Pass the hash (PtH) is an attack technique that lets an attacker authenticate to remote systems with the NT (NTLM) hash, or on legacy systems the LM hash, of a user's password, without ever knowing the plaintext password. It works because NTLM challenge-response authentication never sends the password: the client proves it knows the password by computing a response keyed with the password's hash, so anyone who holds the hash can compute a valid response. In NTLM the hash is the credential. Cracking is unnecessary, and password length or complexity offers no protection once the hash has been taken from a machine.
Initial compromise: The attacker first gains a foothold on a single workstation or user account in the target network, for example through phishing, social engineering, or exploitation of a software vulnerability.
Hash extraction: With local administrator rights (or SeDebugPrivilege) on the compromised host, the attacker dumps credential material: NT hashes of currently and recently logged-on users from the memory of the LSASS process, and hashes of local accounts from the SAM database. Tools such as Mimikatz (sekurlsa::logonpasswords), Windows Credential Editor, or PowerShell scripts are commonly used. A domain account's hash is only present on hosts where that account has logged on, which is why attackers seek out machines that administrators use.
Lateral movement: The attacker then uses the stolen hashes to authenticate to other systems and services in the network, typically over SMB, WMI, or WinRM, wherever NTLM authentication is accepted and the account has rights on the target. Nothing is bypassed: the attacker completes a legitimate NTLM handshake while impersonating the user, so the target records an ordinary network logon. Each newly reached host is searched for further hashes, with particular interest in privileged accounts such as domain administrators and service accounts.
Privilege escalation: Using the hashes of privileged accounts, the attacker obtains higher permissions across the network, up to control of domain controllers and other critical systems. From there they can exfiltrate sensitive data, create additional accounts, or plant backdoors for future access.
To defend against pass the hash attacks, organizations should implement a combination of the following measures: