A Pass the Hash (PtH) attack is a hacking technique where an attacker steals a hashed user credential and reuses it to trick an authentication system into creating a new session on the same network. This method allows the attacker to move laterally through a network without ever needing to crack the password's hash to learn the plaintext password.
A Pass the Hash (PtH) attack is like a thief stealing your building's master key card instead of the key itself. They don't know the master key's code (the password), but they can still use the card (the hash) to open every door in the building. In this article, we'll break down exactly what a hash is, how attackers snatch them, and the steps you can take to stop them from waltzing through your digital front door.
Before we can fully unpack Pass the Hash, we need to talk about how modern authentication works. It’s not as simple as you typing your password and the system saying, "Yep, that's the one!"
Think of a hash as a digital fingerprint for your password. When you create a password for a service, the system doesn't store your actual password—that would be a huge security risk. Instead, it runs your password through a complex mathematical function called a "hashing algorithm" (like NTLM or LANMAN). This process converts your simple password, like P@ssword123!, into a long, fixed-length string of characters, such as A1B2C3D4E5F6G7H8....
It's a clever system designed to protect credentials even if a database is breached. But as we know, attackers are even more clever.
So, if the system doesn't store the password, how do attackers get in? They go after the next best thing: the hash.
When a user logs into a machine on a Windows network, their hashed credential is often stored in the computer's memory—specifically in a process like the Local Security Authority Subsystem Service (LSASS). An attacker who has already gained initial access to a single machine on the network can use tools like Mimikatz to dump the contents of the LSASS memory.
Inside this data dump are the golden tickets: NTLM hashes of users who have recently logged into that machine, including local administrators and domain users. The attacker doesn't need to know the password. They just need the hash.
Once the attacker has a user's NTLM hash, the real fun begins for them—and the nightmare for you. They can now impersonate that user to access other systems on the network.
Here’s a simplified breakdown of the steps:
Initial Compromise: The attacker gains a foothold on one computer in the network, often through a phishing email, a software vulnerability, or a misconfiguration.
Credential Dumping: Using tools like Mimikatz, they extract password hashes from the compromised machine's memory. They're usually looking for hashes belonging to accounts with high privileges, like a domain administrator.
Lateral Movement (The "Pass"): The attacker takes the stolen hash and "passes" it to another machine on the network to authenticate. For example, they might try to access a file share, a database, or a domain controller.
Authentication: The target machine receives the hash. Since it's a legitimate hash for an authorized user, the system grants access. It has no way of knowing the request came from an attacker and not the real user.
Rinse and Repeat: The attacker moves from system to system, dumping more hashes and gaining more access until they control the entire domain or find the high-value data they were after.
The real danger here is that it all looks like legitimate user activity to many traditional security tools. No password was guessed incorrectly. No brute-force alarm was triggered. It’s a ghost moving through the machine.
Pass the Hash remains a popular technique because it exploits the very mechanisms Windows uses for authentication in many network environments. It’s deeply embedded in the way single sign-on (SSO) and network authentication protocols like NTLM were designed to function.
Even with the rise of Kerberos, which is more secure, NTLM is often kept enabled for backward compatibility. This creates a window of opportunity for attackers. They can force systems to downgrade their authentication protocol to NTLM, making them vulnerable to PtH.
According to the CISA, threat actors frequently use techniques like Pass the Hash after gaining initial access to escalate privileges and move laterally within a network. It’s a foundational part of the modern attacker’s playbook.
Alright, enough doom and gloom. You're not helpless against PtH. Shutting this attack vector down requires a layered defense strategy. It's not about one single fix, but about making it much, much harder for an attacker to pull off.
Here are some key steps to take:
Principle of Least Privilege (PoLP): This is your #1 defense. Ensure users only have the access they absolutely need to do their jobs. A standard user's hash is far less valuable to an attacker than a domain admin's. Don't let users log into workstations with administrator accounts for daily tasks.
Enable Credential Guard: On Windows 10/11 Enterprise and Windows Server 2016 and later, Credential Guard uses virtualization-based security to isolate the LSASS process. This effectively prevents tools like Mimikatz from accessing and dumping password hashes from memory.
Restrict Local Admin Rights: An attacker who compromises a standard user account can't dump hashes from memory. Limit who has local administrator rights across your fleet of workstations.
Use Multi-Factor Authentication (MFA): While not a direct block for PtH once a hash is stolen, MFA makes the initial compromise much more difficult. If they can't get that first foothold, they can't start hunting for hashes.
Network Segmentation: Divide your network into smaller, isolated zones. This contains the blast radius of an attack. If an attacker compromises a machine in the marketing department, segmentation can prevent them from "passing the hash" over to the engineering or finance networks.
Monitor for Lateral Movement: Use security solutions that are specifically designed to detect suspicious lateral movement. Huntress, for example, monitors for the tools and techniques (TTPs) associated with PtH and other credential theft methods, alerting you when an attacker tries to make a move.
Pass the Hash (PtH) is an attack where a threat actor steals a hashed password and uses it to access other systems on a network. Bad threat actors don't need the actual password, just its digital fingerprint (the hash). The technique relies on stealing hashes from system memory (LSASS) on a compromised machine.
It's a primary method for lateral movement, allowing attackers to pivot from one system to another until they achieve their objective. Defense is a layered effort: implement the principle of least privilege, enable Credential Guard, restrict admin rights, and monitor your network for suspicious activity.
Stopping Pass the Hash isn't about finding a magic bullet. It's about solid security hygiene and having the visibility to spot an attacker before they can get comfortable in your environment.