← All terms
Pass-the-Hash Attack

What is a Pass-the-Hash Attack?

Pass-the-hash lets attackers authenticate with a stolen password hash instead of the password itself, enabling lateral movement across Windows networks.

Last updated: 15 July 2026

How pass-the-hash works

In Windows environments, the NTLM authentication protocol proves identity using a hash of the user’s password rather than the password itself. The consequence is subtle but severe: for NTLM, the hash is functionally equivalent to the password. An attacker who obtains the hash can authenticate as that user directly, with no need to crack anything.

Hashes are harvested from systems the attacker already controls, from the memory of the authentication subsystem, from the local account database or from saved credential stores, typically requiring administrative rights on that first machine. The stolen hash is then presented to other systems that accept NTLM authentication, granting file access, remote execution and further credential harvesting on each new host. Related techniques apply the same idea to Kerberos, replaying stolen tickets instead of hashes.

Why it matters

Pass-the-hash has been a backbone of Windows network intrusions for over two decades because it converts one compromised machine into a skeleton key for many. Password strength is irrelevant: a fifty-character password produces a hash that is stolen and replayed exactly as easily as a weak one. Rotating a password helps only after the fact, since the new hash can be stolen the same way.

The technique is central to how ransomware spreads inside networks. A typical chain runs from one infected workstation, to its local admin hash, to every machine sharing that local admin password, to a domain administrator who once logged into any of them. Environments with heavy NTLM usage, shared local passwords and admins logging in everywhere are structurally vulnerable regardless of their perimeter defenses.

How to defend against pass-the-hash

Defense concentrates on three fronts. First, deny the harvest: credential guard features that isolate secrets in memory, unique local administrator passwords on every machine and strict limits on which accounts may log into which systems all reduce what a compromised host yields. Second, reduce replay surface: phase out NTLM where possible in favor of Kerberos with modern protections, and segment administrative traffic so a hash stolen in one tier is useless in another.

Third, keep valuable hashes out of reach entirely. Tiered administration prevents domain admin credentials from ever touching workstations, and a PAM platform such as Monopam brokers privileged sessions from a hardened gateway so administrator secrets are never cached on endpoints. Detection focuses on NTLM authentications appearing where they should not, and on one account authenticating to many systems in rapid succession.

Frequently asked questions

Does a strong password protect against pass-the-hash?
No. The attack never touches the password; it replays the hash, which is derived from the password but stolen and used as-is. Password strength matters for cracking attacks, not for replay. Protection comes from preventing hash theft, limiting NTLM and keeping privileged credentials off vulnerable machines.
Is pass-the-hash still relevant on modern Windows?
Yes, wherever NTLM remains enabled, and most enterprises still have it for legacy compatibility. Modern Windows adds meaningful mitigations, including memory protection for credentials and restrictions on local account remoting, but environments that have not deployed them, or that share local admin passwords, remain routinely exploited this way.