Pass-the-Hash
What is Pass-the-Hash?
Pass-the-Hash: A credential-reuse attack that authenticates to Windows systems using a stolen NTLM password hash instead of the cleartext password.
Pass-the-Hash (PtH) exploits the way NTLM authentication treats the password hash as the effective credential. The NT hash is an unsalted MD4 digest of the UTF-16LE password, and every NTLM challenge-response (the NTLMv2 proof is an HMAC-MD5 keyed, via NTOWFv2, by that hash) can be computed from the hash alone, so any process holding it can authenticate without ever knowing the password. Attackers dump hashes from LSASS memory, the local SAM database, or NTDS.dit on a domain controller (commonly with Mimikatz or Impacket's secretsdump) and replay them against SMB, WMI, WinRM, or RDP in Restricted Admin mode to move laterally. Because Windows falls back to NTLM whenever Kerberos cannot be used (for example when a target is addressed by IP address rather than by name), an environment that nominally relies on Kerberos is still exposed. MITRE ATT&CK tracks this as T1550.002 under Use Alternate Authentication Material. Defences include enabling Credential Guard so LSASS secrets are isolated from the rest of the OS (it does not protect hashes at rest in the SAM or NTDS.dit), randomising local administrator passwords with LAPS so one host's hash is useless on the next, enforcing tiered administration so privileged accounts never log on to lower-trust hosts where their hashes could be dumped, placing sensitive accounts in the Protected Users group and disabling NTLM where possible, and monitoring LSASS access and anomalous NTLM network logons (Event ID 4624, logon type 3, authentication package NTLM) that fan out from one source across many hosts.
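The following is an added example, not code from the page or from any tool it names, showing why the hash alone is sufficient: a client that knows the password and an attacker who holds only the dumped NT hash produce byte-identical NTLMv2 proofs, and the server, which verifies against the stored hash, accepts both. The MD4 routine is included because OpenSSL 3 builds of Python frequently lack `hashlib` md4; the NTLMv2 arithmetic follows MS-NLMP 3.3.2; the user, domain, challenges, timestamp and target-info bytes are constructed sample values.

```python
"""Why an NT hash is as good as the password in NTLM authentication.

Added example (not code from any tool or from Microsoft). MD4 is implemented
here because OpenSSL 3 builds of Python often lack hashlib md4. The NTLMv2
arithmetic follows MS-NLMP 3.3.2; user, domain, challenges, timestamp and
target-info bytes are constructed sample values.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (pure Python)."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = [a, b, c, d]
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                t = (-i) % 4                          # rotate roles a, d, c, b
                s[t] = rotl((s[t] + fn(s[(t + 1) % 4], s[(t + 2) % 4], s[(t + 3) % 4])
                             + x[idx] + k) & MASK, shifts[i % 4])
        a, b, c, d = ((v + w) & MASK for v, w in zip((a, b, c, d), s))
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash: unsalted MD4 over the UTF-16LE password. This is what LSASS/SAM hold."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain) with the text in UTF-16LE."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes,
                 client_challenge: bytes, timestamp: int, target_info: bytes) -> bytes:
    """NtProofStr, the 16-byte value the client returns. Its only secret input is `nt`."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    return hmac.new(ntowf_v2(nt, user, domain), server_challenge + temp, hashlib.md5).digest()


def server_accepts(stored_nt: bytes, proof: bytes, user, domain, server_challenge,
                   client_challenge, timestamp, target_info) -> bool:
    """The verifier recomputes NtProofStr from the stored NT hash; it never sees a password."""
    expected = ntlmv2_proof(stored_nt, user, domain, server_challenge,
                            client_challenge, timestamp, target_info)
    return hmac.compare_digest(expected, proof)


# Constructed sample values (not taken from any real capture).
USER, DOMAIN, PASSWORD = "svc_backup", "CORP", "password"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")   # 8 bytes from the CHALLENGE_MESSAGE
CLIENT_CHALLENGE = bytes.fromhex("fedcba9876543210")   # 8 bytes chosen by the client
TIMESTAMP = 0x01DA8F1B2C3D4E50                          # FILETIME-style 64-bit value
TARGET_INFO = b"\x02\x00\x08\x00" + "CORP".encode("utf-16-le") + b"\x00" * 4  # MsvAvNbDomainName + MsvAvEOL


def demo() -> dict:
    stored = nt_hash(PASSWORD)                        # what the SAM or NTDS.dit keeps for this account
    args = (USER, DOMAIN, SERVER_CHALLENGE, CLIENT_CHALLENGE, TIMESTAMP, TARGET_INFO)
    legit = ntlmv2_proof(nt_hash(PASSWORD), *args)    # a client that typed the password
    dumped = bytes(stored)                            # attacker's copy (e.g. from LSASS); the password is never known
    pth = ntlmv2_proof(dumped, *args)
    bogus = ntlmv2_proof(nt_hash("not-the-password"), *args)
    return {
        "same_proof": legit == pth,
        "legit_accepted": server_accepts(stored, legit, *args),
        "pth_accepted": server_accepts(stored, pth, *args),
        "wrong_hash_accepted": server_accepts(stored, bogus, *args),
    }


if __name__ == "__main__":
    print("NT hash:", nt_hash(PASSWORD).hex())
    print(demo())
```

The point to take from `demo()` is that nothing on the wire or in the server's verification path ever distinguishes the two clients: the password is only ever used once, to derive the hash, and the hash is then a long-lived reusable secret with no salt, which is why hash hygiene (Credential Guard, LAPS, tiering) matters more than password complexity against this attack.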
● Examples
- 01
An operator dumps NTLM hashes with Mimikatz and uses them to authenticate to other servers via SMB.
- 02
Reusing a local administrator hash across an estate to pivot from a workstation to a file server.
● Frequently asked questions
What is Pass-the-Hash?
A credential-reuse attack that authenticates to Windows systems using a stolen NTLM password hash instead of the cleartext password. It belongs to the Attacks & Threats category of cybersecurity.
What does Pass-the-Hash mean?
A credential-reuse attack that authenticates to Windows systems using a stolen NTLM password hash instead of the cleartext password.
How does Pass-the-Hash work?
NTLM never sends the password itself; the client proves possession of the NT hash (an unsalted MD4 of the UTF-16LE password) by computing a challenge-response keyed by that hash, and the server checks it against the same stored hash. The hash is therefore the credential, and anyone holding it can complete the exchange without knowing the password. Attackers obtain hashes from LSASS memory, the SAM database, or NTDS.dit (commonly with Mimikatz or secretsdump) and replay them against SMB, WMI, or remote management services to move laterally. MITRE ATT&CK tracks this as T1550.002 under Use Alternate Authentication Material.
How do you defend against Pass-the-Hash?
Defences combine technical controls and operational practices: enable Credential Guard so hashes cannot be read out of LSASS; deploy LAPS so each host's local administrator password, and therefore its hash, is unique; enforce tiered administration so privileged accounts never log on to lower-trust hosts where their hashes could be dumped; place sensitive accounts in the Protected Users group and restrict or disable NTLM where possible; and monitor for LSASS access (for example Sysmon Event ID 10 with lsass.exe as the target) and for NTLM network logons (Event ID 4624, logon type 3) by one account fanning out across many hosts in a short time.
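As an added example of the logon-monitoring defence (not a rule from any SIEM or vendor, and not part of the original page), the rule below runs over constructed 4624-style records and raises an alert when one account, from one source IP, completes NTLM network logons to several distinct hosts within a short window. It also notes whether the account is a local SAM account (the account domain field equals the target host name), which is the classic pattern of a local administrator hash reused across an estate that lacks LAPS. Field names, hostnames, IPs and timestamps are invented for the example.

```python
"""Flag NTLM network logons that fan out across many hosts: a Pass-the-Hash signal.

Added example, not from any SIEM or vendor rule set. The records below are
constructed 4624 (successful logon) events reduced to the fields the rule uses;
in a real deployment they would come from each host's Security log or a collector.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. 'domain' is the account-domain field of 4624; when it
# equals the target host name the logon used a local SAM account.
EVENTS = [
    # suspicious: local Administrator hash replayed from one workstation to three servers
    {"ts": "2024-05-01T10:00:05", "host": "FS01",  "user": "Administrator", "domain": "FS01",  "logon_type": 3, "auth_pkg": "NTLM",     "src_ip": "10.0.5.23"},
    {"ts": "2024-05-01T10:01:40", "host": "FS02",  "user": "Administrator", "domain": "FS02",  "logon_type": 3, "auth_pkg": "NTLM",     "src_ip": "10.0.5.23"},
    {"ts": "2024-05-01T10:03:12", "host": "SQL01", "user": "Administrator", "domain": "SQL01", "logon_type": 3, "auth_pkg": "NTLM",     "src_ip": "10.0.5.23"},
    # benign: a domain user reaching three shares over Kerberos
    {"ts": "2024-05-01T10:00:30", "host": "FS01",  "user": "jdoe",          "domain": "CORP",  "logon_type": 3, "auth_pkg": "Kerberos", "src_ip": "10.0.7.41"},
    {"ts": "2024-05-01T10:00:31", "host": "FS02",  "user": "jdoe",          "domain": "CORP",  "logon_type": 3, "auth_pkg": "Kerberos", "src_ip": "10.0.7.41"},
    {"ts": "2024-05-01T10:00:33", "host": "FS03",  "user": "jdoe",          "domain": "CORP",  "logon_type": 3, "auth_pkg": "Kerberos", "src_ip": "10.0.7.41"},
    # below the host threshold: a scanner account using NTLM against two hosts
    {"ts": "2024-05-01T10:05:00", "host": "FS01",  "user": "svc_scan",      "domain": "CORP",  "logon_type": 3, "auth_pkg": "NTLM",     "src_ip": "10.0.9.9"},
    {"ts": "2024-05-01T10:05:02", "host": "FS02",  "user": "svc_scan",      "domain": "CORP",  "logon_type": 3, "auth_pkg": "NTLM",     "src_ip": "10.0.9.9"},
    # outside the time window: a backup job touching three hosts an hour apart
    {"ts": "2024-05-01T11:00:00", "host": "FS01",  "user": "svc_backup",    "domain": "CORP",  "logon_type": 3, "auth_pkg": "NTLM",     "src_ip": "10.0.3.3"},
    {"ts": "2024-05-01T12:00:00", "host": "FS02",  "user": "svc_backup",    "domain": "CORP",  "logon_type": 3, "auth_pkg": "NTLM",     "src_ip": "10.0.3.3"},
    {"ts": "2024-05-01T13:00:00", "host": "FS03",  "user": "svc_backup",    "domain": "CORP",  "logon_type": 3, "auth_pkg": "NTLM",     "src_ip": "10.0.3.3"},
]


def detect_pth(events, window=timedelta(minutes=10), min_hosts=3):
    """Return one alert per (account, source IP) that completes NTLM network logons
    (logon type 3) to at least `min_hosts` distinct hosts inside any `window`."""
    ntlm = sorted((e for e in events if e["logon_type"] == 3 and e["auth_pkg"].upper() == "NTLM"),
                  key=lambda e: e["ts"])                  # ISO-8601 strings sort chronologically
    by_actor = defaultdict(list)
    for e in ntlm:
        by_actor[(e["user"].lower(), e["src_ip"])].append(e)

    alerts = []
    for (user, src_ip), evs in by_actor.items():
        for i, first in enumerate(evs):                   # sliding window anchored on each event
            t0 = datetime.fromisoformat(first["ts"])
            hosts = {e["host"] for e in evs[i:] if datetime.fromisoformat(e["ts"]) - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "user": user,
                    "src_ip": src_ip,
                    "hosts": sorted(hosts),
                    # a local SAM account reused across hosts is the LAPS-less PtH pattern
                    "local_account": any(e["domain"].upper() == e["host"].upper() for e in evs),
                })
                break                                     # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for a in detect_pth(EVENTS):
        print(f"ALERT {a['user']}@{a['src_ip']} -> {', '.join(a['hosts'])}"
              f"{' (local account)' if a['local_account'] else ''}")
```

Tune `window` and `min_hosts` to the estate: vulnerability scanners and backup agents legitimately produce NTLM fan-out and belong on an allow-list keyed by account and source IP rather than by account alone, since an attacker replaying a scanner's hash from a different workstation should still trip the rule. The matching 4776 events on the domain controller (NTLM credential validation) give a second vantage point when endpoint logs are incomplete.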
What are other names for Pass-the-Hash?
Common alternative names include: PtH.
● Related terms
- defense-ops№ 682
Mimikatz
An open-source Windows post-exploitation tool that extracts plaintext passwords, hashes, Kerberos tickets, and other credentials from memory and LSASS.
- identity-access№ 584
Kerberos
A ticket-based network authentication protocol that uses symmetric cryptography and a trusted Key Distribution Center to enable secure single sign-on across services.
- defense-ops№ 606
Lateral Movement
The MITRE ATT&CK tactic (TA0008) covering techniques that let an attacker pivot from one compromised host to others across the environment.
- defense-ops№ 229
Credential Access
The MITRE ATT&CK tactic (TA0006) that covers techniques used to steal account names, passwords, tokens, and other secrets.
- identity-access№ 013
Active Directory
Microsoft's enterprise directory service for Windows networks, providing centralized authentication, authorization, and policy management for users, computers, and resources.
- attacks№ 791
Pass-the-Ticket
An Active Directory attack that reuses a stolen Kerberos ticket to impersonate a user or service without ever knowing the underlying password.
● See also
- № 107 BloodHound
- № 746 NTLM Relay Attack
- № 1057 SMB Relay Attack
- № 620 LLMNR Poisoning
- № 715 NBT-NS Poisoning
- № 924 Responder Attack