# Pass-the-hash

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/pass-the-hash

## Quick definition

Pass-the-hash is a type of attack where a hacker steals the scrambled version of your password, called a hash, and uses it to log into computers or services on a network. The attacker does not need to know your actual password, only the hash. This works on many older Windows systems and some other networks. Defenses include using long, strong passwords and newer authentication protocols.

## Simple meaning

Imagine your password is like a secret recipe. When you log into a computer, the system does not actually check the recipe itself. Instead, it blends the recipe into a unique smoothie, called a hash, and compares that smoothie to one it made earlier. If the smoothies match, you get in. In a Pass-the-hash attack, a criminal does not steal your recipe. They steal your smoothie. Because the system only checks smoothies, the criminal can use your smoothie to log in and pretend to be you, even if they never learn your actual recipe.

This attack is especially dangerous on older networks where computers trust each other more easily. Once an attacker gets a hash, they can often use it to move from one computer to another, gaining access to more and more parts of the network. Think of it like a thief who grabs your building access badge. They do not need to know your employee ID number, they just need the badge to swipe through doors. The hash is that digital badge. The attack works because many systems rely on just the hash to verify identity, without requiring extra proof like a fingerprint or a second password.

To protect against this, modern systems use methods that limit how hashes can be reused. They also require stronger verification steps, like a second factor. But the attack remains a common threat in legacy environments and on networks that have not been updated. Understanding Pass-the-hash helps you see why simply encrypting passwords is not enough for security.

## Technical definition

Pass-the-hash (PtH) is a type of credential theft and lateral movement attack that exploits how Windows and some other operating systems handle authentication using the NT LAN Manager (NTLM) protocol. In an NTLM authentication, the user's password is never transmitted in plaintext. Instead, the client machine computes a cryptographic hash of the password and sends that hash to a domain controller or target server for verification. The server, holding a stored hash of the user's password, compares the two hashes. If they match, authentication succeeds.

An attacker who gains administrative access to a machine can extract the password hashes of all logged-in users from the Local Security Authority Subsystem Service (LSASS) process memory or from the Security Account Manager (SAM) registry hive. These hashes can be obtained using tools like Mimikatz, which dumps credentials from memory. Once the attacker has a hash, they do not need to crack it to get the plaintext password. Instead, they can perform a Pass-the-hash attack by injecting the hash into a new authentication session, essentially impersonating the legitimate user.

This attack works against NTLM and also against the earlier LM (LAN Manager) hash, though LM is now disabled by default. It does not work against Kerberos in the same direct way because Kerberos uses ticket-based authentication that includes timestamp and client information, making hash replay more difficult. However, attackers can still use the hash to request Kerberos tickets if the domain controller accepts NTLM-to-Kerberos translation, or they can downgrade the authentication to NTLM.

From a standards perspective, PtH exploits the fact that NTLM is a challenge-response protocol that does not bind the authentication to a specific machine or session context. The lack of channel binding allows a hash captured on one system to be reused on another system. Microsoft has introduced mitigations over the years, including Restricted Admin mode for Remote Desktop, Credential Guard, and Windows Defender Remote Credential Guard, which isolate credentials in a virtualized environment and prevent hash extraction. Enabling Extended Protection for Authentication (EPA) and using smart cards or multi-factor authentication can reduce the risk.

In real IT implementations, Pass-the-hash attacks are commonly used in penetration testing to simulate lateral movement and privilege escalation. Security professionals test for PtH vulnerabilities by attempting to use extracted hashes to access other machines on the network. Defenders monitor for anomalous use of NTLM authentication, such as a single account authenticating from multiple workstations simultaneously, or an increase in NTLM authentication events in logs.

## Real-life example

Think about a large office building with many doors. Each employee has a key card that opens the front door, and inside, each office door also requires the same key card. Now imagine a thief somehow gets a copy of your key card's magnetic stripe data. The thief does not know your name or your employee number. They just have the digital code from the card. Because every door reader only checks that code, the thief can swipe into the front door, then into your office, and even into the server room, all while pretending to be you.

In this analogy, your key card data is the hash. The front door is your personal computer. The office door is the file server. The server room is the domain controller. The thief is the attacker who captures the hash from your computer's memory. Just like the thief does not need to know your name to use the card, an attacker does not need the actual password to authenticate. The system trusts the card data alone, just like NTLM trusts the hash alone.

If the building had a second requirement, like a fingerprint scan at every door, the thief's card alone would not work. That extra step is like multi-factor authentication. If the building required a different key code for each door, the thief could not reuse the same data everywhere. That is like channel binding or using Kerberos tickets that are tied to specific services. This simple analogy helps explain why older authentication methods are vulnerable and why adding layers of verification makes Pass-the-hash much harder to execute.

## Why it matters

Pass-the-hash matters because it is one of the most common and dangerous attack methods used by hackers to move laterally inside corporate networks. Once an attacker compromises a single workstation and extracts password hashes, they can often gain access to other systems, escalate privileges, and eventually reach high-value targets like domain controllers or sensitive databases. This attack bypasses the need to crack passwords, which can be time-consuming and computationally expensive. As a result, attackers can spread quickly through a network before defenders even realize an initial breach has occurred.

For IT professionals, understanding Pass-the-hash is critical for designing secure authentication architectures. It influences decisions around which authentication protocols to use, how to store credentials, and what tools to implement for credential protection. For example, disabling NTLM and moving to Kerberos-only environments can reduce the attack surface. Enabling Credential Guard on Windows systems protects hashes even if an attacker gains administrative access. Regular vulnerability assessments should include testing for PtH, and incident response plans must account for the possibility that hashes have been stolen.

From an organizational perspective, a single Pass-the-hash attack can lead to a full domain compromise, resulting in data breaches, ransomware deployment, and significant financial and reputational damage. The attack exploits a fundamental weakness in how trust is established in Windows networks. Therefore, knowledge of PtH is not just academic, it is a practical survival skill for anyone managing enterprise IT environments. Security certifications frequently test this concept because it represents a real-world threat that every administrator must understand and mitigate.

## Why it matters in exams

Pass-the-hash is a core topic in major IT security certifications such as CompTIA Security+, CompTIA PenTest+, CEH, CISSP, and Microsoft security exams like SC-900 and MS-500. In CompTIA Security+, it appears under Domain 2 (Architecture and Design) and Domain 4 (Operations and Incident Response), specifically in the context of authentication protocols and attack types. You may be asked to identify PtH in a scenario, choose the best mitigation, or explain why it works against NTLM but not Kerberos.

In CompTIA PenTest+, the concept is even more hands-on. Questions might describe a penetration test where the tester extracts hashes from a compromised workstation and uses them to access a file server. You could be expected to select the correct tool for hash extraction (Mimikatz), identify the protocol being exploited (NTLM), or recommend a remediating control (Credential Guard). In CEH, PtH is covered under system hacking and privilege escalation, often with multiple-choice questions that test your understanding of the attack chain.

For CISSP, Pass-the-hash relates to the Identity and Access Management domain. You may see questions about the importance of using Kerberos instead of NTLM or about the function of channel binding. The exam might present a scenario where a help desk analyst observes multiple logins from the same account from different workstations and asks you to identify the likely attack. In Microsoft security exams, PtH is relevant to configuring Azure AD Seamless Single Sign-On and understanding how Windows Defender Credential Guard blocks the attack.

Regardless of the exam, typical question formats include scenario-based multiple choice, where you must identify the attack type from a description of events, and best-practice questions, where you select the most effective mitigation. You might also see drag-and-drop questions asking you to sequence the steps of a PtH attack. Knowing that PtH is a lateral movement technique that relies on NTLM hash reuse is essential for scoring well on these exams.

## How it appears in exam questions

In IT certification exams, Pass-the-hash questions often present a scenario where an organization discovers unusual network activity. For example, a question might describe an administrator noticing that a standard user account is authenticating to multiple servers within a short time window, even though the user is on vacation. The question would then ask what type of attack has occurred and which protocol is being exploited. The correct answer is Pass-the-hash exploiting NTLM.

Another common question pattern involves a penetration test report. The question might list the tools used during the test, such as Mimikatz and PsExec, and then describe the steps: gain initial access, dump credentials, and use those credentials to access additional systems. You would be asked to identify the technique used. The answer choices might include Pass-the-hash, Pass-the-ticket, brute force, or phishing. The key clue is the mention of hash extraction and reuse without cracking.

Configuration-based questions ask how to prevent PtH. You might see a list of possible settings: disable NTLM, enable Credential Guard, implement smart cards, use longer passwords, or enable audit logging. The best answers are disabling NTLM and enabling Credential Guard, because they directly block the attack vector. Questions might also ask about the difference between PtH and Pass-the-ticket, requiring you to understand that PtH uses NTLM hashes while Pass-the-ticket uses Kerberos tickets.

Troubleshooting scenarios might involve a user reporting that they cannot authenticate after a security update. The update might have disabled NTLM, breaking a legacy application that relies on it. You would need to diagnose that the application is failing because NTLM is required for PtH-like reauthentication. These questions test both your knowledge of the attack and your understanding of the underlying protocols and mitigations.

## Example scenario

A medium-sized company, GreenLeaf Tech, uses a Windows domain with all systems running Windows 10. One day, an employee named Sarah receives a phishing email with a malicious attachment. She opens it, and it installs a small program on her workstation. The program gives the attacker, Eve, administrative control over Sarah's computer. Eve immediately runs a tool called Mimikatz, which extracts password hashes of all users currently logged into the machine. Among the hashes, Eve finds the hash for Sarah's domain account and also for a service account with local admin rights on the file server.

Eve does not know the actual passwords, but that does not matter. She opens a command prompt on her own machine and uses a tool to inject Sarah's hash into a new authentication session. She then connects to the file server using PsExec, and the file server treats her as if she is Sarah. Because Sarah has permission to read the financial reports folder, Eve accesses sensitive data and copies it out of the network. Later, Eve uses the service account hash to access the domain controller, elevating her privileges even further.

The IT team notices unusual logon events: Sarah's account logged into the file server at the same time she was in a meeting. They also see the service account logging in from Sarah's workstation, which is unusual. The team suspects a Pass-the-hash attack and immediately disables NTLM on the domain controller, enables Credential Guard on all workstations, and resets affected passwords. This scenario shows how a single compromised workstation can lead to widespread data theft through hash reuse, and why rapid detection and mitigation are critical.

## Understanding the Pass-the-Hash Attack Mechanism and Impact

Pass-the-Hash (PtH) is a network authentication attack that exploits the Windows authentication protocol, primarily NTLM (NT LAN Manager). In this attack, an adversary captures the hash of a user's password, rather than the plaintext password itself, and uses that hash to authenticate to remote systems or services. The core vulnerability lies in Windows' use of password hashes in challenge-response authentication: if a system has access to the user's password hash (e.g., from the local SAM database or LSASS memory), it can respond to authentication challenges without ever knowing the plaintext password.

The attack typically unfolds in three stages. First, the attacker gains initial access to a machine, often through phishing, malware, or exploiting a vulnerability. Once on the system, the attacker uses tools like Mimikatz, Windows Credential Editor (WCE), or custom scripts to extract password hashes from memory (LSASS process) or from disk (SAM file). The most critical hashes are the NTLM hashes, which are stored as a single MD4 hash of the password. In modern Windows environments, these hashes are often protected by mechanisms like Credential Guard, but many systems still expose them.

Second, the attacker identifies a target system where the extracted user account has privileges-typically a domain controller, file server, or another workstation. The attacker then initiates an NTLM authentication request to that target, using the captured hash. The target sends a challenge (a random 8-byte nonce). The attacker's machine computes an NTLM response by encrypting the challenge with the captured hash using the DES-like algorithm. This response is sent back to the target, which computes its own version using the user's actual password hash stored in its own database. If they match, access is granted.

Finally, once authenticated, the attacker can execute commands, move laterally, or escalate privileges. The attack is particularly dangerous because it requires no password cracking-the hash is used directly. The impact is severe: an attacker can compromise an entire domain from a single workstation if they obtain a domain admin hash. In exam contexts, you should know that PtH does not require plaintext passwords; it bypasses traditional password policies; and it works against NTLMv1 and NTLMv2, though NTLMv2 adds a timestamp to make replay harder. Defenses include using Kerberos (which uses tickets not hashes), enabling Credential Guard, limiting local admin rights, and monitoring for unusual logon events (event ID 4624 with logon type 3).

On exams, you may see questions about why PtH succeeds despite strong passwords. The answer is that PtH targets the authentication protocol, not the password strength. Also, remember that PtH is distinct from brute-force or dictionary attacks-it reuses valid credentials. The attack is most effective in Windows environments with NTLM in use, and it is a primary reason why Microsoft recommends moving to Kerberos-only deployments. Understanding the exact flow-capture hash, use in challenge-response-is crucial for security certification questions.

## Mitigation Strategies and Detection Techniques for Pass-the-Hash

Mitigating pass-the-hash attacks requires a layered security approach that addresses both the technical vulnerabilities and operational practices. At the protocol level, the most effective mitigation is to disable NTLM authentication entirely and rely solely on Kerberos. Kerberos uses ticket-granting tickets (TGTs) and service tickets that are time-stamped and tied to the requesting machine, making them far more resistant to hash reuse. However, many organizations still require NTLM for legacy applications, so a phased approach is necessary. Microsoft provides Group Policy settings to restrict NTLM: you can set it to deny all, deny for domain accounts, or audit only. For exam purposes, remember that the ultimate goal is NTLM disablement, but practical mitigation includes limiting NTLM to specific servers.

Credential protection is another key layer. Windows Defender Credential Guard, introduced in Windows 10 and Server 2016, uses virtualization-based security to isolate LSASS, preventing tools like Mimikatz from extracting hashes from memory. This requires hardware virtualization support and is enabled via Group Policy. Microsoft introduced Remote Credential Guard for RDP sessions, which prevents credential forwarding. On Windows 8.1 and later, Protected Users security group members get non-delegable Kerberos tickets, further hardening accounts. For exam certifications, you should know that Credential Guard is a primary defense against PtH because it protects the hash even if the machine is compromised.

Administrative practices also reduce risk. Principle of least privilege is critical: limit the number of local administrators and use separate accounts for administrative tasks. Domain admins should never log on to lower-trust workstations, as that exposes their hashes. Using Microsoft's Local Administrator Password Solution (LAPS) ensures unique local admin passwords, preventing hash reuse across machines. Implementing Restricted Admin mode for RDP (enabled via Group Policy) prevents credential caching. On exams, you may be asked why LAPS helps: it eliminates the common practice of using the same local admin password, which would allow an attacker to PtH across all workstations.

Detection relies on monitoring event logs for suspicious activity. Key events include: Event ID 4624 (logon) with Logon Type 3 (network) from unusual source workstations, especially when the account has high privileges; Event ID 4672 (special privileges assigned to new logon) for admin accounts; and Event ID 4648 (logon using explicit credentials) which may indicate lateral movement. Unusual scheduling of logons or multiple network logons from a single machine can indicate hash spraying. Advanced detection uses honeytokens-fake accounts with no real privileges that, when used, trigger alerts. Security Information and Event Management (SIEM) solutions can correlate these events. In exam questions, expect scenarios where you need to choose the correct event ID or describe why a logon type 3 with a domain admin account is suspicious.

Finally, patch management and network segmentation play a role. Keeping systems patched reduces vulnerability exploits that lead to initial access. Segmenting networks limits lateral movement-if a workstation in one VLAN is compromised, PtH cannot reach servers in another segment without additional access. Implementing tiered administrative models (e.g., Tier 0, 1, 2) where domain controllers are isolated reduces exposure. For certifications like the CISSP or CompTIA Security+, understanding these layers is essential for questions about defending against credential attacks.

## Common mistakes

- **Mistake:** Thinking that Pass-the-hash requires knowing the plaintext password.
  - Why it is wrong: The attack uses only the hash, not the password. The attacker does not need to crack the hash. This is the entire point of the attack.
  - Fix: Understand that the hash itself is the credential used for authentication in NTLM. Protect hashes as if they were passwords.
- **Mistake:** Believing that Pass-the-hash only works on old or unpatched systems.
  - Why it is wrong: While older systems are more vulnerable, modern systems can still be compromised if Credential Guard is not enabled or if NTLM is still allowed. The attack is still effective in many environments.
  - Fix: Assume that any system with NTLM enabled and without Credential Guard is vulnerable. Apply mitigations regardless of patch level.
- **Mistake:** Confusing Pass-the-hash with password cracking or brute-force attacks.
  - Why it is wrong: Password cracking tries to guess the plaintext password from the hash. Pass-the-hash skips that step entirely and uses the hash directly. They are fundamentally different techniques.
  - Fix: Remember that PtH does not involve cracking at all. It is about reusing a stolen hash in a new session.
- **Mistake:** Assuming that only domain administrator hashes are valuable.
  - Why it is wrong: Any user's hash can be used to access resources that user has permissions to. Even a low-privilege user hash can be used for lateral movement to other systems, eventually leading to privilege escalation.
  - Fix: Protect all cached hashes, not just high-privilege accounts. Every hash is a potential foothold.
- **Mistake:** Thinking that using Kerberos alone eliminates all risk of Pass-the-hash.
  - Why it is wrong: While Kerberos is more resistant, attackers can sometimes request a Kerberos ticket using the NTLM hash if the domain allows NTLM-to-Kerberos translation. Also, downgrade attacks can force NTLM.
  - Fix: Disable NTLM entirely where possible and use Credential Guard to protect hashes even from being captured.

## Exam trap

{"trap":"A question describes an attacker extracting a password hash from a workstation and then using that hash to log into a web application that uses forms-based authentication. The correct answer is NOT Pass-the-hash.","why_learners_choose_it":"Learners see 'hash' and 'log into another system' and immediately assume PtH. They do not check the authentication protocol.","how_to_avoid_it":"Remember that Pass-the-hash specifically exploits NTLM or LM challenge-response. Web applications using forms or token-based authentication are not vulnerable to PtH. Look for clues like 'Windows authentication' or 'NTLM' in the scenario."}

## Commonly confused with

- **Pass-the-hash vs Pass-the-ticket:** Pass-the-hash uses NTLM password hashes, while Pass-the-ticket uses Kerberos ticket-granting tickets (TGTs) or service tickets. PtH works against NTLM authentication; Pass-the-ticket works against Kerberos authentication. (Example: If an attacker steals a Kerberos ticket from memory and uses it to access a network share, that is Pass-the-ticket. If they steal a hash and use it to authenticate via NTLM, that is Pass-the-hash.)
- **Pass-the-hash vs Hash cracking:** Hash cracking is the process of trying to reverse a hash to find the original plaintext password through guessing or brute force. Pass-the-hash does not require cracking; it uses the hash directly to authenticate. They are separate steps often used in sequence but are different attack techniques. (Example: Cracking the hash '5d41402abc4b2a76b9719d911017c592' to discover the password 'hello' is cracking. Using that hash to log into a server without knowing 'hello' is Pass-the-hash.)
- **Pass-the-hash vs Silver ticket:** A silver ticket is a forged Kerberos service ticket created using the hash of a service account. It is used to access a specific service, not to authenticate broadly via NTLM. Pass-the-hash uses real stolen hashes, not forged tickets. (Example: An attacker creates a fake ticket for the print server using the printer's password hash. That is a silver ticket. An attacker steals your hash from memory and uses it to log into the print server via NTLM. That is Pass-the-hash.)

## Step-by-step breakdown

1. **Initial compromise** — The attacker gains access to a target machine, often through phishing, a malicious download, or exploiting a vulnerability. This gives them the ability to execute code, usually with administrative privileges.
2. **Credential dumping** — The attacker runs a tool like Mimikatz to extract password hashes from the LSASS process memory or the SAM registry hive. These hashes belong to users currently logged on or whose credentials are cached.
3. **Hash selection** — The attacker identifies a useful hash, typically one belonging to a domain user with access to other systems. They do not need to crack the hash or know the plaintext password.
4. **Hash injection** — The attacker uses a tool to inject the stolen hash into the current authentication session on the attacker's machine. This creates an authentication context that appears to be the target user.
5. **Lateral movement** — The attacker uses the injected hash to authenticate to another system on the network, such as a file server, domain controller, or another workstation. The target system verifies the hash against its own stored hash and grants access.
6. **Privilege escalation (optional)** — Once on the new system, the attacker may find additional credentials or service account hashes, allowing them to move to even more sensitive systems, often leading to domain admin access.

## Practical mini-lesson

In practice, Pass-the-hash is a technique that every IT security professional must understand both to defend against and to use in authorized penetration testing. The attack exploits a fundamental design weakness in the NTLM protocol, which does not bind the authentication to a specific machine or session context. This means that once a hash is captured, it can be replayed from any machine on the network as long as the target system accepts NTLM authentication.

To execute a Pass-the-hash attack, a penetration tester typically starts by gaining administrative access to a target workstation, often through a vulnerability or weak password. They then deploy Mimikatz, a powerful credential dumping tool that can extract plaintext passwords, hashes, and Kerberos tickets from memory. The command 'sekurlsa::logonpasswords' is a classic Mimikatz command to dump all cached credentials. The tester extracts NTLM hashes and selects a target user account with sufficient privileges.

Next, the tester uses a tool like Invoke-Mimikatz in PowerShell or a standalone utility to inject the hash into the current login session. With the hash loaded, they can use PsExec or other remote execution tools to access other machines. For example, 'PsExec \\target-server -u domain\username -p hash' (with the hash injected) allows access without knowing the plaintext password. The tester can then repeat the process, moving laterally until they reach a domain controller or other high-value target.

From a defensive perspective, professionals must understand what controls actually stop PtH. Enabling Credential Guard uses virtualization-based security to protect LSASS, making it impossible to dump hashes even with admin rights. Disabling NTLM entirely forces all authentication to use Kerberos, which is more resistant. Implementing Restricted Admin mode for Remote Desktop ensures that when an admin connects remotely, their credentials are not stored on the target machine. Using smart cards or other multi-factor authentication methods ensures that a hash alone is insufficient for access.

What can go wrong in practice? Attackers may find that Credential Guard is enabled and cannot dump hashes, forcing them to use other techniques. Or they may find that NTLM is disabled, making PtH impossible. On the other side, defenders may incorrectly assume that regular patching alone prevents PtH, but patching does not change the fundamental NTLM behavior. Another common mistake is focusing only on domain admin accounts while ignoring service accounts with local admin rights, which can be just as dangerous. A thorough understanding of PtH helps professionals design layered defenses and respond effectively when an attack is detected.

## Commands

```
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
```
Runs Mimikatz to extract NTLM hashes from the LSASS process memory on the local machine. Useful during post-exploitation to harvest credentials.

*Exam note: Testing your ability to identify tools that extract hashes from memory. Often associated with privilege escalation and lateral movement.*

```
mimikatz.exe "privilege::debug" "sekurlsa::pth /user:Administrator /domain:corp.com /ntlm:098f6bcd4621d373cade4e832627b4f6" exit
```
Performs a pass-the-hash attack by injecting the specified NTLM hash into an authentication session, allowing the attacker to impersonate the user for network authentication.

*Exam note: This specific command syntax tests your understanding of how Mimikatz initiates PtH. The /ntlm flag is the hash, and /domain is critical for domain environments.*

```
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::pth /user:jdoe /domain:contoso.com /ntlm:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0"'
```
PowerShell version of the same PtH attack using Invoke-Mimikatz, often used in scripts for automated lateral movement.

*Exam note: PowerShell-based attacks are tested on certs like OSCP and CISSP for script execution context. The hash format is LM:NT (blank LM) typical of modern hashes.*

```
crackmapexec smb 192.168.1.0/24 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 --local-auth
```
Uses CrackMapExec to pass the hash against a subnet of SMB services, attempting authentication with the given NTLM hash. The --local-auth flag targets local accounts rather than domain accounts.

*Exam note: CrackMapExec is a common tool for lateral movement. Note the distinction between local-auth and domain authentication. Understand when each is used.*

```
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v DisableDomainCreds /t REG_DWORD /d 1 /f
```
Disables the storage of domain credentials in the LSASS cache, making it harder to extract hashes. Applied via registry on Windows systems.

*Exam note: Mitigation command. Also known as disabling WDigest. On exams, you might need to know that setting DisableDomainCreds to 1 prevents clear-text passwords but hashes may still be available.*

```
Get-WmiObject -Class Win32_LoggedOnUser | Select-Object Antecedent
```
Lists users currently logged on to a Windows machine, useful for identifying targets with potentially exploitable credentials.

*Exam note: WMI queries are used for reconnaissance. This command helps find admin accounts that could be PtH targets.*

```
New-ItemProperty -Path HKLM:SYSTEM\CurrentControlSet\Control\Lsa -Name RunAsPPL -PropertyType DWord -Value 1 -Force
```
Enables Protected Process Light (PPL) for LSASS, which prevents non-PPL processes from accessing LSASS memory, hardening against hash extraction.

*Exam note: PPL is a security boundary; understanding how it blocks Mimikatz is important for Windows security exam questions.*

## Memory tip

Think of PtH as the 'digital badge' attack: steal the badge (hash), not the ID (password), and swipe into any door that only checks the badge.

## FAQ

**Can Pass-the-hash work on a network that only uses Kerberos?**

No, Pass-the-hash specifically exploits NTLM. If Kerberos is the only protocol allowed, PtH will not work directly. However, attackers may try to downgrade authentication to NTLM if the network allows it.

**Does resetting the password stop a Pass-the-hash attack?**

Yes, resetting the user's password generates a new hash. Any stolen hash becomes invalid immediately. This is why password reset is a key step in incident response for PtH.

**Is Pass-the-hash only a Windows attack?**

Primarily yes, because NTLM is used almost exclusively in Windows environments. However, other systems using similar challenge-response mechanisms could theoretically be vulnerable, though it is rare in practice.

**What is the most effective single defense against Pass-the-hash?**

Disabling NTLM authentication entirely and using only Kerberos is the most effective defense, but it may break legacy applications. Enabling Windows Defender Credential Guard is also highly effective.

**Can a regular user do a Pass-the-hash attack?**

No, the attacker needs administrative privileges on the compromised machine to dump hashes from LSASS memory. A standard user cannot extract those hashes.

**Are password hashes stored in Active Directory also vulnerable?**

Yes, if an attacker compromises a domain controller, they can dump all hashes from Active Directory. Those hashes can then be used in PtH attacks against any machine on the domain.

## Summary

Pass-the-hash is a credential reuse attack that exploits the NTLM authentication protocol to allow an attacker to authenticate to network resources using only the cryptographic hash of a user's password, without ever needing to know the actual password. This technique is a powerful lateral movement tool used by both real-world attackers and penetration testers. It works because NTLM does not bind authentication to a specific machine or session, allowing stolen hashes to be replayed from any system.

Understanding PtH is crucial for IT security professionals because it is commonly tested in major certifications like CompTIA Security+, CEH, and CISSP. Mitigation requires a combination of disabling NTLM, enabling Credential Guard, using multi-factor authentication, and regularly testing for vulnerabilities. The attack highlights the importance of protecting credentials at rest and in memory, and the need for defense-in-depth strategies.

For exam preparation, remember that PtH is not about cracking passwords, it is about reusing stolen hashes. Look for scenario clues like 'hash extraction,' 'lateral movement,' and 'NTLM authentication.' Do not confuse it with Pass-the-ticket or silver ticket attacks. With strong defenses and a clear understanding of the attack vector, you can effectively secure networks against this persistent threat and score well on certification exams.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/pass-the-hash
