Pass-the-Hash is a credential abuse technique in Windows environments where an attacker uses a stolen NTLM hash to authenticate to another system, rather than needing the user’s actual password. If the environment still accepts NTLM authentication, the hash itself can be enough to move laterally.

When a user signs in to a Windows machine, credentials may be present in memory or accessible through other post-compromise techniques. If an attacker obtains an NTLM hash for a local administrator or domain account, there are publicly available tools such as PsExec that can sometimes use that hash to authenticate to remote systems. The attacker is effectively replaying the proof of identity without ever attempting to crack the hash into the original password.

The technique is particularly impactful in environments where privileged accounts log on to lower-trust systems, where local administrator passwords are reused, or where legacy NTLM usage remains widespread. A single compromised workstation can therefore become a stepping stone to servers, file shares, or even domain administration through rapid lateral movement.

Pass-the-Hash techniques remain a key finding area in internal penetration testing, especially in older or hybrid Windows estates. Reducing NTLM reliance, enforcing tiered administration, limiting privileged logons, and deploying unique local admin passwords are practical controls that materially reduce the risk.
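
To check how far those controls have actually taken hold, logon telemetry can be audited for the three conditions described above. The following is an added example, not code from the original page: it runs over constructed records that use Windows Security event 4624 field names, and the account names, host names, tier sets and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(time, host, user, logon_type, package, ip):
    """Build one record using Security event 4624 field names."""
    return {"time": datetime.fromisoformat(time), "Computer": host, "TargetUserName": user,
            "LogonType": logon_type, "AuthenticationPackageName": package, "IpAddress": ip}

# Constructed sample data, not from a real environment.
EVENTS = [
    ev("2024-05-01T09:00:05", "WS-014", "Administrator", 3, "NTLM", "10.0.5.23"),
    ev("2024-05-01T09:01:40", "WS-015", "Administrator", 3, "NTLM", "10.0.5.23"),
    ev("2024-05-01T09:03:12", "FS-02", "Administrator", 3, "NTLM", "10.0.5.23"),
    ev("2024-05-01T09:04:00", "FS-02", "alice", 3, "Kerberos", "10.0.5.40"),
    ev("2024-05-01T09:20:00", "WS-014", "adm-jsmith", 10, "Kerberos", "10.0.9.8"),
    ev("2024-05-01T09:30:00", "DC-01", "adm-jsmith", 3, "Kerberos", "10.0.9.8"),
    ev("2024-05-01T11:00:00", "WS-020", "bob", 3, "NTLM", "10.0.5.31"),
]
PRIVILEGED = {"adm-jsmith"}      # assumed tier-0 admin accounts
TIER0_HOSTS = {"DC-01"}          # assumed tier-0 systems
FANOUT_HOSTS = 3                 # assumed threshold: distinct hosts
WINDOW = timedelta(minutes=10)   # assumed threshold: time window

def ntlm_network_logons(events):
    """Network logons (type 3) that used NTLM: the residual NTLM surface."""
    return [e for e in events
            if e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM"]

def tier_violations(events):
    """Privileged accounts logging on to hosts outside their tier."""
    return [e for e in events
            if e["TargetUserName"] in PRIVILEGED and e["Computer"] not in TIER0_HOSTS]

def ntlm_fanout(events):
    """(account, source IP) pairs that reach FANOUT_HOSTS hosts over NTLM within WINDOW."""
    by_key = defaultdict(list)
    for e in ntlm_network_logons(events):
        by_key[(e["TargetUserName"], e["IpAddress"])].append((e["time"], e["Computer"]))
    hits = {}
    for key, seen in by_key.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            hosts = {h for t, h in seen[i:] if t - start <= WINDOW}
            if len(hosts) >= FANOUT_HOSTS:
                hits[key] = sorted(hosts)
                break
    return hits

if __name__ == "__main__":
    print("NTLM fan-out:", ntlm_fanout(EVENTS))
    print("Tier violations:", [(e["TargetUserName"], e["Computer"]) for e in tier_violations(EVENTS)])
```

A fan-out hit is a lead rather than proof: a legitimate NTLM logon produces the same record, so the value lies in showing where NTLM and shared local admin credentials are still in use.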