Pass-the-Hash
Pass-the-Hash vs Overpass-the-Hash
Pass-the-Hash (PtH) involves reusing NTLM password hashes—typically the NT hash of a user account—to authenticate over NTLM. This technique works with both local and domain accounts but only against services that accept NTLM (e.g., SMB, WMI, WinRM with NTLM fallback).
Overpass-the-Hash (OtH) leverages the NT or AES keys of a domain user to generate valid Kerberos TGTs, which are then injected into the current session (or a new one). This enables access to Kerberos-authenticated services and is preferred in environments that restrict or monitor NTLM. OtH is effectively a Kerberos-based equivalent of PtH, offering broader access in modern enterprise networks.
Pass-the-Hash (PtH) allows authentication using NTLM password hashes instead of plaintext credentials, enabling lateral movement without knowing the original password. It targets NTLM-based authentication (not Kerberos), and is typically used over SMB to authenticate to remote systems.
Remote code execution via PtH requires: local administrative privileges on the target; SMB (TCP 445) reachable with File and Printer Sharing enabled and the ADMIN$ share available; and a valid NTLM hash of a user with admin rights.
PtH is not a vulnerability in NTLM itself; it abuses the fact that a password hash, often obtained from LSASS memory or the SAM, is sufficient to authenticate. Tools like Impacket (e.g., wmiexec.py, psexec.py) and Metasploit's PsExec module authenticate with the supplied NTLM hash and, optionally, execute code by installing and starting a remote service through the Service Control Manager and then communicating with it over named pipes. For file access alone, no service creation is needed.
This technique works with both domain and local administrator accounts, but changes Microsoft introduced from 2014 onward restrict network authentication with local admin hashes across hosts (SID isolation), limiting the reuse of local accounts for lateral movement.
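From the defender's side, the two techniques above leave different traces: PtH is an NTLM network logon (Security 4624, LogonType 3, AuthenticationPackage NTLM), and the PsExec-style variant follows it with a service installation (System 7045) on the same host; OtH performed with an NT hash requests a TGT keyed with RC4-HMAC, so a 4768 event with TicketEncryptionType 0x17 stands out where AES is the norm. The following is an added detection sketch, not code from the original page; the event dicts are constructed samples with assumed field names, and the 60-second correlation window is an assumed tuning value.

```python
from datetime import datetime

# Constructed sample events (not real logs): Security/System event fields
# already parsed into dicts. Field names are assumptions for this example.
EVENTS = [
    {"ts": "2024-01-10T09:00:01", "id": 4624, "host": "SRV1", "user": "alice",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.5"},
    {"ts": "2024-01-10T09:00:04", "id": 7045, "host": "SRV1", "user": "alice",
     "service": "ABCDEFGH", "image": "%SystemRoot%\\ABCDEFGH.exe"},
    {"ts": "2024-01-10T09:10:00", "id": 4624, "host": "SRV2", "user": "bob",
     "logon_type": 3, "auth_pkg": "Kerberos", "src_ip": "10.0.0.6"},
    {"ts": "2024-01-10T09:30:00", "id": 4768, "host": "DC1", "user": "carol",
     "etype": 0x17, "src_ip": "10.0.0.7"},
    {"ts": "2024-01-10T09:31:00", "id": 4768, "host": "DC1", "user": "dave",
     "etype": 0x12, "src_ip": "10.0.0.8"},
]

def _t(e):
    return datetime.fromisoformat(e["ts"])

def find_pth_service_installs(events, window_s=60):
    """PtH-style RCE pattern: an NTLM network logon (4624, LogonType 3,
    AuthenticationPackage NTLM) followed within window_s seconds by a
    service install (7045) on the same host. Kerberos logons are ignored
    because PtH only works over NTLM. Returns (host, user, service)."""
    ntlm_logons = [e for e in events if e["id"] == 4624
                   and e["logon_type"] == 3 and e["auth_pkg"] == "NTLM"]
    hits = []
    for svc in (e for e in events if e["id"] == 7045):
        for lg in ntlm_logons:
            delta = (_t(svc) - _t(lg)).total_seconds()
            if lg["host"] == svc["host"] and 0 <= delta <= window_s:
                hits.append((svc["host"], lg["user"], svc["service"]))
                break
    return hits

def find_rc4_tgt_requests(events):
    """OtH indicator: a TGT request (4768) whose ticket encryption type is
    RC4-HMAC (0x17). An NT hash is usable directly as the RC4 key, so
    NT-hash-based OtH yields RC4 tickets; AES etypes (0x11/0x12) pass."""
    return [(e["user"], e["src_ip"]) for e in events
            if e["id"] == 4768 and e["etype"] == 0x17]

if __name__ == "__main__":
    print(find_pth_service_installs(EVENTS))  # [('SRV1', 'alice', 'ABCDEFGH')]
    print(find_rc4_tgt_requests(EVENTS))      # [('carol', '10.0.0.7')]
```

RC4 TGT requests alone are only suspicious in a domain that has moved to AES; treat the 4768 rule as a baseline-dependent signal and the logon-plus-service correlation as the stronger one.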