
Pass-the-Hash

Authenticate with Stolen NTLM Hashes

Use a stolen NTLM password hash to authenticate as a user without ever knowing their plaintext password — the foundational lateral movement technique.

Difficulty: Intermediate | Duration: ~5 min | MITRE ATT&CK: T1550.002

Prerequisites:
- NTLM hash of target user (from Mimikatz, SAM dump, etc.)
- Network access to target host (SMB TCP 445)
- Target host allows NTLM authentication
1. Obtain NTLM Hash from Mimikatz Output

Pass-the-Hash — Step 1/3

Step 1: Review Stolen Credentials

We have a Domain Admin's NTLM hash from a previous Mimikatz dump. The NTLM hash is a one-way transformation of the password — we don't know the password, but we don't need it.

We have a "password fingerprint" (NTLM hash) from a Domain Admin account. Even though we don't know the actual password, Windows will accept this hash as proof of identity. It's like having a copy of someone's house key without knowing the key's code.

Detection Events: Event ID 4624, Logon Type 9 (NewCredentials)
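The detection event listed above, worked through from the defender's side as an added example (not part of the original page or its sources): a small filter over constructed Windows Security event records that flags Event ID 4624 logons created with Logon Type 9 (NewCredentials) and reports the host, account and originating process for triage. The records are constructed to look like 4624 events after a SIEM or JSON export has parsed them into dictionaries; field names follow the 4624 event's own fields (TargetUserName, LogonType, ProcessName, Computer), and the process paths and account names are invented.

```python
"""Flag Event ID 4624 logons with Logon Type 9 (NewCredentials).

Added example for this page, written from the defender's side. The records
below are constructed to resemble 4624 Security events after a SIEM/JSON
export has parsed them into dictionaries; they are not real logs.
"""
from collections import Counter
from typing import Iterable

NEW_CREDENTIALS = 9  # Logon Type 9: caller cloned its token with new network credentials

# Constructed sample events (field names follow the 4624 event's own fields;
# hosts, users and process paths are invented for the example).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "alice",
     "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "Computer": "WS01"},
    {"EventID": 4624, "LogonType": 9, "TargetUserName": "da-admin",
     "ProcessName": "C:\\Tools\\unknown.exe", "Computer": "WS01"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "da-admin",
     "ProcessName": "-", "Computer": "DC01"},
    {"EventID": 4624, "LogonType": 9, "TargetUserName": "helpdesk",
     "ProcessName": "C:\\Windows\\System32\\runas.exe", "Computer": "WS02"},
    # A failed attempt (4625) with the same type is not a 4624 and is not flagged here.
    {"EventID": 4625, "LogonType": 9, "TargetUserName": "da-admin",
     "ProcessName": "C:\\Tools\\unknown.exe", "Computer": "WS01"},
]


def is_new_credentials_logon(event: dict) -> bool:
    """True for a successful logon (4624) created with Logon Type 9."""
    return event.get("EventID") == 4624 and event.get("LogonType") == NEW_CREDENTIALS


def find_new_credentials_logons(events: Iterable[dict]) -> list[dict]:
    """Return the 4624/Type-9 events reduced to the fields an analyst needs to triage."""
    hits = []
    for ev in events:
        if is_new_credentials_logon(ev):
            hits.append({
                "host": ev.get("Computer", "?"),
                "user": ev.get("TargetUserName", "?"),
                "process": ev.get("ProcessName", "?"),
            })
    return hits


def summarize_by_process(hits: Iterable[dict]) -> Counter:
    """Count Type-9 logons per originating process.

    Logon Type 9 is also produced by legitimate use of runas /netonly, so the
    process that created the logon is the first thing to check: an unexpected
    binary creating Type-9 logons for a privileged account is the signal.
    """
    return Counter(h["process"] for h in hits)


if __name__ == "__main__":
    found = find_new_credentials_logons(SAMPLE_EVENTS)
    for h in found:
        print(f"[4624/Type 9] host={h['host']} user={h['user']} process={h['process']}")
    for proc, n in summarize_by_process(found).items():
        print(f"  {n}x from {proc}")
```

On the constructed records the filter reports two hits; the one from an unrecognised binary under a Domain Admin account is the one worth escalating, while the runas.exe hit is the kind of benign Type 9 logon a baseline should absorb.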
Attack Flow (diagram): the Attacker holds the stolen hash (da-admin) and injects the NTLM hash to authenticate to DC01. Legend: Request, Response, Attack, Data.

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.