Intermediate | ATT&CK T1550

Pass-the-Hash & Pass-the-Ticket

Attackers skip passwords entirely by reusing stolen hashes or Kerberos tickets to authenticate as any user — no cracking required.

When you log in to a Windows computer, Windows derives an NTLM hash from your password and, in a domain, obtains Kerberos tickets on your behalf. These secrets stay in the computer's memory (in the LSASS process) while you are logged in. An attacker who gains access to that computer can extract them and use them to log in to other systems as you, without ever learning your actual password. Pass-the-Hash (PtH) reuses the password hash with NTLM authentication. Pass-the-Ticket (PtT) reuses a Kerberos ticket (a TGT or a service ticket). Both techniques let an attacker move sideways through a network, jumping from machine to machine.

Imagine a hotel where doors open with key cards. Instead of guessing the guest's PIN at the front desk, a thief simply clones the magnetic key card from a maid's cart. The cloned card opens the door exactly like the original — the lock never checks whether the person holding the card is actually the guest. Pass-the-Hash and Pass-the-Ticket work the same way: the attacker clones the authentication credential and presents it directly, bypassing the need to know the actual password.

Key Takeaways

  1. Pass-the-Hash reuses NTLM hashes; Pass-the-Ticket reuses Kerberos tickets — neither requires the password.
  2. Credentials are extracted from LSASS memory using tools like Mimikatz or Rubeus.
  3. PtH works with NTLM-accepting services; PtT works with Kerberos-protected resources.
  4. Credential Guard (VBS) is the strongest defense against credential theft from memory.
  5. Lateral movement via PtH/PtT is the most common post-exploitation technique in AD environments.
Why Should I Care?

Pass-the-Hash and Pass-the-Ticket are the bread and butter of AD lateral movement. Once an attacker compromises a single workstation, these techniques let them hop across the entire network without ever cracking a password.

Defense Recommendations

Deploy Credential Guard, enforce Kerberos-only authentication, limit privileged logons, and monitor for anomalous credential use.

  1. Enable Credential Guard on all Windows 10/11 and Server 2016+ systems to isolate LSASS secrets.
  2. Disable NTLM where possible: set Network Security: Restrict NTLM policies via GPO.
  3. Implement a tiered administration model: Tier 0 credentials never touch Tier 1/2 machines.
  4. Use the Protected Users security group for privileged accounts (prevents NTLM, forces Kerberos, short TGT lifetime).
  5. Monitor Event ID 4624 with LogonType 9 (NewCredentials) and Event ID 4648 (explicit credential logon).
  6. Deploy Microsoft Defender for Identity to detect Pass-the-Hash and Pass-the-Ticket in real time.
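As an added example (not part of the original page or of any product it names), a small Python detector that applies recommendation 5 to constructed sample events: it flags 4624 LogonType 9 logons and 4648 explicit-credential logons, and correlates a 4648 on the source workstation with the NTLM network logon that then appears on the destination host. Field names follow the Security log EventData schema; the host names, user names and event ordering are constructed.

```python
"""Flag Security-log events that match the Pass-the-Hash indicators in the
recommendations above (4624 LogonType 9 and 4648 explicit-credential logons),
and correlate a 4648 with the NTLM network logon that follows on the destination."""
from collections import defaultdict

# Constructed sample events; field names mirror the Windows Security log
# EventData schema as a SIEM export would present them. Hosts/users are made up.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS01", "LogonType": 2, "LogonProcessName": "User32",
     "AuthenticationPackageName": "Negotiate", "SubjectUserName": "-",
     "TargetUserName": "alice", "WorkstationName": "WS01"},
    # NewCredentials logon: alternate credentials injected into a new logon session;
    # runas /netonly and Mimikatz sekurlsa::pth both produce this shape
    {"EventID": 4624, "Computer": "WS01", "LogonType": 9, "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "SubjectUserName": "alice",
     "TargetUserName": "alice", "WorkstationName": "WS01"},
    {"EventID": 4648, "Computer": "WS01", "SubjectUserName": "alice",
     "TargetUserName": "svc_backup", "TargetServerName": "FS01.corp.example"},
    # NTLM network logon recorded on the destination file server
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "SubjectUserName": "-",
     "TargetUserName": "svc_backup", "WorkstationName": "WS01"},
]


def detect_pth_indicators(events):
    """Return (rule_name, event) pairs, in event order, for an analyst to review."""
    findings = []
    explicit_creds = defaultdict(set)  # source host -> users whose creds were used explicitly
    for ev in events:
        eid, ltype = ev.get("EventID"), ev.get("LogonType")
        if eid == 4624 and ltype == 9:
            # Rare for ordinary users; review the process that created the session
            findings.append(("4624_NewCredentials", ev))
        elif eid == 4648 and ev.get("SubjectUserName") != ev.get("TargetUserName"):
            # Explicit use of another account's credentials from this host
            explicit_creds[ev.get("Computer")].add(ev.get("TargetUserName"))
            findings.append(("4648_ExplicitCredentials", ev))
        elif (eid == 4624 and ltype == 3
              and ev.get("AuthenticationPackageName") == "NTLM"
              and ev.get("TargetUserName") in explicit_creds.get(ev.get("WorkstationName"), ())):
            # NTLM logon on another host as the account used explicitly from the
            # source workstation: a lateral-movement candidate worth investigating
            findings.append(("NTLM_Lateral_Movement", ev))
    return findings


if __name__ == "__main__":
    for rule, ev in detect_pth_indicators(SAMPLE_EVENTS):
        print(f"{rule}: host={ev['Computer']} user={ev.get('TargetUserName')}")
```

Both `runas /netonly` and credential-injection tools produce the LogonType 9 event, so the first rule is a triage signal rather than a verdict; the correlation rule is what separates routine alternate-credential use from credentials reused on another host.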
Source

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.