory, they can move to every other system where those credentials are accepted — and if the same administrator password is used across multiple computers, one compromised machine can lead to dozens more. The attacker never needs to know the actual password. The fix involves ensuring every computer has a unique administrator password (using automated management tools), restricting the legacy authentication protocol that enables this technique, and protecting the memory where password fingerprints are stored.
Finding: Lateral Movement via Pass the Hash Using Reused Local Administrator Credentials. During the assessment, the operator compromised HOST-WS01 through a phishing payload and extracted the local administrator NT hash from LSASS memory. The same local administrator hash was valid on 47 of 52 workstations tested, indicating password reuse across the workstation fleet. The operator used the hash to authenticate to HOST-WS15 via SMB, where a cached Domain Admin credential was extracted from LSASS memory, resulting in full domain compromise.
Severity: Critical.
Recommendation: Deploy LAPS to enforce unique, automatically rotated local administrator passwords on every host. Enable Credential Guard on supported systems to protect LSASS memory. Restrict NTLM authentication via Group Policy where Kerberos is available.
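One detection that follows from the finding above, as an added example rather than anything from the report or the MITRE entry: over constructed 4624 (successful logon) events it flags a single source that authenticates as a local account over NTLM to many distinct hosts within a short window, the trail a reused local administrator hash leaves. The records are reduced to the event's TargetUserName, TargetDomainName, LogonType, AuthenticationPackageName, IpAddress and logging Computer; the domain name, threshold and window are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

AD_DOMAIN = "CORP"   # assumption: the forest's NetBIOS domain name

def ev(time, host, user, domain, src, pkg="NTLM", ltype=3):
    """One reduced 4624 record: host = Computer that logged it, domain = TargetDomainName."""
    return {"time": time, "host": host, "user": user, "domain": domain, "src": src, "pkg": pkg, "type": ltype}

# Constructed sample events (not real logs): one source authenticating as the *local* Administrator
# to six workstations in ten minutes, plus benign noise that the rule must not flag.
EVENTS = [ev(f"2024-03-01T09:{m:02d}:00", f"HOST-WS{2 + i:02d}", "Administrator", f"HOST-WS{2 + i:02d}",
             "10.0.1.15") for i, m in enumerate((1, 3, 4, 6, 8, 9))]
EVENTS += [
    ev("2024-03-01T09:05:00", "HOST-FS01", "jdoe", AD_DOMAIN, "10.0.2.40"),                  # domain user over NTLM
    ev("2024-03-01T09:07:00", "HOST-WS20", "jdoe", AD_DOMAIN, "10.0.2.40", pkg="Kerberos"),  # not NTLM at all
    ev("2024-03-01T09:10:00", "HOST-WS30", "Administrator", "HOST-WS30", "10.0.9.9"),        # one host only
    ev("2024-03-01T14:00:00", "HOST-WS40", "Administrator", "HOST-WS40", "10.0.1.15"),       # outside the window
]

def pth_fanout(events, window=timedelta(minutes=30), min_hosts=5):
    """Alert when one source IP, using one local account, completes NTLM network logons
    (LogonType 3, AuthenticationPackageName NTLM) on min_hosts distinct machines within
    `window`. A local account's TargetDomainName is the target's own hostname, not the AD domain."""
    by_key = defaultdict(list)
    for e in events:
        if e["type"] == 3 and e["pkg"] == "NTLM" and e["domain"].upper() != AD_DOMAIN:
            by_key[(e["src"], e["user"].lower())].append((datetime.fromisoformat(e["time"]), e["host"]))
    alerts = []
    for (src, user), seen in by_key.items():
        seen.sort()
        for t0, _ in seen:                        # slide the window from each logon
            hosts = sorted({h for t, h in seen if t0 <= t <= t0 + window})
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "user": user, "first_seen": t0.isoformat(), "hosts": hosts})
                break
    return alerts
```

Once LAPS makes every local administrator password unique, this fan-out pattern should not occur at all, so any remaining hit is worth a look.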