How pass-the-hash works
In Windows environments, the NTLM authentication protocol proves identity using a hash of the user’s password rather than the password itself. The consequence is subtle but severe: for NTLM, the hash is functionally equivalent to the password. An attacker who obtains the hash can authenticate as that user directly, with no need to crack anything.
Hashes are harvested from systems the attacker already controls, from the memory of the authentication subsystem, from the local account database or from saved credential stores, typically requiring administrative rights on that first machine. The stolen hash is then presented to other systems that accept NTLM authentication, granting file access, remote execution and further credential harvesting on each new host. Related techniques apply the same idea to Kerberos, replaying stolen tickets instead of hashes.
Why it matters
Pass-the-hash has been a backbone of Windows network intrusions for over two decades because it converts one compromised machine into a skeleton key for many. Password strength is irrelevant: a fifty-character password produces a hash that is stolen and replayed exactly as easily as a weak one. Rotating a password helps only after the fact, since the new hash can be stolen the same way.
The technique is central to how ransomware spreads inside networks. A typical chain runs from one infected workstation, to its local admin hash, to every machine sharing that local admin password, to a domain administrator who once logged into any of them. Environments with heavy NTLM usage, shared local passwords and admins logging in everywhere are structurally vulnerable regardless of their perimeter defenses.
How to defend against pass-the-hash
Defense concentrates on three fronts. First, deny the harvest: credential guard features that isolate secrets in memory, unique local administrator passwords on every machine and strict limits on which accounts may log into which systems all reduce what a compromised host yields. Second, reduce replay surface: phase out NTLM where possible in favor of Kerberos with modern protections, and segment administrative traffic so a hash stolen in one tier is useless in another.
Third, keep valuable hashes out of reach entirely. Tiered administration prevents domain admin credentials from ever touching workstations, and a PAM platform such as Monopam brokers privileged sessions from a hardened gateway so administrator secrets are never cached on endpoints. Detection focuses on NTLM authentications appearing where they should not, and on one account authenticating to many systems in rapid succession.