This chapter covers pass-the-hash (PtH) and pass-the-ticket (PtT) attacks, two of the most dangerous credential theft techniques used by attackers to move laterally within a network. For SY0-701, these fall under Objective 2.4: 'Given a scenario, analyze indicators of malicious activity.' Understanding how these attacks work, how to detect them, and how to prevent them is critical for the exam. This chapter will dive deep into the mechanics, tools, and defenses associated with PtH and PtT.
Imagine a hotel where each guest receives a key card that opens their room door and also the fitness center. The key card contains a hash of the guest's PIN, not the PIN itself. An attacker, Mallory, manages to steal the key card data from the front desk computer. She doesn't know the PIN, but she can copy the hash from the card and write it onto a blank card. Now Mallory can use her cloned card to open the guest's room and the fitness center, even though she never knew the PIN. The hotel's authentication system only checks that the hash matches what's stored, not that Mallory knows the PIN. This is pass-the-hash: the attacker captures the credential hash (the key card data) and reuses it to authenticate without knowing the plaintext password. In Windows, the Local Security Authority Subsystem Service (LSASS) stores password hashes in memory. An attacker who gains administrative privileges can dump these hashes using tools like Mimikatz and then use them to access other systems via NTLM authentication. The defense is to use Kerberos instead of NTLM where possible, enable Credential Guard, and limit administrative privileges to reduce the attack surface.
What Are Pass-the-Hash and Pass-the-Ticket?
Pass-the-hash (PtH) and pass-the-ticket (PtT) are lateral movement techniques that allow an attacker to authenticate to remote systems using captured credential material without knowing the plaintext password. These attacks exploit weaknesses in authentication protocols, specifically NTLM for PtH and Kerberos for PtT.
Pass-the-Hash (PtH): The attacker captures the NTLM hash of a user's password (often from the SAM database or LSASS memory) and uses it to authenticate via NTLM. Since NTLM uses a challenge-response mechanism based on the hash, the attacker can respond to challenges without the plaintext password.
Pass-the-Ticket (PtT): The attacker captures a Kerberos ticket-granting ticket (TGT) or service ticket from memory and uses it to request service tickets or access resources as that user. Kerberos tickets are encrypted and contain the user's identity and group memberships.
How PtH Works Mechanically
1. Initial Access: The attacker gains administrative privileges on a compromised host (e.g., via phishing, exploit, or weak password).
2. Credential Dumping: The attacker uses tools like Mimikatz, Windows Credential Editor (WCE), or PowerShell to extract password hashes from LSASS memory. The LSASS process stores NTLM hashes of logged-on users.
3. Hash Reuse: The attacker uses the captured hash to authenticate to other systems via NTLM. For example, using Mimikatz's sekurlsa::pth command:
mimikatz # sekurlsa::pth /user:Administrator /domain:corp.local /ntlm:HASH /run:cmd
This launches a new cmd.exe process with the given user's NTLM hash. Any network connections made from this process will use that hash for NTLM authentication.
4. Lateral Movement: The attacker uses tools like PsExec, WMI, or scheduled tasks to execute commands on remote hosts. Since the authentication uses the hash, the remote system accepts it as valid.
How PtT Works Mechanically
1. Initial Access: Similar to PtH, the attacker gains admin privileges on a host.
2. Ticket Dumping: The attacker uses Mimikatz to extract Kerberos tickets from memory. Specifically, the TGT and service tickets are stored in the Kerberos ticket cache.
mimikatz # sekurlsa::tickets /export
This exports all tickets to .kirbi files.
3. Ticket Reuse: The attacker injects the exported ticket into a new logon session using Mimikatz's kerberos::ptt command:
mimikatz # kerberos::ptt ticket.kirbi
This makes the ticket available for Kerberos authentication.
4. Lateral Movement: The attacker can now access remote services that accept Kerberos authentication, such as SMB, HTTP, or LDAP. Tools like PsExec with Kerberos can be used.
Key Components and Standards
NTLM Hash: A cryptographic hash of the password. Windows stores two hashes: the LM hash (weak, disabled by default since Vista) and the NT hash (MD4 of the UTF-16LE-encoded password). NTLMv1 and NTLMv2 are challenge-response protocols that use these hashes.
Kerberos Tickets: TGT is encrypted with the krbtgt account's password hash. Service tickets are encrypted with the target service's password hash. Tickets contain a PAC (Privilege Attribute Certificate) with user info.
LSASS: Local Security Authority Subsystem Service handles authentication and stores credentials in memory. It is the primary target for credential dumping.
Mimikatz: The most common tool for PtH and PtT. It can dump credentials, manipulate tickets, and perform other attacks.
Attack Variants
Overpass-the-Hash (Pass-the-Key): Uses Kerberos instead of NTLM. The attacker uses the NT hash to request a TGT from the Domain Controller, then uses that TGT for PtT. This bypasses NTLM restrictions.
Pass-the-Certificate: Uses a certificate to authenticate via PKINIT (Kerberos with smart cards).
Golden Ticket: Forges a TGT using the krbtgt hash, granting domain admin access.
Silver Ticket: Forges a service ticket for a specific service, allowing access without a TGT.
Defenses
Credential Guard: Uses virtualization-based security to protect LSASS secrets. Enabled via Group Policy.
Protected Users Group: Users in this group cannot use NTLM, and Kerberos will not cache tickets that can be exported.
Restricted Admin Mode: For RDP, this mode prevents credential delegation.
Network Segmentation: Limit lateral movement by segmenting networks and using firewalls.
Least Privilege: Minimize admin accounts and use separate accounts for admin tasks.
Monitoring: Detect credential dumping via event logs (Event ID 4624, 4648, 4672) and tools like Sysmon. Look for anomalous use of Mimikatz or suspicious process creation.
Disable NTLM: Where possible, use Kerberos only. NTLM can be disabled via Group Policy.
Real Command and Tool Examples
- Dumping hashes with Mimikatz:
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
- PtH with Mimikatz:
mimikatz # sekurlsa::pth /user:Administrator /domain:corp.local /ntlm:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 /run:powershell.exe
- PtT with Mimikatz:
mimikatz # kerberos::ptt ticket.kirbi
- Exporting tickets:
mimikatz # sekurlsa::tickets /export
- Using PsExec with PtH:
psexec \\target -u administrator -p hash cmd
(Note: PsExec typically requires a password, but with PtH the hash is injected into the session.)
Initial Compromise and Privilege Escalation
The attacker first gains a foothold on a system, often through phishing or exploiting a vulnerability. They then escalate privileges to local administrator or SYSTEM. This is necessary because credential dumping requires high integrity access. Tools like PowerUp or Metasploit may be used. Logs: Event ID 4672 (special privileges assigned) indicates escalation. The attacker will also disable security tools like Windows Defender or AMSI.
Credential Dumping from LSASS
With admin rights, the attacker dumps credentials from LSASS memory. Mimikatz's `sekurlsa::logonpasswords` extracts NTLM hashes and Kerberos tickets. This requires the `SeDebugPrivilege` privilege. The attacker may also dump the SAM database for local account hashes. Detection: Event ID 4663 (attempt to access LSASS process) or Sysmon Event ID 10 (process access). Tools like Mimikatz trigger these events.
Injecting Hash for Pass-the-Hash
The attacker uses Mimikatz's `sekurlsa::pth` to inject the NTLM hash into a new logon session. This creates a process (e.g., cmd.exe) that authenticates using the hash for all NTLM network connections. The attacker now has the identity of the dumped user. Logs: Event ID 4624 (logon) with LogonType 9 (NewCredentials) or 2 (Interactive). The logon process will show `seclogo` as the authentication package.
Lateral Movement via Remote Execution
Using the injected session, the attacker runs commands on remote machines. Common tools: PsExec, WMI, PowerShell remoting, or scheduled tasks. For example, `psexec \\target cmd` will use the hash for NTLM authentication. The attacker may target high-value servers like domain controllers. Detection: Event ID 5145 (network share access) for SMB, or Event ID 4698 (scheduled task creation). Look for anomalous remote connections from the compromised host.
Pass-the-Ticket: Dumping and Injecting Kerberos Tickets
Alternatively, the attacker dumps Kerberos tickets using `sekurlsa::tickets /export`. Then injects a TGT or service ticket with `kerberos::ptt`. This allows Kerberos authentication without needing the password hash. The attacker can request new service tickets using the TGT. Detection: Event ID 4768 (TGT requested) or 4769 (service ticket requested) may show anomalous activity. Tools like Rubeus can also perform PtT.
Scenario 1: Lateral Movement After Phishing
A SOC analyst notices multiple failed logon attempts from a single workstation to several servers. Investigation reveals that a user clicked a phishing link, leading to installation of a remote access trojan (RAT). The attacker used Mimikatz to dump the user's NTLM hash and then performed PtH to access a file server. The analyst sees Event ID 4624 with LogonType 3 (network) from the compromised workstation to the file server, but the logon process is NTLMSSP. The correct response is to isolate the workstation, reset the compromised user's password, and revoke Kerberos tickets. A common mistake is to only block the attacker's IP, but the attacker can pivot from another host. Tools used: SIEM for correlation of logon events, Sysmon for process access to LSASS.
Scenario 2: Domain Admin Account Compromise
An attacker compromises a domain admin account through a pass-the-hash attack. They dump the krbtgt hash and create a golden ticket, granting persistent domain admin access. The SOC sees a spike in TGT requests (Event ID 4768) for a single user from multiple machines. The attacker uses the golden ticket to access any resource. Detection: Anomalous TGT renewals or service ticket requests. The correct response is to reset the krbtgt password twice (to invalidate all tickets) and rebuild domain controllers. A common mistake is to only reset the compromised admin password, but golden tickets remain valid. Tools: Microsoft's Kerberos Ticket Management script, Event Logs.
Scenario 3: Pass-the-Ticket from a Compromised Server
An attacker compromises a web server and dumps Kerberos tickets from the service account. They inject a service ticket for the database server and exfiltrate data. The SOC sees Event ID 4769 for service ticket requests from the web server to the database server, but the user is the service account. The correct response is to rotate the service account password and implement Credential Guard on the web server. A common mistake is to assume the service account is not privileged, but it may have delegated access. Tools: Network traffic analysis for anomalous SQL queries, Event Logs.
What SY0-701 Tests on PtH and PtT
The exam focuses on recognizing indicators of these attacks and choosing appropriate mitigations. Specifically, Objective 2.4 asks you to analyze indicators of malicious activity. You must be able to identify PtH/PtT from logs, understand the difference between them, and know which defenses apply.
Common Wrong Answers and Why
"Pass-the-hash requires the plaintext password." Wrong. PtH uses the hash, not the password. Candidates confuse hash with password.
"Pass-the-ticket is a type of pass-the-hash." Wrong. They are distinct attacks using different protocols (NTLM vs Kerberos). Candidates lump them together.
"Disabling NTLM completely prevents pass-the-hash." Partially true, but overpass-the-hash (using Kerberos) can still work. Also, some applications rely on NTLM.
"Mimikatz is the only tool for these attacks." Wrong. Tools like Rubeus, WCE, and PowerShell scripts also exist. Candidates focus too much on Mimikatz.
Key Terms and Values
NTLM hash format: 32-character hexadecimal (e.g., aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0) where the first part is LM hash and second is NT hash. The exam may show a hash and ask what it is.
Mimikatz commands: sekurlsa::logonpasswords, sekurlsa::pth, kerberos::ptt.
Event IDs: 4624 (logon), 4672 (admin logon), 4768 (TGT request), 4769 (service ticket request), 4663 (process access).
Defenses: Credential Guard, Protected Users Group, Restricted Admin Mode.
Trick Questions
"Which attack uses a hash to authenticate via NTLM?" Answer: Pass-the-hash. But watch for "overpass-the-hash" which uses Kerberos.
"What is the difference between a golden ticket and a silver ticket?" Golden ticket forges a TGT (krbtgt hash), silver ticket forges a service ticket (service account hash).
"Which defense prevents credential dumping from LSASS?" Credential Guard. Not simply "disabling LM hashes" or "using strong passwords."
Decision Rule for Scenario Questions
If a scenario describes an attacker gaining access to another system without providing a password, and the authentication is NTLM-based (e.g., using PsExec), think PtH. If the authentication is Kerberos-based (e.g., accessing a web service), think PtT. Also, if the attacker dumps credentials from memory, it's likely PtH or PtT. Look for keywords like "hash" or "ticket" in the answer choices.
Pass-the-hash uses the NTLM hash (not the plaintext password) to authenticate via NTLM.
Pass-the-ticket uses Kerberos tickets (TGT or service ticket) to authenticate via Kerberos.
Mimikatz is the most common tool for both attacks; commands include sekurlsa::pth and kerberos::ptt.
Credential Guard and Protected Users Group are key defenses against credential dumping.
Overpass-the-hash converts an NTLM hash into a Kerberos TGT, bypassing NTLM restrictions.
Golden tickets forge a TGT using the krbtgt hash; silver tickets forge a service ticket.
Monitoring Event IDs 4624, 4768, 4769, and 4663 helps detect these attacks.
Disabling NTLM reduces PtH risk but does not eliminate overpass-the-hash.
Least privilege and network segmentation limit lateral movement after credential theft.
Resetting the krbtgt password twice is required to invalidate golden tickets.
These come up on the exam all the time. Here's how to tell them apart.
Pass-the-Hash (PtH)
- Uses NTLM hash (NT hash)
- Authenticates via NTLM challenge-response
- Requires access to LSASS memory for hash
- Common tools: Mimikatz, WCE
- Defenses: Disable NTLM, Credential Guard
Pass-the-Ticket (PtT)
- Uses Kerberos tickets (TGT or service ticket)
- Authenticates via Kerberos protocol
- Requires access to Kerberos ticket cache
- Common tools: Mimikatz, Rubeus
- Defenses: Protected Users Group, ticket lifetime limits
Mistake
Pass-the-hash attacks require the attacker to know the plaintext password.
Correct
PtH only requires the NTLM hash. The attacker does not need the plaintext password, as the hash is used directly in the NTLM challenge-response.
Mistake
Pass-the-ticket and pass-the-hash are the same attack.
Correct
They are different. PtH uses NTLM hashes for NTLM authentication; PtT uses Kerberos tickets for Kerberos authentication. The tools and defenses differ.
Mistake
If NTLM is disabled, pass-the-hash is impossible.
Correct
Disabling NTLM prevents traditional PtH, but overpass-the-hash (using the hash to request a Kerberos TGT) can still work. Also, some environments still require NTLM.
Mistake
Only Mimikatz can perform pass-the-hash.
Correct
Many tools can perform PtH, including Windows Credential Editor (WCE), Rubeus, and PowerShell scripts. Mimikatz is the most famous but not the only one.
Mistake
Pass-the-hash only works for local accounts.
Correct
PtH works for domain accounts as well. The hash is used to authenticate to remote systems, and the remote system validates it against the domain controller.
Pass-the-hash (PtH) uses an NTLM hash to authenticate via the NTLM protocol. Pass-the-ticket (PtT) uses a Kerberos ticket (TGT or service ticket) to authenticate via Kerberos. PtH is for NTLM-based authentication; PtT is for Kerberos-based. Both are lateral movement techniques. On the exam, if the scenario mentions NTLM or PsExec, think PtH. If it mentions Kerberos or service tickets, think PtT.
Mimikatz uses the `sekurlsa::pth` command to inject an NTLM hash into a new logon session. The syntax is: `sekurlsa::pth /user:USER /domain:DOMAIN /ntlm:HASH /run:COMMAND`. This launches a process (e.g., cmd.exe) that authenticates using the hash for all NTLM network connections. The attacker can then use tools like PsExec from that process.
Overpass-the-hash, also called pass-the-key, is a technique where the attacker uses an NTLM hash to request a Kerberos TGT from a domain controller. This converts the hash into a usable Kerberos ticket, allowing PtT attacks. It bypasses environments where NTLM is disabled. Tools like Mimikatz's `sekurlsa::pth` with Kerberos or Rubeus can perform this.
A golden ticket attack is a type of pass-the-ticket where the attacker forges a TGT using the krbtgt account's password hash. This grants the attacker domain admin privileges for as long as the ticket is valid (default 10 years). The attacker must first obtain the krbtgt hash, usually from a domain controller. Defenses include resetting the krbtgt password twice and monitoring for anomalous TGT requests.
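Why the chapter (here and in Scenario 2) insists on resetting the krbtgt password twice can be shown with a small model. This is an added example, not the chapter's or Microsoft's code, and it is not Kerberos: an HMAC tag over the ticket body stands in for the real encryption of the TGT under the krbtgt key, the keys are random placeholders for the krbtgt password hash, and the ToyKdc class and its methods are this example's own names. The one behaviour it copies faithfully is that a domain controller keeps the previous krbtgt key and still accepts tickets sealed under it, so a single reset leaves an existing TGT usable and only the second reset invalidates it.

```python
import hashlib
import hmac
import json
import os


class ToyKdc:
    """Toy stand-in for a KDC: seals TGTs with the current krbtgt key and, like a
    real domain controller, still accepts tickets sealed with the previous key."""

    def __init__(self):
        self.current = os.urandom(32)   # placeholder for the krbtgt password hash
        self.previous = None            # the one older key a DC keeps after a reset

    def reset_krbtgt(self):
        """Rotate the key; the old current key becomes the single accepted 'previous'."""
        self.previous, self.current = self.current, os.urandom(32)

    def issue_tgt(self, principal: str) -> bytes:
        """Ticket = JSON body + '|' + hex HMAC tag (stands in for encryption under krbtgt)."""
        body = json.dumps({"cname": principal}).encode()
        tag = hmac.new(self.current, body, hashlib.sha256).hexdigest().encode()
        return body + b"|" + tag

    def accept_tgt(self, ticket: bytes) -> bool:
        """Accept if the tag verifies under the current OR the previous key."""
        body, sep, tag = ticket.rpartition(b"|")
        if not sep:
            return False
        for key in (self.current, self.previous):
            if key is None:
                continue
            expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
            if hmac.compare_digest(tag, expected):
                return True
        return False


def ticket_validity_across_resets(resets: int = 2) -> list:
    """Issue a TGT, then reset krbtgt `resets` times, recording whether the original
    ticket is still accepted; index 0 is before any reset."""
    kdc = ToyKdc()
    tgt = kdc.issue_tgt("Administrator@CORP.LOCAL")   # constructed principal name
    results = [kdc.accept_tgt(tgt)]
    for _ in range(resets):
        kdc.reset_krbtgt()
        results.append(kdc.accept_tgt(tgt))
    return results


def altered_ticket_rejected() -> bool:
    """Changing the identity inside a ticket without the key breaks the tag."""
    kdc = ToyKdc()
    tgt = kdc.issue_tgt("jdoe@CORP.LOCAL")
    altered = tgt.replace(b"jdoe", b"Administrator")
    return not kdc.accept_tgt(altered)


if __name__ == "__main__":
    print("ticket accepted before/after 1st/after 2nd reset:", ticket_validity_across_resets())
    print("altered ticket rejected:", altered_ticket_rejected())
```

In a real domain the two resets must be separated by enough time for the new key to replicate to every domain controller; otherwise DCs that have not yet received it reject legitimate tickets, which is why this is an incident-response step rather than a routine toggle.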
Detection involves monitoring event logs: Event ID 4624 (logon) with LogonType 3 (network) using NTLM authentication from an unexpected source; Event ID 4672 (special privileges) indicating admin logon; Event ID 4663 (process access) when LSASS is accessed. Also, Sysmon Event ID 10 (process access) can detect Mimikatz. Network traffic analysis may show repeated NTLM authentication attempts.
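The detection points named in the attack-chain sections, the scenarios and the summary above (Event ID 4624 with logon type 9 and seclogo, NTLM network logons arriving at a server from a workstation, Sysmon Event ID 10 against lsass.exe, and a burst of 4768 TGT requests for one account from many hosts) can be written as simple rules. The following is an added example, not part of the chapter and not any vendor's rule set. The event records are constructed for it and use a flat, simplified field set (id, host, user, logon_type, logon_process, auth_pkg, src, source_image, target_image) that is this example's own assumption rather than Windows' XML field names; the server inventory, LSASS allowlist and threshold are placeholders a SOC would replace with its own.

```python
from collections import defaultdict

# Constructed sample events, not real logs; flat field names are this example's own.
SAMPLE_EVENTS = [
    # Credential dumping on the workstation: an unknown binary opens lsass.exe (Sysmon 10)
    {"id": 10, "host": "WS-042", "source_image": r"C:\Users\jdoe\Downloads\m.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"id": 10, "host": "WS-042", "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    # Hash injection: 4624 logon type 9 (NewCredentials) with seclogo
    {"id": 4624, "host": "WS-042", "user": "jdoe", "logon_type": 9,
     "logon_process": "seclogo", "auth_pkg": "Negotiate", "src": "WS-042"},
    # Scenario 1: NTLM network logon to the file server from the workstation
    {"id": 4624, "host": "FS-01", "user": "jdoe", "logon_type": 3,
     "logon_process": "NtLmSsp", "auth_pkg": "NTLM", "src": "WS-042"},
    {"id": 4624, "host": "FS-01", "user": "bsmith", "logon_type": 3,
     "logon_process": "Kerberos", "auth_pkg": "Kerberos", "src": "WS-007"},
    # Scenario 2: TGT requests (4768) for one account from several machines
    *[{"id": 4768, "host": "DC-01", "user": "admin1", "src": s}
      for s in ("WS-042", "SRV-DB", "SRV-WEB", "WS-099")],
    {"id": 4768, "host": "DC-01", "user": "bsmith", "src": "WS-007"},
]

# Placeholders for a SOC's own inventory, allowlist and tuning.
SERVER_HOSTS = {"FS-01", "DC-01", "SRV-DB", "SRV-WEB"}
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
TGT_SOURCE_THRESHOLD = 3   # distinct hosts requesting TGTs for one account


def detect(events):
    """Apply the four rules and return one finding dict per hit."""
    findings = []
    tgt_sources = defaultdict(set)
    for e in events:
        if e["id"] == 10 and e["target_image"].lower().endswith(r"\lsass.exe"):
            # Rule 1: LSASS opened by a process outside the allowlist
            if e["source_image"].lower() not in LSASS_ALLOWLIST:
                findings.append({"rule": "lsass_access", "host": e["host"],
                                 "detail": e["source_image"]})
        elif e["id"] == 4624:
            # Rule 2: the logon pattern sekurlsa::pth (and runas /netonly) produces
            if e["logon_type"] == 9 and e["logon_process"].lower() == "seclogo":
                findings.append({"rule": "pth_injection", "host": e["host"],
                                 "detail": e["user"]})
            # Rule 3: NTLM network logon at a server sourced from a non-server host
            elif (e["logon_type"] == 3 and e["auth_pkg"] == "NTLM"
                  and e["host"] in SERVER_HOSTS and e["src"] not in SERVER_HOSTS):
                findings.append({"rule": "ntlm_from_workstation", "host": e["host"],
                                 "detail": f"{e['user']} from {e['src']}"})
        elif e["id"] == 4768:
            tgt_sources[e["user"]].add(e["src"])
    # Rule 4: one account requesting TGTs from many hosts (Scenario 2 pattern)
    for user, sources in tgt_sources.items():
        if len(sources) >= TGT_SOURCE_THRESHOLD:
            findings.append({"rule": "tgt_fan_out", "host": "(domain)",
                             "detail": f"{user} requested TGTs from {len(sources)} hosts"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:<22} {f['host']:<8} {f['detail']}")
```

Rule 2 deserves baselining before it pages anyone: legitimate `runas /netonly` use by administrators produces the same logon type 9 / seclogo combination, so the signal is the account and host it appears on, not the event alone. Rule 3 depends entirely on the accuracy of the server inventory, which is why the placeholder set must come from the asset database rather than being typed in.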
Credential Guard uses virtualization-based security to isolate and protect LSASS secrets. It stores NTLM hashes and Kerberos tickets in a protected environment that cannot be accessed by the operating system or admin tools like Mimikatz. This prevents credential dumping. It is enabled via Group Policy and requires hardware virtualization support.
Traditional pass-the-hash (using NTLM) does not work in Kerberos-only environments because NTLM is disabled. However, overpass-the-hash can convert the NTLM hash into a Kerberos TGT, allowing the attacker to use Kerberos authentication. So, disabling NTLM reduces but does not eliminate the risk.