What Is a Pass-the-Hash (PtH) Attack?


Updated on September 17, 2025

A Pass-the-Hash (PtH) attack is a cyberattack technique in which an attacker authenticates to a remote server or service using a user's password hash instead of the plaintext password. It exploits the design of NTLM authentication in Windows environments: the NT hash is the only secret a client needs in order to compute a valid challenge response, so whoever holds the hash can authenticate as that user without knowing, or ever cracking, the password.

PtH attacks are a critical component of lateral movement within a network. They allow an attacker to escalate privileges and access a wide range of systems without ever needing to crack the stolen password hash. This article will define the PtH attack, explain its technical workflow, and detail its security implications and common mitigation strategies.

Definition and Core Concepts

In a PtH attack, an adversary obtains a cryptographic hash of a user’s password from a compromised system’s memory or storage. Instead of trying to crack the hash, the attacker “passes” it directly to an authentication protocol to impersonate the user. This differs from a traditional brute-force attack, which attempts to discover the original password.

  • Password Hash: A one-way cryptographic function of a password. In Windows this is the NT hash (commonly called the NTLM hash): an unsalted MD4 digest of the UTF-16LE encoding of the password. The password cannot be read back out of the hash, but because the hash is unsalted and fast to compute, short or common passwords can still be cracked offline. For PtH, cracking is beside the point: the hash itself is password-equivalent.
  • Authentication Protocol: The set of rules and procedures used to verify a user's identity. NTLM uses the NT hash directly as the key for its challenge-response exchange. Kerberos is affected as well where the RC4-HMAC encryption type is enabled, because that key is the NT hash; an attacker can use it to request a ticket-granting ticket, a variant usually called overpass-the-hash.
  • Lateral Movement: The process by which an attacker moves from one compromised host to another on the network. PtH is a primary technique for expanding access and control.

The attack leverages the authentication process itself. After a user logs on, the Local Security Authority Subsystem Service (LSASS) keeps the user's NT hash in memory so that Windows can answer NTLM challenges on their behalf without prompting for the password again. In an NTLM exchange the server sends a random challenge and the client returns an HMAC computed with the hash as the key; the hash never crosses the wire, but nothing other than the hash is needed to produce the response. An attacker holding the hash can therefore compute a fresh, valid response to any challenge. This is not a replay of an earlier session, which is why challenge freshness does not stop it.

How It Works

A typical PtH attack workflow unfolds in several steps:

1. Initial Compromise

An attacker first gains a foothold on a system within the network. This is often achieved through a phishing email, a software vulnerability exploit, or the use of previously compromised credentials.

2. Credential Dumping

Once inside, and having obtained local administrator rights (reading LSASS memory requires SeDebugPrivilege, and the SAM hive is readable only as SYSTEM), the attacker runs a tool such as Mimikatz or Pwdump to extract password hashes. These are pulled from the compromised system's memory (the LSASS process) or from the Security Account Manager (SAM) database on disk.

3. Hash Acquisition

The attacker now possesses the NT hashes of the local accounts stored in the SAM and of any domain accounts with an active logon session on the system, including administrators who connected over RDP and service accounts running under domain identities. If the local administrator password is shared across many machines, that single local hash opens all of them.

4. Lateral Movement (The “Pass-the-Hash” Part)

Using a tool that supports PtH, the attacker authenticates to another computer on the network with the stolen hash. The tool (for example Mimikatz's sekurlsa::pth, or Impacket's psexec.py and wmiexec.py with the -hashes option) either injects the hash into a new logon session so that Windows itself answers the challenge, or computes the NTLM challenge response directly. The target server recomputes the expected response from the hash it holds for that account (or forwards the exchange to a domain controller) and accepts the logon exactly as if the real password had been typed. At no point does the server receive or expect the hash itself.

5. Access and Escalation

The attacker can now access resources on the new system with the privileges of the impersonated user, and can dump whatever additional hashes that system's LSASS holds. Repeating the process eventually reaches a domain controller, whose NTDS.dit database stores the hash of every domain account, and the result is total domain compromise.

Mitigation and Security Implications

The risk of PtH attacks is a primary concern for network security. Several strategies can mitigate this threat.

Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) raises the bar, but it has to be applied where PtH actually operates. NTLM network authentication has no second-factor step: once the attacker holds the hash, SMB, WMI, RPC and similar services accept the challenge response without asking for anything else. MFA therefore mitigates PtH by protecting the initial compromise (VPN, email, remote access) and by gating the sensitive services that enforce it, such as RDP gateways and privileged access workstations, not by protecting NTLM itself. Reducing and ultimately disabling NTLM in favor of Kerberos with MFA-backed logons removes the protocol PtH depends on.

Principle of Least Privilege

Restricting users to only the access they need for their roles reduces the attack surface. If an attacker compromises a user account, least privilege limits the potential damage and restricts their ability to reach high-privilege account hashes. In practice this means administrators use separate, tiered accounts (domain admins never log on to ordinary workstations, so their hashes never land in a workstation's LSASS), sensitive accounts are placed in the Protected Users group (which disables NTLM authentication for them), and every machine gets a unique, regularly rotated local administrator password, for example via Windows LAPS, so a hash dumped from one host does not work on the next.

Network Segmentation

Isolating critical systems, like domain controllers and database servers, on separate network segments can limit an attacker's ability to move laterally. Even if an attacker gains a foothold on one segment, segmentation makes it more difficult to use PtH to reach critical assets on another. A cheap complement is blocking workstation-to-workstation SMB, RPC and WinRM with the host firewall: PtH lateral movement rides on those ports, and ordinary workstations rarely need to talk to each other.

Credential Guard

Credential Guard is available on the Enterprise and Education editions of Windows 10 and Windows 11 and on Windows Server 2016 and newer; on Windows 11 version 22H2 and later it is enabled by default on eligible Enterprise systems. It uses virtualization-based security to move the NT hashes and Kerberos tickets that LSASS would otherwise hold into an isolated process (LSAIso) that the normal operating system cannot read, so a tool running as SYSTEM can no longer dump domain credentials from memory. It does not protect the local SAM database, credentials that applications save on their own, or hashes already dumped before it was turned on, and it requires UEFI, Secure Boot and hardware virtualization support.

Endpoint Detection and Response (EDR)

Endpoint Detection and Response (EDR) solutions can detect the tools and techniques used for credential dumping and lateral movement. By monitoring system processes and network activity, EDR can identify the signs of a PtH attack in progress and alert administrators to take action. The concrete signals are worth knowing even without an EDR: a process opening a handle to lsass.exe with read access (Sysmon Event ID 10); on the foothold host, a logon event (Security Event ID 4624) with logon type 9 (NewCredentials) and logon process seclogo, which is what Mimikatz's sekurlsa::pth produces (runas /netonly produces the same signature, so expect to tune it); and on the target or the domain controller, an NTLM network logon (Event ID 4624 with logon type 3 and authentication package NTLM, Event ID 4776 on the DC) by a privileged account from a workstation, particularly in a domain where Kerberos is the norm.
