What are Pass the Hash (PtH) Attacks



Pass the Hash (PtH) is a hacking technique by which an attacker can authenticate to a remote server or service by using the Windows NT LAN Manager (NTLM) or LanMan hash of a user's password instead of the password itself.

A typical PtH attack starts with one endpoint being compromised by malware, which then manages to gain administrator-level access. With this access, the malware can steal the user’s derived credentials and impersonate the user on other devices. As the attacker moves laterally across the network and finds additional devices to which the user has access, the malware can steal the derived credentials of other users who previously signed in to those devices.

Over time, an attacker can typically gain access to more and more derived credentials that have increased levels of network access. Eventually, it is likely that domain administrator accounts can be compromised, and then the consequences can be even worse.

Here are the Microsoft features that address password and PtH attacks in Windows 10:

  • Microsoft Passport
  • Windows Hello
  • Isolated User Mode


The PtH attack is one of the most popular types of credential theft and reuse attack seen by Microsoft to date.

Our recommendations for addressing PtH attacks in Windows 10:

  • Restrict and protect high privileged domain accounts.

  • Restrict and protect local accounts with administrative privileges.

  • Remove standard users from the local administrators group.

  • Limit the number and use of privileged domain accounts.

  • Configure outbound proxies to deny Internet access to privileged accounts.

  • Ensure administrative accounts do not have email accounts.

  • Update applications and operating systems.

  • Remove LM hashes.

  • Disable the NTLM protocol.
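
A read-only PowerShell audit of three items from the list above (LM hash storage, NTLM restriction, local administrators membership), added here as an example and not taken from the original page or from Microsoft. `NoLMHash`, `RestrictSendingNTLMTraffic` and `RestrictReceivingNTLMTraffic` are the standard Windows policy registry values; the helper names `Get-RegValue` and `New-Finding` and the pass criteria are this example's assumptions.

```powershell
# Added example: read-only audit, run in PowerShell 5.1+ on the host being checked.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means "value not set", which is kept distinct from an explicit 0.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function New-Finding {
    param([string]$Check, $Value, [bool]$Pass)
    [pscustomobject]@{ Check = $Check; Value = $Value; Pass = $Pass }
}

$findings = @()

# "Remove LM hashes": NoLMHash = 1 stops LM hashes being stored on password change.
# Hashes stored earlier stay until each affected account changes its password.
$noLm = Get-RegValue $lsa 'NoLMHash'
$findings += New-Finding 'NoLMHash' $noLm ($noLm -eq 1)

# "Disable the NTLM protocol": 2 = deny all for both outgoing and incoming NTLM.
# A value of 1 for outgoing traffic is audit-only and does not block anything.
$out = Get-RegValue $msv 'RestrictSendingNTLMTraffic'
$in  = Get-RegValue $msv 'RestrictReceivingNTLMTraffic'
$findings += New-Finding 'RestrictSendingNTLMTraffic' $out ($out -eq 2)
$findings += New-Finding 'RestrictReceivingNTLMTraffic' $in ($in -eq 2)

# "Remove standard users from the local administrators group":
# list members of BUILTIN\Administrators (well-known SID S-1-5-32-544) for review.
try {
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
} catch {
    Write-Warning "Could not enumerate local administrators: $($_.Exception.Message)"
    $admins = @()
}

$findings | Format-Table -AutoSize
$admins | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
```

A blank `Value` means the setting is not configured on that host; the administrators table is for manual review, since the script cannot know which members are legitimate.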


