Pass-the-Hash (PtH)

📝 Overview

What it is: A technique in which an attacker authenticates to a remote host or service with the NT (NTLM) hash of a user’s password instead of the plaintext password. NTLM challenge-response is keyed by the hash, so possessing the hash is equivalent to knowing the password; no cracking is needed. (LanMan hashes can be replayed the same way, but LM hashes have not been stored by default since Windows Vista/Server 2008.) Target Phase: Lateral Movement Operating System: Windows, over any protocol that accepts NTLM authentication (SMB, WMI/DCOM, WinRM, MSSQL, HTTP, and RDP in Restricted Admin mode)

⚙️ Core Concepts

  • Hash vs. Password: Windows stores passwords as hashes; the NT hash is MD4 over the UTF-16LE password. NTLM network authentication never transmits the password: the client proves knowledge of the hash by answering a server challenge with a keyed response, so whoever holds the hash can answer exactly as the legitimate user would.
  • Single Sign-On (SSO): To avoid re-prompting users, Windows keeps credential material (including the NT hash) in LSASS memory for the lifetime of a logon session. That convenience is what lets an attacker with local admin or SYSTEM rights dump the hashes of every account logged on to the machine.
  • The “Crown Jewels”: Attackers typically target Domain Admin hashes for full control of the domain, but a local Administrator hash that is identical on many machines is just as useful for moving laterally.
  • Caveat for local accounts: by default only the built-in Administrator (RID 500) gets a full token over the network; other local admin accounts receive a UAC-filtered token and PtH against them fails unless LocalAccountTokenFilterPolicy is set to 1. Domain accounts are not subject to this filter.
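
The “Hash vs. Password” point in working code, as an added example that is not part of the original page: a pure-Python MD4 (so it runs without OpenSSL’s legacy provider), the NT hash (NTOWFv1), and the NTLMv2 response computation from MS-NLMP. A client that knows the password and a client that holds only the dumped 16-byte hash produce byte-identical responses. The user name, domain, password, challenges, timestamp and target info are constructed sample values, not captured traffic.

```python
"""Why a stolen NT hash is as good as the password for NTLM authentication.

Added example (not from the original page). MD4 follows RFC 1320; NTOWFv2 and
the NTLMv2 response follow MS-NLMP 3.3.2. All input values are constructed.
"""
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


# (round function, additive constant, message-word order, per-step shift schedule)
_MD4_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
     list(range(16)), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's MD4 needs OpenSSL's legacy provider."""
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    data = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        v = state[:]
        for func, const, order, shifts in _MD4_ROUNDS:
            for i in range(16):
                j = (-i) % 4  # registers are updated in the order a, d, c, b
                v[j] = _rotl((v[j] + func(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4])
                              + x[order[i]] + const) & MASK32, shifts[i % 4])
        state = [(s + t) & MASK32 for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. This is the value Mimikatz dumps from LSASS."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 is keyed by the NT hash, never by the password (user name is upper-cased)."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int, target_info: bytes) -> bytes:
    """NTLMv2_RESPONSE = NTProofStr || blob, as sent in the AUTHENTICATE_MESSAGE."""
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, "md5").digest()
    return nt_proof + blob


def demo() -> dict:
    """Legitimate client (knows the password) vs. PtH client (holds only the NT hash)."""
    # Constructed sample values; a real client takes the server challenge and
    # target info from the server's CHALLENGE_MESSAGE.
    user, domain, password = "svc_backup", "CORP", "Winter2024!"
    server_challenge = bytes.fromhex("0123456789abcdef")
    client_challenge = bytes.fromhex("fedcba9876543210")
    timestamp = 133_000_000_000_000_000  # FILETIME-style 100 ns ticks (constructed)
    target_info = (struct.pack("<HH", 0x0002, 8) + "CORP".encode("utf-16-le")  # MsvAvNbDomainName
                   + struct.pack("<HH", 0x0000, 0))                             # MsvAvEOL
    common = (user, domain, server_challenge, client_challenge, timestamp, target_info)

    legit = ntlmv2_response(nt_hash(password), *common)
    # The attacker has only the hex string dumped from LSASS, never the password.
    stolen_hash_hex = nt_hash(password).hex()
    pth = ntlmv2_response(bytes.fromhex(stolen_hash_hex), *common)
    return {"nt_hash": stolen_hash_hex, "nt_proof_str": pth[:16].hex(), "match": legit == pth}


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `match: True`: the server, which only ever compares NTProofStr values, cannot tell the two clients apart. This is the computation Impacket performs internally when given `-hashes` instead of a password, and it is why rotating the password is the only way to invalidate a leaked hash.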

💻 Common Tools

  • Impacket (psexec.py, wmiexec.py, smbexec.py): The gold standard for PtH from a Linux/Kali host; the example scripts accept `-hashes LMHASH:NTHASH` (the LM part may be left empty) in place of a password.
  • Mimikatz: Dumps NT hashes from LSASS memory (sekurlsa::logonpasswords; requires local admin/SYSTEM and SeDebugPrivilege) and can also perform PtH on Windows itself with sekurlsa::pth, which starts a process whose outbound network logons use the supplied hash.
  • Metasploit: Modules such as exploit/windows/smb/psexec accept a hash in the SMBPass option, written in LM:NT format, instead of a password.

⚠️ Defensive Strategy

  • LAPS (Local Administrator Password Solution): Gives every machine’s local Administrator account a unique, automatically rotated password stored in AD, so a local admin hash dumped from one host is useless on every other host. It does nothing for domain accounts, which still need their logon scope restricted.
  • Privileged Access Workstations (PAW): Restricts privileged accounts to logging on from dedicated, hardened workstations, so their hashes never sit in LSASS on an ordinary workstation or server an attacker can compromise.
  • Restricted Admin Mode: When RDP is started with /restrictedadmin, the user’s credentials are not sent to or cached on the remote host; outbound connections from that session run as the machine account. Caveat: enabling it (DisableRestrictedAdmin = 0) also lets an attacker who holds only a hash open an RDP session, e.g. via Mimikatz sekurlsa::pth with /run:"mstsc.exe /restrictedadmin".

🏷️ Tags

PassTheHash PtH LateralMovement NTLM Impacket PsExec PenTestPlus CLItool attack attacks