Pass the Hash
Pass the Hash is a lateral movement technique that uses a stolen NTLM password hash to authenticate as a user without knowing the plaintext password. This lesson explains why the attack works, what material is needed, where it fits in post-compromise movement, and how to explain the significance of NTLM hash reuse clearly in interviews, reports, and stakeholder conversations.
This lesson builds on
Theory
Why It Matters
Pass the Hash is one of the most fundamental lateral movement techniques in Active Directory environments because it exploits a core property of NTLM authentication: the hash is the credential.
Understanding Pass the Hash is essential because it connects credential extraction, authentication protocols, and lateral movement into a single coherent concept that interviewers expect you to explain clearly. It also illustrates why NTLM remains a persistent security concern — the attack does not exploit a bug or misconfiguration, but a fundamental design property of the protocol.
Preconditions
Pass the Hash requires two things: an NT hash of a user's password and a target system that accepts NTLM authentication. The hash is typically obtained from LSASS memory on a compromised host (using tools like Mimikatz), from the SAM database on a local machine, or from the NTDS.dit database on a domain controller.
The attacker needs administrative access on the compromised host to extract hashes from memory or local databases. The target system must accept NTLM authentication, which is the default in most AD environments because NTLM is enabled as a fallback alongside Kerberos. The technique works across the network — the attacker authenticates to remote services (SMB, WinRM, RPC) using the hash instead of a password.
Key Concepts
- The hash is the credential — NTLM authentication requires only the NT hash to compute a valid challenge-response; the plaintext password is never needed for network authentication, which is the fundamental property that makes Pass the Hash possible
- Hash extraction sources — LSASS process memory contains NT hashes for recently authenticated users; the SAM database contains local account hashes; NTDS.dit on domain controllers contains every domain account hash; each source requires different access levels
- Local administrator password reuse — the most common amplifier for Pass the Hash; when the same local administrator password is set across multiple hosts, extracting the hash from one host grants access to all of them
- SMB, WinRM, and RPC as targets — Pass the Hash works against any service that accepts NTLM authentication; SMB is the most common target (file shares, PsExec-style execution), but WinRM and RPC-based tools also accept NTLM hashes
- Overpass the Hash — a variant where the NT hash is used to request a Kerberos TGT instead of performing NTLM authentication directly; this produces Kerberos tickets and may evade NTLM-specific monitoring while achieving the same result
- No cracking required — unlike Kerberoasting or AS-REP Roasting where the attacker must crack a hash to obtain usable credentials, Pass the Hash uses the hash directly for authentication; the attack works immediately after hash extraction
Why It Works
NTLM authentication uses a challenge-response mechanism where the client proves knowledge of the password by computing a response using the NT hash. The server sends a challenge, the client computes a response from the challenge and the NT hash, and the domain controller verifies the response by performing the same computation with the stored hash. At no point does the protocol require the plaintext password — the NT hash alone is sufficient to compute valid responses to any challenge.
This means that an attacker who obtains the hash can authenticate to any NTLM-accepting service exactly as if they knew the password. The protocol cannot distinguish between a legitimate user computing the response from their password and an attacker computing it from a stolen hash, because both operations produce identical results.
What the Attacker Gains
Pass the Hash gives the attacker authenticated access to every system and service where the compromised account's credentials are accepted via NTLM. If the hash belongs to a local administrator account, the attacker gains administrative access to systems where that account has privileges — and because many organizations reuse local administrator passwords across hosts, a single hash can unlock access to dozens or hundreds of machines.
If the hash belongs to a domain user, the attacker gains that user's network access. If the hash belongs to a Domain Admin, the attacker effectively has full domain-level access to any system accepting NTLM authentication. The technique does not require cracking the password and produces immediate, authenticated access.
Where It Fits in the Attack Chain
Pass the Hash sits in the lateral movement phase, after the attacker has compromised at least one host and extracted credential material. The typical chain is: initial compromise → local privilege escalation → hash extraction from LSASS or SAM → Pass the Hash to adjacent systems.
Each newly accessed system provides additional hashes from its memory, which enables further movement. This creates a cascading effect where one compromised host leads to several more, each contributing additional credentials. Pass the Hash is often the primary mechanism by which an attacker moves from a single compromised workstation to servers, and eventually to domain controllers.
Tools & Examples
- Impacket psexec.py -hashes :NThash — authenticates to a remote system via SMB using a hash and opens a SYSTEM shell
- Impacket wmiexec.py -hashes :NThash — executes commands remotely via WMI using hash-based NTLM authentication
- CrackMapExec smb targets -u user -H NThash — tests hash-based authentication across multiple hosts to identify where the account has access
- Mimikatz sekurlsa::pth — injects an NT hash into a new process on Windows, enabling Pass the Hash from the attacker's current session
- Evil-WinRM -i target -u user -H NThash — authenticates to WinRM using a hash for remote PowerShell access
Defender's Perspective
- Deploy Local Administrator Password Solution (LAPS) to ensure every host has a unique, automatically rotated local administrator password. This eliminates the most common amplifier for Pass the Hash.
- Enable SMB signing on all systems. While SMB signing does not prevent Pass the Hash directly, it prevents NTLM relay attacks that are often used alongside hash-based lateral movement.
- Restrict NTLM authentication where possible. Group Policy settings can limit NTLM to specific servers or disable it for domain accounts, forcing Kerberos-only authentication.
- Implement Credential Guard on Windows 10+ and Server 2016+ to protect LSASS memory from hash extraction. Credential Guard isolates credential material in a virtualization-based security environment.
- Monitor for lateral movement indicators: authentication events from unexpected sources, PsExec-style service creation (Event ID 7045), and NTLM authentication where Kerberos would be expected.
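The monitoring bullet above as a small worked detection, added here as an example and not taken from the lesson: three rules run over constructed, pre-parsed 4624 and 7045 events. The workstation subnet prefix, the allowlist of known NTLM-only dependencies and the two-minute service-install window are assumptions to be tuned per environment.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumption: a SIEM has already parsed Security
# 4624 and System 7045 records into these fields; timestamps are ISO-8601).
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "id": 4624, "host": "WS15", "logon_type": 3,
     "auth": "Kerberos", "user": "jsmith", "domain": "CORP", "src": "10.0.1.15"},
    {"ts": "2024-05-01T10:01:00", "id": 4624, "host": "WS15", "logon_type": 3,
     "auth": "NTLM", "user": "Administrator", "domain": "WS15", "src": "10.0.1.1"},
    {"ts": "2024-05-01T10:01:20", "id": 7045, "host": "WS15",
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2024-05-01T10:05:00", "id": 4624, "host": "FS01", "logon_type": 3,
     "auth": "NTLM", "user": "svc_backup", "domain": "CORP", "src": "10.0.1.1"},
    {"ts": "2024-05-01T10:06:00", "id": 4624, "host": "FS01", "logon_type": 3,
     "auth": "NTLM", "user": "svc_legacy", "domain": "CORP", "src": "10.0.9.40"},
]
WORKSTATION_NET = "10.0.1."                 # assumption: workstation VLAN prefix
NTLM_ALLOWLIST = {("svc_legacy", "FS01")}  # assumption: documented NTLM-only dependency
SERVICE_WINDOW = timedelta(minutes=2)       # assumption: 7045 this soon after NTLM logon is suspicious

def detect(events):
    """Return (rule, host, detail) tuples for NTLM lateral-movement indicators."""
    findings, ntlm_logons = [], []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] == 4624 and e["logon_type"] == 3 and e["auth"] == "NTLM":
            if (e["user"], e["host"]) in NTLM_ALLOWLIST:
                continue
            ntlm_logons.append(e)
            if e["domain"].upper() == e["host"].upper():
                # a local account used over the network: the reused-local-admin pattern
                findings.append(("local-admin-ntlm-network-logon", e["host"], e["src"]))
            elif e["src"].startswith(WORKSTATION_NET):
                # a domain account from a domain-joined workstation should get Kerberos
                findings.append(("ntlm-where-kerberos-expected", e["host"], e["src"]))
        elif e["id"] == 7045:
            # PsExec-style execution: service installed shortly after an NTLM network logon
            t = datetime.fromisoformat(e["ts"])
            if any(l["host"] == e["host"] and
                   timedelta(0) <= t - datetime.fromisoformat(l["ts"]) <= SERVICE_WINDOW
                   for l in ntlm_logons):
                findings.append(("service-install-after-ntlm-logon", e["host"], e["service"]))
    return findings
```

The same source address appearing in local-admin findings on many hosts is the fleet-wide reuse pattern the report section below describes, and is worth a separate fan-out count in a real deployment.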
Communication
How to Explain It in an Interview
Pass the Hash works because NTLM authentication verifies identity using only the NT hash — the plaintext password is never needed to compute a valid response to the server's challenge. An attacker extracts hashes from LSASS memory or the SAM database on a compromised host, then uses those hashes to authenticate to other systems over SMB, WinRM, or other NTLM-accepting services. The protocol cannot tell the difference between a legitimate user and an attacker with a stolen hash because the authentication computation is identical.
The impact is amplified when local administrator passwords are reused across hosts, because one hash grants access to every system with the same password. The attack does not require any cracking — the hash works immediately. This is why NTLM remains a persistent security concern: the design property that enables Pass the Hash is fundamental to how the protocol works, not a bug that can be patched.
How to Explain It to a Stakeholder
Pass the Hash is a technique where an attacker uses a stolen password fingerprint, rather than the actual password, to log into other systems on the network.
The risk is that once an attacker compromises a single computer and extracts these fingerprints from memory, they can move to every other system where those credentials are accepted — and if the same administrator password is used across multiple computers, one compromised machine can lead to dozens more. The attacker never needs to know the actual password. The fix involves ensuring every computer has a unique administrator password (using automated management tools), restricting the legacy authentication protocol that enables this technique, and protecting the memory where password fingerprints are stored.
How It Might Appear in a Report
Finding: Lateral Movement via Pass the Hash Using Reused Local Administrator Credentials. During the assessment, the operator compromised HOST-WS01 through a phishing payload and extracted the local administrator NT hash from LSASS memory. The same local administrator hash was valid on 47 of 52 workstations tested, indicating password reuse across the workstation fleet. The operator used the hash to authenticate to HOST-WS15 via SMB, where a cached Domain Admin credential was extracted from LSASS memory, resulting in full domain compromise.
Severity: Critical.
Recommendation: Deploy LAPS to enforce unique, automatically rotated local administrator passwords on every host. Enable Credential Guard on supported systems to protect LSASS memory. Restrict NTLM authentication via Group Policy where Kerberos is available.
Common Weak Answers
- Describing Pass the Hash as 'using a stolen password' without distinguishing between a hash and a plaintext password. The entire point is that the hash alone is sufficient — no cracking or password knowledge is required.
- Explaining the technique without connecting it to NTLM's challenge-response mechanism. Pass the Hash works because NTLM uses the hash, not the password, to compute authentication responses. Without this explanation, the 'why' is missing.
- Not mentioning local administrator password reuse as the primary amplifier. A single hash on one system is useful; the same hash working on 50 systems is a critical finding. The amplifier is what makes Pass the Hash devastating in practice.
- Confusing Pass the Hash with Pass the Ticket. Pass the Hash uses NTLM hashes; Pass the Ticket uses Kerberos tickets. They are different techniques targeting different authentication protocols.
- Claiming that patching or updating Windows eliminates Pass the Hash. The technique exploits a design property of NTLM, not a vulnerability. Mitigations exist (LAPS, Credential Guard, NTLM restriction) but the fundamental mechanism remains as long as NTLM is enabled.
Likely Follow-Up Questions
- Why does the NT hash work as a credential without knowing the password?
- Where do you obtain NT hashes during an engagement, and what access level do you need for each source?
- How does local administrator password reuse amplify the impact of Pass the Hash?
- What is the difference between Pass the Hash and Overpass the Hash?
- What defensive measures reduce the effectiveness of Pass the Hash, and why are they rarely fully deployed?
Further Reading
- MITRE ATT&CK T1550.002 — Pass the Hash
MITRE · Official MITRE ATT&CK reference for Pass the Hash, including procedure examples, detection guidance, and mitigations