
Pass-the-Hash Attack Simulator

Authenticate without passwords using captured NTLM hashes.

Simulate credential theft from LSASS memory and use the hash to authenticate to remote systems without knowing the plaintext password.

This attack exploits Windows NTLM authentication, allowing attackers to move laterally across networks using stolen credentials.

Level: Intermediate | Phase 3: Lateral Movement | Interactive

What is Pass-the-Hash?

Pass-the-Hash (PtH) is an attack where an attacker uses a stolen password hash (NTLM) to authenticate as the user, without needing to crack the plaintext password. Windows accepts the hash itself for authentication, making password complexity irrelevant.

Normal vs. Pass-the-Hash Authentication:

Normal Login:
1. User enters password
2. System hashes password
3. Compares hash with stored hash
4. Access granted if match

Pass-the-Hash:
1. Attacker steals hash from memory
2. Attacker presents stolen hash
3. System accepts hash directly
4. Access granted! (no password needed)

Pass-the-Hash Attack Flow

1. Gain Local Admin
Attacker compromises one machine (phishing, exploit, stolen creds)

2. Dump Password Hashes
Use Mimikatz to extract NTLM hashes from LSASS memory or SAM database
mimikatz # sekurlsa::logonpasswords

3. Pass the Hash
Use stolen hash to authenticate to other machines (lateral movement)
mimikatz # sekurlsa::pth /user:admin /ntlm:[hash] /domain:corp.com

4. Escalate & Persist
Repeat process, move to Domain Controllers, dump all domain hashes

Why Pass-the-Hash Works

  • NTLM Protocol Design: Windows accepts hashes for authentication (for backwards compatibility)
  • Stored in Memory: Hashes cached in LSASS process after user logs in
  • Reusable Hashes: Same hash works across all machines user has access to
  • No Cracking Needed: Hash IS the credential - no need to crack to plaintext

Pass-the-Hash Tools

Hash Extraction:

  • Mimikatz: The most popular credential dumper
  • ProcDump + Mimikatz: Dump LSASS memory
  • Impacket secretsdump: Python-based SAM/NTDS dump

Pass-the-Hash Execution:

  • Mimikatz: sekurlsa::pth module
  • Impacket psexec: Remote execution with hash
  • CrackMapExec: Mass PtH across networks

Defense Against Pass-the-Hash

  • Disable NTLM: Force Kerberos-only authentication (eliminates PtH)
  • Credential Guard: Windows feature isolates LSASS using virtualization
  • Protected Users Group: Disables NTLM for high-value accounts
  • LAPS: Local Administrator Password Solution (unique local admin passwords per machine)
  • Restrict Admin Logins: Don't use Domain Admin for daily tasks
  • Monitor 4624 & 4625: Detect NTLM authentication events

Detection Signs

  • Event ID 4624: Logon type 3 (network) with NTLM authentication from unusual sources
  • Lateral Movement: Same user logging into many machines rapidly
  • LSASS Access: Non-system processes reading LSASS memory (Mimikatz)
  • Admin Login from Workstation: Domain Admin account used on non-DC
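The first two detection signs above, as an added example that is not part of the simulator: a small Python detector run over constructed, simplified 4624 log lines. The key=value line format, host names, sample addresses and the NTLM source allowlist are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log events in a simplified key=value form (not real logs).
SAMPLE_EVENTS = [
    "2025-01-15T09:00:05 EventID=4624 LogonType=2 AuthPkg=Kerberos User=alice Src=- Host=WS01",
    "2025-01-15T09:02:10 EventID=4624 LogonType=3 AuthPkg=Kerberos User=alice Src=10.0.1.20 Host=FS01",
    "2025-01-15T10:15:00 EventID=4624 LogonType=3 AuthPkg=NTLM User=admin Src=10.0.1.55 Host=WS07",
    "2025-01-15T10:15:04 EventID=4624 LogonType=3 AuthPkg=NTLM User=admin Src=10.0.1.55 Host=WS08",
    "2025-01-15T10:15:09 EventID=4624 LogonType=3 AuthPkg=NTLM User=admin Src=10.0.1.55 Host=WS09",
    "2025-01-15T10:15:15 EventID=4624 LogonType=3 AuthPkg=NTLM User=admin Src=10.0.1.55 Host=DC01",
    "2025-01-15T11:00:00 EventID=4624 LogonType=3 AuthPkg=NTLM User=svc_backup Src=10.0.9.5 Host=FS01",
]

# Assumed allowlist: sources that legitimately still use NTLM (e.g. a legacy backup server).
KNOWN_NTLM_SOURCES = {"10.0.9.5"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):  # leading token is the timestamp, the rest is key=value pairs
    ts, _, rest = line.partition(" ")
    ev = dict(FIELD_RE.findall(rest))
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def ntlm_network_logons(lines, known_sources=KNOWN_NTLM_SOURCES):
    """Sign 1: 4624 with LogonType 3 and NTLM from a source not expected to use NTLM."""
    hits = []
    for ev in map(parse_event, lines):
        if (ev.get("EventID") == "4624" and ev.get("LogonType") == "3"
                and ev.get("AuthPkg") == "NTLM" and ev.get("Src") not in known_sources):
            hits.append((ev["User"], ev["Src"], ev["Host"]))
    return hits

def rapid_fanout(lines, window=timedelta(minutes=5), min_hosts=3):
    """Sign 2: one account reaching >= min_hosts distinct hosts inside a sliding time window."""
    by_user = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev.get("EventID") == "4624" and ev.get("LogonType") == "3":
            by_user[ev["User"]].append((ev["ts"], ev["Host"]))
    flagged = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged
```

Both checks are deliberately simple; in production the allowlist and the fan-out threshold would be tuned per environment so that legitimate NTLM users and scanners do not drown the signal.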

Example Commands

Mimikatz (dump hashes):
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords

Pass-the-Hash with Mimikatz:
sekurlsa::pth /user:Administrator /domain:corp.com /ntlm:[hash] /run:cmd.exe

Impacket psexec (PtH remote execution):
psexec.py -hashes :[ntlm_hash] domain/user@target
Interactive Simulation Mode

Pass-the-Hash Command Center: Lateral Movement via NTLM Hash Injection

[Interactive widget: a simulated "Administrator: mimikatz" console, an "LSASS.exe Memory Dump" hex viewer (ADDRESS / HEX CONTENT / ASCII columns), and a LATERAL MOVEMENT diagram from Workstation (Compromised) to Domain Controller.]
Copyright © 2025 JMFG. All rights reserved.